Free AI Tool
Ask a CMMC Compliance Question — Free AI Assistant
Plain-English answers about CMMC 2.0, DFARS clauses, CUI, Level requirements, and costs. No sales pitch.
Get Instant CMMC Answers
CMMC compliance generates dozens of specific questions that generic guidance doesn't answer: Does my MSP need to be CMMC certified? What happens if my subcontractor fails their assessment? Can I use Microsoft 365 GCC for CUI?
Our AI assistant is trained on CMMC 2.0 documentation, NIST SP 800-171, DoD rulemaking, and Cyber AB guidance. It's designed for defense contractors who need clear, specific answers — not generic overviews.
Common questions the assistant handles well:
- Contract and flowdown requirements
- Technology compliance (Microsoft 365, Google Workspace, AWS GovCloud)
- Assessment preparation and C3PAO selection
- SSP and POA&M structure
- SPRS scoring
The assistant is a starting point, not legal advice. For contract-specific questions or formal guidance, consult a Registered Practitioner Organization (RPO).
Hi — I'm Meridian's CMMC assistant. Ask me anything about CMMC 2.0 compliance, DFARS clauses, CUI, Level requirements, or what certification actually costs.
I give plain-English answers based on current regulations and real market data. For complex situations, I'll suggest you talk to a navigator.
AI-generated responses. Not legal advice. For contract-specific questions, talk to a navigator.
Next Step
For situation-specific guidance, a navigator can review your contracts directly.
Free 15-min call. We'll review your contracts and tell you exactly what applies to your situation.
Common CMMC Questions — Sample Answers
Can I use Microsoft 365 for CUI under CMMC Level 2?
Yes, but only Microsoft 365 GCC High meets the full requirements for CUI under CMMC Level 2. Standard M365 and M365 GCC do not meet all NIST 800-171 controls for CUI. GCC High is FedRAMP High authorized and supports the full control set required for CUI handling.
Does my IT provider (MSP) need to be CMMC certified?
If your MSP has access to your CUI environment or manages systems that process CUI, they are likely in scope for CMMC and may need their own certification or be assessed as part of your enclave. This is a common gap — verify your MSP's CMMC status before your assessment.
What is the Cyber AB and why does it matter?
The Cyber Accreditation Body (Cyber AB) is the accreditation body for the CMMC ecosystem. It accredits C3PAOs (assessors), Registered Practitioner Organizations (RPOs), and individual practitioners. Use the Cyber AB marketplace to find authorized assessors and consultants.
What score do I need on my SPRS self-assessment?
The maximum SPRS score is 110 (full compliance with NIST 800-171). There is no minimum passing score for the self-assessment itself; you must have a score on file, whatever it is. However, contracting officers may set minimum score thresholds in solicitations, and a very low score can affect contract competitiveness.
How long does a C3PAO assessment take?
A Level 2 C3PAO assessment typically takes 2–4 weeks from kickoff to final report for a small business. The on-site or virtual assessment itself is usually 3–5 days. Add 4–6 weeks of preparation time if you're not yet ready. Total timeline from engagement to certificate: 8–16 weeks.
Next Step
Need a structured assessment of your readiness?
The free readiness assessment gives you a scored evaluation across 9 control domains — more structured than Q&A.