CMMC 2.0 Copilot

Navigate DoD cybersecurity certification requirements with confidence

What the CMMC 2.0 Copilot Can Do

Identify which CMMC level applies to your contract and information type

Map your asset inventory to defined CMMC assessment scope categories

Understand POA&M eligibility rules and named-barred requirements under §170.21

Navigate the C3PAO, DIBCAC, and self-assessment pathways for each level

Interpret ESP and cloud provider obligations under DFARS 252.204-7012

Track annual affirmation and three-year certification lifecycle obligations

About CMMC 2.0 Copilot

CMMC 2.0, established under 32 CFR Part 170 and operationalized via DFARS 252.204-7021, requires defense contractors handling FCI or CUI to meet defined security requirements at one of three levels. The CMMC 2.0 Copilot helps you work through assessment readiness, scoping decisions, and POA&M constraints across all three levels.

Frequently Asked Questions

What is CMMC 2.0?

CMMC 2.0 is a DoD certification scheme established under 32 CFR Part 170 that requires defense contractors and subcontractors to meet defined cybersecurity requirements before processing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It operates across three levels, drawing on FAR 52.204-21 at Level 1, NIST SP 800-171 Rev. 2 at Level 2, and selected NIST SP 800-172 requirements at Level 3.

How does the CMMC 2.0 Copilot help?

The Copilot helps you understand the requirements at each level, identify which assets fall within your CMMC Assessment Scope under §170.19, and interpret the POA&M constraints and named-barred requirements under §170.21 so you can prepare for a self-assessment or C3PAO engagement more effectively.

Which requirements can never be placed on a POA&M at Level 2?

Under §170.21(b), six requirements are barred from POA&M at Level 2 and must be fully implemented at the time of assessment: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. Additionally, POA&Ms are not permitted at all at Level 1, and any open POA&M items at Level 2 must be closed within 180 days to avoid expiry of Conditional CMMC Status.
