If your prime says "you need CMMC," what does that actually mean?
Free calculators, quizzes, and checklists that translate CMMC, CUI, SPRS, and DFARS into answers a contractor's CFO can act on. Built for owners, GMs, and compliance officers — not security engineers. No jargon. No email gate on the primary answer.
Pick the question keeping you up at night
Each tool answers one specific question every defense contractor eventually faces. Most take under five minutes. None require an account.
CUI or FCI?
Live: A 6-question quiz that tells you whether your contract data is Controlled Unclassified Information, Federal Contract Information, or neither — and what each one obligates you to do.
False Claims Act risk
Live: Estimate your False Claims Act exposure based on contract value, SPRS score, and CUI handling. The number that should be keeping your CFO up at night — grounded in real DoJ settlement data.
Would I get fined?
Soon: Tell us your industry, state, and what data you handle. We tell you which regulators care, what they can fine you, and how likely it is — across CMMC, HIPAA, FTC Safeguards, and state breach laws.
SPRS score calculator
Soon: Compute your SPRS score the same way the DoD does. Find out exactly what each missing control costs you — before your prime asks for the number.
The docs weren't written for the people who have to comply
If you've ever opened NIST 800-171 looking for a straight answer about whether you need CMMC Level 2, you know the problem. The official guidance is written by compliance professionals, for compliance professionals. The contractors actually on the hook — the owners, COOs, CFOs, and office managers asked to "handle this CMMC thing" — are left translating jargon into action items.
What is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It rolls up NIST SP 800-171 controls into three levels, with third-party assessment required at Level 2 for most contractors handling CUI.
Do I need CMMC Level 1 or Level 2?
Level 1 applies if your contracts only involve Federal Contract Information. Level 2 applies if you handle Controlled Unclassified Information — which is most defense work involving technical drawings, specifications, or DoD program data. The CUI or FCI? quiz walks you through 6 questions to determine which category your contract data falls into.
What is the False Claims Act risk?
The DoJ Civil Cyber-Fraud Initiative pursues False Claims Act cases against contractors who misrepresent their NIST 800-171 compliance in SPRS submissions. Settlements have ranged from roughly $875K (Georgia Tech) to $11.2M (Health Net). Exposure scales with contract value, the duration of the misrepresentation, and the gap between the SPRS score submitted and the score actually supportable. The risk calculator estimates your specific exposure.
Are these tools really free?
Yes. No email gate on the primary answer, no signup, no paywall. The tools are funded by sales of the optional CMMC Survival Guide and related books, for readers who want a deeper walk-through after seeing their result. If the free answer is enough, that's a win too.
Is this legal or compliance advice?
No. Everything here is general information based on public regulations. Before acting on a result — especially anything involving the False Claims Act, DoD reporting deadlines, or CUI handling — consult a qualified compliance professional or attorney. Every tool cites its sources so you can verify independently.