CMMC 2.0 — Level 2 · NIST SP 800-171 Rev. 2

Get CMMC Level 2 ready
in 30 days.

Armory is the operating system for small defense contractors. Upload what you have, answer the questions a real auditor will ask, and ship a complete readiness package to your C3PAO.

Level 1 live · Level 2 GovCloud enclave Q3 2026
Level 1 · FCI: $99/mo · 17 practices · live today
Level 2 · CUI: $299/mo · 110 controls · GovCloud Q3
Avg. timeline: 23 days vs. 6–9 months
C3PAOs in network: 42 · Pre-vetted assessors
Built against: DFARS 252.204-7021 · DFARS 252.204-7012 · NIST SP 800-171 r2 · CMMC 2.0 · FedRAMP Mod. Equivalent (Q3) · ITAR-aware
How it works
FUNNEL-PHASE-1
  1. Upload what you have
    Policies, an old SSP, or nothing at all.
  2. AI generates your gap analysis
    Know exactly what's missing in 5 minutes.
  3. Complete tasks one by one
    Step-by-step instructions, no jargon.
  4. Export and pass assessment
    C3PAO-ready package in 30 days or less.
Step 01 / Intake
FORM-IDX-001

Generate gap analysis

Three inputs. Output is a control-by-control readiness report mapped to NIST SP 800-171 Rev. 2.

  • System Security Plan
  • CAGE code
    Don't know it? Leave blank — we'll look it up from your DUNS / UEI.
  • Current compliance posture
No card required. Analysis takes ~6 seconds.
Output preview
AWAITING INPUT
12% Readiness · CMMC Level 2
0% · Target: 100%
Controls required: 110
Partially met: 7
Missing: 103
Top risks identified
  • CRITICAL
    AC.L2-3.1.1
    No multi-factor authentication on admin accounts
  • CRITICAL
    IR.L2-3.6.1
    No documented incident response plan
  • HIGH
    MP.L2-3.8.3
    No media sanitization procedures
  • HIGH
    AU.L2-3.3.1
    Insufficient audit log retention (90 days required)
  • MED
    CM.L2-3.4.2
    Baseline configurations not documented
Estimated timeline: 29 days
Estimated cost: $20,940 vs. $15,000+ consultant
Sample output — submit form to compute your numbers
The 30-day journey

From letter received to readiness package shipped.

We don't sell AI. We sell "keep your contract" — and we use AI to make it 10× faster and 5× cheaper than a consultant.

  1. DAY 0

    Panic, then triage

    Upload your SSP — or tell us you don't have one. We map your current posture against all 110 NIST 800-171 controls in under a minute.

    Output: Gap analysis · Top 3 risks · Cost & timeline estimate
  2. DAY 1–7

    Discovery & documentation

    Async chat interviews, 5 minutes at a time. The AI generates your System Security Plan, 12 required policy documents, and a network diagram template — pre-filled with your CAGE, NAICS, and systems inventory.

    Output: SSP · 12 policies · Network diagram · Evidence checklist
  3. DAY 8–21

    Remediation

    Each missing control becomes a step-by-step task. Upload screenshots; vision models verify the evidence and confirm the control is satisfied.

    Output: Task tracker · Evidence vault · Daily digest
  4. DAY 22–30

    Validation & readiness

    Pre-assessment scan runs the questions a C3PAO will ask. Export a complete readiness package: SSP, evidence binder, POA&M, and an introduction letter for your assessor.

    Output: Readiness package · POA&M · C3PAO handoff
Control surface

Every NIST 800-171 family.
Mapped, scored, attributable.

MATRIX-110 · UPDATED 14:02:00Z
Family | Description | Met / Total | Coverage
AC | Access Control | 14 / 22 | 64%
AT | Awareness & Training | 3 / 3 | 100%
AU | Audit & Accountability | 5 / 9 | 56%
CM | Configuration Management | 4 / 9 | 44%
IA | Identification & Authentication | 8 / 11 | 73%
IR | Incident Response | 0 / 3 | 0%
MA | Maintenance | 4 / 6 | 67%
MP | Media Protection | 2 / 9 | 22%
PE | Physical Protection | 6 / 6 | 100%
PS | Personnel Security | 2 / 2 | 100%
RA | Risk Assessment | 1 / 3 | 33%
SC | System & Comms Protection | 9 / 16 | 56%
Remediation surface

Tasks written like a tech manual, not a TED talk.

