Microsoft 365 evidence mapping, guided CMMC implementation, and assessor-ready documentation
Launch CMMC faster with Dakeeko—
Follow guided screens that show what to configure and what evidence to save. Map Microsoft 365 evidence to NIST 800-171 controls without turning it into a black box. Preview and generate POA&Ms from incomplete controls in one click.

Consultant mode

Isolated workspaces per client—run CMMC for multiple organizations from one partner account. Connect Microsoft 365 commercial or GCC High where client tenants support it.

Company mode

Your own org, roles, and evidence when you manage CMMC in-house—including Microsoft 365 integrations for commercial and Government environments.

Dakeeko gives teams a Microsoft 365 compliance workspace for CMMC Level 2. Connect Microsoft 365, review configuration signals, follow plain-English implementation guidance, collect assessor-ready evidence, and preview POA&Ms before anything is created. Available for both consultant and company modes.

Launch app · Start a trial and open the Microsoft 365 workspace on day one

Azure Government Cloud
Built on FedRAMP-authorized Azure services
US Sovereign Data Centers
Consultant & company modes Multi-client (consultant) AI gap & POA&M engine CMMC L1 & L2 · SPRS GCC High · Azure Government
Watch the demo

See Dakeeko in action

Consultant mode and company mode in the product—play inline or open on YouTube.

Use company mode for your own organization, or consultant mode when you manage multiple client tenants.

Built for:
Company mode · primes & subs In-house IT & compliance teams CMMC consultants & RPOs MSSPs & MSPs C3PAOs & assessment firms

Partners run client programs in Consultant mode; contractors run their own in Company mode—same AI engine, controls, and Azure Gov backbone.

110
NIST 800-171
Controls
320
Assessment
Objectives
95+
M365-Addressable
Controls
60s
AI Assessment
Time
Application data hosted in Azure Government | Uses applicable FedRAMP-authorized cloud services | Azure Government Cloud
Government-Grade Security

Your Compliance Data Deserves
Federal-Level Protection

Dakeeko runs on Microsoft Azure Government and uses applicable FedRAMP-authorized cloud services. Keep CUI in systems approved by your organization unless your agreement and configured Dakeeko environment explicitly permit its storage.

Azure Government Hosting

Built with applicable Microsoft Azure Government services that are within Microsoft's FedRAMP authorization scope. Dakeeko does not represent that hosting alone authorizes a customer's environment.

US Sovereign Data Centers

Dakeeko application data is hosted in Azure Government regions. Customers should keep CUI in their own authorized tenant, repository, or enclave and reference it from Dakeeko when needed.

Designed Around Your CUI Boundary

Manage CMMC workflows without uploading CUI. Store CUI, ITAR, and export-controlled materials in your authorized environment; use Dakeeko for control status, POA&Ms, SSP drafts, and evidence references.

Security Responsibilities at a Glance

A clear view of what Dakeeko provides and what remains the customer's responsibility.

Security Feature Dakeeko Customer Responsibility
Cloud Infrastructure Azure Government Define the authorized system boundary
Cloud Authorization Scope Applicable Azure services Validate services and configuration
CUI Upload Required No Keep CUI in approved systems
Data Residency U.S. Gov Only Confirm contractual requirements
Evidence Handling Documents and references Classify content before upload
CUI Boundary Support References only Approve repositories and access

Want to see Dakeeko in action?

Schedule a consultation to see how Dakeeko fits your compliance workflow.

Schedule a Demo →
AI-Assisted Readiness Review

Turn Your Existing Work Into a Clearer CMMC Plan

Dakeeko reviews the notes and evidence you provide, suggests objective-level findings, identifies likely gaps, and drafts remediation actions for human review. You remain responsible for validating every result.

Objective-Level Review
Review notes and linked evidence
Draft POA&Ms
Preview before creating records
Human Validation
Accept, revise, or reject findings
PDF Reports
Share with stakeholders
Get Started →

Spend Less Time Organizing Evidence and Drafting Next Steps

Dakeeko helps your team structure the work while keeping compliance decisions in human hands.

Manual Process
2-4 weeks
to complete an assessment
High outside consulting costs
often quoted separately from your tools
Days of manual POA&M writing
for each unmet control
Weeks of back-and-forth
for remediation planning
Start over from scratch
for every reassessment
VS
With Dakeeko AI
Focused readiness review
based on the content you provide
Built into the workspace
run assessments as you prepare
POA&M drafts previewed
before records are created
AI-prioritized by SPRS impact
fix what matters most first
Re-run anytime, unlimited
track progress as you remediate

Use AI to organize the work, then apply your team's judgment before anything becomes part of the compliance record.

Learn More About AI-Assisted Review →

Everything You Need to Prove CMMC Compliance

Readiness tools built specifically for defense contractors preparing for CMMC Level 1 and Level 2 requirements

Game Changer

AI-Assisted Readiness Review HUMAN REVIEW

Turn evidence and implementation notes into structured next steps. Dakeeko suggests objective findings, gaps, POA&M drafts, and priorities for your team to review. It supports readiness work; it does not certify compliance or replace an assessor.

