About

CMMC, without the consulting tax.

Garde1 was built by three people who've watched the CMMC ecosystem from the outside in — and got tired of watching defense contractors pay six figures for binders that drift the day they're signed. We're software, not a consulting engagement. And we'll tell you the truth even when it costs us the sale.

The problem

Traditional CMMC is a binder, not a system.

The default path to a CMMC Level 2 certification is a 6–18 month consulting engagement that costs $50K–$200K and ends with a stack of policies that don't reflect what your environment actually does. Three months later your stack has drifted, your evidence is stale, and the next assessment starts from scratch.

The 110 security practices in CMMC Level 2 are deterministic. The 320 assessment objectives are deterministic. The work of mapping a real environment to them, generating the documents, and keeping evidence fresh — that work belongs in software.

Our approach

Automate what you can. Simplify what you can't.

Three things we do that the binder-and-consultant model can't:

  • AI-generated policies. Answer a guided onboarding; Garde1 generates the 14 domain policies, SSP, and POA&M tailored to your scope. Not boilerplate — deep, control-specific prose grounded in your real environment.
  • API evidence collection. Connect Microsoft 365, Google Workspace, AWS, Okta, your SIEM — Garde1 pulls live evidence and maps it to the controls automatically. Stop chasing screenshots. Stop emailing PDFs at 2am.
  • Bring-your-own evidence, analyzed by computer vision. The controls software can't observe directly — physical security walk-throughs, training records, signed acknowledgments, hand-written logs — you upload the artifact your C3PAO accepts (photo, PDF, screenshot, log export), and Garde1's computer vision pipeline reads it against the control objective, scores completeness, and flags whatever's missing before the assessor sees it. Scheduled SOP reminders keep the cadence honest. No attestation shortcuts — C3PAOs don't take them.

When a control drifts, you know in hours. When the C3PAO arrives, you hand them a signed export — not a fire drill.

Where we sit

The practice room. The C3PAO is the real test. We're built for the run-through.

Garde1 runs internal mock assessments so you find every gap before paying for the real one with a C3PAO. The DoD designed the readiness lane and the certification lane as separate roles for a reason — the room where you fix things sits separate from the room where you get certified. That's the lane Garde1 is built for. Registered Provider Organization (RPO) status is in progress as a formal credential within that lane.

We don't adjudicate our own customers' controls. If the evidence says fail, the system says fail. The remediation path is “upload more evidence” — not a button to mark something satisfied.

The team

Three people. Enough scar tissue between them to know what to build.

Andrew Erne
Andrew Erne
CEO

Andrew has spent 25 years inside the federal cybersecurity ecosystem — six of them as a Vice President and Solutions Architect at a federal cybersecurity firm, and currently as a part-owner of one of the first C3PAOs the DoD authorized. He's watched DIB contractors hire consultants for six-figure CMMC engagements and still fail their first assessment, because the consulting-binder model treats compliance as a one-time deliverable instead of an operating discipline. Garde1 is the product Andrew built against that pattern: assessor-grade scoping, document generation, and evidence review delivered as software instead of slides. He brings the assessor- and integrator-side view of CMMC — the angle most contractors never get, and the one the platform builds against.

Kyle Fahey
Kyle Fahey
CTO

Kyle has been shipping production software since he was thirteen. Twenty years later he leads distributed engineering teams across three continents — SOC 2 implementation and ABAC-enforced security at Litehouse, backend ownership through 1,000+ PRs at the Anaheim Ducks' technology arm, and a 2M-MAU search microservice plus the GraphQL Council he founded at AbbVie. The thread through all of it — turning complex domain knowledge into software the people who actually do the work want to use. At Garde1 he learned CMMC from the ground up — the 110 controls, 320 assessment objectives, §170.19 ESP framing — then designed and built the platform around the pain the framework actually imposes on contractors. The outcome he's building toward: a platform defense contractors open on Monday, not a dashboard they ignore until the day before their assessment.

Michael Hayles
Michael Hayles
COO

Mike's specialty is scaling services businesses into government. At Faye Digital he built the Asana consulting practice from zero, then closed and personally onboarded the firm's defense and federal accounts — NASA, U.S. Space Force, and multiple DC government agencies. At TekConnected, the consultancy he founded, he grew a 10-person team delivering CRM, project management, and automation systems to clients ranging from SMB to the Tennessee Department of Health. Before the software chapter: two decades founding and scaling companies across UK trades, construction, and infrastructure subcontracting, plus a stint as a British Army paratrooper. At Garde1 he runs operations — building the machinery that lets a small team deliver mock assessments at DIB cadence without becoming the bottleneck.

Why we’re building this

We've seen, first-hand, how painful CMMC has become when it doesn't have to be.

Every one of us has watched smart contractors burn out their best people on screenshots and spreadsheets. Watched six-figure engagements end with binders that diverge from reality the day they're signed. Watched well-intentioned compliance programs collapse the moment the consultant's contract ends.

We didn't start Garde1 to add another vendor to the ecosystem. We started it to take a stack of work that has been served by consultants for fifteen years and finally move it into software — where it should have been the whole time.

Get started

See how Garde1 maps your scope, generates your documents, and gets you assessment-ready.

Book a DemoSee the Product