Third-party CMMC assessments become mandatory November 10, 2026.
Phase 1 self-assessments are already required. Phase 2 eliminates self-attestation for CUI — your C3PAO will need evidence, not checklists.
Map your entire pipeline to 110 NIST 800-171 practices in 90 seconds. Know your SPRS score before your C3PAO does.
CMMC four-phase rollout
The final rule was published September 10, 2025. Enforcement is already underway. Contracts require compliance at your required level now — not by 2028.
Nov 10, 2025
Self-Assessments Required
Level 1 and Level 2 self-assessments are required in new contracts. DoD may still request third-party Level 2 assessments.
Nov 10, 2026
Third-Party Assessments Mandatory
Level 2 C3PAO assessments become mandatory for all contracts involving CUI. No more self-attestation.
Nov 10, 2027
Level 3 Assessments
Level 3 government-led assessments introduced for the most sensitive contracts and programs.
Nov 10, 2028
Full Implementation
CMMC requirements fully implemented across all applicable DoD contracts. No exceptions.
No size exemption
CMMC applies to all DoD contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — including prime contractors, subcontractors, and small businesses. If you plan to bid on contracts after November 10, 2025, you need compliance at your required level immediately.
What you get
All 110 CMMC Level 2 Practices Mapped
Every NIST SP 800-171 Rev 2 practice automatically mapped from your scan findings. No spreadsheets, no guesswork.
SPRS Score Calculation
Instant Supplier Performance Risk System score from -203 to 110. Know exactly where you stand before your C3PAO assessment.
Gap Analysis with Remediation Priorities
AI-prioritized remediation roadmap ranked by risk impact. Focus on what moves the needle for your SPRS score first.
POAM Auto-Generation
FedRAMP Appendix A-format Plans of Action and Milestones generated automatically. Accepted by C3PAOs and DIBCAC assessors.
Audit Evidence Export
One-click PDF and CSV export of assessment results, control mappings, and remediation status for your assessment package.
Cryptographic Audit Trail
Ed25519 signed + Merkle tree verified evidence chain. Tamper-proof records your C3PAO assessor can independently verify.
How it works for defense contractors
Step 01
Run the scanner
Point the CLI at your codebase, infrastructure configs, or import existing scan results from Nessus, Qualys, or any of 11 supported formats.
Step 02
AI maps findings to NIST 800-171
AI-powered triage automatically maps every finding to the relevant NIST 800-171 practices across all 14 control families.
Step 03
Generate your SPRS score and POAMs
Get your calculated SPRS score, see which practices are met, partially met, or not met, and generate compliant POAMs.
Step 04
Track remediation in the dashboard
Assign findings to team members, set SLA deadlines, track remediation progress, and watch your SPRS score improve.
CMMC compliance shouldn't cost $50K
300,000+ small defense subcontractors need to comply. Most can't afford a consultant.
Typical CMMC consultant
- $15,000 – $50,000 engagement fee
- 3–6 month assessment timeline
- Point-in-time snapshot only
- Manual spreadsheet-based tracking
- No continuous monitoring
- Additional cost for remediation support
CVERiskPilot Pro
- $149/month — cancel anytime
- 90-second initial assessment
- Continuous compliance monitoring
- Automated POAM generation
- AI-prioritized remediation roadmap
- Evidence export for C3PAO assessors
Less than 1% of what a typical CMMC consultant charges — with continuous monitoring, not a one-time snapshot.
Estimate your SPRS score
Select the implementation status for each of the 14 NIST 800-171 control families. Click a family to cycle through Not Implemented, Partially Implemented, Fully Implemented.
Range: −203 (worst) to 110 (perfect)
Get a precise SPRS score with a full scan
This estimator uses control family-level granularity. For a practice-by-practice assessment mapping your infrastructure to all 110 NIST 800-171 practices, run the CVERiskPilot scanner.
Plans for every stage of CMMC readiness
Free workspace
Create the workspace, run the scanner, and establish a CMMC baseline before buying hosted usage.
- Unlimited local CLI scans
- CMMC-focused baseline checks
- Workspace and first API key
- Local evidence gathering
- Upgrade later when you need more AI volume
Pro
The default paid path for teams validating a real hosted assessment workflow, with a 14-day trial before the first bill.
- 1,000 AI triage calls / month
- Hosted triage and batch routes
- POAM generation + export
- Best fit for initial rollout
- 14-day Pro trial
Phase 2 is seven months away. Start now.
Phase 1 self-assessments are already in contracts. Phase 2 makes third-party assessments mandatory — your C3PAO will need evidence packages, not spreadsheets. Run the scanner, get your SPRS score, and build your evidence trail today.
100% Veteran Owned · SDVOSB eligible · FedRAMP POAM ready