What the AI Assessor Does:

  • Scans notes and uploaded evidence (PDFs, policies, screenshots)
  • Drafts POA&Ms for review before creation
  • Suggests timelines based on remediation complexity
  • Prioritizes gaps by SPRS score impact
  • Generates downloadable PDF assessment reports

Prove Control Implementation

Track all 110 NIST SP 800-171 requirements and 320 assessment objectives in one control workspace. Link policies, screenshots, notes, assets, and other evidence, then record each control as Met, Partial, Not Met, or N/A with an auditable rationale.

Generate Living SSP Drafts

Build a System Security Plan draft from your current company profile, system boundary, assets, policies, and control implementation statements. Review and approve the document before using it with customers or assessors.

Audit-Defensible POA&M Management

Create, track, and manage Plan of Action & Milestones for controls that aren't fully implemented. Set priorities, assign owners, and document remediation timelines that satisfy assessor requirements.

SPRS Score Calculator AUTO

Know where you stand. Maintain a working SPRS score estimate based on recorded implementation statuses. Use the official DoW assessment methodology and SPRS submission process for contractual reporting.

Asset Inventory

Maintain a comprehensive inventory of your IT assets, software, and hardware. Organize by asset type and track everything in one centralized location.

Evidence Repository

Store and organize compliance documentation, policies, and evidence in one secure location. Everything you need for your CMMC audit, ready when you need it.

Team Collaboration ROLE BASED

Keep the work accountable. Invite members, assign roles and tasks, add control comments, record activity, and keep evidence and remediation work connected to the correct workspace.

Consultant Portfolio & Client Workspaces

Give each client an isolated compliance workspace and use the consultant portfolio dashboard to compare readiness, open POA&Ms, overdue tasks, and recent activity across the clients you manage.

AI Structured Around CMMC Requirements HUMAN REVIEW

You stay in control while AI accelerates the drafting work. Generate implementation-statement suggestions, interpret assessment objectives, and preview remediation actions while preserving human approval for every compliance decision.

Security Tool Integrations AUTOMATE

Connect supported security platforms and review what their configuration can demonstrate. Microsoft 365 commercial and GCC High integrations map selected identity, access, device, and audit signals to relevant requirements. A read-only Palo Alto pilot supports SCM Pro and Cortex data. Findings remain subject to human review, and planned connectors are labeled separately.

Connects With Your Security Stack

Automate evidence collection and control verification by connecting your existing tools

Microsoft 365
Endpoint/MDM
Training
Vuln Scanner
SIEM
Ticketing
Backup
95+
M365 Evidence-Mapped Controls
8
Integration Categories
86%
Potential Evidence Coverage
View All Integrations →

Ready to Simplify Your Compliance?

Join defense contractors who trust Dakeeko to manage their CMMC journey

Automate Your Compliance

Powerful Integrations for
Automated Compliance

Connect supported platforms for read-only findings and asset import. Pilot and roadmap connectors are clearly labeled.

30+
Evidence Signals (Basic)
95+
M365-Addressable Controls
86%
Potential Evidence Coverage
Real-Time
Compliance Sync

Connect Your Security Stack

Read-only evidence signals and guided setup for supported platforms

Available

Microsoft GCC High

Microsoft 365 Evidence Mapping + Guided Execution

For organizations using Microsoft 365 GCC High, Dakeeko collects selected read-only configuration signals, maps them to relevant CMMC requirements, and explains what the signal supports and what documentation is still needed. Users review findings before applying statuses or creating POA&Ms.

Covers All Control Families
Access Control (22) Identification & Auth (11) System & Comms (16) Audit & Accountability (9) Config Management (9) + 9 More Families
95+ Microsoft-addressable controls
Evidence mapping with human review before status changes
Live

Microsoft 365 / Entra ID

Identity & Access Management

Connect a supported Microsoft 365 tenant to review MFA enrollment, Conditional Access policies, privileged roles, audit visibility, and selected user/device inventory. Choose which discovered assets to import into the workspace.

Checks Evidence From
MFA Enforcement Conditional Access User Roles Audit Logs
Mapped findings presented for human validation
Live

Microsoft Intune Assets

Selective User and Device Import

Review discovered Microsoft users and managed devices, select the records that belong in the CMMC boundary, and import them into the asset inventory with user-to-device mappings.

Available Source
Microsoft Intune
Scope-aware import with duplicate protection
Pilot

Palo Alto Networks

Read-Only Network and Endpoint Signals

Connect supported Strata Cloud Manager Pro and Cortex environments with read-only credentials. Dakeeko normalizes selected security metadata and maps findings to relevant NIST SP 800-171 requirements for review.

Pilot Sources
SCM Pro Cortex
Read-only pilot with in-app setup guidance
Roadmap

Vulnerability Scanner

Continuous Security Assessment

Planned support for importing vulnerability findings, risk context, and remediation status into evidence and POA&M workflows.

Supported Platforms
Nessus (Planned) Qualys (Coming Soon) Rapid7 (Coming Soon)
Vulnerability evidence mapped to relevant controls
Roadmap

Backup & Recovery

Data Protection & Recovery

Planned support for bringing backup policy, encryption, job status, and recovery evidence into the compliance workspace.

