What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

CUI Identification and Marking: A Practical Guide for Contractors

What Is CUI and Why Does It Matter?

Controlled Unclassified Information (CUI) is information that the government creates or possesses — or that an entity creates or possesses for the government — that requires safeguarding per law, regulation, or government-wide policy. It's not classified, but it's not public either.

For defense contractors, CUI is the trigger for CMMC Level 2. If you handle CUI, you need to protect it per NIST SP 800-171. The first step: knowing what CUI you actually have.

Common CUI Categories in Defense Contracting

Technical Data

Engineering drawings and specifications
Test and evaluation results
Manufacturing process documentation
Source code for defense-related software
Performance specifications
Technical manuals and maintenance procedures

Contract and Acquisition Data

Proposal information (pre-award)
Contract pricing data
Source selection information
Proprietary business information submitted under contract

Export-Controlled Information

ITAR-controlled technical data
EAR-controlled technology
Munitions list items and data

Other Common Categories

Vulnerability assessment results
Critical infrastructure information
Privacy data (PII of military personnel)
Law enforcement sensitive information

How to Identify CUI in Your Organization

Step 1: Contract Review

Start with your contracts. Look for:

DFARS 252.204-7012: The primary CUI protection clause
DFARS 252.204-7019/7020: NIST 800-171 assessment requirements
ITAR clauses: International Traffic in Arms Regulations
CUI marking requirements: Some contracts specify how CUI must be marked

Step 2: Data Flow Mapping

Trace where contract-related information flows:

Where do you receive technical data from the government or primes?
Where is it stored (file servers, cloud, email, workstations)?
Who accesses it and through what systems?
Where does it leave your organization (to subcontractors, deliverables)?

Step 3: System Inventory

Identify every system that touches CUI:

Email systems (CUI in attachments or body)
File storage (network drives, SharePoint, cloud storage)
Engineering tools (CAD software, PLM systems)
Communication tools (Teams, Slack — are CUI discussions happening here?)
Mobile devices (are engineers accessing CUI remotely?)
Backup systems (your backups contain CUI too)

CUI Marking Requirements

Document Marking

CUI documents should include:

Banner marking: "CUI" or "CONTROLLED" at the top and bottom of each page
Category marking: The specific CUI category (e.g., "CUI//SP-CTI" for Controlled Technical Information)
Distribution statement: Who can receive this document
Point of contact: Who to contact about the CUI designation

Example Banner Marking

CUI//SP-CTI
DISTRIBUTION STATEMENT D: Distribution authorized to DoD and U.S. DoD contractors only.

Email Marking

Subject line: Include "CUI" at the beginning
Body: Include CUI banner at top
Attachments: Mark each attachment individually

Digital File Marking

Include CUI designation in file metadata where possible
Use descriptive file names that indicate CUI status
Store in designated CUI folders/locations

Building Your CUI Boundary

The CUI boundary defines which systems, networks, and physical locations process CUI. This boundary is critical for your SSP and directly impacts your CMMC assessment scope.

Minimize Your Boundary

The smaller your CUI boundary, the fewer systems need full NIST 800-171 compliance:

Segment CUI systems from general business systems
Use a dedicated enclave for CUI processing when possible
Limit CUI access to personnel who genuinely need it
Consider virtual desktop infrastructure (VDI) for CUI access

Document the Boundary

Your SSP must clearly define:

Network diagrams showing CUI-processing systems
Physical locations where CUI is stored or accessed
Personnel authorized to access CUI
Data flow diagrams showing CUI movement

Common CUI Mistakes

1. CUI Sprawl

CUI ends up everywhere — personal laptops, personal email, unauthorized cloud storage. Implement technical controls to contain it.

2. Over-Classification

Not everything is CUI. Over-marking wastes resources and creates compliance fatigue. Only mark what's actually designated CUI by the government.

3. Ignoring Derived CUI

If you create a document using CUI source material, the derived document is also CUI. Many contractors miss this.

4. Forgetting Backups

Your backup systems contain CUI. They're in scope for NIST 800-171 controls.

5. No Destruction Procedures

When CUI is no longer needed, it must be destroyed per NIST 800-88. "Deleting" a file isn't sufficient — media must be sanitized or destroyed.

How CMMC Command Helps with CUI Management

Asset inventory: Track every system in your CUI boundary with scope designation
CUI evidence scanning: Automated detection of CUI markers in uploaded evidence files
SSP generation: Automatically generates CUI boundary documentation
Policy templates: Pre-built CUI handling policies mapped to NIST controls

Map your CUI boundary for free — start your assessment and document your CUI environment.