Consultant mode
Isolated workspaces per client—run CMMC for multiple organizations from one partner account. Connect Microsoft 365 commercial or GCC High where client tenants support it.
Company mode
Your own org, roles, and evidence when you manage CMMC in-house—including Microsoft 365 integrations for commercial and Government environments.
Dakeeko gives teams a Microsoft 365 compliance workspace for CMMC Level 2. Connect Microsoft 365, review configuration signals, follow plain-English implementation guidance, collect assessor-ready evidence, and preview POA&Ms before anything is created. Available for both consultant and company modes.
Launch app · Start a trial and open the Microsoft 365 workspace on day one
See Dakeeko in action
Consultant mode and company mode in the product—play inline or open on YouTube.
Use company mode for your own organization, or consultant mode when you manage multiple client tenants.
Partners run client programs in Consultant mode; contractors run their own in Company mode—same AI engine, controls, and Azure Gov backbone.
Controls
Objectives
Controls
Time
Your Compliance Data Deserves
Federal-Level Protection
Dakeeko runs on Microsoft Azure Government and uses applicable FedRAMP-authorized cloud services. Keep CUI in systems approved by your organization unless your agreement and configured Dakeeko environment explicitly permit its storage.
Azure Government Hosting
Built with applicable Microsoft Azure Government services that are within Microsoft's FedRAMP authorization scope. Dakeeko does not represent that hosting alone authorizes a customer's environment.
US Sovereign Data Centers
Dakeeko application data is hosted in Azure Government regions. Customers should keep CUI in their own authorized tenant, repository, or enclave and reference it from Dakeeko when needed.
Designed Around Your CUI Boundary
Manage CMMC workflows without uploading CUI. Store CUI, ITAR, and export-controlled materials in your authorized environment; use Dakeeko for control status, POA&Ms, SSP drafts, and evidence references.
Security Responsibilities at a Glance
A clear view of what Dakeeko provides and what remains the customer's responsibility.
| Security Feature | Dakeeko | Customer Responsibility |
|---|---|---|
| Cloud Infrastructure | Azure Government | Define the authorized system boundary |
| Cloud Authorization Scope | Applicable Azure services | Validate services and configuration |
| CUI Upload Required | No | Keep CUI in approved systems |
| Data Residency | U.S. Gov Only | Confirm contractual requirements |
| Evidence Handling | Documents and references | Classify content before upload |
| CUI Boundary Support | References only | Approve repositories and access |
Want to see Dakeeko in action?
Schedule a consultation to see how Dakeeko fits your compliance workflow.
Turn Your Existing Work Into a Clearer CMMC Plan
Dakeeko reviews the notes and evidence you provide, suggests objective-level findings, identifies likely gaps, and drafts remediation actions for human review. You remain responsible for validating every result.
Spend Less Time Organizing Evidence and Drafting Next Steps
Dakeeko helps your team structure the work while keeping compliance decisions in human hands.
Use AI to organize the work, then apply your team's judgment before anything becomes part of the compliance record.
Learn More About AI-Assisted Review →Everything You Need to Prove CMMC Compliance
Readiness tools built specifically for defense contractors preparing for CMMC Level 1 and Level 2 requirements
Prove Control Implementation
Track all 110 NIST SP 800-171 requirements and 320 assessment objectives in one control workspace. Link policies, screenshots, notes, assets, and other evidence, then record each control as Met, Partial, Not Met, or N/A with an auditable rationale.
Generate Living SSP Drafts
Build a System Security Plan draft from your current company profile, system boundary, assets, policies, and control implementation statements. Review and approve the document before using it with customers or assessors.
Audit-Defensible POA&M Management
Create, track, and manage Plan of Action & Milestones for controls that aren't fully implemented. Set priorities, assign owners, and document remediation timelines that satisfy assessor requirements.
SPRS Score Calculator AUTO
Know where you stand. Maintain a working SPRS score estimate based on recorded implementation statuses. Use the official DoW assessment methodology and SPRS submission process for contractual reporting.
Asset Inventory
Maintain a comprehensive inventory of your IT assets, software, and hardware. Organize by asset type and track everything in one centralized location.
Evidence Repository
Store and organize compliance documentation, policies, and evidence in one secure location. Everything you need for your CMMC audit, ready when you need it.
Team Collaboration ROLE BASED
Keep the work accountable. Invite members, assign roles and tasks, add control comments, record activity, and keep evidence and remediation work connected to the correct workspace.
