Straight CMMC answers.

No. Every connector is scoped to configuration metadata only, never the data itself. AWS uses the AWS-managed SecurityAudit + ReadOnlyAccess policies (no decryption, no object reads). Azure / M365 use Reader + Security Reader at subscription scope. Okta and CrowdStrike use vendor-defined read-only token scopes. The agents read who has MFA enabled, whether CloudTrail is on, whether a bucket policy is permissive, not what’s in the bucket.

Credentials are encrypted at rest with AES-GCM and decrypted in-process only at scan time. The evidence binder stores hashed API responses, not data payloads. Every connector is revocable in 30 seconds by deleting the IAM role, Service Principal, API token, or OAuth2 client on your side. Revocation takes effect on the next scan cycle, no support ticket required.

Details in the privacy policy and the DPA attached to every subscription.

No platform can guarantee that, the C3PAO decides. The honest answer: assessments fail when evidence is disorganized, stale, or doesn’t map cleanly to a control ID. They rarely fail because a control was missing entirely.

What the platform does: every one of the 110 controls and 320 assessment objectives has current measured evidence in a format your assessor can consume on the first pass. Every artifact has a SHA-256 hash and a NIST control ID stamped on it. Your SPRS submission reflects measured posture, not self-attestation. That removes the most common reason assessments stretch from five days to eight.

Your C3PAO retains its independence and its judgment. We don’t talk to your assessor on your behalf; we hand you the package they expect to see.

Those platforms are dashboards. They were built to serve SOC 2 first, then bolted CMMC features on. You log in, you see your control score, you go assemble the SSP and evidence binder yourself or hire a consultant to do it.

Enclave AI is Agent-as-a-Service. The work product lands in your inbox each cycle, written by the agents and ready to forward to your C3PAO: the SSP Word document, the POA&M tracker, the evidence binder, and the SPRS posture report. The agents work whether you log in or not. The deliverables ship whether you read them or not.

Practical implication: if you don’t want to spend your week inside another compliance dashboard, you don’t have to. If your team is one person wearing the compliance hat alongside three other hats, the tier subscriptions are designed for that situation.

A 5-page PDF in your inbox within minutes of intake submission. Three things on it:

• Your self-reported SPRS score side-by-side with the measured score from the live scan of any cloud you connect (AWS via CloudFormation role, Azure / M365 via Service Principal, Okta via API token, CrowdStrike via OAuth2 client, connect any combination, including zero).
• The top NIST 800-171 control gaps driving the difference, each with a control ID (3.1.1, 3.13.8, etc.), the SPRS deduction weight per the DoD Assessment Methodology, and the evidence file with its SHA-256 hash.
• A 30-day remediation list ordered by point recovery impact, with expected point recovery per item.

What it is not: a C3PAO pre-assessment, a certification, a legal opinion, or consulting. It is a measurement, nothing more.

The $799 credits to month one if you start a subscription within 30 days. Net cost of a Readiness Snapshot that converts: $0. Net cost of a Readiness Snapshot that confirms you’re not ready and you walk away: $799 well spent.

The full subscription. From minute zero you get the welcome email, the intake, the read-only cloud connectors, the first multi-cloud scan, and the first deliverable bundle (SSP draft, POA&M, evidence binder, readiness analysis, 30-day remediation list). On Fortress, you also get twice-monthly scan cycles and a reviewer pass on every deliverable before send. On Sovereign, per-entity bundles, the parent-level roll-up, and the founder as your named account contact.

Monthly subscription. The card you provide at checkout is charged the tier price on the day you subscribe and on the same day each month going forward. Cancellation is one click in your Stripe billing portal; no email, no call. Access continues through the end of the paid period after cancellation.

The trial is designed to deliver enough real work product in the first 60 minutes for you to judge whether your C3PAO would accept it. If the answer is no, cancel before day 14.

No. Stripe checkout, intake, scan, PDF in inbox, the entire buy-and-deliver path is self-service. Reply to any deliverable email with a question; agents answer in minutes, humans inside four business hours when judgment is needed.

The only path that requires a call is custom engagement above 10 entities or in classified / IL5+ environments, handled by partners@ai4cmmc.ai.

Three subscription tiers, all on monthly billing with cancel-anytime in the Stripe billing portal:

• Standard, $4,995/mo. Single entity. One full readiness package per month: SSP, POA&M, evidence binder, SPRS submission. For OSCs more than 60 days from a C3PAO date, or with no specific date yet but a contract that’ll require it soon.
• Fortress, $9,995/mo. Single entity. Twice-monthly scan cycles + reviewer pass on every deliverable before send + pre-assessment dry run when your C3PAO is engaged. For OSCs inside 60 days of a confirmed assessment date.
• Sovereign, $19,995/mo. Up to 10 entities under one contract. Per-entity deliverables, parent-level roll-up posture report, cross-entity consistency review, founder as your named account contact. For parent organizations with multiple subsidiaries holding separate CUI. (Custom integration into legacy on-prem GRC / ticketing / SIEM available under MSA on top of Sovereign.)

Annual prepay on any tier is 10% off (Standard $53,946, Fortress $107,946, Sovereign $215,946). Subscriptions are billed monthly in advance. Month-to-month; fees already billed are not refunded. Fair-use thresholds in Terms of Service.

It means the deliverables ship in your inbox each cycle: the SSP file, the POA&M file, the evidence binder, the SPRS posture report, and the 30-day remediation list. You don’t open a dashboard to assemble them. You don’t schedule a check-in to review them. The agents ingest your environment, map controls, draft documentation, collect evidence, and produce the deliverables. You and your team remain in the loop for the executive decisions (what to remediate first, what to accept as a residual risk, what to flag to your prime), but the production work is done.

