🎁 Start with a 5-Day FREE Trial - No Credit Card Required
The only AI-powered CMMC platform
  • on FedRAMP High infrastructure.
  • that writes your SSP for you.
  • your auditor will trust.
  • built for the DoD supply chain.
  • with US sovereign data centers.

AI assesses all 110 NIST 800-171 controls, finds every gap, auto-generates your POA&M and SSP — all on Azure Government infrastructure. Not just compliant tools — compliant infrastructure.

Azure Government Cloud
FedRAMP High Authorized Infrastructure
US Sovereign Data Centers
✨ AI-Powered Assessor ✅ CMMC 2.0 Level 1 & Level 2 ✅ Auto-generate POA&Ms ✅ Official SPRS scoring 🛡️ FedRAMP High Authorized
Perfect for:
🏭 Defense Contractors 💻 IT Teams Managing Compliance 🎯 C3PAO Assessment Prep 💼 CMMC Consultants & MSPs

Join the growing number of defense contractors streamlining their CMMC compliance.

110 NIST 800-171 Controls
320 Assessment Objectives
95+ Auto-Verifiable Controls
60s AI Assessment Time
Your data never leaves U.S. sovereign soil | FedRAMP High — 421 security controls | Azure Government Cloud
Government-Grade Security

Your Compliance Data Deserves
Federal-Level Protection

Dakeeko runs entirely on Microsoft Azure Government Cloud — the same FedRAMP High authorized infrastructure trusted by the DoD, FBI, and hundreds of federal agencies. Your CMMC data never touches commercial servers.

FedRAMP High Authorized

Built on infrastructure that meets all 421 FedRAMP High security controls — the highest baseline for federal cloud systems. Verified by independent 3PAO auditors.

US Sovereign Data Centers

All data is processed and stored exclusively in U.S. Government data centers operated by screened U.S. persons. Your CUI never leaves sovereign soil.

CUI-Ready Platform

Azure Government is authorized for CUI, ITAR, and DoD IL2/IL4/IL5 workloads — meaning your most sensitive compliance data is stored at a classification level that exceeds CMMC requirements.

How Dakeeko Compares

Most CMMC platforms run on commercial cloud. Dakeeko is built different.

Security Feature | Dakeeko | Typical GRC Tool
Cloud Infrastructure | Azure Government | AWS / Azure Commercial
FedRAMP Authorization | ✓ High | None or Moderate
CUI Authorized | ✓ Yes | ✗ No
Data Residency | U.S. Gov Only | Multi-region / Global
Screened US Personnel | ✓ Yes | ✗ No
DoD IL2/IL4/IL5 Ready | ✓ Yes | ✗ No

Want to see Dakeeko in action?

Book a free 1-on-1 walkthrough — we'll show you how it works for your specific needs.

Schedule a Demo →

See the Platform in Action

Built for compliance teams who need clarity, not complexity

Dakeeko Compliance Dashboard — SPRS score, compliance metrics, and real-time status tracking
Real-time compliance dashboard with SPRS scoring, gap tracking, and assessment status
POA&M remediation tracking with assigned owners, target dates, and phased implementation

📋 Plan of Action & Milestones

Track every remediation step with assigned owners, target dates, phased implementation notes, and real-time status updates. Never lose sight of what needs to happen next.

Microsoft 365 integration — auto-verify MFA, devices, users, and audit logs

🔌 Integrations

Connect Microsoft 365, Sentinel, Veeam, and more. Auto-verify MFA, devices, users, and audit logs across Commercial and GCC High environments.

Built for Two Roles

Whether you're managing your own compliance or guiding clients through theirs

Company Mode

🏒 Manage Your Own Compliance

Own your organization's CMMC journey. Manage team members with roles like Owner and Admin, track your company profile, and maintain full control of your compliance data.

Company mode — manage your own organization's CMMC compliance with team roles
Consultant Mode

🤝 Guide Your Clients

Manage client engagements as a CMMC consultant. Oversee client organizations with dedicated roles — Consultant, Admin, and Assessor — while keeping client data separate and secure.

Consultant mode — manage client CMMC compliance engagements with consultant, admin, and assessor roles
🚀 Introducing AI Assessor

What Used to Take Weeks, Our AI Does in Seconds

One click analyzes all 110 CMMC controls, identifies every gap in your compliance posture, and automatically generates a complete remediation plan with POA&Ms, timelines, and downloadable reports.

⚡ Instant Analysis: Scan all controls in seconds
📋 Auto-Generate POA&Ms: Complete remediation plans
📅 Smart Timelines: Based on complexity
📄 PDF Reports: Share with stakeholders
Try AI Assessor Free →

Why Spend $20K+ on Manual Assessments When AI Does It in Seconds?

CMMC assessments have always been expensive, slow, and painful. Not anymore.

📋 Manual Process
✕ 2-4 weeks to complete an assessment
✕ $15,000 – $40,000 typical manual assessment costs
✕ Days of manual POA&M writing for each unmet control
✕ Weeks of back-and-forth for remediation planning
✕ Start over from scratch for every reassessment

VS

✨ With Dakeeko AI
✓ Minutes, one click (all 110 controls analyzed)
✓ Included at $129/mo (unlimited assessments)
✓ POA&Ms auto-generated (with remediation steps & timelines)
✓ AI-prioritized by SPRS impact (fix what matters most first)
✓ Re-run anytime, unlimited (track progress as you remediate)

Stop spending weeks on manual assessments — let AI handle the heavy lifting.

Learn More About AI Assessor →

Everything You Need to Prove CMMC Compliance

Assessment-ready tools built specifically for defense contractors pursuing CMMC Level 1 and Level 2 certification

⚡ Game Changer
✨

AI-Powered Assessor NEW

Get hours of manual assessment work done in seconds. Our AI analyzes your current control implementations and instantly identifies gaps, generates POA&Ms, calculates remediation timelines, and provides actionable recommendations — all with one click.

✨ What the AI Assessor Does:

  • ✓ Scans notes and uploaded evidence (PDFs, policies, screenshots)
  • ✓ Auto-generates POA&Ms with remediation steps
  • ✓ Calculates realistic timelines based on complexity
  • ✓ Prioritizes gaps by SPRS score impact
  • ✓ Generates downloadable PDF assessment reports

Prove Control Implementation

Document and verify all 110 NIST 800-171 controls with evidence-driven tracking. Upload policies, screenshots, and configurations as evidence — then mark controls as Implemented, Planned, or Alternative with audit-defensible documentation for each.

Generate Assessor-Grade SSPs

Instantly generate comprehensive, C3PAO-ready System Security Plans with one click. Automatically populates your control implementations, company information, and compliance documentation into a professional NIST 800-171 formatted document that assessors expect to see.

Audit-Defensible POA&M Management

Create, track, and manage Plan of Action & Milestones for controls that aren't fully implemented. Set priorities, assign owners, and document remediation timelines that satisfy assessor requirements.

SPRS Score Calculator AUTO

Know where you stand instantly. Automatically calculate your Supplier Performance Risk System (SPRS) score based on your control implementations. Required for DoD contracts and updated in real-time as you progress.

Asset Inventory

Maintain a comprehensive inventory of your IT assets, software, and hardware. Organize by asset type and track everything in one centralized location.

Evidence Repository

Store and organize compliance documentation, policies, and evidence in one secure location. Everything you need for your CMMC audit, ready when you need it.

Team Collaboration POWERFUL

Work together as a team. Invite team members to collaborate in real-time. Assign controls, track who implemented what, and keep everyone aligned on compliance progress — all in one shared workspace.

Company Profile Management

Centralize your organization's compliance information including company details, contact information, and certification status.

✨

AI Trained on CMMC Assessment Logic NEW

You stay in control — AI accelerates your work. Our AI writes implementation statements, suggests POA&M remediation plans, and interprets assessment objectives on demand. Get expert-level suggestions in seconds while maintaining full control over your compliance documentation.

Security Tool Integrations AUTOMATE

Connect your existing security tools for automated compliance verification. Integrate with Microsoft 365, endpoint protection, security training, vulnerability scanners (Nessus), backup solutions (Veeam), ticketing systems (Jira), and SIEM (Microsoft Sentinel) to automatically verify up to 95+ controls with GCC High.

🔌 Connects With Your Security Stack

Automate evidence collection and control verification by connecting your existing tools

  • Microsoft 365
  • Endpoint/MDM
  • Training
  • Vuln Scanner
  • SIEM
  • Ticketing
  • Backup

95+ Auto-Verified Controls
8 Integration Categories
86% L2 Automation
View All Integrations →

Ready to Simplify Your Compliance?

Join defense contractors who trust Dakeeko to manage their CMMC journey

🔌 Automate Your Compliance

Powerful Integrations for
Automated Compliance

Connect your existing security tools to automatically verify controls, generate evidence, and keep your compliance data always up-to-date.

30+ Controls (Basic)
95+ Controls (GCC High)
86% L2 Automation
Real-Time Compliance Sync

Connect Your Security Stack

One-click integrations with the tools you already use

⭐ Premium
☁️

Microsoft GCC High

Full CMMC Compliance Automation

For organizations using Microsoft 365 GCC High, unlock comprehensive compliance automation across all 14 CMMC control families. Auto-verify nearly all Level 2 controls with deep integration into your FedRAMP-authorized environment.

Covers All Control Families
Access Control (22) | Identification & Auth (11) | System & Comms (16) | Audit & Accountability (9) | Config Management (9) | + 9 More Families
95+ controls automatically verified
That's 86% of all 110 Level 2 controls — fully automated
Live

Microsoft 365 / Entra ID

Identity & Access Management

Connect your M365 tenant to automatically verify MFA status, conditional access policies, user roles, and pull audit logs for compliance evidence.

Auto-Verifies
MFA Enforcement | Conditional Access | User Roles | Audit Logs
9 controls automatically verified
Live

Endpoint / MDM

Device Security & Management

Auto-verify device encryption, OS patch levels, antivirus status, and compliance posture from your endpoint protection platform.

Supported Platforms
Microsoft Intune | CrowdStrike | SentinelOne | Jamf
5 controls automatically verified
Live

Security Awareness Training

Training & Phishing Simulation

Auto-verify training completion rates, phishing simulation results, and user risk scores from your security awareness platform.

Supported Platforms
KnowBe4 | Proofpoint | Mimecast
3 controls automatically verified
Live

Vulnerability Scanner

Continuous Security Assessment

Auto-import vulnerability scan results, risk scores, and remediation status for continuous security monitoring and POA&M tracking.

Supported Platforms
Nessus | Qualys (Coming Soon) | Rapid7 (Coming Soon)
4 controls automatically verified
Live

Backup & Recovery

Data Protection & Recovery

Verify backup policies, encryption status, job success rates, and recovery point objectives for data protection compliance.

Supported Platforms
Veeam | Commvault (Coming Soon) | Rubrik (Coming Soon)
4 controls automatically verified
Live
🎫

Ticketing System

Incident & Change Management

Track security incidents, change requests, and remediation tasks. Auto-generate audit trails for compliance documentation.

Supported Platforms
Jira | ServiceNow (Coming Soon) | ConnectWise (Coming Soon)
3 controls automatically verified
Live

SIEM

Security Information & Event Management

Centralized logging verification, security alert tracking, and incident detection for comprehensive audit compliance.

Supported Platforms
Microsoft Sentinel | Splunk (Coming Soon) | Elastic (Coming Soon)
6 controls automatically verified
Zero-Trust Architecture

Your CUI Never Leaves Your Tenant

Understanding how Dakeeko's GCC High integration keeps your sensitive data exactly where it belongs — in your environment

"We Don't Want Your Data. We Want to Know If You're Compliant."

Dakeeko only stores pass/fail compliance status — never your CUI, tokens, configurations, or user data.

How Data Flows — And Where It Stays

☁️ Your GCC High Tenant: CUI, configs, users, policies (STAYS HERE)
→ Graph API (Read-Only) →
🖥️ Your Browser: OAuth token + API responses (PROCESSED & DISCARDED)
→ Status Only →
📊 Dakeeko: Only "met" or "not_met" (COMPLIANCE STATUS ONLY)

Customer-Controlled App Registration

You create the Azure AD App Registration in YOUR tenant. You control all permissions. You can revoke access instantly — Dakeeko never has admin access to your environment.

Client-Side OAuth Authentication

OAuth tokens are returned directly to your browser — never to Dakeeko's servers. Your access token stays in browser memory and expires after 1 hour.

Read-Only Permissions

We only request read permissions: User.Read.All, AuditLog.Read.All, Policy.Read.All, Directory.Read.All. We cannot modify anything in your tenant.

Browser-Based Processing

Your browser calls Microsoft Graph directly. Raw API responses are processed client-side to determine compliance status, then immediately discarded from memory.

Full Auditability

Every Graph API call is logged in your Azure AD audit logs. You can see exactly what data was accessed, when, and by whom — complete transparency.

Instant Revocation

Delete the App Registration in Azure AD and access is immediately revoked. No persistent credentials, no service accounts, no backdoors — you're always in control.

What Dakeeko Stores

• Control compliance status (met, partial, not_met)
• Timestamp of last verification
• Integration connection state (connected/disconnected)
• Organization metadata you provide

What Dakeeko NEVER Stores

✗ OAuth access tokens or credentials
✗ User lists, email addresses, or PII
✗ Audit logs, sign-in data, or activity records
✗ Policy configurations or security settings
✗ CUI, files, documents, or encryption keys
✗ Intune device configurations or inventories

Example: How MFA Verification Works

// 1. Browser calls Microsoft Graph directly with YOUR token
const response = await fetch('https://graph.microsoft.us/v1.0/policies/conditionalAccessPolicies', {
  headers: { 'Authorization': `Bearer ${customerToken}` } // Token stays in browser
});
if (!response.ok) throw new Error(`Graph request failed: ${response.status}`);
// Graph returns the policy collection under "value"
const { value: policies } = await response.json();
// 2. Browser checks if MFA is enforced
const mfaEnforced = policies.some(p => p.state === 'enabled' && p.grantControls?.builtInControls?.includes('mfa'));
// 3. ONLY the boolean result is sent to Dakeeko — no policy details
await saveToDakeeko({ control: '3.5.3', status: mfaEnforced ? 'met' : 'not_met' });
// 4. Raw API response is discarded from browser memory

This architecture means that even if Dakeeko were somehow compromised, attackers would only get compliance status booleans — not CUI, not configurations, not credentials, not tokens.
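
A stricter form of the MFA check above, as an added example that is not Dakeeko's code: the one-line `some()` test reports "met" as soon as any enabled policy lists MFA, even one scoped to a single role or satisfiable without MFA. The sketch runs over constructed policy objects shaped like Graph `conditionalAccessPolicy` resources and guards the outbound payload so only status fields leave the browser. The function names, the `verifiedAt` field name and the rule for `partial` are assumptions.

```javascript
// Added example (not Dakeeko's code): stricter client-side evaluation of
// conditional access policies for control 3.5.3. All data is constructed.

// The one-line test shown on the page, kept for comparison.
function naiveMfaCheck(policies) {
  return policies.some(p => p.state === 'enabled' &&
    p.grantControls?.builtInControls?.includes('mfa'));
}

// True when every way of satisfying the policy's grant controls involves MFA.
// With operator "OR", any other listed control (e.g. compliantDevice) would
// grant access without MFA, so MFA must then be the only built-in control.
// Assumption: policies that use authenticationStrength instead of the
// built-in "mfa" control are not recognised here and need their own branch.
function requiresMfa(policy) {
  const grant = policy.grantControls;
  const controls = grant?.builtInControls;
  if (!Array.isArray(controls) || !controls.includes('mfa')) return false;
  return grant.operator === 'AND' || controls.length === 1;
}

const includesAll = list => Array.isArray(list) && list.includes('All');

// Number of users, groups, roles and apps carved out of the policy.
function exclusionCount(policy) {
  const users = policy.conditions?.users ?? {};
  const apps = policy.conditions?.applications ?? {};
  return [users.excludeUsers, users.excludeGroups, users.excludeRoles,
          apps.excludeApplications]
    .reduce((n, list) => n + (Array.isArray(list) ? list.length : 0), 0);
}

// Returns 'met' | 'partial' | 'not_met' (the three statuses the page lists).
// Assumed rule: 'met' needs an enforced MFA policy for all users and all
// apps with no exclusions; an enforced MFA policy that is scoped or has
// exclusions is 'partial' so a person reviews it; anything else is 'not_met'.
function evaluateMfa(policies) {
  const enforced = policies.filter(p => p.state === 'enabled' && requiresMfa(p));
  const complete = enforced.some(p =>
    includesAll(p.conditions?.users?.includeUsers) &&
    includesAll(p.conditions?.applications?.includeApplications) &&
    exclusionCount(p) === 0);
  if (complete) return 'met';
  return enforced.length > 0 ? 'partial' : 'not_met';
}

// Guard for the outbound call: only status fields may leave the browser.
// 'verifiedAt' is a hypothetical name for the stored verification timestamp.
const ALLOWED_KEYS = ['control', 'status', 'verifiedAt'];
const ALLOWED_STATUS = ['met', 'partial', 'not_met'];

function assertStatusOnly(payload) {
  const extra = Object.keys(payload).filter(k => !ALLOWED_KEYS.includes(k));
  if (extra.length > 0) throw new Error(`fields not allowed: ${extra.join(', ')}`);
  if (!ALLOWED_STATUS.includes(payload.status)) throw new Error('invalid status');
  return payload;
}

// Constructed sample policies, shaped like Graph conditionalAccessPolicy objects.
const makePolicy = (state, users, grant) => ({
  state,
  conditions: { users, applications: { includeApplications: ['All'] } },
  grantControls: grant,
});
const mfaOnly = { operator: 'OR', builtInControls: ['mfa'] };
const SAMPLES = {
  reportOnly: makePolicy('enabledForReportingButNotEnforced',
    { includeUsers: ['All'] }, mfaOnly),
  adminsOnly: makePolicy('enabled', { includeRoles: ['constructed-role-id'] }, mfaOnly),
  mfaOrDevice: makePolicy('enabled', { includeUsers: ['All'] },
    { operator: 'OR', builtInControls: ['mfa', 'compliantDevice'] }),
  withExclusion: makePolicy('enabled',
    { includeUsers: ['All'], excludeUsers: ['constructed-user-id'] }, mfaOnly),
  allUsers: makePolicy('enabled', { includeUsers: ['All'] }, mfaOnly),
};
```

The `adminsOnly` and `mfaOrDevice` samples both pass the one-line test while leaving most sign-ins without an MFA requirement, which is the gap the stricter rule closes.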

Hosted on Azure Government Cloud
FedRAMP High authorized infrastructure · US sovereign data centers · Built for defense contractors

How Integrations Work

Three simple steps to automated compliance

1. Connect

One-click OAuth connection or API key — no complex setup required. Your data stays in your systems.

2. Sync

Dakeeko automatically pulls compliance-relevant data and maps it to NIST 800-171 controls.

3. Verify

Controls are auto-verified with real evidence. Your SPRS score updates in real-time.

Ready to Automate Your Compliance?

Start your 5-day free trial and connect your first integration in minutes.

About Dakeeko

Dakeeko is the complete CMMC compliance platform built for defense contractors, MSPs, and compliance consultants. We help organizations achieve and maintain CMMC Level 1 and Level 2 certification — replacing scattered spreadsheets and manual workflows with a single, purpose-built solution.

From your first self-assessment to C3PAO readiness, Dakeeko guides you through every step — mapping controls, generating assessor-grade documentation, tracking remediation, and proving compliance with confidence.

110+ NIST 800-171 Controls
320 Assessment Objectives
95+ Auto-Verifiable Controls

Built on Azure Government Cloud

Dakeeko is one of the only CMMC compliance platforms hosted entirely on Microsoft Azure Government — FedRAMP High authorized infrastructure with 421 security controls. Your compliance data is processed and stored exclusively in U.S. Government data centers, operated by screened U.S. persons.

FedRAMP High | CUI Authorized | DoD IL2/IL4/IL5 | ITAR Compliant

What Makes Dakeeko Different

Most compliance tools are built for large enterprises with dedicated security teams. Dakeeko is built for the rest of the defense industrial base — small and mid-size contractors, IT service providers, and the consultants who support them.

AI-Powered Assessor

Our AI reviews your documentation and evidence against each control, identifies gaps, suggests remediation steps, and auto-generates POA&Ms — saving hours of manual review.

GCC High Integration

Connect your Microsoft 365 GCC High environment and auto-verify up to 95+ controls directly from your tenant configuration — no manual evidence collection required.

Multi-Client Management

Consultants and MSPs can manage multiple client organizations from a single account — each with their own controls, evidence, documentation, and team members.

Assessor-Grade Documentation

Generate complete SSPs, POA&Ms, and SPRS scores that meet assessor expectations. Every document is built from your actual control data — not generic templates.

Meet the Founder

Tim Cleland - Founder & CEO of Dakeeko
Founder & CEO

Tim Cleland

Cybersecurity & Compliance Expert

With over a decade of experience in government cybersecurity, I founded Dakeeko after seeing how defense contractors — especially small and mid-size companies — struggled to navigate CMMC without enterprise budgets. I've spent years working in federal compliance and understand what assessors actually look for. Dakeeko is built to make that expertise accessible to everyone in the defense industrial base, whether you're a solo contractor or an MSP managing dozens of clients.

🛡️ 10+ Years in Gov Cybersecurity 📋 Federal Compliance Expert 🏛️ Defense Industry Specialist

Our Mission

CMMC compliance shouldn't require a dedicated security team or six-figure consulting engagements. We're building the tools that make certification achievable for organizations of any size — intuitive enough for a one-person IT shop, powerful enough to satisfy a C3PAO assessor.

Every feature in Dakeeko is designed around real-world assessment workflows. We don't just track controls — we help you understand what each one requires, document how you meet it, and prove it with evidence. You stay in control. We accelerate the work.

Security & Compliance

Built on Azure Government Cloud

Dakeeko runs entirely on Microsoft Azure Government — the same FedRAMP High authorized, U.S. sovereign cloud infrastructure trusted by the Department of Defense, intelligence community, and hundreds of federal agencies.

FedRAMP High

421 security controls — the highest federal baseline. Verified by independent 3PAO auditors.

US Sovereign Data

All data processed and stored in U.S. Government data centers operated by screened U.S. persons.

CUI Authorized

Authorized for Controlled Unclassified Information, ITAR, and export-controlled data.

DoD Impact Levels

Supports IL2, IL4, and IL5 workloads — exceeding CMMC Level 2 requirements.

What This Means for You

✓ Your compliance data is treated like federal data

SSPs, POA&Ms, evidence files, AI assessments, and control mappings are stored with the same protections the government uses for its own sensitive data.

✓ You practice what you preach

When your C3PAO auditor asks where your compliance tool stores data, the answer is "Azure Government Cloud — FedRAMP High." That speaks volumes.

✓ No data sovereignty questions

Your data never touches commercial cloud or leaves U.S. sovereign soil. No overseas replication, no shared infrastructure with consumer workloads.

✓ AI processing stays sovereign too

Dakeeko's AI Assessor runs on Azure OpenAI within Azure Government — your documents are analyzed by AI that never leaves the government boundary.

How We Compare

Most CMMC platforms run on commercial cloud. We're built different.

Security Feature | Dakeeko | Typical GRC Tool
Cloud Infrastructure | Azure Government | AWS / Azure Commercial
FedRAMP Authorization | ✓ High (421 controls) | None or Moderate
CUI Authorized | ✓ Yes | ✗ No
ITAR Compliant | ✓ Yes | ✗ No
Data Residency | U.S. Gov Only | Multi-region / Global
Screened US Personnel | ✓ Yes | ✗ No
DoD IL2/IL4/IL5 | ✓ Yes | ✗ No
AI Processing Location | Azure Gov (Sovereign) | Commercial / Unknown

Ready to See Federal-Grade Compliance?

Start your free trial and run a full CMMC gap assessment in minutes — on infrastructure you can actually trust with CUI.

Simple, Affordable CMMC Compliance

One platform. One price. Complete Level 1 & Level 2 compliance.

Have questions about your compliance needs?

Schedule a Free Consultation →
🛡️ Complete L1 & L2 Coverage

Dakeeko CMMC Platform

Everything you need for CMMC certification

$129/month

Billed annually

Includes 2 user accounts & 1 additional company

  • Complete Level 1 & Level 2 compliance tools
  • All 110 NIST 800-171 controls + 17 FAR controls
  • 320 assessment objectives
  • Auto-verify up to 95+ controls with GCC High
  • SSP & POA&M document generators
  • SPRS score calculator
  • ✨ AI Assessor + Auto POA&Ms
  • Asset inventory tracking
  • Evidence repository
  • Real-time team collaboration
  • ☁️ GCC High integration support
Start Free Trial →

✓ No credit card required • ✓ 5-day trial

Azure Government Cloud
✓ FedRAMP High ✓ CUI Authorized ✓ US Data Only

📈 Need More? Simple Add-on Pricing

Scale as you grow with transparent per-client and per-user pricing.

Additional Client

+$49 /mo

Per client organization
Separate workspace & controls

Additional User

+$12 /mo

Per team member
Full platform access

Premium
🏷️

White Label

Custom Domain + Your Brand

For MSSPs / C3PAOs
View Partner Program →

🤔 Which level do my clients need?

Level 1 is for contractors handling Federal Contract Information (FCI) only.
Level 2 is required if you handle Controlled Unclassified Information (CUI).

Good news: Our $129/mo plan includes both levels!

🚀 Why Choose Dakeeko?

☁️

GCC High Integration

Connect your GCC High tenant to auto-verify 95+ controls. Our platform integrates securely without storing sensitive data.

Auto-Verify Up to 95+ Controls

30+ with basic integrations, 95+ with GCC High — fully automated compliance.

MSP Multi-Tenant

Manage all your clients from one dashboard with seamless switching.

❓ Frequently Asked Questions

Is my data safe?

Absolutely. Dakeeko is hosted on Azure Government Cloud — FedRAMP High authorized, US sovereign data centers. We only store compliance status data (met/not met booleans), never CUI, configurations, or credentials. See our Security Architecture →

Do I need GCC High to use Dakeeko?

No. Dakeeko works fully without GCC High — you can manually assess all 110 controls, use the AI Assessor, upload evidence, and generate documentation. GCC High integration is an optional add-on that auto-verifies up to 95+ controls for you.

What's the difference between Level 1 and Level 2?

Level 1 covers 15 basic safeguarding requirements for Federal Contract Information (FCI). Level 2 covers all 110 NIST 800-171 controls and is required if you handle Controlled Unclassified Information (CUI). Dakeeko includes both levels in every plan.

What happens after my free trial ends?

After your 5-day trial, you'll need to subscribe to keep access. All your data, assessments, and documentation are preserved — nothing is lost. You can pick up right where you left off.

Can I cancel anytime?

Yes. There are no long-term contracts or cancellation fees. You can cancel your subscription at any time from your account settings.

Can I manage multiple clients?

Yes. The first 2 client organizations are included in your base plan. Add more for $49/mo each — every client gets their own isolated workspace with separate controls, evidence, documentation, and team members. Perfect for MSPs and consultants. See our Consultant Program →

Does Dakeeko replace a C3PAO assessment?

No. Dakeeko prepares you for your C3PAO assessment — it doesn't replace it. Think of it as your preparation and readiness platform. Our AI identifies gaps, generates the documentation assessors expect, and helps you track remediation so you walk into your official assessment confident and organized.

✨ AI-Powered Compliance

The AI Gap Assessment
That Changes Everything.

One click. All 110 NIST 800-171 controls analyzed. Every gap identified. Complete remediation plan generated — with POA&Ms, timelines, and prioritization by SPRS impact. What used to take weeks of manual work now takes seconds.

How It Works

From documentation to full assessment in 5 steps

1. Document Your Controls

Add "How We Comply" notes to your controls describing your organization's current security implementations, and upload evidence files (policies, screenshots, configurations, PDFs) for AI review. You can type notes manually, import from a spreadsheet, or use AI to help draft implementation statements.

2. Click "Run AI Assessor"

One button launches the assessment across all documented controls. The AI evaluates each control individually using CMMC assessment methodology — the same logic a C3PAO assessor would use — analyzing your documentation against NIST 800-171 requirements.

3. Review Detailed Results

Every control gets a detailed assessment with: status determination (Met / Partially Met / Not Met), confidence level, reasoning explaining the determination, identified gaps, and actionable suggestions for remediation.

4. Apply Results & Auto-Generate POA&Ms

Accept the AI's findings with one click. Control statuses update automatically. For every control marked "Not Met," a POA&M is created instantly with the gap description, remediation steps, and recommended timeline — ready for your assessor.

5. Export & Repeat

Generate a comprehensive PDF assessment report to share with leadership, your C3PAO, or your CMMC consultant. As you remediate gaps, re-run the assessment anytime to track improvement — unlimited runs included.

AI scanning uploaded evidence documents for compliance assessment

The AI scans your uploaded evidence documents — policies, screenshots, configurations — and evaluates them against NIST 800-171 requirements

See What AI Assessment Results Look Like

Every control gets a detailed assessment — here are the three possible outcomes

✓ Implemented

Control fully meets requirements. AI provides detailed reasoning and improvement suggestions.

AI assessment result showing Implemented status with high confidence
~ Partially Met

Gaps identified with specific remediation suggestions to reach full compliance.

AI assessment result showing Partially Met status with identified gaps
✗ Not Met

Critical gaps highlighted. POA&M with remediation plan auto-generated on apply.

AI assessment result showing Not Met status with gaps and POA&M auto-generation

What the AI Evaluates

Trained on CMMC assessment methodology with deep knowledge of NIST 800-171

Implementation Completeness

Does your documentation address all aspects of the control requirement? The AI analyzes your "How We Comply" notes and uploaded evidence files — policies, screenshots, configurations — against the full control description and assessment objectives.

Assessment Objective Alignment

Each NIST 800-171 control has specific assessment objectives (320 total). The AI evaluates whether your implementation evidence satisfies each objective for the control.

⚠️

Gap Identification

The AI specifically identifies what's missing — not just "you're not compliant" but exactly which aspects of the requirement your documentation doesn't address, so you know precisely what to fix.

Actionable Suggestions

Beyond identifying problems, the AI suggests specific remediation steps — what to implement, what to document, and how to strengthen your compliance posture for each control.

Confidence Scoring

Every determination comes with a confidence level (High, Medium, Low) so you know which assessments are solid and which might need human review. Full transparency, no black boxes.

Automatic POA&M Creation

Controls determined "Not Met" automatically get a POA&M generated with the identified weakness, remediation milestones, and realistic timelines based on implementation complexity.

Frequently Asked Questions

How accurate is the AI assessment?

The AI is trained on CMMC assessment methodology and NIST 800-171 control requirements. It provides high-quality preliminary assessments with confidence scoring. We recommend treating it as an expert first pass — review the results and make final determinations with your team. The AI is a force multiplier, not a replacement for human judgment.

Is my compliance data sent to third parties?

Your control documentation is processed through our secure AI pipeline and is not stored by the AI model, shared with third parties, or used for training. We take data security seriously — we're a CMMC compliance company, after all.

Can I re-run the assessment after making changes?

Yes — unlimited times. Run a full assessment, remediate the gaps, update your documentation, and re-run to verify improvement. You can also re-review individual controls for a deeper analysis. This iterative approach is how real compliance maturity works.

Does this replace a C3PAO assessment?

No — and it's not meant to. Our AI Assessor is a pre-assessment readiness tool that helps you identify and fix gaps before your official C3PAO assessment. Think of it as your compliance dress rehearsal. Organizations that go into a C3PAO assessment prepared pass faster and with fewer findings.

Do I need to document every control before running it?

No. The AI assesses whichever controls have documentation. You can document a few controls and run a partial assessment, or document all 110 and run a full assessment. Start wherever you are — the AI meets you there.

Is the AI Assessor included in the $129/mo plan?

Yes — fully included with unlimited assessments. No per-run fees, no token limits, no upsells. Every Dakeeko subscription includes the complete AI assessment engine.

Ready to See Where You Stand?

Start your free trial, add your compliance documentation, and run your first AI assessment in minutes. No credit card required.

🀝 Partner Program

White Label Dakeeko
Under Your Brand

Offer your clients a fully branded CMMC compliance platform β€” your logo, your colors, your domain. Powered by Dakeeko's AI assessment engine and hosted on Azure Government Cloud.

Built for Compliance Consultants & MSPs

You already advise defense contractors on CMMC. Now give them a platform with your name on it.

🏒

Compliance Consultants

Offer a branded compliance portal to your clients. Manage assessments, documentation, and remediation across your entire client base from one dashboard.

πŸ›‘οΈ

Managed Service Providers

Add CMMC compliance as a service offering. Your clients see your brand β€” not ours. Increase contract value with a turnkey compliance solution.

📋 RPOs & C3PAOs

Provide your assessed organizations a branded platform to track their compliance posture. Streamline pre-assessment workflows and evidence collection.

What's Included

Everything you need to run a branded compliance practice.

✓ Your Brand, Everywhere

Custom logo, colors, and company name throughout the platform

✓ Custom Domain

compliance.yourcompany.com with managed SSL certificate

✓ AI Assessment Engine

Full AI-powered assessor, document review, and auto-generated POA&Ms

✓ Multi-Client Dashboard

Manage all client organizations from a single partner view

✓ GCC High Integration

Auto-verify 95+ controls across all client tenants

✓ Azure Government Cloud

FedRAMP High authorized infrastructure — US sovereign data centers

Partner Pricing

Simple, transparent pricing. Scale as your practice grows.

White Label + Custom Domain
$299/mo

Billed annually

First 2 client organizations included

✓ Custom branding (logo, colors, name)
✓ Your own custom domain + SSL
✓ All 110 NIST 800-171 controls
✓ AI Assessor + Auto POA&Ms
✓ SSP & SPRS score generators
✓ Evidence repository & AI linking
✓ GCC High integration support

Additional Client Organizations

Each with their own workspace, controls, evidence & team

+$49/mo each

Get Started in 3 Steps

1. Schedule a Partner Call

We'll walk through the platform, discuss your practice, and configure your branding. The entire onboarding process takes less than a week.

2. We Configure Your Portal

Send us your logo, brand colors, and custom domain. We'll set up your white-label instance with managed SSL — ready to show your clients.

3. Start Onboarding Clients

Add client organizations, run AI assessments, and deliver compliance services under your brand. Add new clients anytime for $49/mo each.


No commitment required. Let's see if it's a fit.

Contact Us

Have questions about CMMC compliance? We're here to help you succeed.


🛡️ CMMC Education Center

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for ensuring that defense contractors adequately protect sensitive information. Here's everything you need to know.

300K+ Companies Affected
3 Levels of Certification
110 Controls (Level 2)
2025 Final Rule Effective

📋 The Basics

CMMC stands for Cybersecurity Maturity Model Certification. It's a verification framework created by the U.S. Department of Defense (DoD) to ensure that companies working in the defense supply chain meet specific cybersecurity standards before handling sensitive government information.

Before CMMC, contractors simply self-attested that they met security requirements under DFARS 252.204-7012. There was no third-party verification. CMMC changes that — it requires independent assessments for most organizations handling Controlled Unclassified Information (CUI).

The CMMC final rule (32 CFR Part 170) was published in October 2024 and became effective December 16, 2024. The companion DFARS rule (48 CFR) is expected to begin appearing in DoD contracts via a phased rollout starting in 2025.

🏢 Who Needs CMMC?

If your company holds or processes Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a DoD contract, you will need some level of CMMC certification. This applies to:

🔧 Prime Contractors

Companies that contract directly with the DoD

🔗 Subcontractors

Any tier in the supply chain that touches CUI or FCI

💻 IT / MSP Providers

Managed service providers supporting defense contractors

🏭 Manufacturers & Suppliers

Parts, materials, or engineering firms in the defense industrial base

📊 The 3 CMMC Levels

Level 1 — Foundational

Self-Assessment • 15 Practices • FCI Only

Level 1 covers basic cyber hygiene for companies handling Federal Contract Information (FCI) only — not CUI. It requires 15 practices from FAR 52.204-21, things like using antivirus, limiting access, and basic password management. Assessment is a self-assessment, affirmed annually by a senior company official.

Self-Assessment • Annual Affirmation • FAR 52.204-21

Level 2 — Advanced

C3PAO Assessment • 110 Controls • CUI

Level 2 is where most defense contractors will land. It requires implementation of all 110 security controls from NIST SP 800-171 Rev 2, covering 14 control families. For contracts involving critical CUI, a third-party assessment by a C3PAO (Certified Third-Party Assessor Organization) is required, with triennial reassessments and annual affirmations.

Some Level 2 contracts may allow self-assessment (for non-critical CUI), but most are expected to require third-party assessment.

NIST 800-171 • C3PAO Assessment • Triennial • 320 Objectives

Level 3 — Expert

Government-Led • NIST 800-172 • APT Defense

Level 3 is for organizations working on the most sensitive DoD programs. It adds 24+ additional enhanced security requirements from NIST SP 800-172, focused on protecting against Advanced Persistent Threats (APTs). Assessment is performed by the government (DIBCAC), not a C3PAO. Very few contractors will need Level 3.

NIST 800-172 • DIBCAC Assessment • APT Focused

📖 Key Terms You'll Hear

CUI — Controlled Unclassified Information

Sensitive government information that isn't classified but still requires safeguarding. Think technical drawings, test data, personnel info, export-controlled data. CUI is defined by the National Archives (ISOO) and marked in contracts.

FCI — Federal Contract Information

Information provided by or generated for the government under a contract, not intended for public release. FCI has fewer protection requirements than CUI (Level 1 vs Level 2).

C3PAO — Certified Third-Party Assessor Organization

The independent organizations authorized by the CMMC Accreditation Body (Cyber AB) to conduct Level 2 assessments. They send certified assessors to evaluate your implementation of the 110 controls.

SSP — System Security Plan

Your master document describing how your organization meets each of the 110 NIST 800-171 controls. This is the first thing an assessor reviews. A strong SSP is the single most important CMMC artifact.

POA&M — Plan of Action and Milestones

A document listing controls you haven't fully met yet, along with your plan and timeline to fix them. Under CMMC, limited POA&Ms are allowed — but NOT MET controls with high point values may be disqualifying.

SPRS Score

Your Supplier Performance Risk System score, ranging from -203 to 110 points. Calculated based on which of the 110 controls you've implemented (each has a 1, 3, or 5 point value). You're already required to submit this score today under DFARS 7019/7020.

NIST SP 800-171

The National Institute of Standards and Technology publication that defines the 110 security controls for protecting CUI in non-federal systems. CMMC Level 2 is a direct implementation verification of 800-171 Rev 2.

Scoping — CUI Boundary

The systems, people, and facilities that process, store, or transmit CUI. Defining your CUI boundary is one of the first and most critical steps — it determines what's in scope for your assessment.

🏛️ The 14 Control Families

NIST 800-171's 110 controls are organized into 14 families. Here's what each one covers:

3.1 Access Control — 22 controls. Who can access what, and how.
3.2 Awareness & Training — 3 controls. Security training for your team.
3.3 Audit & Accountability — 9 controls. Logging and monitoring activity.
3.4 Configuration Management — 9 controls. System baselines and change control.
3.5 Identification & Authentication — 11 controls. Verifying user identities, MFA.
3.6 Incident Response — 3 controls. Detecting, reporting, and handling incidents.
3.7 Maintenance — 6 controls. Secure system maintenance practices.
3.8 Media Protection — 9 controls. Protecting and sanitizing CUI on media.
3.9 Personnel Security — 2 controls. Screening and access for personnel.
3.10 Physical Protection — 6 controls. Securing facilities and hardware.
3.11 Risk Assessment — 3 controls. Identifying and managing risks.
3.12 Security Assessment — 4 controls. Evaluating control effectiveness.
3.13 System & Communications Protection — 16 controls. Encryption, network isolation.
3.14 System & Information Integrity — 7 controls. Patching, malware, and monitoring.

🔍 What a C3PAO Assessor Actually Looks For

A CMMC Level 2 assessment isn't a simple checkbox exercise. Assessors use the CMMC Assessment Guide, which breaks each control into individual assessment objectives — 320 total across the 110 controls. For each objective, they look for three things:

📄 Examine

Review documentation — policies, procedures, SSP, configurations, screenshots, and evidence artifacts.

💬 Interview

Talk to personnel responsible for implementation to confirm they understand and follow the documented practices.

🖥️ Test

Verify the control is actually working as described — inspect live systems, check configurations, validate technical implementation.

Pro tip: The best way to prepare is to write your SSP as if the assessor is reading it. For each control, document what you do, how you do it, and what evidence proves it. If you can satisfy Examine + Interview + Test before the assessor arrives, you're in great shape.

📅 CMMC Timeline

COMPLETED — Nov 2021
CMMC 2.0 Announced

Streamlined from 5 levels to 3. Aligned Level 2 with NIST 800-171.

COMPLETED — Oct 2024
Final Rule Published (32 CFR Part 170)

CMMC program codified in federal regulation. Defines assessment requirements.

COMPLETED — Dec 16, 2024
32 CFR Effective Date

CMMC program officially in effect. C3PAOs can begin conducting assessments.

IN PROGRESS — 2025
48 CFR DFARS Rule (Contract Requirements)

The companion rule that actually places CMMC requirements in DoD contracts. Expected to roll out in phases.

PHASE 1 — Early 2025+
Level 1 & Level 2 Self-Assessments in Contracts

DoD begins including CMMC Level 1 and Level 2 self-assessment requirements in new contracts and option exercises.

PHASE 2 — ~1 Year Later
Level 2 C3PAO Assessments Required

Contracts begin requiring third-party (C3PAO) assessments for Level 2 certification on contracts involving critical CUI.

PHASE 3–4 — Years 2–3+
Full Rollout Including Level 3

CMMC requirements expand to all applicable DoD contracts. Level 3 (DIBCAC) assessments begin for the most sensitive programs.

❌ Common Misconceptions

✗ "We're too small for CMMC"

Size doesn't matter — if you handle CUI or FCI on a DoD contract, you need CMMC. Even a 5-person machine shop making parts for a defense prime needs at least Level 1, and likely Level 2 if CUI is involved.

✗ "We just need to buy the right tools and we'll be compliant"

Tools are important, but CMMC is about proving that you've implemented practices — policies, procedures, training, and evidence. You can have the best firewall in the world, but if you can't document how it's configured and why, it doesn't count.

✗ "CMMC got delayed again, so we don't need to worry yet"

The 32 CFR final rule is already in effect. C3PAOs are authorized and conducting assessments now. Even before CMMC appears in your contract, DFARS 7012/7019/7020 already require you to implement NIST 800-171 and report your SPRS score. Primes are also increasingly requiring it of their subs.

✗ "Our IT provider handles security, so we're covered"

Your MSP might manage your infrastructure, but you are responsible for your CMMC certification. You need to understand your CUI boundary, document your security practices, and own the assessment process. Your MSP is a partner, not a substitute.

✗ "We can get certified in a few weeks"

Most organizations need 6–18 months to go from starting their compliance journey to being assessment-ready, depending on their starting point. Dakeeko dramatically accelerates this, but implementing real security practices still takes focused effort.

🚀 Getting Started with CMMC

1. Define your CUI boundary

Identify what CUI you handle, where it flows, and which systems, people, and facilities are in scope. This is the foundation everything else builds on.

2. Conduct a gap assessment

Evaluate your current security posture against NIST 800-171's 110 controls. Dakeeko's AI assessor can do this in minutes instead of weeks.

3. Remediate gaps and build documentation

Implement missing controls, create policies and procedures, and build your SSP. Create POA&Ms for anything you can't fix immediately.

4. Collect and organize evidence

Gather screenshots, configuration exports, policy documents, training records, and other artifacts that prove each control is implemented.

5. Submit your SPRS score and prepare for assessment

Upload your SPRS score to the DoD portal and engage a C3PAO when you're ready, or affirm your self-assessment for Level 1.

Ready to Start Your CMMC Journey?

Dakeeko makes CMMC compliance achievable for organizations of any size. Try it free — no credit card required.