Consultant Portfolio & Client Workspaces
Give each client an isolated compliance workspace and use the consultant portfolio dashboard to compare readiness, open POA&Ms, overdue tasks, and recent activity across the clients you manage.
AI Structured Around CMMC Requirements HUMAN REVIEW
You stay in control while AI accelerates the drafting work. Generate implementation-statement suggestions, interpret assessment objectives, and preview remediation actions while preserving human approval for every compliance decision.
Security Tool Integrations AUTOMATE
Connect supported security platforms and review what their configuration can demonstrate. Microsoft 365 commercial and GCC High integrations map selected identity, access, device, and audit signals to relevant requirements. A read-only Palo Alto pilot supports SCM Pro and Cortex data. Findings remain subject to human review, and planned connectors are labeled separately.
Connects With Your Security Stack
Automate evidence collection and control verification by connecting your existing tools
Ready to Simplify Your Compliance?
Join defense contractors who trust Dakeeko to manage their CMMC journey
Powerful Integrations for
Automated Compliance
Connect supported platforms for read-only findings and asset import. Pilot and roadmap connectors are clearly labeled.
Connect Your Security Stack
Read-only evidence signals and guided setup for supported platforms
Keep CUI in Your Approved Environment
See what the Microsoft integration reads, what users may choose to import, and what Dakeeko retains
Collect the Evidence You Need Without Expanding the CUI Boundary
Dakeeko stores compliance records and the evidence users choose to upload. CUI upload is not required. Integration secrets are handled separately from evidence, and read-only integrations retain only the data needed to support mapped findings.
How Data Flows - And Where It Stays
Your GCC High Tenant
CUI and source configurations
REMAIN CUSTOMER CONTROLLED
(Read-Only)
Your Browser
Short-lived token + API responses
PROCESSED IN SESSION
Results
Dakeeko
Mapped findings + approved imports
WORKSPACE RECORDS
Customer-Controlled App Registration
You create the Azure AD App Registration in YOUR tenant. You control all permissions. You can revoke access instantly - Dakeeko never has admin access to your environment.
Client-Side OAuth Authentication
The current Microsoft connection uses a short-lived access token in the browser session. Dakeeko does not display that token as evidence or require a standing Microsoft administrator password.
Read-Only Permissions
We only request read permissions: User.Read.All, AuditLog.Read.All, Policy.Read.All, Directory.Read.All. We cannot modify anything in your tenant.
Browser-Based Processing
The browser calls Microsoft Graph and converts selected responses into mapped findings. Raw responses are not retained as evidence; only mapped results and user-approved asset imports are written to the workspace.
Full Auditability
Every Graph API call is logged in your Azure AD audit logs. You can see exactly what data was accessed, when, and by whom - complete transparency.
Instant Revocation
Delete the App Registration in Azure AD and access is immediately revoked. No persistent credentials, no service accounts, no backdoors - you're always in control.
What the Workspace Stores
met, partial, not_met)
What the Microsoft Sync Does Not Retain
Example: How MFA Verification Works
This architecture reduces unnecessary data collection: read-only integrations return selected compliance signals, credentials are not displayed as evidence, and customers decide which non-CUI documents or references belong in the workspace.
How Integrations Work
Three simple steps to automated compliance
Connect
Follow the in-app setup guide to authorize read-only access for a supported platform. Permissions remain visible and revocable by the customer.
Sync
Dakeeko retrieves selected read-only signals from supported platforms and maps them to relevant NIST SP 800-171 requirements.
Verify
Mapped findings are presented with their supporting context for human validation. Approved status changes update the workspace and SPRS estimate.
Ready to Automate Your Compliance?
Connect your first integration and start tracking compliance in minutes.
About Dakeeko
Dakeeko is a CMMC readiness and compliance-operations platform for defense contractors, MSPs, and consultants. It replaces disconnected spreadsheets and manual workflows with a shared system for assessment objectives, evidence, policies, SSP drafts, POA&Ms, assets, tasks, and client workspaces.
From your first self-assessment through preparation for a C3PAO engagement, Dakeeko helps organize controls, assessment objectives, evidence, documentation drafts, and remediation work. Final compliance determinations remain with your organization and its assessor.
Built on Azure Government Cloud
Dakeeko is hosted in Microsoft Azure Government and uses applicable services within Microsoft's federal authorization scope. Azure Government provides U.S. government regions and additional personnel-screening assurances; customers remain responsible for validating their own architecture, configurations, agreements, and system boundary.