Supported Platforms
Veeam (Planned) Commvault (Coming Soon) Rubrik (Coming Soon)
Backup evidence mapped to relevant controls
Roadmap

Ticketing System

Incident & Change Management

Planned synchronization of remediation tasks, incidents, and change records with external PSA and ticketing platforms.

Supported Platforms
Jira (Planned) ServiceNow (Coming Soon) ConnectWise (Coming Soon)
Ticket evidence mapped to relevant controls
Roadmap

SIEM

Security Information & Event Management

Planned support for selected logging, alerting, and incident-detection evidence from SIEM platforms.

Supported Platforms
Microsoft Sentinel (Planned) Splunk (Coming Soon) Elastic (Coming Soon)
SIEM evidence mapped to relevant controls
Data-Minimized Integration Design

Keep CUI in Your Approved Environment

See what the Microsoft integration reads, what users may choose to import, and what Dakeeko retains

Collect the Evidence You Need Without Expanding the CUI Boundary

Dakeeko stores compliance records and the evidence users choose to upload. CUI upload is not required. Integration secrets are handled separately from evidence, and read-only integrations retain only the data needed to support mapped findings.

How Data Flows - And Where It Stays

Your GCC High Tenant

CUI and source configurations
REMAIN CUSTOMER CONTROLLED

Graph API
(Read-Only)

Your Browser

Short-lived token + API responses
PROCESSED IN SESSION

Selected
Results

Dakeeko

Mapped findings + approved imports
WORKSPACE RECORDS

Customer-Controlled App Registration

You create the Azure AD App Registration in YOUR tenant. You control all permissions. You can revoke access instantly - Dakeeko never has admin access to your environment.

Client-Side OAuth Authentication

The current Microsoft connection uses a short-lived access token in the browser session. Dakeeko does not display that token as evidence or require a standing Microsoft administrator password.

Read-Only Permissions

We only request read permissions: User.Read.All, AuditLog.Read.All, Policy.Read.All, Directory.Read.All. We cannot modify anything in your tenant.

Browser-Based Processing

The browser calls Microsoft Graph and converts selected responses into mapped findings. Raw responses are not retained as evidence; only mapped results and user-approved asset imports are written to the workspace.

Full Auditability

Every Graph API call is logged in your Azure AD audit logs. You can see exactly what data was accessed, when, and by whom - complete transparency.

Instant Revocation

Delete the App Registration in Azure AD and access is immediately revoked. No persistent credentials, no service accounts, no backdoors - you're always in control.

What the Workspace Stores

Control compliance status (met, partial, not_met)
Timestamp of last verification
Integration connection state (connected/disconnected)
Organization metadata you provide
Notes, policies, and evidence documents users intentionally upload
Mapped findings and selected user/device assets approved for import

What the Microsoft Sync Does Not Retain

OAuth access tokens or credentials
Unselected directory users or devices as workspace assets
Raw Microsoft Graph response payloads as evidence
Complete tenant policy exports or security configurations
CUI or encryption keys retrieved from Microsoft Graph
Unapproved Intune inventory records

Example: How MFA Verification Works

// 1. Browser calls Microsoft Graph directly with YOUR token
const response = await fetch('https://graph.microsoft.us/v1.0/policies/conditionalAccessPolicies', {
headers: { 'Authorization': `Bearer ${customerToken}` } // Token stays in browser
});
// 2. Browser checks if MFA is enforced
const mfaEnforced = policies.some(p => p.state === 'enabled' && p.grantControls?.builtInControls?.includes('mfa'));
// 3. Store the mapped finding and supporting summary, not the raw policy export
await saveMappedFinding({ control: '3.5.3', signal: mfaEnforced, reviewRequired: true });
// 4. Present the finding to a user before applying a control status

This architecture reduces unnecessary data collection: read-only integrations return selected compliance signals, credentials are not displayed as evidence, and customers decide which non-CUI documents or references belong in the workspace.

Hosted on Azure Government Cloud
Azure Government hosting · Applicable FedRAMP-authorized services · Built for defense contractors

How Integrations Work

Three simple steps to automated compliance

1

Connect

Follow the in-app setup guide to authorize read-only access for a supported platform. Permissions remain visible and revocable by the customer.

2

Sync

Dakeeko retrieves selected read-only signals from supported platforms and maps them to relevant NIST SP 800-171 requirements.

3

Verify

Mapped findings are presented with their supporting context for human validation. Approved status changes update the workspace and SPRS estimate.

Ready to Automate Your Compliance?

Connect your first integration and start tracking compliance in minutes.

About Dakeeko

Dakeeko is a CMMC readiness and compliance-operations platform for defense contractors, MSPs, and consultants. It replaces disconnected spreadsheets and manual workflows with a shared system for assessment objectives, evidence, policies, SSP drafts, POA&Ms, assets, tasks, and client workspaces.

From your first self-assessment through preparation for a C3PAO engagement, Dakeeko helps organize controls, assessment objectives, evidence, documentation drafts, and remediation work. Final compliance determinations remain with your organization and its assessor.

