For new CMMC obligations

You need CMMC. Here's what that actually means.

If you do business with the U.S. Department of Defense and your contract has been updated to require CMMC, you have a deadline and a real risk of losing the work. This page explains, in plain English, what CMMC is, whether you need it, how long it takes, and what it costs.

  • 320 assessment objectives: the NIST 800-171A determination statements graded at Level 2.
  • 110 controls (NIST SP 800-171): the underlying control set Level 2 is built on.
  • $50–150K typical RPO readiness fee: mid-sized contractor, full outsourced prep (2026 industry data).
  • 88 C3PAOs nationwide, serving ~80,000 DIB organizations that require Level 2 certification.

  • FedRAMP Moderate AWS · us-east-2 · production today
  • Official Microsoft Partner · M365 · Entra
  • NIST SP 800-171 · all 110 controls · 320 objectives
  • C3PAO-ready output · signed evidence package

Do I need it?

If your contract has a DFARS 7012 clause and you handle CUI, yes.

  • You handle CUI. If you've received any defense data the government has marked or treated as controlled (drawings, specs, plans, controlled research), you need Level 2.
  • Your contract has a DFARS 252.204-7012 or 7021 clause. These are the clauses that trigger the CMMC obligation. Check any recent contract modification or new RFP.
  • You only handle FCI, not CUI. If you handle Federal Contract Information but no CUI, you need Level 1, which is a self-assessment. Easier path, but still mandatory.

Cost of inaction

If you don't get certified, you lose the work.

CMMC isn't a "nice to have." When a contract requires it, missing the deadline has direct, contractual consequences:

  • Existing contracts at risk. If your contract was modified to require CMMC and you can't prove it, you may be in breach.
  • Ineligible for new awards. You can't bid on DoD work that requires CMMC. The DIB is consolidating fast around certified suppliers.
  • False Claims Act exposure. If you ever affirmed compliance you didn't have, that can carry penalties separate from the contract itself.

This is why most defense contractors are treating CMMC as the top compliance priority of the next 12–18 months.

What it is

CMMC is the DoD's required security standard for anyone handling sensitive defense data.

CMMC stands for Cybersecurity Maturity Model Certification. It is the security framework the U.S. Department of Defense requires every contractor and subcontractor to be certified against if they handle Controlled Unclassified Information (CUI) — things like technical drawings, manufacturing specs, or controlled research that isn't classified but isn't public either.

CMMC has three levels. Level 1 is for companies that only handle Federal Contract Information (the day-to-day stuff, like procurement records). Level 2 — built on the 110 security requirements in NIST SP 800-171 — is what most defense contractors handling CUI need. Level 3 is reserved for the most sensitive programs.

You don't self-certify. A separate accredited firm called a C3PAO (Certified Third-Party Assessment Organization) runs the official assessment and issues the certification. Garde1 is not a C3PAO — we're the platform that gets you ready for one.

How Garde1 gets you there

The path from contract clause to certification.

PHASE 01 · Setup (Days 1–3)

  01. Onboarding. A guided setup captures your contract clause, business profile, and the people involved. About 30 minutes — no consultants required. Outcome: scope and team captured.
  02. Connect integrations. Plug in your identity provider, cloud, endpoints, and SaaS apps via secure OAuth or a lightweight agent. Garde1 reads configuration; it never modifies your systems. Outcome: live data flowing from your stack.

PHASE 02 · Build (Weeks 1–6)

  03. Generate policies. Garde1 drafts the 14 CMMC L2 domain policies and the supporting SOPs you need to operate by — pre-filled from your scope and the facts the integrations already provided. Assessment artifacts come later. Outcome: 14 domain policies + SOPs.
  04. Collect evidence. Integrations stream evidence for the controls they cover automatically. For manual controls (training records, physical access logs, etc.) you upload artifacts through the same interface. Outcome: evidence linked to every objective.
  05. Assess and remediate. Garde1 evaluates each control against the evidence, flags gaps, and walks you through fixes. Includes built-in security baselines (CIS Benchmarks) pushed to your devices to close common gaps automatically. Outcome: gaps closing on a live score.