What Makes Dakeeko Different
Most compliance tools are built for large enterprises with dedicated security teams. Dakeeko is built for the rest of the defense industrial base - small and mid-size contractors, IT service providers, and the consultants who support them.
AI-Powered Assessor
Our AI reviews selected documentation and evidence, suggests objective-level findings, identifies possible gaps, and drafts remediation actions for human review.
Microsoft 365 Workspace + Integrations
Connect Microsoft 365 commercial or GCC High to map selected tenant signals to relevant NIST SP 800-171 requirements, import approved assets, and review guided implementation steps for the remaining work.
Multi-Client Management
Consultants and MSPs can manage multiple client enclaves from a single account - each with its own controls, evidence, documentation, and team workspace.
Assessor-Grade Documentation
Generate complete SSPs, POA&Ms, and SPRS scores that meet assessor expectations. Every document is built from your actual control data - not generic templates.
Meet the Founder
Tim Cleland
With over a decade of experience in government cybersecurity, I founded Dakeeko after seeing how defense contractors - especially small and mid-size companies - struggled to navigate CMMC without enterprise budgets. I've spent years working in federal compliance and understand what assessors actually look for. Dakeeko is built to make that expertise accessible to everyone in the defense industrial base, whether you're a solo contractor or an MSP managing dozens of clients.
Our Mission
CMMC preparation should be understandable for organizations of every size. We build tools that help small internal teams and experienced consultants organize the same requirements, evidence, responsibilities, and remediation work without pretending software replaces qualified judgment.
Every feature in Dakeeko is designed around real-world assessment workflows. We don't just track controls - we help you understand what each one requires, document how you meet it, and prove it with evidence. You stay in control. We accelerate the work.
Built on Azure Government Cloud
Dakeeko runs in Microsoft Azure Government using applicable services within Microsoft's federal authorization scope. This gives defense-sector customers a government-cloud foundation while preserving the shared-responsibility model for application security, configuration, data handling, and CMMC compliance.
Federal Cloud Foundation
Uses applicable Azure Government services within Microsoft's authorization scope. Dakeeko does not claim that hosting alone certifies a customer environment.
US Sovereign Data
All data processed and stored in U.S. Government data centers operated by screened U.S. persons.
CUI Boundary Friendly
Built so teams can manage CMMC workflows while keeping CUI and export-controlled files in their authorized environment.
Government Cloud Foundation
Designed for defense contractor compliance workflows on Azure Government, with customer CUI kept outside the Dakeeko app.
What This Means for You
Your CUI stays in your authorized environment
Use Dakeeko for control status, POA&Ms, SSP drafts, AI assessments, and evidence references. Do not upload CUI; keep source files and controlled data in your approved tenant or repository.
You practice what you preach
When your C3PAO auditor asks where your compliance workflow data lives, the answer is Azure Government infrastructure, with CUI intentionally kept in your authorized environment.
A clearer data-residency story
Dakeeko application data is hosted in Azure Government. CUI remains in the customer-controlled systems your organization has already approved.
AI review is for non-CUI compliance content
Use AI Assessor for non-CUI notes, mappings, and evidence references. Do not submit CUI to AI Assessor.
Security Responsibilities at a Glance
Dakeeko provides a government-cloud foundation; customers still own scope, configuration, and data-handling decisions.
| Security Feature | Dakeeko | Customer Responsibility |
|---|---|---|
| Cloud Infrastructure | Azure Government | Define the authorized boundary |
| Cloud Authorization Scope | Applicable Azure services | Validate selected services |
| CUI Storage Model | No CUI storage required | Classify content before upload |
| ITAR / Export-Controlled Files | Keep in customer system | Approve storage locations |
| Data Residency | U.S. Gov Only | Confirm contractual requirements |
| Hosting Personnel Assurance | Azure Government commitments | Validate operational roles |
| Defense Workload Foundation | Azure Gov foundation | Document shared responsibilities |
| AI Processing Location | Azure Gov for non-CUI content | Approve content submitted to AI |
Ready to See Dakeeko in Your Workflow?
Run an AI-assisted readiness review while keeping CUI in your authorized environment and validating every suggested finding.
Clear Pricing, Flexible Where You Need It
Start with predictable platform pricing, then add client workspaces, partner services, or custom integrations as needed.
