
CMMC 2.0 Level 1 + Level 2 Audit

Grade your System Security Plan (SSP) and information security policy against CMMC 2.0 — 17 Level 1 practices (FAR 52.204-21) and the 110 Level 2 practices (NIST SP 800-171 Rev. 2) every DoD contractor handling CUI must implement. Get the exact policy + procedure language to add before your C3PAO assessment.

Cybersecurity Maturity Model Certification 2.0 (DFARS 252.204-7021 / 32 CFR Part 170) · U.S. Department of Defense contractors + subcontractors handling FCI or CUI

What CMMC 2.0 non-compliance actually costs

$2M – $11M+: DoJ Civil Cyber-Fraud Initiative settlement (per case). False Claims Act treble damages for a misrepresented NIST SP 800-171 score.
$100K – $1B+: lost contract value (single award). No SPRS-reported score = ineligible for award under DFARS 252.204-7019.
$9M: Aerojet Rocketdyne settlement (2022). FCA, misrepresented cybersecurity compliance to DoD/NASA.
$4M: Verizon Business Network (2023). FCA, undisclosed gaps in SP 800-171 implementation on the EIS contract.

Who must comply with CMMC 2.0?

What this audit checks

12 required clauses, scored as Present / Partial / Missing with the exact regulatory citation and suggested fix.

1. System Security Plan (SSP), current + complete (NIST 800-171 §3.12.4). Single most-cited gap: the SSP must describe each of the 110 controls, the system boundary, a scoping diagram, and POA&M references.
2. CUI scoping + asset categorization (32 CFR 170.19). CUI Assets, Security Protection Assets, Contractor Risk Managed Assets (CRMA), Specialized Assets, and Out-of-Scope Assets are each handled differently in the assessment.
3. Access Control (AC) family, 22 controls. Unique IDs, MFA, session lock, remote access encryption, mobile device protection, information flow control.
4. Audit + Accountability (AU), 9 controls. Audit log generation; log content (who/what/when/where/outcome); protection of logs from unauthorized access; review + reporting.
5. Configuration Management (CM), 9 controls. Baselines, least functionality, software allowlisting, change control.
6. Identification + Authentication (IA), 11 controls (MFA = 3.5.3). MFA for privileged accounts and for network access to non-privileged accounts; password complexity; cryptographic IA.
7. Incident Response (IR), 3 controls. Documented and tested IR plan, with 72-hour DoD reporting via DIBNet (DFARS 252.204-7012).
8. Media Protection (MP) + Physical Protection (PE), 9 + 6 controls. Sanitization (NIST 800-88), labeling, visitor logs, monitoring.
9. Risk Assessment (RA) + Security Assessment (CA). Periodic risk assessment, vulnerability scanning, SSP + POA&M maintenance, control assessment.
10. System + Communications Protection (SC), 16 controls. FIPS 140-validated cryptography, boundary protection, key management, mobile code, VoIP, DNSSEC.
11. System + Information Integrity (SI), 7 controls. Flaw remediation SLA, malicious code protection, system monitoring, alerts + advisories.
12. DFARS 252.204-7012 incident reporting (72 hours). Reporting, media preservation, and cooperation with DoD cyber incident damage assessment; required even before CMMC applies to the contract.

Why CMMC 2.0 audits actually fail

Self-assessed SPRS score that can't be defended
Under the DoJ Civil Cyber-Fraud Initiative, an inflated SPRS basic assessment score (max 110) is a False Claims Act exposure. Every control marked 'implemented' must have evidence — policy + procedure + screenshots/tickets.
No FIPS 140-validated cryptography for CUI in transit/at rest
SC.L2-3.13.11 requires FIPS 140-validated cryptographic modules, not merely 'AES-256' as an algorithm choice. Many cloud services have FIPS modes that are NOT on by default. Document the module's validation certificate number in your SSP.
Shared responsibility with cloud provider not documented
DFARS 252.204-7012(b)(2)(ii)(D) requires a cloud service provider storing CUI to meet security requirements equivalent to the FedRAMP Moderate baseline. The Customer Responsibility Matrix (CRM) must be in the SSP, mapping each 800-171 control to the provider or to the customer.
External Service Providers (ESPs) treated as out-of-scope
Per CMMC final rule (32 CFR 170), ESPs handling CUI must themselves be CMMC L2 certified. Many MSPs / MSSPs are scrambling — primes must verify before flow-down.

CMMC 2.0 FAQ

When does CMMC become enforced in contracts?
The 48 CFR rule (DFARS 252.204-7021) is now in effect — DoD began phased inclusion of CMMC requirements in solicitations in 2025, with full coverage of applicable contracts by 2028. New solicitations are already including Level 2 self-assessment or C3PAO requirements.
Can I self-attest at Level 2?
Only for a limited subset of contracts identified by the DoD program office as 'self-assessment eligible' (typically lower-criticality CUI). The majority of Level 2 contracts require triennial assessment by an authorized C3PAO listed on the Cyber AB marketplace.
How is FCI different from CUI?
FCI = Federal Contract Information — not public, generated under contract performance. Triggers CMMC Level 1 (17 practices = FAR 52.204-21). CUI = Controlled Unclassified Information — designated by DoD in the contract, often marked SP-PRVCY, SP-CTI, etc. Triggers Level 2 (NIST SP 800-171 Rev. 2, 110 practices).

Grade your policy in 20 seconds

Paste your existing document to get a 12-clause CMMC 2.0 scorecard. If you don't want to fix it manually, generate a fully compliant version for $9.