110+
NIST 800-171 Controls
320
Assessment Objectives
95+
Microsoft-Addressable Controls

Built on Azure Government Cloud

Dakeeko is hosted in Microsoft Azure Government and uses applicable services within Microsoft's federal authorization scope. Azure Government provides U.S. government regions and additional personnel-screening assurances; customers remain responsible for validating their own architecture, configurations, agreements, and system boundary.

Azure Government CUI Boundary Friendly Azure Government No CUI Upload Required

What Makes Dakeeko Different

Most compliance tools are built for large enterprises with dedicated security teams. Dakeeko is built for the rest of the defense industrial base - small and mid-size contractors, IT service providers, and the consultants who support them.

AI-Powered Assessor

Our AI reviews selected documentation and evidence, suggests objective-level findings, identifies possible gaps, and drafts remediation actions for human review.

Microsoft 365 Workspace + Integrations

Connect Microsoft 365 commercial or GCC High to map selected tenant signals to relevant NIST SP 800-171 requirements, import approved assets, and review guided implementation steps for the remaining work.

Multi-Client Management

Consultants and MSPs can manage multiple client enclaves from a single account - each with its own controls, evidence, documentation, and team workspace.

Assessor-Grade Documentation

Generate complete SSPs, POA&Ms, and SPRS scores that meet assessor expectations. Every document is built from your actual control data - not generic templates.

Meet the Founder

Tim Cleland - Founder & CEO of Dakeeko
Founder & CEO

Tim Cleland

Cybersecurity & Compliance Expert

With over a decade of experience in government cybersecurity, I founded Dakeeko after seeing how defense contractors - especially small and mid-size companies - struggled to navigate CMMC without enterprise budgets. I've spent years working in federal compliance and understand what assessors actually look for. Dakeeko is built to make that expertise accessible to everyone in the defense industrial base, whether you're a solo contractor or an MSP managing dozens of clients.

10+ Years in Gov Cybersecurity Federal Compliance Expert Defense Industry Specialist

Our Mission

CMMC preparation should be understandable for organizations of every size. We build tools that help small internal teams and experienced consultants organize the same requirements, evidence, responsibilities, and remediation work without pretending software replaces qualified judgment.

Every feature in Dakeeko is designed around real-world assessment workflows. We don't just track controls - we help you understand what each one requires, document how you meet it, and prove it with evidence. You stay in control. We accelerate the work.

Security & Compliance

Built on Azure Government Cloud

Dakeeko runs in Microsoft Azure Government using applicable services within Microsoft's federal authorization scope. This gives defense-sector customers a government-cloud foundation while preserving the shared-responsibility model for application security, configuration, data handling, and CMMC compliance.

Federal Cloud Foundation

Uses applicable Azure Government services within Microsoft's authorization scope. Dakeeko does not claim that hosting alone certifies a customer environment.

US Sovereign Data

All data processed and stored in U.S. Government data centers operated by screened U.S. persons.

CUI Boundary Friendly

Built so teams can manage CMMC workflows while keeping CUI and export-controlled files in their authorized environment.

Government Cloud Foundation

Designed for defense contractor compliance workflows on Azure Government, with customer CUI kept outside the Dakeeko app.

What This Means for You

Your CUI stays in your authorized environment

Use Dakeeko for control status, POA&Ms, SSP drafts, AI assessments, and evidence references. Do not upload CUI; keep source files and controlled data in your approved tenant or repository.

You practice what you preach

When your C3PAO auditor asks where your compliance workflow data lives, the answer is Azure Government infrastructure, with CUI intentionally kept in your authorized environment.

A clearer data-residency story

Dakeeko application data is hosted in Azure Government. CUI remains in the customer-controlled systems your organization has already approved.

AI review is for non-CUI compliance content

Use AI Assessor for non-CUI notes, mappings, and evidence references. Do not submit CUI to AI Assessor.

Security Responsibilities at a Glance

Dakeeko provides a government-cloud foundation; customers still own scope, configuration, and data-handling decisions.

Security Feature Dakeeko Customer Responsibility
Cloud Infrastructure Azure Government Define the authorized boundary
Cloud Authorization Scope Applicable Azure services Validate selected services
CUI Storage Model No CUI storage required Classify content before upload
ITAR / Export-Controlled Files Keep in customer system Approve storage locations
Data Residency U.S. Gov Only Confirm contractual requirements
Hosting Personnel Assurance Azure Government commitments Validate operational roles
Defense Workload Foundation Azure Gov foundation Document shared responsibilities
AI Processing Location Azure Gov for non-CUI content Approve content submitted to AI

Ready to See Dakeeko in Your Workflow?

Run an AI-assisted readiness review while keeping CUI in your authorized environment and validating every suggested finding.

Clear Pricing, Flexible Where You Need It

Start with predictable platform pricing, then add client workspaces, partner services, or custom integrations as needed.

Have questions about your compliance needs?

