Compliance

The assessor packet, line by line.

This page is for the CMMC assessor and the customer compliance team documenting Garde1 in an OSC's scope. 32 CFR §170.19 places Garde1 in the Security Protection Asset (SPA) lane and names a single regulatory deliverable: a published Customer Responsibility Matrix. Below, in reading order: the §170.19 framing, the per-feature data taxonomy, the CRM itself, pasteable SSP boilerplate, and the regs we track to.

Where we sit

A Security Protection Asset under 32 CFR §170.19. Documented, scoped, accounted for in your CRM.

The DoD framework that governs Garde1's customers — CMMC Level 2 under 32 CFR Part 170 — defines a specific lane for External Service Providers that process, store, or transmit Security Protection Data without touching CUI. §170.19 places those ESPs in the OSC's assessment scope as Security Protection Assets and names a single deliverable from the ESP: a published Customer Responsibility Matrix. We've read the regulation closely — the DoD CMMC Level 2 Scoping Guide v2 is the assessor-facing companion — and built Garde1 to land cleanly in that lane. The CRM below is what your assessor will ask for.

Four facts your assessor can rely on. One, Garde1 doesn't ask for, accept, or store CUI (see the published No-CUI Policy). Two, customers document Garde1 in their SSP as the CMMC-relevant ESP supporting readiness and reference the CRM below. Three, the regulation doesn't require Garde1 to hold its own CMMC certification or FedRAMP authorization — §170.19(c)(2) is explicit that SPD-only ESPs are scoped via a published CRM, not via independent certification of the provider. Our GovCloud tenancy and FedRAMP 20x roadmap commitments are voluntary — we're pursuing them because serious DIB buyers eventually ask, not because §170.19 requires them. Four, we don't make claims we can't back — “out of CMMC scope”, “CMMC certified”, “FedRAMP compliant”, “performs assessments” are all phrases you will never see on this site.

What Garde1 does

Platform function, data category, CMMC implication.

Per-feature accounting. Each platform function maps to the data category it produces and the CMMC consequence of using it.

Platform function | Data category | CMMC implication
Generates SSP drafts | SPD / security-sensitive | Customer owns the final SSP; Garde1 must protect drafts.
Stores SSPs and document packages | SPD / possibly sensitive business data | Needs retention, deletion, access controls, auditability.
Generates POA&M / remediation items | SPD | Customer owns remediation decisions.
Pulls connector configuration and security posture | SPD | Read-only / default scopes; documented connector scope matrix.
Produces evidence summaries | SPD | Customer validates final evidence.
Produces SPRS self-assessment packet | Assessment support data | Customer / Affirming Official submits. Garde1 does not affirm.
Interview prep | Assessor-prep only | Cannot satisfy controls on its own.
Mock assessment / readiness scoring | Advisory | Not a C3PAO assessment. No certification outcome.
AI recommendations | Advisory | Customer reviews and applies. Garde1 does not make changes autonomously.

Customer Responsibility Matrix

The CRM, line by line.

Most assessors expect this matrix on file before they accept Garde1 in the scope discussion. Paste it verbatim into your CRM or adapt to match your environment.

Official CMMC assessment and certification
  Garde1 owns: None. Garde1 provides mock-assessment readiness tooling, draft artifacts, gap analysis, SPRS self-assessment support packets where applicable, and advisory recommendations only. Garde1 is not a C3PAO, does not perform official certification assessments, does not submit C3PAO results to eMASS, and does not determine official CMMC status.
  Customer owns: Select and engage a C3PAO where required, approve final scope and evidence, submit required affirmations and SPRS entries, implement remediations, and own all official CMMC assessment outcomes.

CUI
  Garde1 owns: Garde1 does not require or intentionally request CUI in the commercial product.
  Customer owns: Do not upload CUI unless separately contracted for a CUI-capable / federal environment (not yet generally available).

SSP generation
  Garde1 owns: Generate draft SSPs from customer inputs, structured scoping data, sanitized connector facts, and approved templates.
  Customer owns: Review, correct, approve, maintain, and own the final SSP.

Security Protection Data
  Garde1 owns: Protect SSP drafts, assessment metadata, connector-derived security posture, evidence summaries, and remediation data.
  Customer owns: Decide what to enter or connect, validate accuracy, and classify customer-side data.

Connectors and agents
  Garde1 owns: Support read-only assessment integrations by default. For remediation and baseline workflows, support explicitly authorized write-capable integrations with scoped permissions, audit logs, and customer approval controls.
  Customer owns: Choose whether to enable write-capable scopes, approve requested permissions, maintain customer-side service accounts, monitor changes, and revoke access when no longer needed.

Baseline application and remediation execution
  Garde1 owns: Provide workflows, proposed actions, rationale, execution records, guardrails, and customer-controlled approval steps. Where configured, Garde1 may initiate approved changes using customer-authorized integrations or agents. Garde1 does not autonomously modify customer environments.
  Customer owns: Review and approve changes, grant least-privilege permissions, validate impact, maintain rollback / backup procedures, and own final remediation decisions and operational outcomes.

Access control
  Garde1 owns: Application roles, authentication and session controls, audit logs, support access controls.
  Customer owns: User lifecycle, SSO / MFA policy, role assignment, approver designation.

Tenant isolation
  Garde1 owns: Two-layer tenant isolation: an application-layer tenant filter on every read and write, and database-layer row-level security forced on roughly 110 multi-tenant tables. A query has to satisfy both layers to return data.
  Customer owns: Maintain separation in customer systems and avoid cross-tenant or cross-customer data entry.

Recommendations
  Garde1 owns: Provide advisory findings, rationale, mock-assessment results, and gap analysis.
  Customer owns: Decide whether and how to remediate; own implementation and risk acceptance.

Evidence and document review
  Garde1 owns: Provide workflows for draft artifacts, evidence summaries, readiness review, and export.
  Customer owns: Approve final evidence, maintain source evidence, present artifacts to the C3PAO.

Support access
  Garde1 owns: Audited support and break-glass process.
  Customer owns: Approve support sessions and maintain emergency contacts.

Retention and deletion
  Garde1 owns: Platform retention, export, backups, and deletion handling.
  Customer owns: Request deletion or export and define customer-side retention obligations.
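
The tenant-isolation row above describes a pattern an assessor may want to see concretely: an application-side tenant filter backed by database row-level security that is forced on every multi-tenant table. The PostgreSQL sketch below is an added example written for this page, not Garde1's own schema or code. The table, role, and setting names (ssp_drafts, garde1_app, app.tenant_id), the sample rows, and the choice of PostgreSQL itself are assumptions made for illustration.

```sql
-- Added example (not Garde1's schema). Assumes PostgreSQL; the names
-- ssp_drafts, garde1_app and app.tenant_id are placeholders.

-- The application connects as an unprivileged role. Superusers bypass
-- RLS unconditionally, so the app must never run as one.
CREATE ROLE garde1_app NOLOGIN;

CREATE TABLE ssp_drafts (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text NOT NULL
);

-- Layer 2: row-level security. FORCE applies the policy to the table
-- owner as well, so an owner-level connection cannot silently read
-- across tenants.
ALTER TABLE ssp_drafts ENABLE ROW LEVEL SECURITY;
ALTER TABLE ssp_drafts FORCE ROW LEVEL SECURITY;

-- The app sets app.tenant_id per transaction. With missing_ok = true,
-- current_setting() returns NULL when the value was never set, and
-- NULLIF handles the empty string left behind by RESET. A NULL
-- comparison is never true, so a session with no tenant sees no rows
-- and can insert none.
CREATE POLICY tenant_isolation ON ssp_drafts
    FOR ALL TO garde1_app
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON ssp_drafts TO garde1_app;
GRANT USAGE ON SEQUENCE ssp_drafts_id_seq TO garde1_app;

-- Constructed sample data for two tenants (inserted as the table owner,
-- before switching to the application role).
INSERT INTO ssp_drafts (tenant_id, title, body) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Tenant A SSP draft', 'placeholder'),
  ('22222222-2222-2222-2222-222222222222', 'Tenant B SSP draft', 'placeholder');

-- What the application does on every request: bind the tenant for this
-- transaction only (SET LOCAL), then query with its own explicit filter.
BEGIN;
SET ROLE garde1_app;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Layer 1: the application filter. Returns tenant A's row.
SELECT id, title FROM ssp_drafts
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';

-- If an application bug drops the WHERE clause, layer 2 still limits
-- the result to tenant A's row.
SELECT id, title FROM ssp_drafts;

-- A write that tries to tag a row with tenant B while bound to tenant A
-- fails the WITH CHECK clause and raises an error:
-- INSERT INTO ssp_drafts (tenant_id, title, body)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
COMMIT;
```

Two checks worth running against any deployment that claims this posture: confirm that every multi-tenant table reports relforcerowsecurity = true in pg_class (a table with ENABLE but not FORCE still lets its owner read everything), and confirm that the application's database role is not a superuser and does not hold BYPASSRLS, since either attribute makes the policy a no-op.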

Garde1 uses read-only integrations for assessment and recommendation workflows by default. Write-capable scopes are opt-in per connector for remediation and baseline workflows only; those require explicit customer authorization and run on customer-owned credentials. Garde1 does not make autonomous changes to customer environments — see connector scopes for the per-category breakdown.

For your SSP and CRM

Pasteable boilerplate. Drop it in. Adjust to your scope.

Two paragraphs your assessor expects. The first describes Garde1's role under §170.19; the second states the no-CUI / SPD-handling posture explicitly.

Garde1, operated by ComplAI Solutions, LLLP, is a mock-assessment
and CMMC readiness platform used by the OSC as an External Service
Provider. Garde1 is not a C3PAO and does not issue CMMC certifications
or determine official CMMC status. Under 32 CFR §170.19, Garde1 is
treated as a Security Protection Asset within this OSC's CMMC
assessment scope because the service processes and stores Security
Protection Data on the OSC's behalf. As an SPD-only, non-CSP ESP,
Garde1 is not required under §170.19 to obtain its own CMMC
certification; the Garde1-published Customer Responsibility Matrix at
garde1.com/compliance documents the security-responsibility split
that satisfies the §170.19 ESP-documentation requirement.

Garde1 does not require customers to provide CUI to generate SSPs or
readiness artifacts. Garde1 may process security-sensitive information,
including SSP drafts, assessment metadata, sanitized configuration
data, evidence summaries, and Security Protection Data.

Sources

Regs and DoD guidance this page tracks to.

Specialty references

Topic-specific deep dives.