Why a CMMC Level 1 Self-Assessment Is Not a Get-Out-of-Jail Card for AI Risk
A lot of defense contractors are breathing a sigh of relief about CMMC Level 1: an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21, with no third-party assessor involved. For companies that only handle Federal Contract Information (FCI), this is genuinely the right scope. The uncomfortable part is that a surprising number of contractors who believe they only handle FCI have in fact been handling Controlled Unclassified Information (CUI) for years. Layer AI tools into that environment and the risk profile changes fast, and a Level 1 self-assessment does almost nothing to address it.
FCI vs. CUI: The Distinction That Keeps Getting Blurred
FCI is information, not intended for public release, that is provided by or generated for the government under a contract (FAR 4.1901). It is a broad, relatively low-sensitivity category. CUI is a different animal entirely. Governed by 32 CFR Part 2002 and catalogued in the CUI Registry maintained by the National Archives (roughly 125 categories and subcategories), CUI includes export-controlled technical data (ITAR/EAR), Controlled Technical Information as defined in DFARS 252.204-7012, and critical infrastructure categories that flow through defense supply chains every day.
The problem is that CUI markings are inconsistent in practice. A 2023 DoD Inspector General report (DODIG-2023-063) found that DoD components were not consistently marking CUI, which meant contractors were receiving controlled information without the markings that would tip them off. If your prime sends you a technical drawing with performance specifications for a weapons subsystem and nobody stamps it CUI, you might reasonably assume it is just FCI. You would be wrong, and your CMMC Level 1 self-assessment would be scoped to the wrong baseline.
The final CMMC rule, published in the Federal Register on October 15, 2024 (32 CFR Part 170), makes this consequential. If your contract carries DFARS 252.204-7012, you are expected to be handling covered defense information, which is CUI, and the CMMC level the contract then requires will be Level 2 at minimum. Level 2 means all 110 security requirements in NIST SP 800-171 Rev 2, and for many contractors it means a certification assessment by a C3PAO rather than a self-assessment. The gap between 15 requirements and 110 is not a rounding error.
Where AI Makes This Worse
Now add AI tools to the mix. Contractors are adopting AI for everything from proposal writing to engineering analysis to supply chain optimization. Each of these use cases potentially involves ingesting, processing, or generating data that touches CUI. And the CMMC framework was not designed with AI-specific risks in mind.
Consider a concrete scenario. Your engineering team uses an AI-assisted design tool that pulls from a shared data lake containing technical specifications from multiple contracts. Some of those specs are FCI. Some are CUI. The AI model does not know the difference, and unless you have built data classification and access controls into the retrieval and storage layers, neither does your security boundary. Your Level 1 self-assessment, which only addresses basic safeguards like limiting system access to authorized users (AC.L1-3.1.1) and media sanitization, does not require you to have solved this problem. Level 2 does, through requirements like SC.L2-3.13.16 (protect the confidentiality of CUI at rest) and AU.L2-3.3.1 (create and retain system audit logs and records).
There is also the data residency question. If your AI tool processes data through a cloud-based inference API, where does that data go, and who retains it? For CUI, DFARS 252.204-7012 (and the CMMC rule's scoping of cloud service providers) requires that an external cloud service storing, processing, or transmitting it meet the FedRAMP Moderate baseline or equivalent. Level 1 carries no such requirement. A contractor who self-assesses at Level 1 while running CUI through a commercial AI API is exposed on multiple fronts: CMMC noncompliance, potential ITAR violations if the data includes export-controlled technical data, and False Claims Act liability if they have affirmed compliance in SPRS.
The False Claims Act Angle
This is worth pausing on. The Department of Justice's Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act (31 U.S.C. 3729-3733) to pursue contractors who misrepresent their cybersecurity compliance. In 2022, Aerojet Rocketdyne settled a qui tam case for $9 million over allegations that it misrepresented its compliance with DFARS 252.204-7012 cybersecurity requirements. The case (United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.) was brought by a former employee; the court let it proceed toward trial rather than dismissing it, and the settlement made clear that cybersecurity compliance representations in government contracts are actionable under the FCA.
If you self-assess at Level 1, post a score in SPRS, and it later turns out you were handling CUI that required Level 2, you have a problem that goes well beyond a failed audit. You have potential FCA exposure, with treble damages and per-claim civil penalties. Adding AI tools that process CUI without appropriate controls makes the factual record worse, because it suggests the data handling environment was not just underscoped but actively expanding in ways that increased risk.
The Scoping Exercise Nobody Wants to Do
The root issue is that most contractors have not done a rigorous data flow analysis that accounts for AI. Traditional scoping for CMMC involves identifying where CUI enters, is stored, is processed, and exits your environment. When AI tools are in the picture, "processing" becomes a much more complex concept. Models can memorize training data. Inference pipelines, including the vendor's, may log prompts and outputs. RAG architectures pull from document stores that may contain mixed-classification data. Fine-tuned models may embed patterns derived from CUI in their weights.
None of this is addressed by the 15 Level 1 requirements. And honestly, even the 110 Level 2 requirements were written before these architectural patterns were common. But Level 2 at least gives you the framework to build controls around them: access control at the data layer, encryption in transit and at rest, audit logging, incident response procedures, and system boundary definitions that can account for AI components.
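The two scenarios above, a design tool reading from a mixed data lake and a RAG pipeline retrieving from a mixed document store, reduce to one control at the retrieval layer: it has to know each document's classification and the scope of the environment the model runs in, and it has to record what it decided. The following Python is an added illustration written for this article, not FirmAdapt's code and not anything from the CMMC rule. The document store, the `Enclave` and `retrieve` definitions, and the policy of treating an unmarked document as CUI until someone with authority says otherwise are all assumptions of the example.

```python
"""Classification-aware retrieval gate for a RAG pipeline (illustrative example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import json
import re


class Level(IntEnum):
    """Sensitivity tiers the pipeline understands."""
    FCI = 1
    CUI = 2


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    level: Optional[Level]   # None: the prime sent it without a marking


@dataclass(frozen=True)
class Enclave:
    """The environment in which the model that sees retrieved text actually runs."""
    name: str
    max_level: Level          # highest tier this environment is scoped for
    fedramp_moderate: bool    # True only for a FedRAMP Moderate (or equivalent) CSP


class AuditLog:
    """Append-only decision record; one JSON line per decision (AU.L2-3.3.1 style)."""
    def __init__(self):
        self.entries = []

    def record(self, **fields):
        self.entries.append(json.dumps(fields, sort_keys=True))


def effective_level(doc):
    # Deny-by-default (assumption of this example): an unmarked document is
    # handled as CUI, because upstream marking is known to be inconsistent.
    return Level.CUI if doc.level is None else doc.level


def check_enclave(enclave):
    """An enclave scoped for CUI must sit on a FedRAMP Moderate (or equivalent) CSP."""
    if enclave.max_level >= Level.CUI and not enclave.fedramp_moderate:
        return "enclave scoped for CUI lacks FedRAMP Moderate"
    return None


def score(query, text):
    """Toy relevance score: number of query terms present in the document."""
    terms = set(re.findall(r"\w+", query.lower()))
    words = set(re.findall(r"\w+", text.lower()))
    return len(terms & words)


def retrieve(query, store, enclave, principal, audit, top_k=3):
    """Return (allowed documents, blocked doc ids). Every decision is logged."""
    problem = check_enclave(enclave)
    if problem:
        audit.record(event="retrieve", principal=principal, enclave=enclave.name,
                     decision="refuse", reason=problem)
        raise PermissionError(problem)

    allowed, blocked = [], []
    for doc in store:
        lvl = effective_level(doc)
        if lvl > enclave.max_level:
            blocked.append(doc.doc_id)
            reason = f"{lvl.name} exceeds enclave scope {enclave.max_level.name}"
            if doc.level is None:
                reason += " (unmarked, presumed CUI)"
            audit.record(event="retrieve", principal=principal, enclave=enclave.name,
                         doc=doc.doc_id, decision="deny", reason=reason)
            continue
        allowed.append(doc)
        audit.record(event="retrieve", principal=principal, enclave=enclave.name,
                     doc=doc.doc_id, decision="allow", level=lvl.name)

    allowed.sort(key=lambda d: score(query, d.text), reverse=True)
    return allowed[:top_k], blocked


# Constructed sample store and enclaves; none of this is real contract data.
STORE = [
    Document("fci-001", "Delivery schedule and invoicing milestones for the bracket order.", Level.FCI),
    Document("cui-017", "Subsystem performance specification: rated thrust and duty cycle.", Level.CUI),
    Document("unk-042", "Thermal drawing with tolerances for the actuator housing.", None),
]
FCI_ONLY = Enclave("saas-assistant", Level.FCI, fedramp_moderate=False)
CUI_ENCLAVE = Enclave("gov-cloud-inference", Level.CUI, fedramp_moderate=True)
BAD_ENCLAVE = Enclave("public-api", Level.CUI, fedramp_moderate=False)


if __name__ == "__main__":
    log = AuditLog()
    docs, blocked = retrieve("thrust specification", STORE, FCI_ONLY, "eng@example", log)
    print("allowed:", [d.doc_id for d in docs], "blocked:", blocked)
    for line in log.entries:
        print(line)
```

The point of the example is where the decision is made: the gate sits between the document store and the model, so a prompt issued from the FCI-scoped assistant never sees the CUI specification or the unmarked drawing, and the reason is written down for an assessor. The hardest choice in practice is the one labelled as an assumption above, what to do with unmarked documents; treating them as CUI costs you recall, treating them as FCI is exactly the underscoping this article is about.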
If you are a subcontractor and you think you only handle FCI, go back and look at your contracts. Look at DFARS clauses. Look at the actual data flowing into your systems, not just what is marked. Talk to your primes about what they are sending you. And if you have deployed AI tools that touch any of that data, map the data flows through those tools specifically. You may find that your Level 1 self-assessment is scoped to a reality that no longer exists.
What Contractors Should Actually Do
- Audit your data classifications now. Do not rely on markings from primes. Use the CUI Registry categories and cross-reference against the actual content in your systems.
- Map AI data flows explicitly. Every AI tool that touches contract-related data needs to be in your system security plan, with documented data flows, storage locations, and access controls.
- Reassess your CMMC level honestly. If there is any chance you are handling CUI, scope to Level 2. The cost of a C3PAO assessment is a fraction of FCA exposure.
- Evaluate your AI vendors against FedRAMP Moderate. If they cannot meet it, they should not be processing your CUI.
How FirmAdapt Addresses This
FirmAdapt was built for exactly this kind of problem. The platform enforces data classification and access controls at the architecture level, so AI workflows do not inadvertently process CUI in environments scoped for FCI. Data flow mapping, audit logging, and encryption controls are built into the AI pipeline rather than bolted on after the fact, which means your system security plan reflects what is actually happening in your environment.
For defense contractors navigating CMMC, FirmAdapt provides the compliance infrastructure to support Level 2 requirements across AI use cases, including data residency controls aligned with FedRAMP Moderate and granular access controls that map to NIST SP 800-171 security families. If your self-assessment is based on assumptions about data classification that have not been tested against your actual AI data flows, FirmAdapt gives you the tooling to close that gap before an auditor or a qui tam relator finds it first.