Schedule a Consultation →
Complete L1 & L2 Coverage

Dakeeko CMMC Platform

One workspace for CMMC readiness and ongoing compliance operations

$200/month

Base Dakeeko subscription

Includes 5 users & 1 organization workspace

  • Level 1 & Level 2 readiness and compliance-management tools
  • All 110 NIST SP 800-171 requirements + 15 FAR safeguarding requirements
  • 320 assessment objectives
  • Microsoft 365 evidence mapping across relevant control families
  • Microsoft 365 workspace with guided steps and assessor evidence prompts
  • SSP & POA&M document generators
  • SPRS score calculator
  • AI-assisted review + POA&M drafts
  • Asset inventory tracking
  • Evidence repository
  • Real-time team collaboration
  • Microsoft 365 commercial and GCC High integration support
Start Dakeeko →

No credit card required

Azure Government Cloud
Federal cloud services CUI Boundary Friendly US Data Only

Scale for Clients, Partners, and Specialized Environments

Standard workspace pricing stays predictable. Services that require engineering or a custom delivery model receive a scoped quote.

Additional Client Workspace

$80 /month each

5 users per workspace
Separate controls, evidence, assets, and documentation

Partners & Enterprise

White Label

Scoped Quote

Volume pricing, reseller provisioning, white labeling, custom domains, onboarding, and support
View Partner Program →

Engineering Services

Custom Integrations

Scoped Quote

Pilot integrations, connector development, and ongoing support based on API availability, security requirements, complexity, and maintenance scope

Request an integration review →

Which level do my clients need?

Level 1 is for contractors handling Federal Contract Information (FCI) only.
Level 2 generally applies when an applicable contract requires protection of Controlled Unclassified Information (CUI) under NIST SP 800-171.

Good news: Dakeeko is built to support both levels.

Why Choose Dakeeko?

Microsoft 365 Guidance

Give teams a clear, screen-by-screen path for implementation with plain-English instructions and assessor-focused evidence prompts.

Mapped Findings + POA&M Preview

Map selected signals from supported tools, review what each finding supports, and preview proposed POA&Ms before creating records.

MSP Multi-Tenant

Manage all your clients from one dashboard with seamless switching.

Frequently Asked Questions

Is my data safe?

Dakeeko is hosted in Microsoft Azure Government using applicable services within Microsoft's federal authorization scope. It stores compliance records and evidence users intentionally add; uploading CUI is not required and customers should keep CUI in approved systems unless their agreement and configured environment explicitly permit otherwise. See our Security Architecture ->

Do I need GCC High to use Dakeeko?

No. Dakeeko works without GCC High: teams can review all 110 requirements and 320 assessment objectives, upload non-CUI evidence, manage POA&Ms, and generate documentation drafts. The GCC High integration adds selected read-only Microsoft findings and asset import, with results presented for human review.

What does the Microsoft 365 workspace do?

It brings Microsoft 365 connection, evidence mapping, implementation guidance, control status, and POA&M preview into one workspace. GCC High is supported for Government tenants, and commercial Microsoft 365 tenants can use the same guided flow where the available Microsoft data supports it.

What's the difference between Level 1 and Level 2?

Level 1 covers 15 basic safeguarding requirements for Federal Contract Information (FCI). Level 2 covers all 110 NIST SP 800-171 requirements and generally applies when an applicable contract requires protection of CUI. The solicitation or contract determines the required level and assessment type.

What's included?

After your 5-day trial, you'll need to subscribe to keep access. All your data, assessments, and documentation are preserved - nothing is lost. You can pick up right where you left off.

Can I cancel anytime?

Yes. There are no long-term contracts or cancellation fees. You can cancel your subscription at any time from your account settings.

Can I manage multiple clients?

Yes. Each client workspace gets its own isolated controls, evidence, documentation, and team members. Perfect for MSPs and consultants. See our Consultant Program →

Does Dakeeko replace a C3PAO assessment?

No. Dakeeko is a preparation and readiness platform. It helps organize potential gaps, evidence, implementation statements, documentation drafts, and remediation work, but a C3PAO performs its own assessment and makes independent determinations.

AI-Assisted Readiness

A Faster Way to Review
Your CMMC Evidence.

Review the implementation notes and evidence you provide against CMMC requirements and assessment objectives. Dakeeko suggests findings, identifies potential gaps, and drafts remediation actions for your team to validate before they become part of the compliance record.

How It Works

From documentation to a human-reviewed readiness record in 5 steps

1

Document Your Controls

Add "How We Comply" notes to your controls describing your organization's current security implementations, and attach non-CUI evidence references for AI review. You can type notes manually, import from a spreadsheet, or use AI to help draft implementation statements.

2

Run an AI-Assisted Review

Run a review across documented controls or focus on an individual control. Dakeeko compares the supplied content with NIST SP 800-171 requirements and CMMC assessment objectives, then returns suggested findings rather than a certification decision.

3

Review Detailed Results

Review the suggested finding (Met, Partial, or Not Met), confidence indicator, supporting rationale, identified gaps, and remediation suggestions. Trace each recommendation back to the content that was reviewed.

4

Validate Results and Preview POA&Ms

Accept, revise, or reject suggested findings. Preview proposed POA&M content for applicable gaps before creating any record, then assign ownership, milestones, and dates through the normal workflow.

5

Export & Repeat

Export a readiness report for internal review or collaboration with your consultant. As evidence and implementations change, run another review to compare progress while preserving human ownership of final determinations.

