CMMC compliance, from assessment to certification
The CMMC 2.0 final rule is effective as of December 2024, with phased enforcement rolling through 2025. Over 220,000 defense contractors must certify. Thalorin provides the platform to map your posture, close gaps, and maintain certification readiness.
Self-Assessment
Level 1 and Level 2 self-assessments begin appearing in new DoD contracts. Contractors must affirm compliance through SPRS scoring.
C3PAO Certification
Level 2 C3PAO certification assessments required in applicable contracts. Third-party assessors validate all 110 practices.
Level 3 DIBCAC
Level 3 DIBCAC assessments introduced for contracts involving the most sensitive CUI. Full NIST 800-172 requirements enforced.
Full Implementation
CMMC requirements fully integrated across all applicable DoD contracts. Non-compliant contractors excluded from new awards.
Three levels. One path to certification.
Each CMMC level builds on the previous one, with increasing practice requirements and assessment rigor based on the sensitivity of information you handle.
Thalorin automates self-assessment scoring and generates SPRS submission packages.
Full gap analysis, evidence automation, and C3PAO-ready documentation across all 110 practices.
Enhanced security requirements mapped and tracked, with air-gapped deployment for sensitive environments.
How Thalorin supports CMMC
From initial gap assessment through certification and ongoing monitoring, Thalorin provides purpose-built tooling for every phase of the CMMC compliance lifecycle.
Gap Analysis
Automated assessment against all 110 Level 2 practices. Identify exactly where you stand and what needs remediation before engaging a C3PAO.
Practice Implementation
Guided workflows for each NIST 800-171 practice family. Step-by-step implementation guidance with policy templates and configuration baselines.
Evidence Automation
Continuous evidence collection from your environment. System configurations, access logs, and policy artifacts gathered automatically and mapped to practices.
POA&M Management
Track and remediate findings with timelines, milestones, and accountability. Demonstrate progress to assessors with clear remediation documentation.
Supply Chain Flow-Down
Manage subcontractor CMMC requirements. Track flow-down clauses, monitor sub-tier compliance status, and document supply chain risk posture.
Continuous Monitoring
Maintain certification readiness between assessments. Detect control drift, track configuration changes, and keep evidence current for triennial reassessment.
CMMC work carries over
Work you do for CMMC carries over to other frameworks. Thalorin's Feynman Engine maps control relationships automatically—evidence collected once satisfies overlapping requirements.
Deploy where CUI lives
Most compliance platforms are cloud-only. When your CUI environment can't connect to a vendor's cloud, you need a platform that deploys where your data lives.
Cloud
Fully managed SaaS deployment with continuous updates and zero infrastructure overhead.
On-Premises
Deploy within your controlled environment. Your data never leaves your infrastructure.
Air-Gapped
Disconnected environments for classified and high-sensitivity CUI programs.
Hybrid
Split workloads across cloud and on-premises based on data sensitivity requirements.
Ready to start your CMMC journey?
See how Thalorin maps your current posture to CMMC requirements and builds a clear path to certification.