As of February 2026, 1,042 organizations out of approximately 76,598 that need CMMC Level 2 certification have completed it. Phase 2 enforcement begins November 10, 2026. C3PAO assessment wait times are already projected at 18+ months for new clients booking in Q3 2026. The math is uncomfortable for any defense contractor still in the planning phase.
What makes this window genuinely different from prior CMMC deadlines is the POA&M prohibition: FIPS-validated encryption, key management, and media protection on contractor devices cannot be deferred. If those controls aren't implemented before your assessment, you don't get conditional certification while you fix them. You don't get certified.
This buyer's guide covers the tools defense contractors are using to close their CMMC gaps, with the specific coverage areas and limitations of each noted plainly, because choosing the wrong tool for the wrong gap costs time you don't have.
Stop Managing CMMC Compliance on Trust
The countdown to November 10 is moving faster than C3PAO waitlists. Legacy perimeters won't save your defense contracts if your files leave your network unprotected. Secure your CUI at the asset layer now.
How to Evaluate CMMC Compliance Tools
CMMC Level 2 has 110 practices across 14 domains. No single tool covers all of them, and most tool comparisons fail to make this clear. Before evaluating any platform, identify which control families represent your gaps:
Access Control (AC) — IAM, MFA, least privilege, remote access controls. Most organizations have coverage here through existing identity infrastructure.
Audit and Accountability (AU) — System activity logging, audit review, and protection of audit logs. Often partially covered by SIEM; gaps appear at the file-access level.
Configuration Management (CM) — Baseline configurations, change control, software usage restrictions. Endpoint management tools address this.
Identification and Authentication (IA) — User authentication, multi-factor, re-authentication. Covered by modern IAM.
Incident Response (IR) — Incident handling, reporting. Process and tooling gap for smaller contractors.
Maintenance (MA) — Controlled maintenance, sanitization of media. Process-heavy, minimal tooling.
Media Protection (MP) — MP.2.121 specifically: protection of CUI on contractor-controlled devices, including portable and removable media. Frequently the gap that surprises contractors, because it requires technical controls, not just policy.
Personnel Security (PS) — Screening, termination procedures. Largely process-based.
Physical Protection (PE) — Physical access controls. Largely non-tooling.
Risk Assessment (RA) — Risk assessments, vulnerability scanning. Covered by vulnerability management tools.
Security Assessment (CA) — System assessment, plan of action tracking (POA&M). Assessment planning tools.
System and Communications Protection (SC) — SC.3.177 (FIPS encryption), SC.3.187 (key management), SC.3.176 (boundary protection). These are where most assessments find gaps.
System and Information Integrity (SI) — Malware protection, patch management, security alerts. Endpoint and patch management tools.
Situational Awareness — Cyber threat intelligence.
The controls that cannot be deferred to a POA&M — SC.3.177 (FIPS-validated encryption), SC.3.187 (key management), and MP.2.121 (media protection) — are the ones to resolve first, before booking an assessor.
The Platforms
Kiteworks
Kiteworks is a content exchange platform explicitly built for defense contractors and regulated industries. It supports approximately 90% of CMMC Level 2 controls and holds FedRAMP Moderate authorization (since 2017), with FedRAMP High Ready status achieved in February 2025. Its encryption is FIPS 140-3 Level 1 validated, and it is strongly positioned for ITAR compliance.
What it covers well: Secure file sharing, secure email, SFTP, and managed file transfer workflows — all under a single platform with comprehensive audit logging. For contractors whose primary CUI handling occurs through file exchange with primes or government customers, Kiteworks provides a strong governed channel.
Coverage map: Strong on AU (audit logging), SC (transmission security), and SI (integrity verification). Supports the file-sharing workflows most commonly flagged in assessments.
Limitations: Kiteworks protects files within its managed exchange platform. Once files are downloaded and leave the Kiteworks environment, the platform's controls end. It doesn't provide persistent file-level encryption that travels with the document to unmanaged devices or external parties.
Ideal for: Defense contractors needing a governed, CMMC-compliant content exchange platform for CUI communications with primes and government.
Microsoft GCC High
Microsoft's Government Community Cloud High environment provides the infrastructure layer for CMMC compliance. GCC High stores all customer data within the continental US, limits access to US persons, provides FedRAMP High authorization, and supports DoD IL4 and IL5 standards. For contractors already operating in the Microsoft 365 ecosystem, GCC High is the required migration path for any M365 deployment handling CUI.
What it covers well: Data residency, US-person-only access controls, deep integration with Microsoft's compliance tooling (Purview, Intune, Sentinel), and a contractual CMMC commitment from Microsoft. Covers a substantial portion of CMMC practices across AC, AU, IA, and SI through native platform capabilities.
Coverage map: Broad coverage across multiple control families through the Microsoft 365 compliance stack. The strongest single platform for contractors already in M365.
Limitations: GCC High addresses the infrastructure and platform layer. Key limitations that assessors specifically probe: SC.3.177 requires a FIPS 140-3 validated cryptographic module certificate number (not just AES-256 as an algorithm); Microsoft-managed keys may not satisfy SC.3.187 independent key management requirements; and MP.2.121 coverage on unmanaged contractor devices is limited.
Ideal for: Medium to large defense contractors already invested in Microsoft 365 who need to migrate their CUI environment to a CMMC-compliant infrastructure layer.
CrowdStrike Falcon (CMMC-relevant controls)
CrowdStrike Falcon provides endpoint protection, threat detection, and device health assessment that addresses several CMMC control families, particularly around system integrity and incident response. The Falcon platform's continuous monitoring and behavioral analytics align with SI (malware protection, security alerting), IR (incident handling), and RA (vulnerability scanning) requirements.
What it covers well: Endpoint protection (SI.3.218, SI.3.219), vulnerability management (RA.2.141, RA.2.142), and incident response capabilities (IR.2.092, IR.2.093). For contractors without a SOC, CrowdStrike's managed detection and response capability fills a significant gap.
Coverage map: Strong on SI, IR, and RA control families. Less relevant for the SC (encryption and key management) and MP (media protection) families, which cannot be deferred.
Limitations: CrowdStrike protects the endpoint and detects threats. It doesn't provide FIPS-validated file-level encryption for CUI (SC.3.177) or the key management controls required by SC.3.187. These are separate requirements that endpoint detection doesn't address.
Ideal for: Defense contractors with endpoint security gaps needing SI and IR coverage alongside their encryption and access control remediation.
CyberSheath
CyberSheath provides CMMC compliance services and technology specifically for the defense industrial base. Their platform covers CMMC gap assessments, SSP and POA&M documentation, C3PAO readiness preparation, and ongoing compliance monitoring across the full 110 NIST SP 800-171 controls.
What it covers well: Program management, documentation, evidence collection, and assessment preparation. CyberSheath's focus on the assessment process means they understand what C3PAOs specifically look for and how to document compliance effectively.
Coverage map: Broad across all control families from a documentation and program management perspective. Particularly strong on CA (assessment planning), with POA&M tracking, SSP management, and readiness monitoring.
Limitations: CyberSheath is primarily a compliance services and governance platform; it documents and monitors compliance rather than implementing the technical controls directly. Organizations still need to deploy technical tools (encryption, access control, endpoint protection) and then document them through CyberSheath.
Ideal for: Defense contractors who need professional program management for their CMMC project, including SSP development, POA&M tracking, and C3PAO readiness preparation.
Theodosian (Data-Centric)
Theodosian is a file-level encryption and access control platform designed to address the specific CMMC controls that sit at the top of the POA&M prohibition list and most frequently cause assessment failures.
What it covers:
SC.3.177 — Requires FIPS 140-3 validated cryptographic modules for CUI. Theodosian provides per-file FIPS 140-3 validated encryption with unique keys per document. The CMVP validation certificate is available for documentation in the SSP.
SC.3.187 — Requires that the organization establish and manage cryptographic keys. Theodosian's zero-knowledge architecture and FILE_SEED mechanism provide key management under the organization's authority, with joint custody options for business continuity. This directly addresses the "cloud provider manages our keys" failure mode that generates the most SC.3.187 assessment findings.
MP.2.121 — Requires media protection on contractor-controlled devices. Per-file encryption means CUI files remain protected on any device, managed or unmanaged, regardless of endpoint security controls.
AU.2.041 — Requires audit logging of CUI access. Per-file access logs record every open, view, download, and denied access attempt at the document level, providing assessor-ready evidence that goes beyond platform-level event logging.
Coverage map: Strongest on SC, MP, and AU control families. Complements platforms covering IA, AC, SI, and IR.
Limitations: Theodosian is a data-layer tool, not a comprehensive CMMC platform. It doesn't provide SSP or POA&M management, access control at the network or identity layer, endpoint protection, or vulnerability management.
Ideal for: Defense contractors whose primary CMMC gaps are in the SC (encryption), MP (media protection), and AU (audit logging) families, particularly those approaching assessment with unresolved SC.3.177 and SC.3.187 findings.
Platform Comparison
| Platform | Primary Coverage | SC.3.177 (FIPS Encryption) | SC.3.187 (Key Management) | MP.2.121 (Media Protection) | SSP/POA&M Management |
|---|---|---|---|---|---|
| Kiteworks | File exchange, audit logging | ✅ FIPS 140-3 L1 | Partial (managed keys) | Partial (within platform) | ❌ |
| Microsoft GCC High | Full M365 infrastructure | ✅ AES-256 (document CMVP module) | Partial (Azure Key Vault) | Partial (Intune-managed devices) | Via Purview |
| CrowdStrike Falcon | Endpoint, threat detection, IR | ❌ | ❌ | Partial (endpoint monitoring) | ❌ |
| CyberSheath | Compliance program management | ❌ (documents existing controls) | ❌ (documents existing controls) | ❌ (documents existing controls) | ✅ Full |
| Theodosian | File-level encryption, access control, audit | ✅ FIPS 140-3 per-file | ✅ Zero-knowledge + joint custody | ✅ Device-agnostic | ❌ |
The Assessment-Ready Stack
No single platform satisfies all 110 CMMC Level 2 practices. The contractors who pass assessments have built a stack that covers the full control landscape, typically:
Infrastructure layer: Microsoft GCC High or equivalent US-person-only cloud infrastructure for data residency and platform-level controls.
Identity and access layer: Microsoft Entra ID, Okta, or equivalent IAM with MFA enforcement covering IA and AC control families.
Endpoint layer: CrowdStrike, SentinelOne, or equivalent endpoint protection covering SI and RA practices.
File exchange layer: Kiteworks — governed CUI communication with primes and government customers.
File-level layer: Theodosian — FIPS 140-3 validated per-file encryption for SC.3.177, SC.3.187, and MP.2.121, the controls that cannot be deferred.
Documentation layer: CyberSheath or equivalent for SSP management, POA&M tracking, and assessment preparation.

The gap most commonly discovered in assessment preparation is between the file exchange layer (which governs CUI in transit between parties) and the file-level layer (which governs CUI wherever it exists — on local workstations, portable media, subcontractor devices, and anywhere else CUI travels in a normal defense manufacturing workflow).
Close Your High-Weight CMMC Gaps in 14 Days
Theodosian resolves your highest-weight SC.3.177, SC.3.187, and MP.2.121 vulnerabilities simultaneously. By wrapping your unstructured data in self-defending, per-file cryptographic shells with localized key management, we turn your absolute liabilities into assessor-ready evidence.
FAQs: Best CMMC Compliance Tools
What CMMC controls cannot be deferred to a POA&M?
Controls weighted at 3 or 5 points in the CMMC model generally cannot be deferred to a Plan of Action and Milestones (POA&M). To even be eligible for a conditional 180-day certification window, a contractor must achieve a minimum baseline score of 88 out of 110 points, and only specific, lower-risk 1-point controls can populate the list. The technical practices most commonly triggering automatic day-one failures are SC.3.177 (FIPS-validated encryption), SC.3.187 (cryptographic key management), and MP.2.121 (media protection on contractor devices). The sole exception: if encryption is actively deployed but simply lacks formal FIPS validation, it can be deferred to a POA&M as a temporary 3-point deduction. If no encryption architecture exists at all, the assessment fails immediately.
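The eligibility rules in this answer as a small checker, added here as an example and not an official DoD or vendor scoring tool: it applies the 88-point floor, the 1-point-only POA&M rule and the deployed-but-unvalidated FIPS exception exactly as stated above. Practice identifiers other than SC.3.177 and MP.2.121 are placeholders, and every weight in the constructed scenarios is illustrative except the 3-point FIPS-not-validated deduction the FAQ gives.

```python
"""POA&M (conditional certification) eligibility per the FAQ's stated rules. Example code."""
from dataclasses import dataclass

MAX_SCORE = 110             # 110 Level 2 practices, one point each before deductions
MIN_CONDITIONAL_SCORE = 88  # floor for a conditional 180-day certification
FIPS_PRACTICE = "SC.3.177"  # the one practice with a temporary deferral exception


@dataclass(frozen=True)
class Finding:
    """A NOT MET practice and its point deduction (1, 3 or 5).
    fips_not_validated marks SC.3.177 where encryption is deployed but the
    module lacks CMVP validation; the FAQ treats that as a 3-point deduction."""
    practice: str
    weight: int
    fips_not_validated: bool = False


def total_score(findings):
    return MAX_SCORE - sum(f.weight for f in findings)


def deferral_blockers(findings):
    """One reason per finding that may not sit in a POA&M."""
    blockers = []
    for f in findings:
        if f.weight == 1:
            continue  # only 1-point practices may populate the POA&M
        if f.practice == FIPS_PRACTICE and f.fips_not_validated and f.weight == 3:
            continue  # deployed-but-unvalidated encryption: temporary 3-point deferral
        blockers.append(f"{f.practice} ({f.weight}-point) must be implemented before assessment")
    return blockers


def poam_eligible(findings):
    """Return (eligible, reasons); eligible only with score >= 88 and no blockers."""
    reasons = []
    score = total_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE}-point minimum")
    reasons.extend(deferral_blockers(findings))
    return (not reasons, reasons)


# Constructed scenarios: placeholder identifiers, illustrative weights (not real assessment data).
ENCRYPTED_NOT_VALIDATED = [Finding("EXAMPLE.1.001", 1), Finding(FIPS_PRACTICE, 3, fips_not_validated=True)]
NO_ENCRYPTION = [Finding(FIPS_PRACTICE, 5), Finding("MP.2.121", 3)]
MANY_SMALL_GAPS = [Finding(f"EXAMPLE.1.{i:03d}", 1) for i in range(23)]  # 23 points off -> 87

if __name__ == "__main__":
    for name in ("ENCRYPTED_NOT_VALIDATED", "NO_ENCRYPTION", "MANY_SMALL_GAPS"):
        ok, why = poam_eligible(globals()[name])
        print(f"{name}: {'eligible' if ok else 'NOT eligible'} {why}")
```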
What does SC.3.177 specifically require?
SC.3.177 requires that organizations employ FIPS-validated cryptographic modules when protecting CUI. This means the specific module must hold a current CMVP (Cryptographic Module Validation Program) validation certificate, not just use an algorithm (like AES-256) that is FIPS-approved. C3PAO assessors ask for the CMVP certificate number. Symmetric encryption using AES-256 is necessary but not sufficient on its own.
Should I use one CMMC compliance tool or multiple?
Multiple. CMMC Level 2 covers 110 practices across 14 domains, and no single platform addresses all of them. Most assessment-ready contractors are using a combination: cloud infrastructure (GCC High), identity/access management (Entra/Okta), endpoint protection (CrowdStrike/SentinelOne), secure file exchange (Kiteworks), file-level encryption (Theodosian), and compliance program management (CyberSheath or equivalent RPO). The critical decision is which controls to address first: specifically, the ones that cannot be deferred.