Have questions about your compliance needs?
Schedule a Consultation →Dakeeko CMMC Platform
One workspace for CMMC readiness and ongoing compliance operations
Base Dakeeko subscription
Includes 5 users & 1 organization workspace
- Level 1 & Level 2 readiness and compliance-management tools
- All 110 NIST SP 800-171 requirements + 15 FAR safeguarding requirements
- 320 assessment objectives
- Microsoft 365 evidence mapping across relevant control families
- Microsoft 365 workspace with guided steps and assessor evidence prompts
- SSP & POA&M document generators
- SPRS score calculator
- AI-assisted review + POA&M drafts
- Asset inventory tracking
- Evidence repository
- Real-time team collaboration
- Microsoft 365 commercial and GCC High integration support
No credit card required
Scale for Clients, Partners, and Specialized Environments
Standard workspace pricing stays predictable. Services that require engineering or a custom delivery model receive a scoped quote.
Additional Client Workspace
5 users per workspace
Separate controls, evidence, assets, and documentation
White Label
Volume pricing, reseller provisioning, white labeling, custom domains, onboarding, and support
View Partner Program →
Custom Integrations
Pilot integrations, connector development, and ongoing support based on API availability, security requirements, complexity, and maintenance scope
Request an integration review →Which level do my clients need?
Level 1 is for contractors handling Federal Contract Information (FCI) only.
Level 2 generally applies when an applicable contract requires protection of Controlled Unclassified Information (CUI) under NIST SP 800-171.
Good news: Dakeeko is built to support both levels.
Why Choose Dakeeko?
Microsoft 365 Guidance
Give teams a clear, screen-by-screen path for implementation with plain-English instructions and assessor-focused evidence prompts.
Mapped Findings + POA&M Preview
Map selected signals from supported tools, review what each finding supports, and preview proposed POA&Ms before creating records.
MSP Multi-Tenant
Manage all your clients from one dashboard with seamless switching.
Frequently Asked Questions
Is my data safe?
Dakeeko is hosted in Microsoft Azure Government using applicable services within Microsoft's federal authorization scope. It stores compliance records and evidence users intentionally add; uploading CUI is not required and customers should keep CUI in approved systems unless their agreement and configured environment explicitly permit otherwise. See our Security Architecture ->
Do I need GCC High to use Dakeeko?
No. Dakeeko works without GCC High: teams can review all 110 requirements and 320 assessment objectives, upload non-CUI evidence, manage POA&Ms, and generate documentation drafts. The GCC High integration adds selected read-only Microsoft findings and asset import, with results presented for human review.
What does the Microsoft 365 workspace do?
It brings Microsoft 365 connection, evidence mapping, implementation guidance, control status, and POA&M preview into one workspace. GCC High is supported for Government tenants, and commercial Microsoft 365 tenants can use the same guided flow where the available Microsoft data supports it.
What's the difference between Level 1 and Level 2?
Level 1 covers 15 basic safeguarding requirements for Federal Contract Information (FCI). Level 2 covers all 110 NIST SP 800-171 requirements and generally applies when an applicable contract requires protection of CUI. The solicitation or contract determines the required level and assessment type.
What's included?
After your 5-day trial, you'll need to subscribe to keep access. All your data, assessments, and documentation are preserved - nothing is lost. You can pick up right where you left off.
Can I cancel anytime?
Yes. There are no long-term contracts or cancellation fees. You can cancel your subscription at any time from your account settings.
Can I manage multiple clients?
Yes. Each client workspace gets its own isolated controls, evidence, documentation, and team members. Perfect for MSPs and consultants. See our Consultant Program →
Does Dakeeko replace a C3PAO assessment?
No. Dakeeko is a preparation and readiness platform. It helps organize potential gaps, evidence, implementation statements, documentation drafts, and remediation work, but a C3PAO performs its own assessment and makes independent determinations.
A Faster Way to Review
Your CMMC Evidence.
Review the implementation notes and evidence you provide against CMMC requirements and assessment objectives. Dakeeko suggests findings, identifies potential gaps, and drafts remediation actions for your team to validate before they become part of the compliance record.
How It Works
From documentation to a human-reviewed readiness record in 5 steps
Document Your Controls
Add "How We Comply" notes to your controls describing your organization's current security implementations, and attach non-CUI evidence references for AI review. You can type notes manually, import from a spreadsheet, or use AI to help draft implementation statements.