AI scanning uploaded evidence documents for compliance assessment

Dakeeko reviews selected non-CUI evidence and suggests how it may support relevant NIST SP 800-171 requirements

See What AI Assessment Results Look Like

Suggested outcomes are presented for review and do not replace an assessor's determination

Met

The supplied content appears to support the requirement; a reviewer confirms whether the evidence is sufficient.

AI assessment result showing Implemented status with high confidence
~ Partially Met

Some aspects appear supported while identified gaps still require evidence, implementation, or clarification.

AI assessment result showing Partially Met status with identified gaps
Not Met

The supplied content does not yet support the requirement; proposed POA&M content can be previewed and edited.

AI assessment result showing Not Met status with gaps and POA&M auto-generation

What the AI Evaluates

Structured around NIST SP 800-171 requirements and CMMC assessment objectives

Implementation Completeness

Does your documentation address all aspects of the control requirement? The AI analyzes your "How We Comply" notes and non-CUI evidence references against the full control description and assessment objectives.

Assessment Objective Alignment

The 110 NIST SP 800-171 requirements contain 320 CMMC assessment objectives. Dakeeko compares supplied content to each applicable objective and suggests an outcome for review.

Gap Identification

The AI specifically identifies what's missing - not just "you're not compliant" but exactly which aspects of the requirement your documentation doesn't address, so you know precisely what to fix.

Actionable Suggestions

Beyond identifying problems, the AI suggests specific remediation steps - what to implement, what to document, and how to strengthen your compliance posture for each control.

Confidence Scoring

Every determination comes with a confidence level (High, Medium, Low) so you know which assessments are solid and which might need human review. Full transparency, no black boxes.

POA&M Drafting

For applicable gaps, Dakeeko proposes a weakness description, remediation steps, milestones, and a target timeline. Users preview and approve the record before creation.

Frequently Asked Questions

How accurate is the AI assessment?

Output quality depends on the completeness and accuracy of the submitted notes and evidence. Treat every result as a preliminary suggestion, review its rationale, and make final determinations with qualified personnel or your assessor.

Is my compliance data sent to third parties?

Selected content is processed through Dakeeko's configured Azure AI service under the service's applicable data-handling terms. Do not submit CUI unless your agreement and configured environment explicitly permit it. Dakeeko does not use customer prompts or outputs to train a public model.

Can I re-run the assessment after making changes?

Yes - unlimited times. Run a full assessment, remediate the gaps, update your documentation, and re-run to verify improvement. You can also re-review individual controls for a deeper analysis. This iterative approach is how real compliance maturity works.

Does this replace a C3PAO assessment?

No. The AI-assisted review is a pre-assessment readiness tool that helps organize possible gaps before an official assessment. A C3PAO makes its own determinations, and using Dakeeko does not guarantee certification or a particular assessment outcome.

Do I need to document every control before running it?

No. The AI assesses whichever controls have documentation. You can document a few controls and run a partial assessment, or document all 110 and run a full assessment. Start wherever you are - the AI meets you there.

Is the AI Assessor included?

Yes - fully included with unlimited assessments. No per-run fees, no token limits, no upsells. Every Dakeeko subscription includes the complete AI assessment engine.

Ready to See Where You Stand?

Add your compliance documentation and run your first assessment in minutes. No credit card required.

Partner Program

White Label Dakeeko
Under Your Brand

Offer your clients a fully branded CMMC compliance platform - your logo, your colors, your domain. Powered by Dakeeko's AI assessment engine and hosted on Azure Government Cloud. Small defense contractors can also use Dakeeko directly in company mode when they are running their own CMMC program.

Built for Consultants, MSSPs, C3PAOs & Small Businesses

Run CMMC for clients, prepare organizations for formal assessment, or manage your own internal CMMC program as a small defense contractor.

Compliance Consultants

Offer a branded compliance portal to your clients. Manage assessments, documentation, and remediation across your entire client base from one dashboard.

Managed Service Providers

Add CMMC compliance as a service offering. Your clients see your brand - not ours. Increase contract value with a turnkey compliance solution.

RPOs & C3PAOs

Provide your assessed organizations a branded platform to track their compliance posture. Streamline pre-assessment workflows and evidence collection.

Small Defense Contractors

Run your own CMMC program in company mode with Microsoft 365 guidance, evidence mapping, and assessor-ready documentation in one workspace.

What's Included

Everything you need to run a branded compliance practice.

Your Brand, Everywhere

Custom logo, colors, and company name throughout the platform

Custom Domain

compliance.yourcompany.com with managed SSL certificate

AI Assessment Engine

AI-assisted evidence review, objective findings, and POA&M drafts with human approval

Multi-Client Dashboard

Manage all client enclaves from a single partner view

Microsoft 365 Integrations

Map Microsoft 365 evidence across commercial and GCC High client tenants

Azure Government Cloud

Azure Government hosting using applicable federally authorized cloud services

Partner Engagement

Partner pricing is shared during onboarding based on enclaves, delivery model, and support scope.

Ready to structure your partner package?

Schedule a Partner Call →

Get Started in 3 Steps

1

Schedule a Partner Call

We'll walk through the platform, discuss your practice, and define branding, provisioning, support, and integration requirements. Timing depends on the selected partner configuration.

