Software Built for What’s at Stake
When the program matters, the compliance posture of every vendor in the chain matters. SEP builds software in a CMMC Level 2 Enclave, independently assessed and built to work in environments where Controlled Unclassified Information (CUI) is part of the mission.
What Our Certification Actually Covers
SEP builds software through which CUI is processed, stored, and transmitted. That’s a different compliance posture than an organization whose CUI exposure is limited to data at rest. SEP was assessed in the context of software development environments where CUI is present.
That’s a harder bar than certifying an IT environment that stores sensitive data. We build the systems; the data moves through our work.
Certification details
Certifying organization
A-Lign
Assessment date
June 2, 2026
SPRS score
110
as of July 6, 2026 certification
Scope
Infrastructure, systems, and tooling for software development and product delivery
CMMC Level 2 maps to the 110 security requirements of NIST SP 800-171 Rev. 2. Achieving it requires a C3PAO-conducted assessment, not a self-assessment, against 14 control families, including access control, incident response, system and communications protection, and configuration management.
Why the CUI-Flow Distinction Matters
There’s a difference between a company that handles CUI and a company that builds software through which CUI is processed, stored, and transmitted.
If your program involves software systems that include mission planning tools, supply chain platforms, logistics systems, and embedded firmware, the compliance posture of your software development partner isn’t a checkbox. It’s a program risk.
SEP works in that space. We’ve structured our CMMC Enclave and security practices around it, and our certification reflects that.
Compliance Isn’t Just a Process. It’s a Culture.
SEP is employee-owned. That changes how people show up to work, including how they approach security and compliance.
When employees have an ownership stake in the company, they care about doing the work right — not only because a compliance team says so, but because it reflects on them directly. That same ownership orientation is what makes us consultative by nature. We ask the hard questions, flag the issues that are easier to ignore, and treat your success as an extension of our own reputation. CMMC requirements don’t feel like overhead in that environment. Our ESOP structure means that orientation runs through every level of the work, not just the people with “security” in their title.
What Working with SEP Looks Like
We engage defense organizations and their program teams at the software development level — embedded in programs, not parachuted in.
Typical engagements include:
- Custom software development for programs operating in CUI environments
- Modernization of legacy defense systems with compliance requirements built in
- Software engineering development and support for DIB contractors
Frequently Asked Questions
CMMC Level 2 is the tier requirement for defense contractors handling Controlled Unclassified Information under DoD contracts that specify the requirements. CMMC Level 2 mandates a third-party assessment against 110 security requirements of NIST SP 800-171 Rev. 2.
Self-assessment means a company certifies its own compliance, which is sufficient for CMMC Level 1. CMMC Level 2 requires a C3PAO assessment – an independent evaluation conducted by an organization authorized by the Cyber AB, the accreditation body for the CMMC ecosystem. SEP’s Enclave was assessed by an authorized C3PAO rather than by self-assessment.
The Supplier Performance Risk System score reflects a contractor’s self-assessed compliance with NIST SP 800-171 Rev. 2. SEP has fully implemented all 110 security controls.