Skip to content
CMMC

CMMC Level 2 compliance, assembled from source-linked evidence, scored, and packaged for your DIB contracts.

The CMMC Phase 2 window is scheduled to begin November 10, 2026. Valty maps all 320 NIST SP 800-171A assessment objectives, computes your SPRS score, runs the POA&M clock, and generates the OSCAL assessment package — so a defense industrial base supplier can build a defensible readiness package and see exactly where evidence is still missing. Readiness evidence, not an authorization.

Design partnerPublic / indexed
Request a CMMC readiness package
The deadline

The CMMC Phase 2 window is expected to open in November 2026.

Certification is being phased into defense solicitations. Once Phase 2 opens, awards involving Controlled Unclassified Information can require a CMMC Level 2 certification assessment. The public basis is 32 CFR Part 170 — the CMMC Program rule — and the DoD CIO CMMC program, not a Valty projection. Building the evidence base before a contract requires it is the difference between competing and waiting.

Phase 2 window

November 10, 2026

The 48 CFR CMMC acquisition rule (effective November 10, 2025) phases requirements in over three years; its Phase 2 — Level 2 C3PAO certification as a condition of award — is scheduled to begin November 10, 2026, with DoD retaining discretion per solicitation. The timeline is set by the rule, not by Valty.

DoD CIO CMMC program · 48 CFR rule
In scope

~80,000 contractors

Roughly 80,000 defense industrial base contractors are estimated to need a CMMC Level 2 assessment to keep bidding on work involving Controlled Unclassified Information. Figure per DoD program estimates.

Defense industrial base
The public basis

32 CFR Part 170

The CMMC Program is codified in 32 CFR Part 170. Certification requirements reach contracts through the companion DFARS acquisition rule. Valty tracks the rule; it does not set the date.

32 CFR Part 170 · CMMC Program rule
What Valty ships for CMMC

A defensible readiness package, generated from evidence you already hold.

Valty maps CMMC Level 2 to all 320 assessment objectives in NIST SP 800-171A, lets you attach source-linked evidence to each one, and computes the SPRS score the way an assessor reads it. CMMC Level 2 is one of 30+ framework catalogs Valty maintains — 2,700+ source-cited controls in total — and it reads from 36 supported connectors, so the evidence behind each objective stays current. Valty generates the readiness evidence and the OSCAL package; it does not grant an authorization.

  • 800-171A objective crosswalk, with source-linked evidence attached per objective
  • SPRS score view across the 110 NIST 800-171 requirements
  • POA&M with the 180-day closeout clock tracked per item
  • OSCAL 1.1.2 SSP, SAP, SAR, and POA&M generation
  • A factual readiness status statement — not an authorization

Valty generates readiness evidence and OSCAL packages. It does not grant a CMMC certification or an authorization to operate. Product framework coverage is a readiness aid, never a company certification.

CMMC Control Catalog product surface
CMMC Control CatalogCMMC Level 2 mapped to all 320 NIST SP 800-171A assessment objectives, each with source-linked evidence, coverage state, and the SPRS score computed the way an assessor reads it. Illustrative design-partner surface.
The depth

Six capabilities behind the package, each one an assessor can trace.

These are product capabilities, evidenced to source. Nothing here asserts a certification — every output is readiness material a supplier and a C3PAO can inspect.

Assessment objectives

All 320 objectives, evidenced individually

CMMC Level 2 maps to the 110 requirements of NIST SP 800-171 and the 320 assessment objectives of 800-171A. Valty holds every objective as its own line item, so you attach evidence and see coverage at the exact granularity an assessor works from.

NIST SP 800-171A crosswalk
SPRS scoring

Your score, the way an assessor reads it

Valty computes the SPRS score across the 110 security requirements using the standard weighting, so the number you brief internally matches the one that lands in the Supplier Performance Risk System.

SPRS score computation
POA&M lifecycle

The 180-day clock, tracked per item

Requirements eligible for a Plan of Action & Milestones carry the 180-day closeout clock. Valty tracks each POA&M item, its owner, and its deadline, and flags items approaching the window before it closes.

180-day POA&M closeout clock
OSCAL generation

SSP, SAP, SAR, and POA&M in OSCAL 1.1.2

Valty generates the System Security Plan, assessment plan, assessment results, and POA&M as OSCAL 1.1.2 packages — machine-readable artifacts an assessor or downstream tool can ingest, not just PDFs.

OSCAL 1.1.2 package generation
Assessment package

Assembled for your C3PAO

The readiness output assembles into the package a supplier hands to a C3PAO for the Level 2 assessment: crosswalk, SPRS view, POA&M, OSCAL SSP, and a factual status statement. Valty assembles it; the C3PAO assesses it.

C3PAO assessment-package assembly
CUI boundary

Scope what is in and out

Define the CUI boundary — the systems, people, and data in scope for assessment — so evidence, scoring, and the SSP all describe the same environment the assessor will walk.