Run an AI-Assisted Review
Run a review across documented controls or focus on an individual control. Dakeeko compares the supplied content with NIST SP 800-171 requirements and CMMC assessment objectives, then returns suggested findings rather than a certification decision.
Review Detailed Results
Review the suggested finding (Met, Partial, or Not Met), confidence indicator, supporting rationale, identified gaps, and remediation suggestions. Trace each recommendation back to the content that was reviewed.
Validate Results and Preview POA&Ms
Accept, revise, or reject suggested findings. Preview proposed POA&M content for applicable gaps before creating any record, then assign ownership, milestones, and dates through the normal workflow.
Export & Repeat
Export a readiness report for internal review or collaboration with your consultant. As evidence and implementations change, run another review to compare progress while preserving human ownership of final determinations.
Dakeeko reviews selected non-CUI evidence and suggests how it may support relevant NIST SP 800-171 requirements
See What AI Assessment Results Look Like
Suggested outcomes are presented for review and do not replace an assessor's determination
The supplied content appears to support the requirement; a reviewer confirms whether the evidence is sufficient.
Some aspects appear supported while identified gaps still require evidence, implementation, or clarification.
The supplied content does not yet support the requirement; proposed POA&M content can be previewed and edited.
What the AI Evaluates
Structured around NIST SP 800-171 requirements and CMMC assessment objectives
Implementation Completeness
Does your documentation address all aspects of the control requirement? The AI analyzes your "How We Comply" notes and non-CUI evidence references against the full control description and assessment objectives.
Assessment Objective Alignment
The 110 NIST SP 800-171 requirements contain 320 CMMC assessment objectives. Dakeeko compares supplied content to each applicable objective and suggests an outcome for review.
Gap Identification
The AI specifically identifies what's missing - not just "you're not compliant" but exactly which aspects of the requirement your documentation doesn't address, so you know precisely what to fix.
Actionable Suggestions
Beyond identifying problems, the AI suggests specific remediation steps - what to implement, what to document, and how to strengthen your compliance posture for each control.
Confidence Scoring
Every determination comes with a confidence level (High, Medium, Low) so you know which assessments are solid and which might need human review. Full transparency, no black boxes.
POA&M Drafting
For applicable gaps, Dakeeko proposes a weakness description, remediation steps, milestones, and a target timeline. Users preview and approve the record before creation.
Frequently Asked Questions
How accurate is the AI assessment?
Output quality depends on the completeness and accuracy of the submitted notes and evidence. Treat every result as a preliminary suggestion, review its rationale, and make final determinations with qualified personnel or your assessor.
Is my compliance data sent to third parties?
Selected content is processed through Dakeeko's configured Azure AI service under the service's applicable data-handling terms. Do not submit CUI unless your agreement and configured environment explicitly permit it. Dakeeko does not use customer prompts or outputs to train a public model.
Can I re-run the assessment after making changes?
Yes - unlimited times. Run a full assessment, remediate the gaps, update your documentation, and re-run to verify improvement. You can also re-review individual controls for a deeper analysis. This iterative approach is how real compliance maturity works.
Does this replace a C3PAO assessment?
No. The AI-assisted review is a pre-assessment readiness tool that helps organize possible gaps before an official assessment. A C3PAO makes its own determinations, and using Dakeeko does not guarantee certification or a particular assessment outcome.
Do I need to document every control before running it?
No. The AI assesses whichever controls have documentation. You can document a few controls and run a partial assessment, or document all 110 and run a full assessment. Start wherever you are - the AI meets you there.
Is the AI Assessor included?
Yes - fully included with unlimited assessments. No per-run fees, no token limits, no upsells. Every Dakeeko subscription includes the complete AI assessment engine.
Ready to See Where You Stand?
Add your compliance documentation and run your first assessment in minutes. No credit card required.
White Label Dakeeko
Under Your Brand
Offer your clients a fully branded CMMC compliance platform - your logo, your colors, your domain. Powered by Dakeeko's AI assessment engine and hosted on Azure Government Cloud. Small defense contractors can also use Dakeeko directly in company mode when they are running their own CMMC program.
Built for Consultants, MSSPs, C3PAOs & Small Businesses
Run CMMC for clients, prepare organizations for formal assessment, or manage your own internal CMMC program as a small defense contractor.
Compliance Consultants
Offer a branded compliance portal to your clients. Manage assessments, documentation, and remediation across your entire client base from one dashboard.
