The assessor packet, line by line.
Pre-sale buyers should start at /security. New to CMMC? Start with the plain-English explainer.
This page is for the CMMC assessor and the customer compliance team documenting Garde1 in an OSC's scope. 32 CFR §170.19 places Garde1 in the Security Protection Asset (SPA) lane and names a single regulatory deliverable: a published Customer Responsibility Matrix. Below, in reading order: the §170.19 framing, the per-feature data taxonomy, the CRM itself, pasteable SSP boilerplate, and the regs we track to.
A Security Protection Asset under 32 CFR §170.19. Documented, scoped, accounted for in your CRM.
The DoD framework that governs Garde1's customers — CMMC Level 2 under 32 CFR Part 170 — defines a specific lane for External Service Providers that process, store, or transmit Security Protection Data without touching CUI. §170.19 places those ESPs in the OSC's assessment scope as Security Protection Assets and names a single deliverable from the ESP: a published Customer Responsibility Matrix. We've read the regulation closely — the DoD CMMC Level 2 Scoping Guide v2 is the assessor-facing companion — and built Garde1 to land cleanly in that lane. The CRM below is what your assessor will ask for.
Four facts your assessor can rely on. One, Garde1 doesn't ask for, accept, or store CUI (see the published No-CUI Policy). Two, customers document Garde1 in their SSP as the CMMC-relevant ESP supporting readiness and reference the CRM below. Three, the regulation doesn't require Garde1 to hold its own CMMC certification or FedRAMP authorization — §170.19(c)(2) is explicit that SPD-only ESPs are scoped via a published CRM, not via independent certification of the provider. Our GovCloud tenancy and FedRAMP 20x roadmap commitments are voluntary — we're pursuing them because serious DIB buyers eventually ask, not because §170.19 requires them. Four, we don't make claims we can't back — “out of CMMC scope”, “CMMC certified”, “FedRAMP compliant”, “performs assessments” are all phrases you will never see on this site.
Platform function, data category, CMMC implication.
Per-feature accounting. Each platform function maps to the data category it produces and the CMMC consequence of using it.
| Platform function | Data category | CMMC implication |
|---|---|---|
| Generates SSP drafts | SPD / security-sensitive | Customer owns the final SSP; Garde1 must protect drafts. |
| Stores SSPs and document packages | SPD / possibly sensitive business | Needs retention, deletion, access controls, auditability. |
| Generates POA&M / remediation items | SPD | Customer owns remediation decisions. |
| Pulls connector configuration and security posture | SPD | Read-only / default scopes; documented connector scope matrix. |
| Produces evidence summaries | SPD | Customer validates final evidence. |
| Produces SPRS self-assessment packet | Assessment support data | Customer / Affirming Official submits. Garde1 does not affirm. |
| Interview prep | Assessor-prep only | Cannot satisfy controls on its own. |
| Mock assessment / readiness scoring | Advisory | Not a C3PAO assessment. No certification outcome. |
| AI recommendations | Advisory | Customer reviews and applies. Garde1 does not make changes autonomously. |
The CRM, line by line.
Most assessors expect this matrix on file before they accept Garde1 in the scope discussion. Paste it verbatim into your CRM or adapt to match your environment.
Garde1 uses read-only integrations for assessment and recommendation workflows by default. Write-capable scopes are opt-in per connector for remediation and baseline workflows only; those require explicit customer authorization and run on customer-owned credentials. Garde1 does not make autonomous changes to customer environments — see connector scopes for the per-category breakdown.
Pasteable boilerplate. Drop it in. Adjust to your scope.
Two paragraphs your assessor expects. The first describes Garde1's role under §170.19; the second states the no-CUI / SPD-handling posture explicitly.
Garde1, operated by ComplAI Solutions, LLLP, is a mock-assessment and CMMC readiness platform used by the OSC as an External Service Provider. Garde1 is not a C3PAO and does not issue CMMC certifications or determine official CMMC status. Under 32 CFR §170.19, Garde1 is treated as a Security Protection Asset within this OSC's CMMC assessment scope because the service processes and stores Security Protection Data on the OSC's behalf. As an SPD-only, non-CSP ESP, Garde1 is not required under §170.19 to obtain its own CMMC certification; the Garde1-published Customer Responsibility Matrix at garde1.com/compliance documents the security-responsibility split that satisfies the §170.19 ESP-documentation requirement. Garde1 does not require customers to provide CUI to generate SSPs or readiness artifacts. Garde1 may process security-sensitive information, including SSP drafts, assessment metadata, sanitized configuration data, evidence summaries, and Security Protection Data.
Regs and DoD guidance this page tracks to.
- 32 CFR §170.4 — CMMC definitions (ESP, SPA, SPD, CUI, FCI).
- 32 CFR §170.19 — CMMC Level 2 scoping. SPA treatment of ESPs that process / store / transmit SPD without CUI.
- DoD CMMC Level 2 Scoping Guide v2 — assessor-facing reference.
Topic-specific deep dives.
- No-CUI Policy → What we don't take, and what to do if it lands.
- Connector scopes → Read-only by default; write authorization audit.
- AI data use → Azure OpenAI + Cohere Rerank, zero-retention, what we send.
- Subprocessors → All vendors, data classes, DPAs.