PHASE 03 · Certify (Weeks 6–12)

  06. Reach assessment-ready. When your readiness score clears the bar for a passing CMMC L2 assessment, Garde1 tells you in plain English. No guessing whether you would pass the real one. Outcome: plain-English readiness signal.
  07. Generate assessment artifacts. Once you clear the bar, Garde1 generates your System Security Plan (SSP) and packages the signed evidence — the documents an assessor actually reviews. These are produced from the live, scored state of your environment, not pre-staged drafts. Outcome: SSP + signed evidence package.
  08. Invite your C3PAO. Share the signed assessment evidence package with your C3PAO directly from Garde1 — available for download in one click. They get everything they need to run the official assessment. Outcome: the C3PAO can begin the official audit.

Why Garde1

Four things that don't exist in the typical compliance stack.

BUILT FOR NUANCE · Per-objective, not pass/fail per control

CMMC L2 is 110 controls and 320 determination statements. Most platforms only show pass/fail at the control level. Garde1 surfaces every NIST 800-171A determination — so you see that AC-2(a) passes but AC-2(c) is incomplete, not just "AC-2 partial." Checklist tools cannot show this.

LIVE MEASUREMENT · Scored from what is running, not what you wrote down

Garde1 reconciles stated (your questionnaire), derived (your connectors), and per-CUI-package posture — and surfaces the contradictions across those layers. Upload-and-tag tools score the documents; Garde1 scores the live environment behind them.

MEETS YOU WHERE YOU ARE · No new enclave. No platform to migrate to.

Plug in the identity, cloud, and endpoints you already run. Garde1 reads configuration — it does not require GCC High provisioning, a managed VDI subscription, or moving email and files into a new encrypted stack before you can start.

EDUCATIONAL BY DESIGN · Garde1 explains CMMC as you implement it

CUI, CRMA, ESP, RPO, C3PAO, SPRS, scoping — the ecosystem is dense. Garde1 ships an inline glossary, per-question "why we ask / what this changes" guidance, and a help drawer on every page. Most teams stop paying a consultant to read NIST to them within the first week.

How Garde1 compares

Why DIB contractors pick Garde1 over the alternatives.

Vendors compared:

  • Garde1 · CMMC compliance OS
  • Secureframe Defense · GRC + managed CUI enclave
  • Drata · GRC platform · CMMC module
  • FutureFeed · CMMC checklist + SPRS tracker
  • Delve · AI compliance + partner RPO
  • PreVeil · Encrypted CUI overlay

CMMC depth

  • Garde1: Per-objective scoring across all 320 NIST 800-171A determination statements. CMMC L2 is the only focus.
  • Secureframe Defense: Defense tier added Mar 2026. One of 20+ frameworks; CMMC is a specialized bundle.
  • Drata: SOC 2-first. CMMC mapping is framework-agnostic — not architected around the 320 objectives.
  • FutureFeed: DIB-specific. Checklist of NIST controls + SPRS score tracker. No per-objective granularity.
  • Delve: AI compliance platform. The CMMC story relies on a partner RPO doing the actual readiness work — the platform on its own does not reach CMMC depth.
  • PreVeil: Encryption-first. Covers ~102 of 110 NIST 800-171 controls via the overlay.

Adoption approach

  • Garde1: Meets you where you are. Connect existing identity, cloud, and endpoints — Garde1 reads configuration, never modifies your systems.
  • Secureframe Defense: Stand up a new GCC High / Google Workspace enclave + Azure Government VDI in a separate Azure subscription you own and pay for.
  • Drata: Light cloud integrations. CMMC nuance is handled outside the product — typically via the BARR Advisory Compliance Accelerator partnership.
  • FutureFeed: Upload, tag, score. No live integrations — the platform organizes what you give it.
  • Delve: Connect data + engage their partner RPO to do what the AI can't. Two vendors, twice the headache.
  • PreVeil: Migrate email + file sharing into the PreVeil encrypted stack. Compliance is the side-effect of the encryption layer.