Managed Service Providers
Add CMMC compliance as a service offering. Your clients see your brand - not ours. Increase contract value with a turnkey compliance solution.
RPOs & C3PAOs
Provide your assessed organizations a branded platform to track their compliance posture. Streamline pre-assessment workflows and evidence collection.
Small Defense Contractors
Run your own CMMC program in company mode with Microsoft 365 guidance, evidence mapping, and assessor-ready documentation in one workspace.
What's Included
Everything you need to run a branded compliance practice.
Custom logo, colors, and company name throughout the platform
compliance.yourcompany.com with managed SSL certificate
AI-assisted evidence review, objective findings, and POA&M drafts with human approval
Manage all client enclaves from a single partner view
Map Microsoft 365 evidence across commercial and GCC High client tenants
Azure Government hosting using applicable federally authorized cloud services
Partner Engagement
Partner pricing is shared during onboarding based on enclaves, delivery model, and support scope.
Ready to structure your partner package?
Schedule a Partner Call →Get Started in 3 Steps
Schedule a Partner Call
We'll walk through the platform, discuss your practice, and define branding, provisioning, support, and integration requirements. Timing depends on the selected partner configuration.
We Configure Your Portal
Send us your logo, brand colors, and custom domain. We'll set up your white-label instance with managed SSL - ready to show your clients.
Start Onboarding Clients
Add client workspaces, run AI assessments, and deliver compliance services under your brand as your customer list grows.
No commitment required. Let's see if it's a fit.
Contact Us
Have questions about CMMC compliance? We're here to help you succeed.
Send Us a Message
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of War's framework for verifying that defense contractors protect Federal Contract Information and Controlled Unclassified Information. Here's what organizations need to know.
The Basics
CMMC stands for Cybersecurity Maturity Model Certification. It is the U.S. Department of War (DoW) program for assessing whether companies in the defense supply chain have implemented applicable safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC adds standardized assessment levels, affirmation requirements, and contract enforcement to existing safeguarding obligations. Depending on the solicitation or contract, Level 2 may require either a self-assessment or an independent certification assessment by a C3PAO.
The CMMC program rule at 32 CFR Part 170 became effective December 16, 2024. The companion DFARS rule became effective November 10, 2025, beginning a four-phase implementation. Phase 1 runs through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessment requirements, although certification requirements may appear in selected procurements.
Who Needs CMMC?
If your company processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of an applicable DoW contract, the solicitation or contract may require a specific CMMC level. This applies to:
Companies that contract directly with the DoW
Any tier in the supply chain that touches CUI or FCI
Managed service providers supporting defense contractors
Parts, materials, or engineering firms in the defense industrial base
The 3 CMMC Levels
Level 1 - Foundational
Self-Assessment • 15 Practices • FCI OnlyLevel 1 covers basic cyber hygiene for companies handling Federal Contract Information (FCI) only - not CUI. It requires 15 practices from FAR 52.204-21, things like using antivirus, limiting access, and basic password management. Assessment is a self-assessment, affirmed annually by a senior company official.
Level 2 - Advanced
C3PAO Assessment • 110 Controls • CUILevel 2 requires implementation of all 110 requirements from NIST SP 800-171 Rev. 2, covering 14 requirement families. The solicitation or contract specifies whether Level 2 requires a self-assessment or a certification assessment by a C3PAO. CMMC status is generally valid for three years, subject to annual affirmation and other program conditions.
Do not infer the assessment type from the organization or data alone; confirm the requirement stated in the applicable solicitation or contract.
Level 3 - Expert
Government-Led • NIST 800-172 • APT DefenseLevel 3 is for selected organizations supporting the most sensitive DoW programs. It adds requirements selected from NIST SP 800-172, focused on protection against Advanced Persistent Threats (APTs). Assessment is performed by DCMA DIBCAC rather than a C3PAO.
Key Terms You'll Hear
CUI - Controlled Unclassified Information
Sensitive government information that isn't classified but still requires safeguarding. Think technical drawings, test data, personnel info, export-controlled data. CUI is defined by the National Archives (ISOO) and marked in contracts.
FCI - Federal Contract Information
Information provided by or generated for the government under a contract, not intended for public release. FCI has fewer protection requirements than CUI (Level 1 vs Level 2).
C3PAO - Certified Third-Party Assessor Organization
The independent organizations authorized by the CMMC Accreditation Body (Cyber AB) to conduct Level 2 assessments. They send certified assessors to evaluate your implementation of the 110 controls.