Every missing control becomes an ordered procedure. Vision models verify uploaded screenshots against expected configuration state. No more "send us a folder of PNGs and pray."

Step-by-step procedures
Written for the person actually doing the work — not a CISO.
AI evidence verification
Screenshots are parsed and matched to the control's acceptance criteria.
Auto POA&M generation
Anything not satisfied flows into a Plan of Action & Milestones with owner & target date.
COMPLIANCE / ACCESS CONTROL / AC.L2-3.1.1
Implement multi-factor authentication
Estimated time: 2 hours
CRITICAL
  1. Log into Microsoft 365 Admin Center
  2. Navigate to Security & Compliance → MFA
  3. Enable 'Require MFA for all admin accounts'
  4. Capture screenshot of confirmation screen
mfa-confirmation.png
Uploaded 2 minutes ago · 248 KB
AI AUDIT-READY · 98% CONFIDENCE
Pre-screened: MFA policy enabled for 4 admin accounts. Control AC.L2-3.1.1 ready for human sign-off.
AI pre-screens evidence. A senior official still signs the SPRS affirmation.
Discovery surface

Five-minute interviews.
A complete SSP at the end.

INTERVIEW-SESSION-014 · 24 QUESTIONS REMAINING
Async interview
SESSION 014 · 04:18 ELAPSED
  1. ARMORY
    Where does CUI live in your environment? Pick all that apply.
    Q 07 / 24 · AC.L2-3.1.3
  2. YOU
    M365 SharePoint, two engineering laptops, and a NAS in the back office.
    answered · 14:02 EDT
  3. ARMORY
    The NAS is a flag. Is it on the same VLAN as guest Wi-Fi?
    follow-up · auto
  4. YOU
    Honestly not sure. It's the Synology in the wiring closet.
    answered · 14:03 EDT
  5. ARMORY
    Logged. Generating a network segmentation task and adding 'Synology DS-series' to the systems inventory. SC.L2-3.13.1 will be drafted.
    action taken · 14:03 EDT
Drafting next question based on your answer…
Generated artifacts
5 / 13 PRODUCED
  • SSP-001
    System Security Plan
    47 pages · auto-filled from intake
    DRAFTED
  • POL-002
    Access Control Policy
    6 pages · auto-filled from intake
    DRAFTED
  • POL-003
    Incident Response Plan
    11 pages · auto-filled from intake
    DRAFTED
  • DIA-004
    Network Diagram (template)
    1 page · auto-filled from intake
    PENDING
  • INV-005
    Systems Inventory
    3 pages · auto-filled from intake
    DRAFTED
Time invested
4 min 18 sec
Equivalent consultant time
~14 hours
Evidence vault

Cryptographically pinned.
Assessor-ready on day 30.

VAULT-INDEX · 142 ARTIFACTS · SHA-256 PINNED
ID | Artifact | Control | Verified | Captured
EV-0142 | mfa-confirmation.png (screenshot · 248 KB) | AC.L2-3.1.1 | 98% | 14:21:04Z
EV-0141 | audit-log-retention.pdf (config export · 1.2 MB) | AU.L2-3.3.1 | 100% | 13:55:18Z
EV-0140 | incident-response-plan-v2.docx (policy · 84 KB) | IR.L2-3.6.1 | 100% | 12:40:03Z
EV-0139 | synology-firmware.png (screenshot · 412 KB) | SI.L2-3.14.1 | 71% | 11:12:47Z
    ADVISORY: Firmware 7.1.0 — patch level acceptable but advisory pending. Verify within 30 days.
EV-0138 | media-sanitization-log.csv (log export · 12 KB) | MP.L2-3.8.3 | 100% | 10:08:29Z
EV-0137 | physical-access-log.pdf (log export · 318 KB) | PE.L2-3.10.1 | 100% | 09:44:11Z
Chain head: 0x9f4c…a08e1b
Audit trail: 318 entries
Export package: SSP + binder + POA&M
Compliance posture

Two infrastructures.
Matched to what your contract actually requires.

FCI rides commercial. CUI rides GovCloud. We will not host CUI on AWS Commercial — and you should not trust anyone who will.

LEVEL 1 · FCI ONLY · LIVE TODAY

SOC 2 Type II commercial cloud

For suppliers who only touch Federal Contract Information (FCI) — janitorial, food service, office supplies. Self-attestation under FAR 52.204-21 runs on SOC 2 Type II infrastructure with full audit logging.