2

We Configure Your Portal

Send us your logo, brand colors, and custom domain. We'll set up your white-label instance with managed SSL - ready to show your clients.

3

Start Onboarding Clients

Add client workspaces, run AI assessments, and deliver compliance services under your brand as your customer list grows.

Schedule a Partner Call →

No commitment required. Let's see if it's a fit.

Contact Us

Have questions about CMMC compliance? We're here to help you succeed.

Schedule a Demo
Partner With Us

Send Us a Message

CMMC Education Center

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of War's framework for verifying that defense contractors protect Federal Contract Information and Controlled Unclassified Information. Here's what organizations need to know.

300K+
Companies Affected
3 Levels
of Certification
110
Controls (Level 2)
2025
Final Rule Effective

The Basics

CMMC stands for Cybersecurity Maturity Model Certification. It is the U.S. Department of War (DoW) program for assessing whether companies in the defense supply chain have implemented applicable safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC adds standardized assessment levels, affirmation requirements, and contract enforcement to existing safeguarding obligations. Depending on the solicitation or contract, Level 2 may require either a self-assessment or an independent certification assessment by a C3PAO.

The CMMC program rule at 32 CFR Part 170 became effective December 16, 2024. The companion DFARS rule became effective November 10, 2025, beginning a four-phase implementation. Phase 1 runs through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessment requirements, although certification requirements may appear in selected procurements.

Who Needs CMMC?

If your company processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of an applicable DoW contract, the solicitation or contract may require a specific CMMC level. This applies to:

Prime Contractors

Companies that contract directly with the DoW

Subcontractors

Any tier in the supply chain that touches CUI or FCI

IT / MSP Providers

Managed service providers supporting defense contractors

Manufacturers & Suppliers

Parts, materials, or engineering firms in the defense industrial base

The 3 CMMC Levels

L1

Level 1 - Foundational

Self-Assessment • 15 Practices • FCI Only

Level 1 covers basic cyber hygiene for companies handling Federal Contract Information (FCI) only - not CUI. It requires 15 practices from FAR 52.204-21, things like using antivirus, limiting access, and basic password management. Assessment is a self-assessment, affirmed annually by a senior company official.

Self-Assessment Annual Affirmation FAR 52.204-21
L2

Level 2 - Advanced

C3PAO Assessment • 110 Controls • CUI

Level 2 requires implementation of all 110 requirements from NIST SP 800-171 Rev. 2, covering 14 requirement families. The solicitation or contract specifies whether Level 2 requires a self-assessment or a certification assessment by a C3PAO. CMMC status is generally valid for three years, subject to annual affirmation and other program conditions.

Do not infer the assessment type from the organization or data alone; confirm the requirement stated in the applicable solicitation or contract.

NIST 800-171 C3PAO Assessment Triennial 320 Objectives
L3

Level 3 - Expert

Government-Led • NIST 800-172 • APT Defense

Level 3 is for selected organizations supporting the most sensitive DoW programs. It adds requirements selected from NIST SP 800-172, focused on protection against Advanced Persistent Threats (APTs). Assessment is performed by DCMA DIBCAC rather than a C3PAO.

NIST 800-172 DIBCAC Assessment APT Focused

Key Terms You'll Hear

CUI - Controlled Unclassified Information

Sensitive government information that isn't classified but still requires safeguarding. Think technical drawings, test data, personnel info, export-controlled data. CUI is defined by the National Archives (ISOO) and marked in contracts.

FCI - Federal Contract Information

Information provided by or generated for the government under a contract, not intended for public release. FCI has fewer protection requirements than CUI (Level 1 vs Level 2).

C3PAO - Certified Third-Party Assessor Organization

The independent organizations authorized by the CMMC Accreditation Body (Cyber AB) to conduct Level 2 assessments. They send certified assessors to evaluate your implementation of the 110 controls.

SSP - System Security Plan

Your master document describing how your organization meets each of the 110 NIST 800-171 controls. This is the first thing an assessor reviews. A strong SSP is the single most important CMMC artifact.

POA&M - Plan of Action and Milestones

A document listing controls you haven't fully met yet, along with your plan and timeline to fix them. Under CMMC, limited POA&Ms are allowed - but NOT MET controls with high point values may be disqualifying.

SPRS Score

Your Supplier Performance Risk System score, ranging from -203 to 110 points. Calculated based on which of the 110 controls you've implemented (each has a 1, 3, or 5 point value). You're already required to submit this score today under DFARS 7019/7020.

NIST SP 800-171

The National Institute of Standards and Technology publication that defines the 110 security controls for protecting CUI in non-federal systems. CMMC Level 2 is a direct implementation verification of 800-171 Rev 2.

Scoping - CUI Boundary

The systems, people, and facilities that process, store, or transmit CUI. Defining your CUI boundary is one of the first and most critical steps - it determines what's in scope for your assessment.

