💡 Got Questions?

Frequently Asked Questions

Straight answers about our three framework specialties, pricing, and how we support contractors preparing for CMMC, HIPAA, and PCI-DSS compliance.

🚀 Getting Started

Who is Key 102 Consulting for?
Our three specialties cover the compliance frameworks most SMBs actually face: CMMC for DoD contractors and SBIR applicants, HIPAA for healthcare providers and digital health SaaS, and PCI-DSS for merchants and payment processors. Veteran-owned ourselves, we understand what it takes to get through an audit the first time.
Which CMMC level do I need?
Check your DoD contract. If you handle Federal Contract Information (FCI), Level 1 applies — annual self-assessment of 15 practices. If you handle Controlled Unclassified Information (CUI), Level 2 applies — 110 practices across 14 domains with a C3PAO certification every three years. Level 3 is for a small subset of critical programs and requires DIBCAC assessment. Not sure which applies? Look at your contract clauses (DFARS 252.204-7012, 252.204-7019, 252.204-7020, 252.204-7021). Still unclear? Start with our Mission Brief — it flags which level your environment actually requires.
How long does an assessment take?
Quick Scan: Around 15 minutes. CMMC L1 is 15 practice-level questions. CMMC L2 Quick Scan is 14 domain-level questions covering all 110 practices.

Deep Dive: 2–4 hours, but you can pause and resume. Available across CMMC L2 (110 practices), HIPAA Security Rule (55 safeguards), and PCI-DSS v4.0 (260+ sub-controls).

Most clients complete their first Quick Scan in one sitting and then drill down into weak domains over the following week.
What happens after I sign up?
Immediate access to the portal. Run your first compliance assessment, see your domain scores and gaps, and your Evidence Package Tracker auto-populates with items to collect. You also get access to Tammie, our AI compliance advisor, for any questions. Within 24 hours we follow up by email to answer questions and help you decide if your plan fits your needs.

💳 Pricing & Plans

What's the Mission Brief and why should I start there?
The Mission Brief is a $624 gateway engagement designed to answer one question: where do you actually stand against the framework that matters to you? You complete a focused intake, our system runs an AI-assisted gap analysis tuned to CMMC, HIPAA, or PCI-DSS, and we deliver a real PDF brief — yours to keep, share with your team, or take to any consultant. If you decide to keep going with us within 14 days, the full $624 converts 1:1 into credit on any annual subscription. The brief either pays for itself or pays you back.
How is your pricing structured?
Two dimensions. Pick a framework — Aegis (HIPAA), Vault (PCI), or Fortress (CMMC). Then pick a service level — Self-Service (you do the work, Tammie helps), Guided (we add async RP review), or Managed (we run the engagement). Most subscriptions can be paid monthly or annually, with annual saving you about 8%. A few engagements — Managed tiers, CMMC Level 2, and our Vanguard offering — are scoped individually and quoted on a custom basis. Mission Brief and Office Hours are one-time products that work alongside any tier.
What's the difference between Monthly and Annual billing?
Both are 12-month commitments — that part doesn't change. The difference is how you pay. Monthly bills you each month for the same total; annual charges the full year upfront and saves you about 8%. Pick annual if your accounting prefers a single line item or if the discount matters; pick monthly if monthly billing fits your cash flow better. The Mission Brief credit only redeems against annual prepay, which is worth knowing if you bought a brief and are deciding which way to go.
How do I pick between Self-Service, Guided, and Managed?
It comes down to two things: how much of the work you want to own, and how soon you need to be audit-ready. Self-Service is for teams that want to drive the assessment themselves with Tammie as their copilot — you generate the artifacts, you own the timeline. Guided adds asynchronous RP review of your work — you still drive, but you get a credentialed second pair of eyes on policies, scoping, and evidence before they're final. Managed is for teams who'd rather hand off the engagement entirely; we run the assessment, build the evidence, and deliver the package. If you're not sure, start with a Mission Brief — the gap analysis usually makes the right tier obvious.
Can I upgrade or change frameworks later?
Yes, and we made it painless. Plan changes happen through the Stripe Customer Portal in your dashboard. Upgrades apply immediately with prorated billing. Downgrades take effect at the end of your current billing period. Adding a second framework — say you start with HIPAA and decide you also need PCI — is just adding another subscription; the two run in parallel in the same portal. Most clients start with one framework and layer in others as their business expands.
What does cancellation look like?

🛡️ CMMC & Compliance

Are you a C3PAO?
No — and that's intentional. Only a Certified Third-Party Assessment Organization (C3PAO) can perform the official CMMC Level 2 certification assessment. We're a readiness partner — we prepare you so you pass the C3PAO's assessment on the first try. Separating the two roles avoids the conflict of interest that comes with a firm both preparing and assessing the same client. When you're ready for the official assessment, we connect you with trusted C3PAOs.
Does your assessment count as an official CMMC assessment?
Our assessments are readiness tools, not official certifications. Only a C3PAO can conduct the Level 2 certification assessment. That said, every question in our assessment is mapped to exact practice IDs from the official DoD CIO CMMC Assessment Guide v2.13 (AC.L2-3.1.1 through SI.L2-3.14.7). Think of us as your practice exam — using the same questions, scoring methodology, and evidence expectations a C3PAO will apply. For CMMC Level 1, self-assessments posted to SPRS are valid official attestations, and our platform helps you produce them.
Do you handle classified information?
No. We do not process, store, transmit, or assess classified information. Our platform and services are scoped to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) only. For classified programs (SECRET, TOP SECRET, SAP), work through your Facility Security Officer (FSO) and engage DoD-cleared consultants who can operate within a SCIF environment. Do not upload any classified materials to our platform under any circumstances.
We need a framework you don't list — SOC 2, ISO 27001, GDPR. Can you help?
Honestly, not yet. We've intentionally focused on three frameworks where we can deliver real depth — CMMC for defense contractors, HIPAA for healthcare and health SaaS, and PCI-DSS for merchants and fintech. SOC 2, ISO 27001, and GDPR are all on our roadmap, but we'd rather be excellent at three things than mediocre at ten. If you need one of those frameworks today, we're happy to point you to a partner we trust.

🔒 Platform & Data

What is Tammie?
Tammie is the AI compliance advisor built into your Key 102 portal. She's been trained on the specific frameworks we serve — CMMC, HIPAA, PCI-DSS — and is fluent in their controls, evidence expectations, and assessor language. Use her to draft policy language, interpret a control, or pressure-test how you're scoping a requirement. She's available the moment you log in, on every assessment surface, and across all subscription tiers. She's a tool, not a replacement for our Registered Practitioner review — but she handles a lot of the work that used to require an email and a 24-hour wait.
Can Tammie replace a real compliance consultant?
No — and we say that clearly. Tammie handles 80% of common compliance questions instantly, which is enormous value for day-to-day work. But for complex engagements — M&A due diligence, classified/ITAR programs, contested audit findings, final C3PAO preparation, or situations where judgment and context matter — you need human expertise. That's why our Vanguard tier includes dedicated consultant assignment. Tammie augments human consultants; she doesn't replace them. Any AI output you use for formal compliance decisions should be independently verified.
Where is my evidence stored, and who can see it?
Your data lives in a SOC 2-aligned cloud environment with row-level access controls — you see your engagement, we see yours plus our other clients', and never the twain shall meet. Evidence files are encrypted at rest and in transit. Within your account, you control who on your team has access through the Team management section. We use your evidence to deliver the engagement you've engaged us for, and for nothing else — no training data, no anonymized analytics, no third-party sharing.

Still have questions?

Start with a Mission Brief or talk to a Registered Practitioner — we'll respond within one business day.