Posture model

  • Garde1: Reconciles stated × derived × per-CUI-package posture. Surfaces contradictions across the three layers.
  • Secureframe Defense: Documentation-first with continuous monitoring + SSP / POA&M automation.
  • Drata: Continuous monitoring + drift detection on cloud config. Generic CMMC mapping.
  • FutureFeed: Score-tracking around docs you upload. Does not measure live posture.
  • Delve: AI-summarized evidence; not architected around the 320 determination statements.
  • PreVeil: Cryptography posture only. Not a full-environment measurement tool.

Education in-product

  • Garde1: Inline glossary, per-question "why we ask / what this changes" guidance, full PageHelp drawer on every surface. You stop paying a consultant to explain NIST.
  • Secureframe Defense: "Defense Navigator" AI workflow. Documentation + KB.
  • Drata: Generic GRC help. Deep CMMC education comes from BARR partner engagement.
  • FutureFeed: Documentation portal. No contextual glossary in the questionnaire.
  • Delve: AI assistant for compliance Q&A. Deep CMMC education comes from the partner RPO.
  • PreVeil: KB articles + support. Not architected as a teaching surface.

What's left for you

  • Garde1: The C3PAO assessment itself (industry-set fee).
  • Secureframe Defense: C3PAO + Azure Government costs + per-user GCC High licenses + likely a consultant for gap remediation.
  • Drata: C3PAO + the BARR Advisory engagement (partner RPO) layered on top.
  • FutureFeed: C3PAO + the actual work of doing CMMC yourself with a checklist.
  • Delve: C3PAO + the partner RPO engagement.
  • PreVeil: C3PAO + an RPO + a way to measure the other 200+ objectives the overlay does not touch.

Pricing

  • Garde1: $20K/yr flat. Single tier. Full feature access.
  • Secureframe Defense: Quote-only. Industry-reported avg ~$20K ACV across tiers; Defense priced higher.
  • Drata: Median ACV ~$13.5K (third-party data). Per-framework add-ons.
  • FutureFeed: ~$2.2K–$4K/yr depending on FTE band (DoD Contractor CUI Bundle).
  • Delve: Not publicly disclosed.
  • PreVeil: From $450/mo entry tier (3 users / annual upfront). Scales with seats.

Pricing and feature data drawn from public sources as of Q2 2026 (vendor sites, Help Net Security, Sacra, Crunchbase, E-N Computers, CyberAB Marketplace). C3PAOs (e.g. ControlCase, CyberSheath) are not listed here — they certify, Garde1 prepares.

Timeline

With Garde1: 4–12 weeks. With consultants: 6–18 months.

The traditional path is a consulting engagement: someone interviews your staff, drafts documents in Word, collects evidence in spreadsheets, and rebuilds it all every audit cycle. That typically takes 6 to 18 months and costs six figures.

Garde1 generates the documents from a guided questionnaire, pulls evidence automatically from the systems you already run (Microsoft, AWS, Okta, CrowdStrike, and 20+ more), and keeps it all current as your environment changes. Most organizations reach assessment-ready in 4 to 12 weeks depending on their starting posture.

What Garde1 saves you

$30K–$130K less, 6–14 months sooner, same finish line.

Most defense contractors hire an RPO to do the readiness work — the gap assessment, the SSP drafting, the evidence collection — and pay $50K–$150K over 12–18 months to get to assessment-ready. Garde1 starts at $20K/yr and gets you to the same place in 4–12 weeks. The C3PAO assessment fee at the end is set by the C3PAO and unavoidable — Garde1 doesn't charge for it, it prepares you to walk in without scrambling.

