FAQ

Frequently asked questions.

Answers to common questions about CMMC Level 2, HIPAA compliance, SSP-as-Code, pricing, and how we work.

CMMC & Compliance
What's the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers 17 basic cyber hygiene practices and allows self-assessment — you check yourself and submit an affirmation annually. Level 2 covers all 110 practices from NIST SP 800-171 Rev 2 and requires a C3PAO (Third-Party Assessment Organization) assessment for contracts that involve CUI (Controlled Unclassified Information).

If your DoD contract includes DFARS 252.204-7012 and you touch CUI, you are in L2 scope. There is no self-attestation path for L2 contracts at full certification level.

Do I need CMMC if I'm a subcontractor?

Yes, if your prime's contract includes DFARS 252.204-7012 and you handle CUI. Flow-down requirements apply to the entire supply chain — a subcontractor that processes or stores CUI must meet the same CMMC level as the prime.

Even if you only handle FCI (Federal Contract Information) and not CUI, you need at least Level 1. If you're unsure whether your data qualifies as CUI, the DoD CUI Registry at archives.gov/cui is the authoritative reference.

What if I'm already using Vanta or Drata?

Those platforms excel at SOC 2 and ISO 27001. CMMC L2 has fundamentally different requirements: you need CUI boundary modeling, a weighted SPRS score (not a percent-complete bar), OSCAL-format artifacts, and detect/respond tooling that stays inside your authorization boundary.

We complement them, not replace them. If you're running SOC 2 in parallel, keep Drata for that program and add a CMMC-native stack for the DoD work. See our vs. Drata comparison for the technical breakdown.

What's an SPRS score and why does it matter?

Your SPRS (Supplier Performance Risk System) score is a weighted number ranging from −203 to 110, calculated per the DoD Assessment Methodology. You self-calculate it, submit it to SPRS.gov, and contracting officers check it before awarding contracts that involve CUI.

It is not a percentage-complete bar. Each of the 110 NIST 800-171 practices carries a specific point value, so the same number of gaps can produce very different scores depending on which controls are missing. Try our interactive SPRS simulator to see how your current posture scores.
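To make the weighting concrete, here is an added worked example (not code from the original page or from our tooling). It scores three postures that each have exactly three gaps. The scoring rules are the published ones from the DoD Assessment Methodology (110 minus per-practice deductions, partial credit only on the MFA and FIPS-cryptography practices, floor of −203), but the weight table is a constructed ten-practice subset for illustration; a real run would load the full 110-practice table.

```python
"""Weighted SPRS-style scoring: why gap count alone tells you nothing."""

MAX_SCORE = 110
MIN_SCORE = -203

# Constructed, illustrative subset of the weight table. Under the DoD
# Assessment Methodology every one of the 110 NIST SP 800-171 practices
# is worth 5, 3 or 1 points; the weights here are for illustration only.
ILLUSTRATIVE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to authorized transactions and functions
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.4.1": 3,    # baseline configurations
    "3.10.1": 3,   # limit physical access
    "3.1.3": 1,    # control the flow of CUI
    "3.1.7": 1,    # non-privileged users cannot run privileged functions
    "3.8.4": 1,    # mark media containing CUI
}

# The methodology grants partial credit on two practices: a partial
# implementation deducts 3 points instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deductions(weights, status):
    """Return {practice: points deducted} for every unmet or partial practice.

    `status` maps practice id -> 'met' | 'partial' | 'not_met'. A practice
    that is in the weight table but has no status is scored as not met,
    because a control without evidence earns no credit.
    """
    out = {}
    for pid, weight in weights.items():
        state = status.get(pid, "not_met")
        if state == "met":
            continue
        if state == "partial" and pid in PARTIAL_DEDUCTION:
            out[pid] = PARTIAL_DEDUCTION[pid]
        elif state in ("partial", "not_met"):
            out[pid] = weight  # no partial credit exists for other practices
        else:
            raise ValueError(f"unknown status {state!r} for {pid}")
    return out


def sprs_score(weights, status):
    """110 minus all deductions, floored at the methodology's minimum of -203."""
    return max(MIN_SCORE, MAX_SCORE - sum(deductions(weights, status).values()))


def prioritized_gaps(weights, status):
    """Gaps ordered by points recovered: the order a remediation roadmap uses."""
    return sorted(deductions(weights, status).items(),
                  key=lambda kv: (-kv[1], kv[0]))


def all_met(weights):
    return {pid: "met" for pid in weights}


def compare_postures():
    """Three postures, each with exactly three gaps, and their scores."""
    low_weight_gaps = dict(all_met(ILLUSTRATIVE_WEIGHTS),
                           **{"3.1.3": "not_met", "3.1.7": "not_met", "3.8.4": "not_met"})
    high_weight_gaps = dict(all_met(ILLUSTRATIVE_WEIGHTS),
                            **{"3.1.1": "not_met", "3.5.3": "not_met", "3.13.11": "not_met"})
    partial_credit = dict(high_weight_gaps, **{"3.5.3": "partial", "3.13.11": "partial"})
    return {
        "three 1-point gaps": sprs_score(ILLUSTRATIVE_WEIGHTS, low_weight_gaps),
        "three 5-point gaps": sprs_score(ILLUSTRATIVE_WEIGHTS, high_weight_gaps),
        "same gaps, MFA and FIPS partial": sprs_score(ILLUSTRATIVE_WEIGHTS, partial_credit),
    }


if __name__ == "__main__":
    for label, score in compare_postures().items():
        print(f"{label}: {score}")
```

Three 1-point gaps leave you at 107; the same count of 5-point gaps drops you to 95; partially implementing MFA and FIPS cryptography claws back to 99. `prioritized_gaps` is the ordering a remediation roadmap follows: close the 5-point gaps first, because that is where the score moves.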

When does CMMC L2 certification become mandatory?

CMMC is being phased into new contracts starting now under DFARS 2019-D041. By October 2026, C3PAO third-party assessments become the standard path for contracts involving CUI. The timeline is accelerating — the DoD has been including CMMC clauses in new solicitations since late 2025.

If your prime is already asking for your SPRS score, you are already in scope. Don't wait for a contract clause to force your hand — the C3PAO assessment pipeline is already backed up.

How We Work
What does SSP-as-Code mean?

Your System Security Plan is generated from a pipeline, not written by hand. Here is how it works: Prowler scans your AWS environment against all 110 NIST 800-171 controls. OPA policies enforce the configuration on every commit. Our OSCAL emitter reads those results and assembles a machine-readable SSP in OSCAL 1.2.1 format.

When your infrastructure changes, your SSP updates automatically. Every control statement references a specific Prowler check ID with SHA256-signed provenance. The evidence is already assembled before the C3PAO calls. The SSP is a build artifact — it has a version, a hash, and a pipeline that generated it.
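The pipeline above can be sketched end to end in a few dozen lines. The following is an added example and not our OSCAL emitter or Prowler's own code: it folds constructed, Prowler-style scan findings into a simplified SSP dict that borrows OSCAL's implemented-requirement vocabulary (it is not a schema-validated OSCAL document), attaches a SHA-256 digest of each raw finding as provenance, opens POA&M items for failed checks, and derives the SSP version from a hash of its own content so that any infrastructure change produces a new artifact. The check names, resource ARNs and the check-to-practice mapping are all assumptions made for the example.

```python
import hashlib
import json
from collections import defaultdict


def canonical(obj) -> bytes:
    """Canonical JSON so the same finding always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample findings in a Prowler-like shape (check id, status,
# resource). The names follow Prowler's naming style; the records are made up.
SAMPLE_FINDINGS = [
    {"check_id": "cloudtrail_multi_region_enabled", "status": "PASS",
     "resource": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
    {"check_id": "iam_root_mfa_enabled", "status": "PASS",
     "resource": "arn:aws:iam::123456789012:root"},
    {"check_id": "iam_user_mfa_enabled_console_access", "status": "FAIL",
     "resource": "arn:aws:iam::123456789012:user/deploy-bot"},
    {"check_id": "s3_bucket_default_encryption", "status": "PASS",
     "resource": "arn:aws:s3:::cui-artifacts"},
]

# Constructed mapping from check id to NIST SP 800-171 practice id. A real
# pipeline loads this from a maintained compliance mapping, not a literal.
CHECK_TO_PRACTICE = {
    "cloudtrail_multi_region_enabled": ["3.3.1"],
    "iam_root_mfa_enabled": ["3.5.3"],
    "iam_user_mfa_enabled_console_access": ["3.5.3"],
    "s3_bucket_default_encryption": ["3.13.16"],
}


def build_ssp(findings, mapping, system_name="example-cui-enclave"):
    """Fold scan findings into a simplified, OSCAL-flavoured SSP dict.

    Every control statement carries the evidence behind it: check id,
    resource, result and a SHA-256 digest of the raw finding, so an assessor
    can tie the statement back to one specific scan result. A practice is
    'implemented' only if every check mapped to it passed; otherwise it is
    'planned' and a POA&M item is opened for each failing check.
    """
    evidence = defaultdict(list)
    for f in findings:
        for practice in mapping.get(f["check_id"], []):
            evidence[practice].append({
                "check_id": f["check_id"],
                "resource": f["resource"],
                "result": f["status"],
                "provenance_sha256": sha256_hex(canonical(f)),
            })

    requirements, poam = [], []
    for practice in sorted(evidence):
        failed = [e for e in evidence[practice] if e["result"] != "PASS"]
        requirements.append({
            "control-id": practice,
            "status": "planned" if failed else "implemented",
            "evidence": evidence[practice],
        })
        for e in failed:
            poam.append({"control-id": practice, "check_id": e["check_id"],
                         "resource": e["resource"], "status": "open"})

    body = {
        "system-name": system_name,
        "control-implementation": {"implemented-requirements": requirements},
        "poam": poam,
    }
    # The SSP is a build artifact: its version is the hash of its own content,
    # so a changed finding yields a different version and a detectable drift.
    body["version"] = sha256_hex(canonical(body))
    return body


def drifted(previous_ssp, current_ssp) -> bool:
    """True when a regeneration produced a different artifact than the last one."""
    return previous_ssp["version"] != current_ssp["version"]


if __name__ == "__main__":
    print(json.dumps(build_ssp(SAMPLE_FINDINGS, CHECK_TO_PRACTICE), indent=2))
```

One caveat worth keeping in mind when reading "signed provenance": a digest computed by the pipeline proves the SSP matches the findings only if the findings (or their digests) are retained somewhere the pipeline cannot later rewrite, such as a write-once evidence store or a log the assessor can pull independently.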

How long does a CMMC L2 engagement take?

A CMMC Ready assessment takes 2–3 weeks. That includes a Prowler scan of your AWS environment, a point-accurate SPRS baseline, and a gap analysis with a prioritized remediation roadmap.

A full SSP-as-Code build takes 8–12 weeks. The range depends on your current posture — if you already have Terraform-managed infrastructure and a CI pipeline, you're starting from a better baseline. Take the readiness quiz for a quick estimate based on your current state.

Do you deploy tools in my environment?

Yes. For CMMC L2 clients, the detect/respond stack — SOCFortress CoPilot (Wazuh + Graylog + Velociraptor + DFIR-IRIS + Shuffle) — is deployed inside your authorization boundary. CUI telemetry never leaves your environment. Our infrastructure is explicitly out of scope.

This is not optional for CMMC L2. Pushing SIEM logs or IR artifacts to a multi-tenant SaaS that does not itself hold CMMC L2 authorization creates a compliance problem. The per-client deployment model is the only architecturally correct approach.

What happens after the SSP is delivered?

You get three things: a machine-generated SSP in OSCAL format, a CI compliance gate that runs on every commit and fails the build if a policy is violated, and an evidence pipeline that keeps your documentation current as your infrastructure evolves.

When the C3PAO assessor arrives, your evidence package is already assembled and signed. There is no scrambling to gather screenshots or write explanatory narratives. The pipeline is the evidence.

How is your approach different from a traditional GRC consultant?

Traditional GRC consultants produce Word documents and spreadsheets that describe what your controls are supposed to do. Those documents go stale within weeks of delivery because infrastructure keeps changing and no one updates the documentation.

We produce a pipeline that regenerates evidence on every infrastructure change. The SSP is a build artifact with a version and a hash. Every control statement references a Prowler check ID that was actually run against your actual environment. If the check passes, the control is green. If it fails, the POA&M is updated automatically.

Pricing & Process
What does a CMMC Ready assessment cost?

$8,000–$15,000 depending on scope. The range reflects the size of your AWS footprint and the number of system boundaries in scope. Includes a Prowler scan of your environment, a point-accurate SPRS baseline, a gap analysis mapped to NIST 800-171 Rev 2, and a prioritized remediation roadmap. Delivered in 2–3 weeks.

See the full pricing page for a breakdown of all three tiers.

Do you offer ongoing monitoring?

Yes. Managed Ops ($3k–$5k/month) includes continuous compliance monitoring, monthly automated Prowler scans, SSP regeneration when your infrastructure changes, drift detection and alerting, POA&M tracking, and incident response support.

Managed Ops is the right tier for organizations that have completed their SSP-as-Code build and need to maintain compliance between now and their C3PAO assessment — and after it.

What's included in Managed Ops?

Everything in the SSP-as-Code tier, plus:

  • Monthly automated Prowler scans against your environment
  • SSP regeneration when infrastructure changes are detected
  • Drift detection alerts when configuration diverges from policy
  • POA&M tracking and remediation status updates
  • Incident response support when a new case lands in the DFIR-IRIS queue

Can I start with a readiness assessment and upgrade later?

Absolutely. Most clients start with CMMC Ready to understand their gaps, then move to SSP-as-Code for the full build. The assessment work feeds directly into the build phase — the Prowler scan results, SPRS baseline, and gap analysis all carry forward. Nothing is thrown away and re-done.

The CMMC Ready assessment is priced as a standalone engagement. If you move to SSP-as-Code, the assessment cost is credited against the project fee.

Still have questions?

We're happy to answer via email or on a quick call — no pitch, just answers.
