Honest answers to the questions defense contractors ask before buying CMMC tooling. Includes the regulatory boundary between what we offer (readiness support, IT implementation, SSP preparation) and what only an authorized C3PAO can do (issue official CMMC certification).
No. CMMC2Go is software that helps you prepare for a CMMC assessment - it generates your System Security Plan, tracks your evidence, deploys your Microsoft 365 baseline, manages your POA&M, and walks your team through the controls. For Level 2, the certification itself is awarded by an authorized C3PAO (CMMC Third-Party Assessment Organization) after it assesses your environment. We are not a C3PAO and we do not issue certifications. CMMC2Go gets you ready; the C3PAO certifies you.
CMMC2Go is a self-hosted server plus desktop client that lives inside your tenant. It (a) reads your Microsoft 365 and Defender state via Microsoft Graph and surfaces alerts, sign-in logs, and policy gaps; (b) deploys Conditional Access, Intune compliance, Defender Attack Surface Reduction (ASR) rules, BitLocker, Windows LAPS, and Windows hardening baselines on your behalf; (c) renders a per-control SSP and captures evidence per control; (d) tracks your POA&M; (e) provides device-access helpdesk tooling (LAPS password retrieval, BitLocker recovery, force-sync, session revocation) and a Quick Assist wrapper for remote support - all permission-gated and audit-logged. The complete control surface for each CMMC Level 2 family is on the Features page.
No. CMMC2Go is categorized as a Security Protection Asset (SPA) that processes Security Protection Data (SPD), not CUI. It reads control state from your tenant, captures audit metadata, and renders compliance documents - it does not read CUI mailboxes, file shares, SharePoint sites, or engineering applications. Note that an SPA is still inside your CMMC assessment scope: it does not handle CUI, but the assessor will evaluate it against the requirements that apply to it, so it needs to appear in your SSP and asset inventory. The full categorization with hosting tiers and inheritance map is in our Customer Responsibility Matrix (shipped with every install).
No. We are an IT implementation and readiness-consulting company. We are not authorized by The Cyber AB or DoD to perform official CMMC assessments, issue CMMC certifications, or use Cyber AB marketplace badges. If you need an official Level 2 assessment, you must engage an authorized C3PAO; final determinations are made by a Certified CMMC Assessor (CCA) or Lead CCA.
No. Only an authorized C3PAO can perform an official Level 2 certification assessment. What we CAN do is a readiness review or internal mock assessment - a structured walk-through of all 110 NIST SP 800-171 requirements against your evidence, with a written gap report and remediation plan. This is preparation work, not certification, and we are explicit about that distinction in writing before any engagement starts.
No, and any vendor who tells you that is misleading you. The C3PAO is independent and makes their own determination based on the evidence they observe. What we guarantee is that the tooling, baselines, and documentation CMMC2Go produces map cleanly to the 110 controls of NIST SP 800-171 / CMMC L2, and that if you use them correctly your assessor will have everything they need to evaluate you. The decision is theirs.
Readiness and implementation support, sold as add-on engagements separate from the app license. This includes: NIST SP 800-171 gap reviews, CUI scoping help, SSP and POA&M preparation, Microsoft 365 GCC High implementation, PreVeil enclave deployment, MFA and Conditional Access design, endpoint hardening, logging architecture, firewall and network segmentation, and internal "mock" readiness reviews. Every engagement is scoped in writing with explicit language that we are not performing an official CMMC certification assessment.
Possibly, yes. Under the CMMC rule, any provider that manages systems, logs, security tools, backups, admin accounts, or security services for a contractor handling CUI may be considered an External Service Provider (ESP) and brought into the contractor's assessment scope. ESP relationships have to be documented in your SSP and Customer Responsibility Matrix, and ESP-delivered services that meet a CMMC requirement get evaluated within your assessment. If you engage us for managed services beyond the software license, we'll work with you up front to define which controls we own, which you own, and how the boundary gets documented for the C3PAO. CMMC2Go ships with an ESP-aware Customer Responsibility Matrix template designed for exactly this scenario.
No. If you purchase CMMC2Go and self-install, self-administer, and self-operate it inside your environment with no managed-service relationship from us, we are a software vendor, not an ESP, and we are not in your assessment scope (the installed software itself is still assessed as a Security Protection Asset, as described above). CMMC2Go has no telemetry, no callback, and no remote administration channel - the only outbound traffic from your install is to your own Microsoft 365 / Defender APIs and the optional signed-update manifest poll, which you can confirm from your own egress firewall logs. The Customer Responsibility Matrix shipped with the app documents this clearly for your assessor.
The price tiers include guided onboarding to help you stand the application up - install walkthrough, first-run wizard support, and answers to product questions. This is product support, not ongoing management of your systems. It is not an ESP relationship by itself; we don't hold credentials in your tenant, we don't operate your security tools, and we don't access your CUI environment. If you want us to take over ongoing operation of any part of your environment, that's a separate managed-services agreement and the ESP boundary gets formalized at that point.
The first-year price bundles the CMMC2Go app license and your first year of subscription updates and support into a single charge. There is no separate setup fee. Starting at month 12, the subscription renews automatically at the per-tier renewal rate listed on the pricing page. You can cancel or change tier at any time from your customer portal; we don't lock you in.
Stripe stores it, not us. When you check out, the card form is rendered by Stripe inside an iframe on our site - your card number is entered directly into Stripe's origin and never enters our servers or our database. Stripe is a PCI DSS Level 1 service provider (the highest level), and our integration falls under PCI DSS SAQ A (the lightest merchant self-assessment) because we never touch the card data directly. We see the customer name, billing email, and subscription status; we never see your full card number or CVV.
You install it inside your environment - either on a Windows VM in your GCC High Azure subscription, or on internal hardware in your CUI enclave. We don't host CMMC2Go for you. This matters because DFARS 252.204-7012 restricts which cloud providers and regions may touch CUI (any cloud service that does so must meet the FedRAMP Moderate baseline or equivalent); by keeping CMMC2Go inside your tenant we sidestep that question entirely. Standard deployment tiers and supported hosting environments are documented in the install guide that ships with each release.
Contact us within 30 days of purchase and we'll refund in full if the app isn't a fit. After 30 days, refunds are pro-rated against the remaining subscription period at our discretion. Auto-renewals can be cancelled at any time from your customer portal; cancelling stops the next renewal charge but doesn't refund the current period.
We'd rather have an honest conversation up front than oversell you something that won't fit.
Contact us