CUI boundary scoping
Readiness workflow

Scope in. Assessment package out.

The same evidence spine runs the whole path: define the boundary, evidence the objectives, score against SPRS, and export the OSCAL package a C3PAO can assess.

OSCAL Assessment Package product surface
OSCAL Assessment PackageSSP, SAP, SAR, and POA&M generated as OSCAL 1.1.2 — the machine-readable package a supplier assembles for a C3PAO assessment. Valty assembles it; the C3PAO assesses it. Illustrative design-partner surface.

The artifact

The package you hand a C3PAO — not a certificate you print yourself.

The workflow ends in an OSCAL 1.1.2 package: SSP, SAP, SAR, and POA&M, plus the 800-171A crosswalk, the SPRS score view, and a factual readiness statement. It is machine-readable, assembled for the assessment, and honest about what is not yet closed.

Valty assembles the assessment package. A C3PAO conducts the Level 2 assessment and the DoD accepts it. The package is readiness evidence, not an authorization.

01

Draw the CUI boundary

Define the systems, users, and data in scope. Everything downstream — objectives, evidence, scoring, and the SSP — describes this boundary, so the package matches the environment the assessor walks.

CUI boundary definition
02

Map and evidence 320 objectives

Read from your connectors and attach source-linked evidence to each 800-171A objective. Coverage is measured per objective; missing or stale evidence stays visible instead of being assumed closed.

800-171A objective crosswalk
03

Compute SPRS, open the POA&M

Valty computes the SPRS score across the 110 requirements and opens POA&M items for eligible gaps — each with the 180-day closeout clock, an owner, and a deadline.

SPRS score + 180-day POA&M clock
04

Generate the OSCAL package

Export the SSP, SAP, SAR, and POA&M as OSCAL 1.1.2, assembled into the package you bring to a C3PAO — with a factual readiness statement, never an authorization claim.

OSCAL 1.1.2 package for C3PAO
Readiness, not authorization

Valty is not a C3PAO.

Valty the company is not a CMMC Third-Party Assessment Organization (C3PAO), a C3PAO-accredited assessor, or a certifying body. It does not issue CMMC certifications, authorizations, or attestations of compliance.

The product produces readiness evidence and assessment artifacts: the 800-171A crosswalk, the SPRS score, the POA&M, and the OSCAL package. A C3PAO conducts the certification assessment and the DoD accepts it. Valty helps you arrive prepared.

Product CMMC coverage is never presented as a company certification. Where evidence is missing or stale, Valty flags the gap rather than closing it.

Proof matrix

What Valty can claim for CMMC, and what it cannot.

Every CMMC output carries a source, a confidence label, and a freshness rule. The last row is the one that matters most: certification is not a Valty claim.

ClaimCMMC Level 2 objective coverage
Source800-171A crosswalk: 320 objectives with evidence attached per objective
ConfidenceReadiness evidence, source-linked. Not a certification
FreshnessRecomputed as connector evidence refreshes
ClaimSPRS score
SourceComputed across the 110 NIST 800-171 requirements with standard weighting
ConfidenceSelf-assessment aid; the official score is the one you submit to SPRS
FreshnessRecalculated on evidence or scope change
ClaimPOA&M item
SourceEligible gaps opened with owner, milestone, and deadline
Confidence180-day closeout clock tracked; closure requires evidence
FreshnessClock runs from the item open date; flagged before expiry
ClaimOSCAL assessment package
SourceSSP, SAP, SAR, and POA&M generated as OSCAL 1.1.2
ConfidenceMachine-readable readiness artifact for a C3PAO
FreshnessRegenerated on evidence, scope, or scoring change
ClaimCMMC certification / authorization
SourceIssued by a C3PAO and accepted by the DoD, not by Valty
ConfidenceNot a Valty claim. Valty produces readiness evidence only
FreshnessDetermined by your C3PAO assessment, not by the product
Free tool

Estimate your SPRS score in minutes — free, no sign-in.

Not ready for a full readiness engagement? Start with the free SPRS score estimator. Answer for the 110 requirements and get an indicative SPRS score plus the gaps that cost you the most points — no account, no evidence upload.

The estimator returns an indicative self-assessment score for planning. It is not an official SPRS submission or a CMMC certification.

Build your CMMC readiness package before a contract requires it.

Valty maps the 320 objectives, computes your SPRS score, runs the POA&M clock, and generates the OSCAL assessment package from evidence you already hold. Request a readiness package and see exactly where you stand — and what is still missing.

Valty is in design-partner and early-access stage. Valty generates CMMC readiness evidence and OSCAL assessment artifacts; it does not issue CMMC certifications or authorizations, and it is not a C3PAO. Product framework coverage is decision-support for readiness, never a company certification. No customer names or logos are shown.