What the tool does
The CMMC path router asks a short set of plain-language questions and maps your answers to a provider-category recommendation — the type of CMMC provider you need, not a named firm. It implements the DCR CMMC Path Framework, which is documented in full on the methodology page.
The tool is independent and vendor-neutral. It does not pass your answers to any provider, and it does not produce a ranked or scored list of named firms. The output is a provider-category recommendation with a checklist of questions to ask any provider in that category.
Inputs
The router collects five inputs:
- CMMC level required. Derived from your contract clause — specifically whether DFARS 252.204-7021 is present and what level and assessment type it specifies. If you have not confirmed the clause, you can select “Not sure / need to check.”
- FCI/CUI data scope. Whether you handle Federal Contract Information (FCI) only, FCI and Controlled Unclassified Information (CUI), or are unsure. This drives the enclave question.
- Current environment. Where your relevant IT systems live — on-premises infrastructure, commercial Microsoft 365 or Google Workspace, GCC, GCC High, a FedRAMP-authorized cloud service, or a mix.
- Current maturity stage. Where you are in the CMMC readiness lifecycle: no SSP started, SSP in progress, SSP complete and self-assessed, SPRS score posted, or active POA&M remediation underway.
- Timeline. How much time you have before your contract compliance deadline — under 6 months, 6 to 12 months, 12 to 24 months, or more than 24 months.
Decision rules
The router applies these rules in order. The first matching rule produces the output:
Level 1 — FCI only, no CUI
- Output: Self-preparation only. Level 1 is a self-assessment against 15 basic safeguarding requirements from FAR 52.204-21. No C3PAO is required. No RPO is required. A GRC tool or CMMC consultant can help structure the documentation, but the posture goal is narrow and the cost of outside help often exceeds the value at this level.
Level 2 — self-assessment pathway
- If CUI scope is unclear or the environment is commercial (non-GCC) Microsoft 365 or on-prem: Readiness/RPO first, then self-assessment. The first priority is getting the SSP and SPRS score right; the second is closing the practice gaps before the self-assessment date.
- If the environment is already GCC or GCC High and the SSP is complete: GRC software + readiness RPO for gap closure, no enclave migration required.
- If CUI lives in a commercial environment that cannot reach FedRAMP Moderate equivalency: CUI enclave provider first, then readiness.
Level 2 — C3PAO assessment pathway
- C3PAO assessment is at the end of the readiness work, not the beginning. The router always recommends completing readiness and gap closure before engaging a C3PAO for formal assessment.
- If the SSP is complete and SPRS score is posted and the timeline allows it: Readiness RPO for final gap closure → C3PAO for assessment.
- If the timeline is under 6 months and no SSP exists: CUI enclave + MSP/MSSP concurrently, C3PAO assessment after 90-day minimum readiness period. Flag: at this timeline, successful Level 2 C3PAO certification before the deadline is low probability without significant existing maturity.
Level 3 — DIBCAC
- Level 3 requires a DoD DIBCAC assessment on top of Level 2 C3PAO certification. Output: Readiness RPO → C3PAO (Level 2) → DIBCAC (Level 3). The router flags that Level 3 is not a commercial provider engagement — DIBCAC is a government-run assessment; providers help with readiness, not the assessment itself.
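The rules above are an ordered decision list: the five inputs go in, the first rule whose condition holds produces the provider category and sequence. The following Python is an added reference implementation of those rules as written on this page; it is not the interactive tool's own code. The input vocabularies (`"2_self"`, `"gcc_high"`, `"sprs_posted"`, and so on) are constructed labels for the page's answer options, and three interpretations are assumptions because the page does not define them: which environments count as meeting FedRAMP Moderate equivalency, that "SSP complete" covers every stage from SSP complete onward, and that "timeline allows it" means anything longer than 6 months. The "Not sure" level and the fall-through cases the rules do not cover return a labelled default rather than a documented output.

```python
"""Reference implementation of the CMMC path router decision rules (added example)."""
from dataclasses import dataclass, field
from typing import List

# Constructed labels for the five inputs described on the page.
LEVELS = {"1", "2_self", "2_c3pao", "3", "unsure"}
SCOPES = {"fci_only", "fci_cui", "unsure"}
ENVIRONMENTS = {"on_prem", "commercial", "gcc", "gcc_high", "fedramp_cloud", "mixed"}
STAGES = {"no_ssp", "ssp_in_progress", "ssp_complete", "sprs_posted", "poam_remediation"}
TIMELINES = {"under_6", "6_to_12", "12_to_24", "over_24"}

# Assumption: these environments are treated as reaching FedRAMP Moderate equivalency.
FEDRAMP_EQUIVALENT = {"gcc", "gcc_high", "fedramp_cloud"}
# Assumption: "SSP complete" means any stage at or past SSP completion.
SSP_COMPLETE = {"ssp_complete", "sprs_posted", "poam_remediation"}
# Assumption: "SPRS score posted" holds for these stages.
SPRS_POSTED = {"sprs_posted", "poam_remediation"}


@dataclass
class Inputs:
    level: str
    scope: str
    environment: str
    stage: str
    timeline: str

    def __post_init__(self) -> None:
        # Reject anything outside the documented answer sets before routing.
        for name, value, allowed in (
            ("level", self.level, LEVELS),
            ("scope", self.scope, SCOPES),
            ("environment", self.environment, ENVIRONMENTS),
            ("stage", self.stage, STAGES),
            ("timeline", self.timeline, TIMELINES),
        ):
            if value not in allowed:
                raise ValueError(f"{name}={value!r} is not one of {sorted(allowed)}")


@dataclass
class Recommendation:
    category: str          # provider-category recommendation
    sequence: List[str]    # order in which to engage provider categories
    flags: List[str] = field(default_factory=list)


def route(i: Inputs) -> Recommendation:
    """Apply the page's rules in order; the first match wins."""
    if i.level == "unsure":
        # Assumption: the page does not define this output; confirm the clause first.
        return Recommendation("confirm-clause-first",
                              ["Confirm DFARS 252.204-7021 level and assessment type, then re-run"])

    if i.level == "1":
        return Recommendation("self-only", ["Self-assessment against FAR 52.204-21 (15 requirements)"],
                              ["No C3PAO or RPO required"])

    if i.level == "2_self":
        if i.scope == "unsure" or i.environment in {"commercial", "on_prem"}:
            return Recommendation("readiness-rpo",
                                  ["Readiness/RPO: get SSP and SPRS score right",
                                   "Close practice gaps", "Self-assessment"])
        if i.environment in {"gcc", "gcc_high"} and i.stage in SSP_COMPLETE:
            return Recommendation("grc-plus-readiness-rpo",
                                  ["GRC software", "Readiness RPO for gap closure"],
                                  ["No enclave migration required"])
        if i.scope == "fci_cui" and i.environment not in FEDRAMP_EQUIVALENT:
            return Recommendation("cui-enclave", ["CUI enclave provider", "Readiness/RPO"])
        # Assumption: no documented rule matched; default to readiness first.
        return Recommendation("readiness-rpo", ["Readiness/RPO", "Self-assessment"],
                              ["Default: no specific rule matched"])

    if i.level == "2_c3pao":
        if i.stage in SPRS_POSTED and i.timeline != "under_6":
            return Recommendation("readiness-rpo-then-c3pao",
                                  ["Readiness RPO for final gap closure", "C3PAO assessment"])
        if i.timeline == "under_6" and i.stage == "no_ssp":
            return Recommendation("cui-enclave-plus-msp",
                                  ["CUI enclave + MSP/MSSP concurrently",
                                   "C3PAO assessment after 90-day minimum readiness period"],
                                  ["Low probability of certification before deadline "
                                   "without significant existing maturity"])
        # Readiness and gap closure always precede the C3PAO engagement.
        return Recommendation("readiness-rpo-then-c3pao",
                              ["Readiness RPO for gap closure", "C3PAO assessment"])

    # Level 3: government-run DIBCAC assessment on top of Level 2 certification.
    return Recommendation("multi-phase",
                          ["Readiness RPO", "C3PAO (Level 2)", "DIBCAC (Level 3)"],
                          ["DIBCAC is government-run; providers help with readiness, not the assessment"])


if __name__ == "__main__":
    demo = Inputs("2_c3pao", "fci_cui", "commercial", "no_ssp", "under_6")
    print(route(demo))
```

Because the rules are evaluated in order, the Level 2 self-assessment rule for commercial or on-prem environments fires before the CUI-enclave rule can, so in this implementation the enclave rule only reaches environments the first rule does not name (for example `"mixed"`). That is what the page's "first matching rule" wording implies; if the intent is that CUI in commercial Microsoft 365 should route to an enclave first, the two rules would need to be swapped.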
Outputs
For each combination of inputs, the router produces:
- A provider-category recommendation — one of: self-only, readiness/RPO, CUI enclave, MSP + readiness, C3PAO assessment, or a multi-phase combination.
- A sequencing note — the order in which to engage provider categories (e.g., enclave first, then readiness, then C3PAO).
- A checklist of questions to ask any provider in the recommended category before signing an engagement.
- A DCR Quote Readiness Score (0–5) — a score of the buyer's readiness to request and meaningfully compare quotes. See the methodology page for the five dimensions.
What the tool does not do
- Name or rank specific providers. The output is a provider category, not a shortlist of named firms. Source-checked provider profiles are published separately at /cmmc-providers/.
- Score your compliance posture. The tool does not produce a CMMC score, a SPRS score, or any score that reflects your organization's regulatory status.
- Provide legal or compliance advice. The output is editorial guidance based on publicly documented CMMC program rules. It is not legal, contractual, or compliance advice. Binding interpretations require a CMMC Registered Practitioner or qualified attorney.
- Accept or transmit sensitive information. The tool does not accept CUI, classified information, contract numbers, solicitation identifiers, or PII. Do not enter any of these into the tool.
- Guarantee certification outcomes. Provider-category recommendations are based on publicly documented program rules at the time of publication. Contract clauses, Cyber AB processes, and CMMC Phase timelines change. Verify the current rules before making compliance decisions.
Use the interactive tool
The interactive version of the router — which applies these rules through a two-minute question sequence — is at /find-my-path/. No contact information is required. The routing logic documented on this page is the same logic the interactive tool applies.
For the full decision framework and evaluation methodology behind the tool, see our methodology page.