Affirmark

Accelera · AI-First compliance engineering

Our AI Team replaced our CMMC consultants. Our Level 2 posture is affirmed in SPRS and under independent assessment.

Accelera is an AI-First company, so we pointed our own AI Team at our own compliance: AI processes, Skills, and Authorized Agents, directed by one engineer, on models we self-host on our closed network. The system it built, Affirmark, monitors all 110 NIST SP 800-171 requirements and 320 assessment objectives on our real posture, and has carried our Level 2 self-assessment to a signed affirmation in SPRS. The independent C3PAO assessment runs on its own clock, with its outcome still pending.

affirmark.apex-logistics.com/cycles/2026-L2
Affirmark Level 2 posture view for a synthetic Apex Logistics self-assessment: the cycle navigation, an attested-versus-assessed summary reading 107 to 107, aligned, stat cards for attested, assessed, and POA&M-projected, a Conditional status, and the control breakdown.

I · The Receipt

What it cost. What it replaced.

5 weeks

Kickoff to full L2 monitoring

2 weeks to the Level 1 baseline, 3 more to full Level 2 coverage: all 110 requirements under continuous monitoring. Our Level 2 self-assessment is affirmed in SPRS; the C3PAO assessment runs on its own clock.

1 engineer

Total headcount

One engineer directed the AI Team. No consultants, no implementation staff. The processes, Skills, and Agents are documented and versioned: the capacity is institutional, not a person.

$90k → $9k

Annual spend

Third-party monitoring consultants and SaaS, before and after. What remains is ticket-system licensing.

$40k

Assessment prep saved

What we paid readiness consultants ahead of our previous assessment cycle. This time, the AI Team prepared the package our C3PAO is now assessing.

0

New subscriptions

No new SaaS, no new vendors. Affirmark runs on compute we already operate inside our boundary; the only net-new line item is Azure Government backup, under $1 a month.

0

Commercial AI APIs

Models self-hosted on our closed network, inside the same boundary they monitor. Nothing about our posture leaves.

  1. Wk 0 Kickoff
  2. Wk 2 L1 baseline
  3. Wk 5 Full L2 coverage
  4. Signed SPRS affirmation
C3PAO assessment · runs on its own clock · outcome pending

II · The Mandate

Every contractor that touches CUI pays this bill.

CMMC Level 2 is the Department of Defense's bar for any contractor handling Controlled Unclassified Information. Meeting it is not optional, and neither is keeping it met. Most contractors pay for third-party consultants and SaaS monitoring products, every year, to stay current. That recurring overhead is what we erased for ourselves.

110 requirements

CMMC Level 2 maps to all 110 security requirements in NIST SP 800-171 Rev 2, across 14 control families. Every requirement that applies to your CUI environment has to be implemented, documented, and kept current.

320 assessment objectives

NIST SP 800-171A decomposes those 110 requirements into 320 testable objectives. Each one needs an implementation narrative, evidence, and a determination of met, not met, or not applicable.

C3PAO every three years

Unlike L1 self-attestation, Level 2 is assessed by a certified third party, a C3PAO, on a three-year cycle, with an annual affirmation in between. The evidence has to satisfy an outside assessor, not just your own sign-off.

The stakes

A lapsed posture can suspend contract performance and cost future awards. A knowingly false affirmation in SPRS triggers False Claims Act exposure: civil penalties run roughly $14K-$28K per false claim, plus treble damages, and the DOJ has settled cybersecurity-attestation FCA cases for over $9M. That is the posture our AI Team keeps current. The affirmation it supports is still signed by a senior official, personally.

III · What the Team Did

Agents did the work. One engineer reviewed and signed.

Accelera's AI Team is AI processes, Skills, and Authorized Agents, running on models we self-host on our closed network. It drafted the implementation narratives, mapped the evidence, and now keeps all 110 requirements under continuous monitoring: where evidence is machine-collectable, drift surfaces in near real time, and procedural controls sit on enforced review clocks. One engineer directed it and reviewed every result, with the same RMF discipline we bring to customer systems. Below: an Authorized Agent doing the work, live.

Live capture · Apex Logistics (synthetic) · the Level 2 surfaces in about 17 seconds
Figure: notional architecture (assessor-grade detail lives in the SSP). Our boundary, GCC High: Entra ID, Intune, network logs; Authorized Agents on self-hosted open-weight models; Affirmark with its hash-chained audit log. 0 commercial AI APIs, nothing about our posture leaves. Encrypted backup on Azure Government, under $1/mo.

Drafted every narrative, grounded in our real stack.

An Authorized Agent drafted implementation narratives for all 110 requirements, grounded in the tools we actually run, with verbatim NIST SP 800-171 text alongside. The engineer reviewed and approved every one before it counted.

Mapped the evidence once, and keeps it fresh.

Agents pull evidence directly from Microsoft Entra ID, Microsoft Intune, and our network logs, with more sources wired in as the posture grows. Every artifact is hashed, supports multiple objectives, and carries a freshness clock. Where evidence is machine-collectable, drift surfaces in near real time; procedural controls sit on review clocks the system enforces.

Walked the cycle to a closed assessment package.

Every one of the 320 assessment objectives was walked by examine, interview, or test, and closing is blocked while any finding is open. The package our C3PAO is now assessing came out of this cycle.

Keeps an audit chain an assessor can verify offline.

Every write appends to a hash-chained log, and a single command walks the chain end to end. Each closed cycle snapshots the chain head, so nothing can be altered after the fact without breaking the cascade.
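An added example (not Affirmark's code, which this page does not show) of the hash-chained log and closed-cycle head snapshot described above. The entry layout, SHA-256, the all-zero genesis value and the function names are assumptions; the sample records are constructed from the page's synthetic control IDs.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(prev: str, record: dict) -> str:
    """SHA-256 over the previous hash plus the canonically serialized record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


def append(log: list, record: dict) -> str:
    """Append a record linked to the current chain head; return the new head."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]


def verify(log: list, snapshots: dict) -> list:
    """Walk the chain; return the problems found (empty list means intact).

    snapshots maps an entry index to the head hash recorded when a cycle
    closed, and is assumed to be stored apart from the log itself.
    """
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            problems.append(f"entry {i}: broken link")
        if e["hash"] != entry_hash(e["prev"], e["record"]):
            problems.append(f"entry {i}: content does not match hash")
        prev = e["hash"]
    for idx, head in sorted(snapshots.items()):
        if idx >= len(log):
            problems.append(f"snapshot {idx}: log truncated")
        elif log[idx]["hash"] != head:
            problems.append(f"snapshot {idx}: head mismatch")
    return problems


def build_sample():
    """Constructed sample: three writes, with a cycle closed after the second."""
    log, snapshots = [], {}
    append(log, {"control": "AU.L2-3.3.4", "determination": "not met"})
    snapshots[1] = append(log, {"control": "CM.L2-3.4.3", "determination": "not met"})
    append(log, {"control": "MA.L2-3.7.6", "determination": "not met"})
    return log, snapshots
```

A rewrite that recomputes every hash still passes the link walk and is caught only by the snapshot comparison, which is why the closed-cycle head has to be kept apart from the log.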

The agents run on open-weight models, self-hosted on our closed network, inside the same boundary they monitor: no commercial AI APIs, no posture data leaving. And nothing counts on an agent's word. Every determination is backed by mapped evidence and scored attested against assessed, so an overclaim surfaces instead of hiding, and every change is hash-chained. The engineer directs and reviews the work; a senior official signs the Level 2 affirmation in SPRS personally, accountable under the False Claims Act. The portal is human-driven by regulatory design.

IV · See it running

Every claim, on a real screen.

These are the Level 2 surfaces: the weighted SPRS score, the plan of action and milestones, the affirmation, continuous monitoring, and the C3PAO engagement. We don't publish screenshots of our own posture, so they run against synthetic data: Apex Logistics, LLC, a fictional freight subcontractor on the same build. Every surface shown is the real system the AI Team built and operates.

affirmark.apex-logistics.com/cycles/2026-L2
Affirmark Level 2 posture view for a synthetic Apex Logistics self-assessment: an attested-versus-assessed summary reading 107 to 107, aligned; stat cards for attested (107), assessed (107), and POA&M-projected (110); a Conditional status bar; a control breakdown listing AU.L2-3.3.4, CM.L2-3.4.3, and MA.L2-3.7.6 as weight-1 not-met gaps each carrying a POA&M; and a 180-day closeout card with a 2026-11-28 deadline, 168 days remaining, and 3 open items.

L2 posture

The score a senior official signs.

The weighted SPRS score (the DoD Assessment Methodology score, out of 110), attested against assessed across all 110 requirements, with the conditional status the 180-day POA&M clock runs against. One screen answers what a contracting officer asks first.

affirmark.apex-logistics.com/cycles/2026-L2
Affirmark POA&M panel listing three open items for AU.L2-3.3.4, CM.L2-3.4.3, and MA.L2-3.7.6. Each row carries a weakness narrative, a risk rating of moderate or low, a target completion date, an Open status, an owner, and two milestones, above the cycle's Affirmation section.

Plan of Action & Milestones

Every gap, with a date and an owner.

Each open requirement becomes a POA&M with a plain-English weakness, the evidence that will close it, a risk rating, milestones, and a target date inside the 180-day window. Nothing sits unaccounted for.

affirmark.apex-logistics.com/cycles/2026-L2
Affirmark affirmation panel showing a certification valid until 2029-06-01, a next-affirmation-due date of 2027-06-01, an Affirm cycle action, a recorded affirmation by Daniel Mendez dated 2026-06-01 with a Conditional badge, and a Documents section offering one-click generation of the System Security Plan and the Security Assessment Plan.

Affirmation & SPRS

Affirmed in SPRS, package on demand.

The senior official affirms the cycle personally. The system records who signed, when, and the conditional certification, and generates the System Security Plan and Security Assessment Plan from the same data.

affirmark.apex-logistics.com/settings/monitoring
Affirmark monitoring configuration page with policy defaults for a 365-day reassessment interval and 365-day evidence freshness, and a per-artifact-type table of freshness windows such as policy document at 365 days and screenshot at 90 days.

Continuous monitoring

The clocks that keep posture current.

Reassessment cadence and evidence-freshness windows the system enforces between assessments, set once as policy and overridable per control and per artifact type. Drift surfaces against these, not a calendar reminder.

affirmark.apex-logistics.com/cycles/2026-L2-c3pao
Affirmark C3PAO engagement panel naming the assessor Beacon Assurance Group, CMMC Marketplace ID C3PAO-2026-0142, lead assessor Priya Anand, an assessment start of 2026-09-15 with the end in progress, an Edit engagement action, an assessment-package generator, and the plan-of-action items beneath.

C3PAO engagement

The third-party assessment, tracked.

When a C3PAO assessment is the path, the engagement is recorded end to end: the assessor organization, the marketplace ID, the lead assessor, and the assessment window, with the result left open until the assessor records it.

V · Inward & Outward

Built for our posture. Pointed at your mission.

Affirmark is not for sale. It is how Accelera runs its own compliance, and the proof of what our AI Team delivers when we point it at a hard problem.

Applied inward

It runs our compliance.

The AI Team replaced our third-party CMMC Level 2 and GCC High monitoring consultants and SaaS, cut the annual spend from $90k to $9k, and keeps our posture current every day. Our C3PAO is now assessing the package it prepared.

Applied outward

It works your mission.

The same AI processes, Skills, and Authorized Agents take on accreditation, monitoring, maintenance, and enhancement for our customers, under the same RMF discipline we have carried on systems across DoD, the Defense Health Agency, the Air Force, the Army, and NASA, without adding consultant overhead to your program.