Hosting: AWS commercial · SOC 2 Type II
Scope: 17 FAR 52.204-21 practices
Attestation: Self-attestation via SPRS
Pricing: $99 / month
LEVEL 2 · CUI · WAITLIST · Q3 2026

AWS GovCloud (US) dedicated enclave

CUI cannot legally live on commercial cloud. Level 2 prep runs in a dedicated us-gov-west-1 enclave with FIPS 140-2 validated encryption, US-persons-only operators, and DFARS 252.204-7012 incident reporting under a signed BAA.

Hosting: AWS GovCloud · us-gov-west-1
Encryption: FIPS 140-2 validated · KMS auditable
Operators: US persons only · background-checked
Reporting: DFARS 7012 · 72-hour incident SLA
Plans

Two tiers. One platform.
Pick the level your contracts require.

Level 1 is live today on SOC 2 Type II infrastructure. Level 2 launches on a dedicated AWS GovCloud (US) enclave — join the waitlist to lock in launch pricing.
LEVEL 1 · FCI
Basic
Self-attestation · LIVE

17 FAR 52.204-21 practices, 4 policy templates, SPRS-ready self-attestation form. For janitorial, food service, and other FCI-only suppliers.

Powered by SOC 2 Type II infrastructure
LEVEL 2 · CUI
Comply
GovCloud enclave · Q3 2026

Full 110-control NIST 800-171 prep on a dedicated AWS GovCloud (US) enclave: AI Copilot, SSP & POA&M, mock C3PAO assessor, evidence vault, C3PAO handoff bundle.

FedRAMP Moderate Equivalent · DFARS 7012 ready · US-persons-only
ADD-ON · LIVE
Secure
Supply Chain Sentinel

Geopolitical risk monitoring, single-source vulnerability detection, pre-qualified domestic alternatives.

+ $99/mo
PHASE 2 · Q3
Grow
Proposal Forge

SBIR & DIU solicitation matching, technical approach drafting, compliance checklist for submission.

$499 / proposal
Optional add-on · Supply Chain Sentinel

Already CMMC-ready?
Add supplier monitoring.

Once your audit is behind you, layer on OFAC, BIS Entity List, DLA, and commodity-feed monitoring against your bill of materials. When a Tier-2 vendor goes dark, you have a pre-qualified domestic alternate before the prime asks. Bolt onto any tier for +$99/mo.

BOM-INDEX · 312 PARTS
MONITORED · LAST SWEEP 14:30Z
ID | Supplier / Part | Origin | Tier | Risk | Posture | Flags
SUP-018 | Shenzhen Precision Components Ltd. · PCB-A4471 · Flight controller board | CN | T2 | 94 | BLOCK | FOCI; ITAR-restricted destination; Single-source
SUP-031 | Tatra Aerospace s.r.o. · ALU-7075 · Forged airframe ribs | CZ | T1 | 38 | WATCH | Lead time +14d (port congestion)
SUP-044 | Penobscot Machine Works · MIL-STD fasteners (Grade 8) | US-ME | T1 | 6 | OK | DPAS-rated; DFARS 252.225-7008 compliant
SUP-057 | Yokota Optics K.K. · OPT-IR-220 · Thermal lens assembly | JP | T2 | 22 | WATCH | Allied source; Sole supplier — qualify alternate
SUP-061 | Almaty Rare Metals JSC · Ta-99.95 · Tantalum capacitor stock | KZ | T3 | 71 | BLOCK | Conflict mineral exposure; Logistics via RU corridor
Pre-qualified alternates
For SUP-018 · Flight controller board · Domestic, ITAR-cleared
3 MATCHES
  • ALT-018A
    Sierra Circuits
    Sunnyvale, CA · lead 21 days · ITAR-registered
    +18%
  • ALT-018B
    Advanced Assembly
    Aurora, CO · lead 28 days · DFARS-compliant
    +11%
  • ALT-018C
    Summit Interconnect
    Anaheim, CA · lead 34 days · AS9100D
    +24%
Live signals
FEED · 14:30Z
  1. 14:22Z · OFAC · New entity added — Shenzhen Precision parent (Hongli Group)
  2. 13:48Z · BIS · Entity List update: 4 PRC drone OEMs
  3. 11:02Z · USGS · Tantalum spot up 7.4% on Kazakhstan export delays
  4. 08:30Z · DLA · DPAS rating issued on contract FA8650-23-C-1004
Final brief

The contract is on the table.
Don't lose it to paperwork.

No card · 6 minutes · Output ready instantly