The 14 Control Families

NIST 800-171's 110 controls are organized into 14 families. Here's what each one covers:

3.1
Access Control - 22 controls. Who can access what, and how.
3.2
Awareness & Training - 3 controls. Security training for your team.
3.3
Audit & Accountability - 9 controls. Logging and monitoring activity.
3.4
Configuration Management - 9 controls. System baselines and change control.
3.5
Identification & Authentication - 11 controls. Verifying user identities, MFA.
3.6
Incident Response - 3 controls. Detecting, reporting, and handling incidents.
3.7
Maintenance - 6 controls. Secure system maintenance practices.
3.8
Media Protection - 9 controls. Protecting and sanitizing CUI on media.
3.9
Personnel Security - 2 controls. Screening and access for personnel.
3.10
Physical Protection - 6 controls. Securing facilities and hardware.
3.11
Risk Assessment - 3 controls. Identifying and managing risks.
3.12
Security Assessment - 4 controls. Evaluating control effectiveness.
3.13
System & Communications Protection - 16 controls. Encryption, network isolation.
3.14
System & Information Integrity - 7 controls. Patching, malware, and monitoring.

What a C3PAO Assessor Actually Looks For

A CMMC Level 2 assessment isn't a simple checkbox exercise. Assessors use the CMMC Assessment Guide which breaks each control into individual assessment objectives - 320 total across the 110 controls. For each objective, they look for three things:

Examine

Review documentation - policies, procedures, SSP, configurations, screenshots, and evidence artifacts.

Interview

Talk to personnel responsible for implementation to confirm they understand and follow the documented practices.

Test

Verify the control is actually working as described - inspect live systems, check configurations, validate technical implementation.

Pro tip: The best way to prepare is to write your SSP as if the assessor is reading it. For each control, document what you do, how you do it, and what evidence proves it. If you can satisfy Examine + Interview + Test before the assessor arrives, you're in great shape.

CMMC Timeline

COMPLETED - Nov 2021
CMMC 2.0 Announced

Streamlined from 5 levels to 3. Aligned Level 2 with NIST 800-171.

COMPLETED - Oct 2024
Final Rule Published (32 CFR Part 170)

CMMC program codified in federal regulation. Defines assessment requirements.

COMPLETED - Dec 16, 2024
32 CFR Effective Date

CMMC program officially in effect. C3PAOs can begin conducting assessments.

EFFECTIVE - Nov 10, 2025
48 CFR DFARS Rule (Contract Requirements)

The companion DFARS rule became effective and began the phased inclusion of CMMC requirements in applicable DoW procurements.

PHASE 1 - Nov 10, 2025 to Nov 9, 2026
Level 1 & Level 2 Self-Assessments in Contracts

Implementation focuses primarily on Level 1 and Level 2 self-assessments. DoW may include Level 2 certification requirements in selected Phase 1 procurements.

PHASE 2 - Begins Nov 10, 2026
Level 2 C3PAO Assessments Required

Applicable solicitations increasingly require Level 2 certification assessments when that assessment type is specified by the program office or requiring activity.

PHASE 3-4 - Nov 10, 2027 through Nov 10, 2028
Full Rollout Including Level 3

Phase 3 adds Level 3 requirements where applicable. Full implementation begins November 10, 2028 for applicable solicitations and contracts involving FCI or CUI.

Common Misconceptions

"We're too small for CMMC"

Company size does not determine the requirement. The information handled, the systems used, and the applicable solicitation or contract determine the required CMMC level and assessment type.

"We just need to buy the right tools and we'll be compliant"

Tools are important, but CMMC is about proving that you've implemented practices - policies, procedures, training, and evidence. You can have the best firewall in the world, but if you can't document how it's configured and why, it doesn't count.

"CMMC got delayed again, so we don't need to worry yet"

The 32 CFR final rule is already in effect. C3PAOs are authorized and conducting assessments now. Even before CMMC appears in your contract, DFARS 7012/7019/7020 already require you to implement NIST 800-171 and report your SPRS score. Primes are also increasingly requiring it of their subs.

"Our IT provider handles security, so we're covered"

Your MSP might manage your infrastructure, but you are responsible for your CMMC certification. You need to understand your CUI boundary, document your security practices, and own the assessment process. Your MSP is a partner, not a substitute.

"We can get certified in a few weeks"

Most organizations need 6-18 months to go from starting their compliance journey to being assessment-ready, depending on their starting point. Dakeeko dramatically accelerates this, but implementing real security practices still takes focused effort.

Getting Started with CMMC

1
Define your CUI boundary

Identify what CUI you handle, where it flows, and which systems, people, and facilities are in scope. This is the foundation everything else builds on.

2
Conduct a gap assessment

Evaluate your current security posture against NIST 800-171's 110 controls. Dakeeko's AI assessor can do this in minutes instead of weeks.

3
Remediate gaps and build documentation

Implement missing controls, create policies and procedures, and build your SSP. Create POA&Ms for anything you can't fix immediately.

4
Collect and organize evidence

Gather screenshots, configuration exports, policy documents, training records, and other artifacts that prove each control is implemented.

5
Submit your SPRS score and prepare for assessment

Submit required assessment results in SPRS, complete the required affirmation, and engage a C3PAO when the contract requires a Level 2 certification assessment.

Ready to Start Your CMMC Journey?

Dakeeko makes CMMC compliance achievable for organizations of any size. Get started — no credit card required.

Chat with Us