If a dashboard is what you want, this isn’t the right product. If outcome-shaped work product is what you want, it is.

Each connector is read-only, scoped, and revocable:

• AWS. One-click CloudFormation role with SecurityAudit + ReadOnlyAccess. Scans IAM, MFA, CloudTrail, S3 bucket policies, GuardDuty, VPC, KMS, Config. Maps findings to 3.1.x (Access Control), 3.3.x (Audit & Accountability), 3.13.x (System & Communications Protection).
• Azure / M365. Service Principal with Reader + Security Reader. Scans Azure AD / Entra, Conditional Access, Defender for Cloud posture, Sentinel, Key Vault, Storage encryption. Maps to 3.1.x, 3.5.x (Identification & Authentication), 3.13.x.
• Okta. Read-only API token. Scans MFA enforcement, password policies, session settings, sign-on policies. Maps to 3.5.x.
• CrowdStrike Falcon. Read-only OAuth2 client. Scans sensor coverage, detection posture, prevention policies. Maps to 3.14.x (System & Information Integrity).

Each scan stores its API responses with SHA-256 hashes for chain-of-custody. Cycle cadence: monthly on Standard, twice-monthly on Fortress, per-entity on Sovereign.

You still get a readiness package. The intake captures the parts the cloud connectors can’t reach, on-prem infrastructure, niche SaaS, process-only controls, contractual posture. Findings derived from intake answers are labeled as such on the report (versus connector-measured findings); your C3PAO sees the distinction. On Sovereign, custom integration into legacy on-prem GRC, ticketing, SIEM, and IAM tools brings additional environments into the measured path.

On the next scan cycle. When the scan runs and a configuration has changed since the previous cycle, the diff appears on the first page of that cycle’s deliverable bundle: which control moved, which API response changed, when it changed, and what the POA&M needs to reflect. We do not promise “drift detected in minutes”, that’s a SaaS-dashboard claim. We promise the deliverable bundle reflects current posture each cycle.

SSP as a Word .docx and a signed PDF. POA&M as a Word .docx with an embedded table (so your team can edit in Word) plus an .xlsx export for GRC tool import. Evidence binder as a folder of JSON evidence files (one per finding, with SHA-256 hash) plus a PDF index that maps each evidence file to its NIST control ID and assessment objective. SPRS posture report as a PDF.

No, and the framing matters. Operational leverage, not headcount elimination. The platform handles continuous measurement, evidence collection, and document production. Your compliance lead keeps making executive decisions, what residual risk to accept, what to escalate, what to flag in board reporting. Human-in-the-loop by design. The platform is the leverage that lets one compliance person do the work a small team used to do.

No. Enclave AI is software for CMMC Level 1 and Level 2 readiness. Assessments are conducted exclusively by independent Certified Third Party Assessment Organizations (C3PAOs) authorized by the Cyber AB. We’re a software vendor in the CMMC ecosystem, built to make life easier for the OSCs preparing for assessment, the C3PAOs assessing them, and the RPOs guiding them.

Read more in our Policy Position on the structural integrity of the CMMC ecosystem.

No. ElasticD3M, LLC is a CMMC compliance software vendor. We are not an RPO and we do not provide consulting, advisory, or readiness services as defined under 32 CFR Part 170. We make software that customers operate themselves, and that RPOs can use to deliver their consulting work more efficiently if they choose.

No. Under 32 CFR 170.9 a C3PAO cannot provide consulting to an organization it will assess. The CMMC Readiness Snapshot is a measurement product, not a consulting engagement, no advisor, no SOW, no recommendation to take specific remediation actions beyond the factual gap list. Running a Readiness Snapshot before assessment is something many contractors do, and it does not affect your C3PAO’s independence.

Not today. Level 3 (CUI Specified, the highest sensitivity tier) is currently out of scope. If your contracts require Level 3, contact partners@ai4cmmc.ai for a custom engagement conversation. We will not sell you a Level 2 subscription and tell you it covers Level 3.

No. The Readiness Snapshot and the subscription tiers are CMMC / NIST 800-171-specific. If your compliance need is SOC 2, ISO 27001, HIPAA, PCI, or anything other than CMMC / NIST 800-171, this is not the right product for you. Buying it anyway would waste your money.

Stripe Checkout. Card on the trial. After conversion: card, ACH, or wire for annual prepay. Stripe sends receipts automatically. Invoices on request to agents@ai4cmmc.ai.

Inside the Stripe billing portal, one click, no email, no call. Subscriptions are month-to-month; auto-renewal stops at the end of the then-current paid month. Fees already billed are not refunded. The $799 Readiness Snapshot is non-refundable once the PDF is delivered. Full cancellation policy.

For Standard and Fortress, no, the Stripe-signed terms cover the engagement. For Sovereign, an ElasticD3M-signed mutual NDA is delivered for executive countersign within 24 hours of intake submission, most parent-organization legal teams require it before subsidiary data flows.

If your procurement requires a custom MSA before any data touches the platform, email agents@ai4cmmc.ai with “MSA request” and entity name.

The platform is compliance management software, not a legal opinion, not a certification, not a substitute for a C3PAO assessment, not a guarantee of pass. Every material compliance decision requires executive approval on your side. Full liability terms in the Terms of Service.

Yes. The C3PAO Partner Program includes a discount code C3PAOs provide to their referred OSC clients, redeemable at Enclave AI checkout. Partner C3PAOs receive a separate revenue share on referred subscriptions. Details on the For C3PAOs page.