2-Minute CMMC Router · Independent & Vendor-Neutral

Find your CMMC path before you hire the wrong provider.

Answer a few questions about your contract, CUI, environment, timeline, and budget. We'll show whether you need readiness help, a CUI enclave, GCC High, an MSP/MSSP, GRC software, a C3PAO assessment, or a Level 1 self-assessment — built by people who actually read the rule.

The bottom line:CMMC is not one buying decision. Handle only FCI? Your path may be Level 1 self-assessment. Handle CUI? It usually starts with scoping, where CUI lives, SSP/POA&M, and SPRS — beforeany formal assessment. If you're truly assessment-ready, a C3PAO comes later, not first.

CMMC is contractually live. Phase 1 began Nov 10, 2025 (Level 1 / Level 2 self-assessment requirements in new contracts); Phase 2 begins Nov 10, 2026, when Level 2 third-party (C3PAO) certification is required for CUI handlers. Level 2 readiness typically takes several months — starting late risks lost contracts.

Independent CMMC routing tool. Not affiliated with DoD, Cyber AB, DCMA DIBCAC, NIST, or any government agency. Do not submit CUI, drawings, export-controlled files, or sensitive contract details. Your information is not sent to any provider unless you explicitly consent. Educational triage only — not legal, consulting, or compliance advice.

I only want the checklist

How this CMMC router works

CMMC (Cybersecurity Maturity Model Certification) is not a single purchase. Depending on whether you handle FCI or CUI, your real next step might be a Level 1 self-assessment against FAR 52.204-21, a Level 2 readiness project around NIST SP 800-171, a scoped CUI enclave decision, or — only when you're assessment-ready — a C3PAO certification assessment. This router maps your answers to the right categoryof help so you don't overspend or hire in the wrong order.

We never claim to determine your binding requirement. Under 32 CFR Part 170, the requiring activity or program office sets the level for prime contracts, and the prime or next-higher-tier contractor sets it for subcontracts and supplier agreements. Use this as a planning guide, then confirm with your contracting officer, a CMMC Registered Practitioner, or qualified federal-contracts counsel.

Readiness comes before assessment

The most common mistake we see is engaging a C3PAO before scope, SSP, SPRS, and evidence are in place. A C3PAO performs your certification assessment — it does not build your controls, and the firm that builds your controls cannot also assess you (a Cyber AB conflict rule). If you don't yet have a documented CUI scope, a current System Security Plan, and a posted SPRS score, your next step is readiness, not assessment.

Editorial triage only. This tool routes your commercial next step. Some provider categories shown may later include sponsors, referral partners, or paid placements; we disclose commercial relationships when they exist. Read our editorial review process.