What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

C3PAO Assessment Preparation: The 30-Day Checklist

Your C3PAO Assessment Is in 30 Days — Here's Exactly What to Do

You've booked your CMMC Level 2 assessment with a C3PAO. The clock is ticking. This checklist covers everything you need to do in the final 30 days to maximize your chances of passing.

Week 1 (Days 30-24): Documentation Review

Day 30-28: SSP Deep Review

Review every section of your System Security Plan
Verify system boundary descriptions match your actual environment
Confirm all 110 controls have implementation statements
Check that personnel names and roles are current
Validate network diagrams reflect current architecture
Ensure CUI data flow diagrams are accurate

Day 27-25: POA&M Validation

Review all POA&M items — are milestone dates realistic?
Verify that no POA&M items have passed their target dates without resolution
Document progress on each open item
Ensure each POA&M entry has: finding, milestone, responsible party, target date
Remove any items that have been completed (move to evidence)

Day 24: Policy Currency Check

Confirm all policies have been reviewed within the last 12 months
Check that policy version numbers and review dates are current
Verify all team members have signed acknowledgments
Ensure policies cover all 14 NIST control families

Week 2 (Days 23-17): Evidence Gathering

Day 23-21: Technical Evidence

Capture fresh screenshots of security configurations
Export audit logs showing 90+ days of continuous logging
Document MFA enrollment status for all CUI-access users
Capture vulnerability scan results (recent, not stale)
Export endpoint protection deployment reports
Screenshot access control lists and permission matrices

Day 20-18: Administrative Evidence

Gather training completion records for all personnel
Collect signed acceptable use agreements
Document incident response test results (tabletop or live)
Compile background check completion records
Gather maintenance logs for systems in CUI scope

Day 17: Evidence Organization

Map every piece of evidence to specific controls
Ensure no control is missing evidence entirely
Verify file names are descriptive (not "screenshot1.png")
Organize by control family for assessor navigation
Check that timestamps on evidence are recent

Week 3 (Days 16-10): Team Preparation

Day 16-14: Role-Based Interview Prep

Assessors will interview personnel in key roles. Prepare each person:

IT Administrator / System Admin

How are user accounts provisioned and deprovisioned?
Walk me through your patch management process
Show me your baseline configuration documentation
How do you monitor for unauthorized software?

Security Officer / CISO

Describe your incident response process
When was the last time you tested your IR plan?
How do you track CUI throughout your environment?
What's your risk assessment methodology?

General Staff

What is CUI and how do you handle it?
What would you do if you received a phishing email?
Where do you report security incidents?
What are your password requirements?

Day 13-11: Mock Interview Sessions

Conduct mock interviews with each key role
Document any knowledge gaps and provide targeted training
Ensure everyone knows the location of key documents (SSP, policies)
Practice walking through CUI data flow on the network diagram

Day 10: Logistics

Confirm assessment dates and agenda with C3PAO
Reserve meeting rooms for interviews
Prepare systems for live demonstrations
Ensure assessors will have network access to review evidence
Designate a primary point of contact

Week 4 (Days 9-1): Final Preparation

Day 9-7: Dry Run

Walk through every control as if you're the assessor
For each control, can you show: policy, procedure, evidence, implementation?
Identify any last-minute gaps and document them in POA&M if needed
Verify all systems in scope are functioning normally

Day 6-4: Environment Check

Run a final vulnerability scan — no critical/high findings should be open
Verify all endpoints have current antivirus signatures
Check that all user accounts with CUI access still require MFA
Confirm audit logging is active and collecting events
Test your incident response communication chain

Day 3-1: Final Touches

Print and organize all documentation for quick reference
Brief the executive team on the assessment process
Ensure your SPRS score in SPRS.mil matches your current assessment
Get a good night's sleep — you've prepared well

Common Assessment Pitfalls

1. Stale Evidence

Assessors will question evidence that's more than 90 days old. Capture fresh screenshots and exports in the final week.

2. Disconnected Documentation

Your SSP says one thing, but your actual environment looks different. Walk through every SSP statement with fresh eyes.

3. Untrained Staff

The #1 reason for assessment findings isn't technical — it's personnel who can't articulate their security responsibilities.

4. Missing POA&M Items

If a control isn't fully implemented and doesn't have a POA&M entry, it's an automatic finding. Better to document a known gap than leave it undocumented.

5. Scope Creep

During the assessment, don't volunteer information about systems outside your defined CUI boundary. Stay focused on the systems described in your SSP.

Post-Assessment: What Happens Next

Assessment report: C3PAO delivers findings within 30 days
Finding resolution: You have 90 days to remediate any findings
Certification decision: C3PAO submits to the Cyber AB
Certificate issued: Valid for 3 years with annual affirmation

Start your assessment prep with CMMC Command — see your readiness score and get AI-powered guidance on exactly what to prepare.