Resolute SecurityRESOLUTE
Sign inFree scan

← Compliance

Live · paid plan

CMMC L1 · L2 · L3

Self-paced readiness for every level the DoD asks SMBs to attest to. Pick the one your contract requires.

Same team, same subscription, same evidence library across every level and every other Resolute Security assessment.

Open assessmentSee pricing

Three levels, one workflow

Level 1 — Foundational17

FAR 52.204-21

Basic safeguarding of Federal Contract Information (FCI)

Required for any contractor handling Federal Contract Information. 17 practices drawn directly from FAR 52.204-21 — the universal baseline every DoD subcontractor must meet. Annual self-attestation.

Level 2 — Advanced110

NIST SP 800-171 Rev. 2

Protect Controlled Unclassified Information (CUI)

All 110 NIST 800-171 controls across 14 families. Required for any contractor handling CUI. Triennial self-assessment for low-risk programs; C3PAO-led assessment for prioritized acquisitions.

Level 3 — Expert24

NIST SP 800-172

Defend against advanced persistent threats

24 enhanced security requirements layered on top of Level 2, drawn from NIST 800-172. Required for programs handling CUI critical to national security. Government-led assessment.

The levels are cumulative — Level 2 assumes Level 1 is met, and Level 3 assumes Level 2 is met. Each one ships with its own evidence library, SSP markdown, and POA&M CSV so you can produce the artifacts for just the scope your contract requires.

How it works

  1. 1. Pick your levelLevel 1 (17 FAR practices) is the universal baseline for any DoD subcontractor. Level 2 (110 NIST 800-171 controls) covers CUI. Level 3 (24 NIST 800-172 enhanced practices) is for programs handling CUI critical to national security.
  2. 2. Self-assessWalk through each control in plain English. Answer yes/partial/no with notes — assessor jargon decoded inline, not handed to you in a separate spec.
  3. 3. Generate artifactsSSP markdown and POA&M CSV for the level you picked. Same evidence library shared across all three levels and the rest of Resolute Security.
  4. 4. Keep it currentDrift alerts from your email-security monitoring feed straight into your POA&M. Don't re-prove the same control twice.