Cyber maturity certification for any contractor handling CUI in the US Defense Industrial Base.
All DoD prime and sub-contractors that store, process, or transmit CUI or FCI.
Safeguard supports both self-assessment (Level 1) and C3PAO-led (Level 2) workflows for customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Level 2: 110 NIST SP 800-171 Rev 2 controls + 320 assessment objectives.
Level 3: an additional 24 controls from NIST SP 800-172 plus enhanced threat-hunting and DLP.
C3PAO third-party assessment every three years (Level 2) or government-led assessment (Level 3).
Annual self-attestation by a senior officer of the company.
Documented System Security Plan (SSP) and POA&M with no critical gaps at assessment.
Incident reporting to DoD CYBER within 72 hours of discovery.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Each of the 110 Level 2 controls + 24 Level 3 controls has a written narrative tied to live telemetry.
C3PAO-ready evidence packets export as a single signed bundle including SSP, POA&M, and scan history.
Continuous control attestation replaces point-in-time snapshots — assessors see 24+ months of history.
SBOMs, dependency provenance, and patching cadence meet 800-171 §3.14 (system and information integrity) without screenshot work.
Crosswalk to NIST 800-53, FedRAMP, and ITAR/EAR control families bundled in the same export.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
SSP (System Security Plan) — exportable in DoD format.
POA&M with remediation owners and target dates.
Vulnerability scan history (90-day rolling window required for assessment).
Access review logs with quarterly attestations.
Configuration management baseline diffs.
Incident response plan + tabletop exercise records.
Gap assessment against NIST 800-171
Remediation + SSP authoring
C3PAO assessment (Level 2) or DIBCAC (Level 3)
Affirmation in eMASS / SPRS
These frameworks share substantial control overlap with CMMC L2 / L3. Customers running one assessment typically satisfy the others with the same evidence base.
North America: Federal cloud authorisation for systems handling High-impact CUI and mission data.
North America: The canonical federal information system controls catalogue — the source for FedRAMP, FISMA, and most US sovereign baselines.
North America: Supply Chain Risk Management practices for federal systems — the foundation for SBOM and software provenance requirements.
North America: The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.