What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

How to Improve Your SPRS Score Fast: Prioritization Strategies That Work

Your SPRS Score Is Negative. Now What?

A negative SPRS score isn't unusual — it just means you have significant gaps in your NIST 800-171 implementation. Many contractors start at -50 to -150. The question isn't where you start, it's how fast you can improve.

The Weight-Based Prioritization Strategy

Not all controls are equal. The DOD assigns weights of 1, 3, or 5 to each control. Your fastest path to score improvement: start with weight-5 controls that are easiest to implement.

The Impact Matrix

Plot your unimplemented controls on two axes: DOD weight (impact on score) and implementation difficulty (time/cost to implement).

Priority	Weight	Difficulty	Action
1 (Do First)	5	Low	Immediate quick wins
2 (Do Next)	5	Medium	Schedule this week
3 (Plan For)	5	High	Start planning, may need budget
4 (Batch)	3	Low	Batch together for efficiency
5 (Schedule)	3	Medium-High	Scheduled remediation
6 (Last)	1	Any	Address after higher weights

Quick Win Controls (Weight 5, Low Difficulty)

These are controls that most organizations can implement in a day or less:

3.5.3 — Use multifactor authentication (Weight 5) MFA is available in most identity platforms (Azure AD, Google, Okta) and can be enabled in hours. This is almost always the single highest-ROI action.

3.1.1 — Limit system access to authorized users (Weight 5) Review your user accounts. Remove inactive accounts. Document who has access to what. This is often already partially done.

3.1.2 — Limit system access to transaction types (Weight 5) Implement role-based access control. Users should only have permissions for their job function.

3.13.8 — Implement cryptographic mechanisms for CUI in transit (Weight 5) Enable TLS/HTTPS everywhere. Configure VPN for remote access. Most organizations already have this partially implemented.

3.14.2 — Provide protection from malicious code (Weight 5) Deploy endpoint protection on all devices. Solutions like CrowdStrike and SentinelOne deploy in minutes.

Medium Effort, High Impact (Weight 5)

3.3.1 — Create and retain system audit logs (Weight 5) Enable logging on all CUI-touching systems. Configure a SIEM or log aggregator. Takes 1-2 weeks to fully implement.

3.4.1 — Establish and maintain baseline configurations (Weight 5) Document your current system configurations. This is labor-intensive but straightforward.

3.13.1 — Monitor communications at external boundaries (Weight 5) Deploy or configure boundary firewalls with logging. Many organizations have firewalls but aren't monitoring them effectively.

The 60-Day Score Improvement Plan

Week 1-2: Assessment and MFA (+25-35 points)

Complete full 110-control assessment
Enable MFA everywhere
Implement quick-win weight-5 controls
Document existing controls that are implemented but not documented

Week 3-4: Access Control Sweep (+15-25 points)

Audit all user accounts and remove unused accounts
Implement RBAC with documented access matrices
Configure session timeouts and lockouts
Document remote access procedures

Week 5-6: Logging and Monitoring (+15-20 points)

Enable audit logging on all CUI systems
Configure log retention (90+ days)
Set up basic log review process
Enable endpoint protection reporting

Week 7-8: Documentation Burst (+10-15 points)

Generate SSP from your compliance platform
Create policies for all 14 control families
Build POA&M for remaining gaps
Collect evidence for implemented controls

Expected improvement: 65-95 SPRS points in 60 days.

A contractor starting at -80 can realistically reach 0-15 in 60 days by focusing on weight-5 controls and documentation.

The POA&M Strategy

For controls you genuinely can't implement in 60 days, create POA&M entries. A control with a valid POA&M (documented plan with milestones) is not deducted from your SPRS score.

But be honest: assessors will scrutinize POA&M items. Each entry needs:

Specific finding description
Remediation milestones with dates
Responsible party
Resource requirements
Realistic target completion date

Common Score Killers

1. Ignoring Access Control

AC has 22 controls — more than any other family — with heavy weight-5 concentration. A weak AC implementation alone can cost 50+ SPRS points.

2. No Audit Logging

The AU family is weight-5 heavy. If you're not logging, you're hemorrhaging points.

3. Treating Documentation as Optional

Many contractors have implemented controls technically but never documented them. In SPRS scoring, an undocumented control is a not-implemented control.

Tracking Your Progress

Your SPRS score should be a living metric that updates as you implement controls. Use a platform that:

Calculates your score in real-time using DOD weights
Shows trending over time
Identifies which controls will have the most score impact
Generates your SPRS submission automatically

Calculate your SPRS score now — free, real-time, with DOD-accurate weights and an impact simulator.