Readiness work

  • RPO + consulting path: $50K–$150K · paid to an RPO / consultant for the gap assessment, SSP, evidence collection
  • Garde1: Starts at $20K/yr · platform fee, all-in
  • Difference: $30K–$130K saved on Year 1 readiness

Time to assessment-ready

  • RPO + consulting path: 12–18 months · industry standard for outsourced readiness
  • Garde1: 4–12 weeks · most contractors reach the bar inside the first quarter
  • Difference: 6–14 months of calendar time saved

Continuous monitoring

  • RPO + consulting path: $15K–$50K/yr ongoing · separate engagement after certification
  • Garde1: Included · same flat subscription

C3PAO assessment fee

  • RPO + consulting path: $40K–$80K · industry-set, paid to the C3PAO
  • Garde1: $40K–$80K · same, set by the C3PAO (not Garde1)

Cost ranges sourced from Q2 2026 industry data (DoD CMMC rule, Workstreet, IBSS, Huntress, Red River, CISPOINT). Lower-end RPO fees apply to smaller contractors with simpler scope; upper end applies to mid-sized contractors with complex CUI handling.

Next step

See where you stand in 20 minutes.

Bring your contract clauses and any existing security documents. We'll walk through the gaps, give you a concrete timeline, and tell you honestly whether Garde1 is the right fit.

FAQ

Common questions, direct answers.

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. It is the U.S. Department of Defense's required security standard for any company that handles Controlled Unclassified Information (CUI) on behalf of the DoD. There are three levels — most defense contractors need Level 2.

Do I actually need CMMC?

If your contracts include a DFARS 252.204-7012 or 252.204-7021 clause and you handle CUI, then yes — you will need CMMC Level 2 certification to keep those contracts and to bid on new DoD work. Companies that only handle FCI (Federal Contract Information) but not CUI typically need Level 1.

What happens if I don't get certified?

You lose the ability to hold or bid on DoD contracts that require CMMC. You may be in breach of existing contracts that have already been updated with the new clauses. There is also potential exposure under the False Claims Act if you affirmed compliance you did not have.

How long does CMMC certification take?

With Garde1, most organizations reach assessment-ready in 4–12 weeks depending on their starting security posture. The traditional consultant path typically runs 6–18 months because of manual evidence collection, document drafting, and back-and-forth with the assessor.

What does CMMC cost?

Garde1's software is priced at roughly 10–20% of what a consulting engagement typically costs. The third-party assessment itself (run by a C3PAO, separate from Garde1) is an additional cost set by the assessor.

Is Garde1 a C3PAO?

No. Garde1 prepares you for assessment and runs a mock assessment so you know where you stand. The official certification is issued by a separate, accredited C3PAO — Garde1 does not issue certifications.

Glossary

The acronyms you'll keep hearing, in one place.

  • CMMC (Cybersecurity Maturity Model Certification): The DoD's required security standard for contractors.
  • CUI (Controlled Unclassified Information): Sensitive but unclassified information the federal government requires you to protect (technical data, blueprints, plans, etc.).
  • DFARS (Defense Federal Acquisition Regulation Supplement): The DoD's contracting rulebook. Clause 7012 is the one that triggers your CMMC obligation.
  • DIB (Defense Industrial Base): The collective network of contractors and suppliers that produce goods and services for the DoD.
  • C3PAO (Certified Third-Party Assessment Organization): The accredited firm that runs your official CMMC assessment and issues the certification. Garde1 is not a C3PAO.
  • RPO (Registered Provider Organization): A firm authorized to help contractors prepare for CMMC. Garde1 is pursuing RPO registration.
  • OSC (Organization Seeking Certification): That's you, the contractor going through CMMC.
  • ESP (External Service Provider): A third party that processes, stores, or transmits CUI on your behalf, or provides security protection for your environment.
  • SSP (System Security Plan): The master document describing how your organization meets each security requirement. Required for assessment.
  • POA&M (Plan of Action and Milestones): The formal remediation plan listing the gaps you have and when you'll fix them. Auditors expect this.
  • SPRS (Supplier Performance Risk System): The DoD's scoring system. Your CMMC score (out of 110) is reported here.
  • NIST SP 800-171 (NIST Special Publication 800-171): The 110 security requirements that CMMC Level 2 is built on.