CMMC Compliance
GOVERN supports defense contractors operating under CMMC (Cybersecurity Maturity Model Certification) 2.0. GOVERN’s governance capabilities directly support several CMMC practice domains.
CMMC Level 2 — Advanced
Level 2 (110 practices from NIST SP 800-171) is required for contractors handling CUI.
Practices GOVERN Supports
| Domain | Practice | GOVERN Capability |
|---|---|---|
| Access Control (AC) | AC.L2-3.1.1 | RBAC, least privilege enforcement |
| Access Control (AC) | AC.L2-3.1.2 | Transaction privilege controls |
| Audit & Accountability (AU) | AU.L2-3.3.1 | System audit events, immutable logs |
| Audit & Accountability (AU) | AU.L2-3.3.2 | User and admin activity review |
| Configuration Management (CM) | CM.L2-3.4.1 | Baseline configuration establishment |
| Identification & Auth (IA) | IA.L2-3.5.3 | MFA for privileged access |
| Risk Assessment (RA) | RA.L2-3.11.2 | Vulnerability scanning |
| System & Comm Prot (SC) | SC.L2-3.13.8 | Cryptographic protection in transit |
| System & Info Integrity (SI) | SI.L2-3.14.6 | Monitor for security alerts |
| System & Info Integrity (SI) | SI.L2-3.14.7 | Identify unauthorized use |
Enabling CMMC Level 2
```bash
helm install govern govern/govern \
  -f values-federal.yaml \
  --set compliance.cmmc.level=2 \
  --set compliance.cmmc.cui.enabled=true
```

This activates:
- CUI data handling controls
- Enhanced audit logging (AU.L2 practices)
- MFA enforcement for all privileged accounts
- Vulnerability scan scheduling
- Security event monitoring with alerting
CMMC Level 3 — Expert
Level 3 (110+ practices from NIST SP 800-172) is required for contractors on critical DoD programs.
Additional Practices for Level 3
| Domain | Practice | GOVERN Capability |
|---|---|---|
| Access Control (AC) | AC.L3-3.1.3e | Dynamic access control |
| Awareness & Training (AT) | AT.L3-3.2.1e | Advanced training tracking |
| Audit & Accountability (AU) | AU.L3-3.3.1e | Centralized audit analysis |
| Configuration Management (CM) | CM.L3-3.4.1e | Automated config checks |
| Risk Assessment (RA) | RA.L3-3.11.1e | Risk assessments with threat intel |
| System & Info Integrity (SI) | SI.L3-3.14.1e | Threat intelligence correlation |
Enabling CMMC Level 3
```bash
helm install govern govern/govern \
  -f values-federal.yaml \
  -f values-il4.yaml \
  --set compliance.cmmc.level=3 \
  --set compliance.cmmc.threatIntel.enabled=true \
  --set compliance.cmmc.advancedMonitoring.enabled=true
```

CMMC Assessment Evidence
GOVERN automatically generates evidence packages for CMMC assessments:
```bash
# Generate CMMC evidence package
govern compliance export \
  --framework cmmc \
  --level 2 \
  --format pdf \
  --output cmmc-evidence-$(date +%Y%m%d).pdf
```

The evidence package includes:
- Control implementation statements
- Audit log samples (last 90 days)
- Configuration baseline screenshots
- Vulnerability scan summary
- Incident response log (if any)
- User access review records
Third-Party Assessment Support
For CMMC certification assessments performed by a C3PAO (CMMC Third-Party Assessment Organization), GOVERN can provide:
- Read-only C3PAO access to audit logs
- Direct API access for evidence collection
- Automated evidence export in OSCAL format
- SSP and CRM documentation
Contact federal@archetypal.ai to coordinate C3PAO access.