SSP - System Security Plan
Your master document describing how your organization meets each of the 110 NIST 800-171 controls. This is the first thing an assessor reviews. A strong SSP is the single most important CMMC artifact.
POA&M - Plan of Action and Milestones
A document listing controls you haven't fully met yet, along with your plan and timeline to fix them. Under CMMC, limited POA&Ms are allowed - but NOT MET controls with high point values may be disqualifying.
SPRS Score
Your Supplier Performance Risk System score, ranging from -203 to 110 points. Calculated based on which of the 110 controls you've implemented (each has a 1, 3, or 5 point value). You're already required to submit this score today under DFARS 7019/7020.
NIST SP 800-171
The National Institute of Standards and Technology publication that defines the 110 security controls for protecting CUI in non-federal systems. CMMC Level 2 is a direct implementation verification of 800-171 Rev 2.
Scoping - CUI Boundary
The systems, people, and facilities that process, store, or transmit CUI. Defining your CUI boundary is one of the first and most critical steps - it determines what's in scope for your assessment.
The 14 Control Families
NIST 800-171's 110 controls are organized into 14 families. Here's what each one covers:
What a C3PAO Assessor Actually Looks For
A CMMC Level 2 assessment isn't a simple checkbox exercise. Assessors use the CMMC Assessment Guide which breaks each control into individual assessment objectives - 320 total across the 110 controls. For each objective, they look for three things:
Review documentation - policies, procedures, SSP, configurations, screenshots, and evidence artifacts.
Talk to personnel responsible for implementation to confirm they understand and follow the documented practices.
Verify the control is actually working as described - inspect live systems, check configurations, validate technical implementation.
Pro tip: The best way to prepare is to write your SSP as if the assessor is reading it. For each control, document what you do, how you do it, and what evidence proves it. If you can satisfy Examine + Interview + Test before the assessor arrives, you're in great shape.
CMMC Timeline
Streamlined from 5 levels to 3. Aligned Level 2 with NIST 800-171.
CMMC program codified in federal regulation. Defines assessment requirements.
CMMC program officially in effect. C3PAOs can begin conducting assessments.
The companion DFARS rule became effective and began the phased inclusion of CMMC requirements in applicable DoW procurements.
Implementation focuses primarily on Level 1 and Level 2 self-assessments. DoW may include Level 2 certification requirements in selected Phase 1 procurements.
Applicable solicitations increasingly require Level 2 certification assessments when that assessment type is specified by the program office or requiring activity.
Phase 3 adds Level 3 requirements where applicable. Full implementation begins November 10, 2028 for applicable solicitations and contracts involving FCI or CUI.
Common Misconceptions
Company size does not determine the requirement. The information handled, the systems used, and the applicable solicitation or contract determine the required CMMC level and assessment type.
Tools are important, but CMMC is about proving that you've implemented practices - policies, procedures, training, and evidence. You can have the best firewall in the world, but if you can't document how it's configured and why, it doesn't count.
The 32 CFR final rule is already in effect. C3PAOs are authorized and conducting assessments now. Even before CMMC appears in your contract, DFARS 7012/7019/7020 already require you to implement NIST 800-171 and report your SPRS score. Primes are also increasingly requiring it of their subs.
Your MSP might manage your infrastructure, but you are responsible for your CMMC certification. You need to understand your CUI boundary, document your security practices, and own the assessment process. Your MSP is a partner, not a substitute.
Most organizations need 6-18 months to go from starting their compliance journey to being assessment-ready, depending on their starting point. Dakeeko dramatically accelerates this, but implementing real security practices still takes focused effort.
Getting Started with CMMC
Identify what CUI you handle, where it flows, and which systems, people, and facilities are in scope. This is the foundation everything else builds on.
Evaluate your current security posture against NIST 800-171's 110 controls. Dakeeko's AI assessor can do this in minutes instead of weeks.
Implement missing controls, create policies and procedures, and build your SSP. Create POA&Ms for anything you can't fix immediately.
Gather screenshots, configuration exports, policy documents, training records, and other artifacts that prove each control is implemented.
Submit required assessment results in SPRS, complete the required affirmation, and engage a C3PAO when the contract requires a Level 2 certification assessment.
Ready to Start Your CMMC Journey?
Dakeeko makes CMMC compliance achievable for organizations of any size. Get started — no credit card required.