How it works

Three pieces. Built for security. Made for you.

A server you host. A desktop app your team installs. A secure update channel between them. Everything else - the encryption, the controls library, the assessor-ready output - is taken care of for you.

1. Your CMMC2Go server

Lives in your tenant, on hardware you control. Your SSP, evidence, and audit log never leave your boundary. Strong encryption is on by default.

2. Your team's desktop app

One signed Windows installer. Each user enters your server URL on first run. The app is purpose-built for compliance work - no extensions, no leaks, no surprises.

3. Secure updates from us

We push new control mappings, security recommendations, and feature updates through a verified channel. Your server validates every update before applying it. You stay current without lifting a finger.

Trust by design

Encryption you can name-drop in your audit.

We use RSA-4096, a strong cryptographic standard, to sign and verify every update, every license, and every release artifact. If a single byte is tampered with anywhere along the chain, your server refuses it. No fall-backs, no exceptions.

Your data is yours

The CMMC2Go server runs in your environment. No third-party cloud holds your SSP, evidence, or POA&M. SPA (Security Protection Asset) classification, never a CUI repository.

Verified end-to-end

Updates and licenses are cryptographically signed by us and verified by your server. Tampered or unauthorized payloads are rejected automatically.

No telemetry, ever

The desktop app talks to your server. Nothing else. No usage analytics, no error reporting to a SaaS, no phone-home behavior of any kind.

cmmc2go.com

What lives at this address.

Three things you can fetch from us; nothing of yours.

Public installer download

The Windows desktop installer at /download. The same installer for every customer; only the server URL each user types differs.

Signed update manifest

A small JSON document that tells installed apps when a new version is available. Cryptographically signed. Your app verifies it before pulling anything.

Not your customer data

Your SSP, your POA&M, your evidence files, your auth tokens, your audit log - none of these ever leave your tenant. They live exclusively on the CMMC2Go server in your environment.

License lifecycle

What happens if you don't renew?

Don't worry - your evidence is yours forever. Just the automated tooling takes a break until you're back.

Always yours

Your evidence stays put

Everything you've already built - SSP, POA&M, evidence bundles - stays right where it is, readable and exportable. You can still hand a current packet to your assessor any day of the week.

On pause

The automations take a nap

The fancy stuff hits snooze until you renew:

  • Tenant management workflows
  • One-screen access that replaces portal-hopping
  • Automations for IT and compliance admins
  • Guided wizards for non-experts
  • Fresh control mappings and security updates

Renew whenever you're ready and everything wakes back up instantly - your team picks up exactly where they left off. Nothing to reconfigure, nothing to migrate.

Disaster recovery

Get back in the saddle, fast.

Whatever happens to your server - hardware failure, accidental restore, full DR scenario - we have documented recovery methods that get you back to a known-good state with your evidence and configuration intact. Talk to us during onboarding and we'll walk through the right plan for your environment.
