
The CMMC Phase 1 Reality Check: What Defense Contractors Should Have Done by Now

By Basel Ismail, May 10, 2026


The CMMC 2.0 final rule (32 CFR Part 170) took effect on December 16, 2024. The companion DFARS rule (48 CFR) is expected to take effect later in 2025, which is when CMMC requirements will actually start appearing in contracts. Phase 1 of the rollout covers self-assessments for Level 1 and certain Level 2 contractors, plus the initial wave of Level 2 certification assessments by C3PAOs. If you are a defense contractor and you are reading this in mid-2025 without a clear picture of where you stand, you are behind. But you are not dead. Let's talk about what the timeline actually looks like and what catching up requires.

Where You Should Be Right Now

By this point, a contractor tracking CMMC seriously should have completed several concrete steps. Not aspirational ones. Actual, documented, defensible ones.

  • Scoping is done. You should know exactly which systems, assets, and enclaves process, store, or transmit CUI or FCI. If you have not completed a scoping exercise aligned with the CMMC Assessment Guide, you are building on sand. The DoD's scoping guidance distinguishes between CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. These categories matter for determining what is in and out of your assessment boundary.
  • Your SSP is written and current. A System Security Plan is not optional at any CMMC level above Level 1 self-assessment. For Level 2, your SSP needs to address all 110 security requirements from NIST SP 800-171 Rev 2. If your SSP is a template you downloaded in 2022 and never updated, it will not survive scrutiny from a C3PAO assessor.
  • You have a POA&M strategy, and it is realistic. CMMC 2.0 allows Plans of Action and Milestones, but with limits. Under the final rule, you cannot have POA&Ms for more than 20% of the Level 2 requirements (that is 22 of the 110 controls). And none of the controls weighted as "highest" in the CMMC scoring methodology can be on a POA&M. You also get 180 days to close them. If your remediation plan assumes you can park 40 controls on a POA&M and deal with them later, that math does not work.
  • You have identified your assessment path. Level 1 contractors self-assess and affirm annually in SPRS. Level 2 contractors handling critical CUI need a C3PAO assessment. Level 2 contractors handling non-critical CUI may be able to self-assess, but the specific determination depends on the contract. You should already know which bucket you fall into.
  • Your SPRS score is accurate. The Supplier Performance Risk System score has been a requirement under DFARS 252.204-7012 for years. If your score in SPRS does not match your actual implementation status, you have a False Claims Act problem, not just a compliance gap. The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, has already produced settlements. Jericho Security paid $11.7 million in 2024 related to cybersecurity misrepresentations. Penn State settled for $1.25 million in 2024 over NIST 800-171 compliance failures. These are real numbers attached to real enforcement actions.

What "Behind" Actually Looks Like

There is a spectrum. Some contractors have done nothing beyond checking a box in SPRS years ago. Others have started but stalled somewhere between scoping and remediation. The most common failure patterns I see are worth naming specifically.

The Scope Creep Problem

Many mid-size contractors never properly bounded their CUI environment. CUI ended up everywhere: shared drives, personal laptops, email threads with subcontractors. Without a defined boundary, every system becomes in-scope, and the cost and complexity of compliance explode. The fix is to reduce your CUI footprint before you try to secure it. Enclave strategies, dedicated CUI environments, and cloud-based solutions like GCC High exist for exactly this reason.

The "We Have an MSSP" Assumption

Hiring a managed security services provider does not make you CMMC compliant. MSSPs can help with monitoring, logging, and incident response, but the responsibility for meeting all 110 Level 2 controls remains with you. An MSSP that runs your SIEM does not mean you have satisfied AC.L2-3.1.3 (control CUI flow) or SC.L2-3.13.11 (CUI encryption). You need to map their services to specific controls and identify what is still on your plate.

The Subcontractor Blind Spot

If you flow CUI down to subcontractors, they need to meet CMMC requirements too. Under DFARS 252.204-7012, the flow-down obligation already exists. CMMC formalizes the verification mechanism. If your subs are not on their own compliance path, that is your supply chain risk, and assessors will ask about it.

What Catching Up Looks Like

If you are behind, the priority stack is straightforward, even if execution is not.

First, get your scoping right. Spend the time and, if necessary, the money to accurately identify where CUI lives. This is foundational. Everything downstream depends on it.

Second, do an honest gap assessment against NIST SP 800-171 Rev 2. Not a self-congratulatory one. Use the DoD Assessment Methodology scoring (the one that generates your SPRS score). Every control you have not fully implemented is a negative point. A perfect score is 110. Many contractors who thought they were at 90 discover they are closer to 40 when someone applies the methodology rigorously.

Third, prioritize remediation based on the CMMC scoring weights. The highest-weighted controls cannot go on a POA&M. If you fail those, you fail the assessment, period. Focus there first. Controls related to access management, audit logging, incident response, and encryption tend to cluster in the high-weight category.

Fourth, get in the C3PAO queue if you need a certification assessment. The Cyber AB (formerly the CMMC Accreditation Body) has been accrediting C3PAOs, but capacity is a real constraint. The number of authorized C3PAOs is growing but still limited relative to the tens of thousands of contractors in the DIB. Waiting until contracts require certification to book an assessment is a recipe for missing deadlines.

Fifth, fix your SPRS score now. If your posted score is inaccurate, update it. An inflated score is a liability. Under the False Claims Act, the qui tam provisions mean your own employees can bring a case. The DOJ has made clear that cybersecurity misrepresentations are an enforcement priority.
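To make the second and third steps concrete, here is a small worked example (added for this post, not FirmAdapt's code) that scores a gap list the way the DoD Assessment Methodology does and sorts the open gaps against the POA&M limits stated above. The control list, its point values and the assessment date are constructed illustrations, and the example assumes the 180-day closure clock starts on the assessment date.

```python
"""Score a NIST SP 800-171 gap list and sort open gaps against CMMC POA&M limits.

Added example, not FirmAdapt code. Point values follow the DoD Assessment
Methodology's 1/3/5 weighting; the control list below is a constructed sample.
"""
from datetime import date, timedelta

PERFECT_SCORE = 110      # one point per control, all 110 implemented
POAM_CAP = 22            # 20% of the 110 Level 2 requirements
POAM_CLOSE_DAYS = 180    # days allowed to close POA&M items
HIGHEST_WEIGHT = 5       # highest-weighted controls may not sit on a POA&M

# Constructed sample gap list: (control id, point value, implemented?)
SAMPLE_GAPS = [
    ("AC.L2-3.1.3", 1, False),    # control CUI flow
    ("AU.L2-3.3.1", 5, False),    # audit logging
    ("IA.L2-3.5.3", 5, False),    # multifactor authentication
    ("SC.L2-3.13.11", 3, False),  # CUI encryption
    ("CM.L2-3.4.2", 1, False),    # security configuration settings
    ("AC.L2-3.1.1", 1, True),     # implemented: no deduction
]


def sprs_score(gaps):
    """Start at 110 and subtract each unimplemented control's point value."""
    return PERFECT_SCORE - sum(weight for _, weight, done in gaps if not done)


def poam_plan(gaps, assessment_date):
    """Split open gaps into must-fix-first and POA&M candidates, and set the deadline.

    Highest-weighted controls cannot go on a POA&M, so they must be closed
    before the assessment. Everything else is POA&M-eligible up to the cap;
    anything beyond the cap must also be fixed first. Assumption: the 180-day
    clock starts on the assessment date.
    """
    open_gaps = [(cid, w) for cid, w, done in gaps if not done]
    must_fix = [cid for cid, w in open_gaps if w == HIGHEST_WEIGHT]
    eligible = [cid for cid, w in open_gaps if w != HIGHEST_WEIGHT]
    return {
        "must_fix_before_assessment": must_fix + eligible[POAM_CAP:],
        "poam_candidates": eligible[:POAM_CAP],
        "over_cap": max(0, len(eligible) - POAM_CAP),
        "poam_deadline": assessment_date + timedelta(days=POAM_CLOSE_DAYS),
    }


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_GAPS))
    print(poam_plan(SAMPLE_GAPS, date(2025, 7, 1)))
```

Swapping the sample list for your own gap assessment gives the score you should be posting in SPRS and the list of controls you cannot defer.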

The Timeline Pressure Is Real but Not Impossible

Phase 1 focuses on Level 1 self-assessments and the initial wave of Level 2 C3PAO assessments. Phase 2, expected roughly a year after Phase 1, expands the requirement to more contracts. Phase 3 brings Level 3 (NIST SP 800-172 based) into play. The ramp is deliberate, and the DoD has signaled it understands the ecosystem needs time. But "time" is not "infinite time." Contractors who wait for a contract clause to force their hand will find themselves scrambling against a wall of C3PAO scheduling backlogs and remediation timelines that do not compress well.

The contractors who are in the best position right now treated DFARS 252.204-7012 seriously when it went into effect in 2017. They built real SSPs, implemented real controls, and maintained real SPRS scores. CMMC, for them, is a verification exercise, not a transformation project. If that is not you, the gap is closable, but it requires honest assessment and sustained effort starting now.

How FirmAdapt Addresses This

FirmAdapt's platform is built around maintaining continuous compliance documentation, which is exactly what CMMC demands. Rather than treating compliance as a periodic audit exercise, FirmAdapt maps your operational controls to specific NIST SP 800-171 requirements, tracks POA&M timelines, and flags when implementation gaps create scoring risks. The system maintains an auditable record of control status that aligns with what a C3PAO assessor will actually look for.

For contractors managing CUI across multiple systems or flowing requirements down to subcontractors, FirmAdapt provides a single environment to track scoping decisions, SSP updates, and evidence collection. The architecture is designed for regulated environments from the ground up, so the platform itself does not create additional compliance complications. If you are trying to close gaps before a certification assessment, having a structured, defensible compliance record is the difference between a smooth assessment and a painful one.
