Back to Blogs
FAQ: Seekr Attains CMMC Level 2 Certification via C3PAO
BLUF: Seekr has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2 with a perfect score, validated by an authorized CMMC Third-Party Assessment Organization (C3PAO) against all 110 NIST SP 800-171 controls and 320 assessment objectives.
The certification validates Seekr’s ability to handle Controlled Unclassified Information (CUI) on behalf of the U.S. Department of War, federal civilian agencies, and other government and defense customers—and confirms that Seekr’s security posture has been independently audited, not self-claimed.
Read the full press release HERE.
Section 1 – Foundations: What CMMC is and how it works
1.) What is CMMC Level 2 Certification?
The Department of War established the Cybersecurity Maturity Model Certification (CMMC) program to set a uniform cybersecurity standard for any organization that processes, stores, or transmits Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) on behalf of the U.S. government.
Level 2 is the standard required for vendors handling CUI. It maps directly to the 110 security controls in NIST SP 800-171 and is the level most defense and government-adjacent contracts will require under the program’s phased rollout, culminating in full enforcement on November 10, 2026.
2.) What is Controlled Unclassified Information (CUI)?
CUI is sensitive but unclassified information the U.S. government requires to be protected. It covers categories like technical drawings, engineering specifications, contract details, personnel and program records, research data, financial information, and law enforcement records – information that doesn’t rise to the level of classified material, but still carries real risk if exposed to adversaries, competitors, or the public.
Most defense and federal civilian work involves CUI in some form. Any vendor that processes, stores, or transmits CUI on behalf of the government – including AI platforms operating on customer data, models, and workloads – is subject to the protection standards CMMC Level 2 codifies.
3.) What is the difference between self-assessment and C3PAO Certification – and which did Seekr pursue?
CMMC is rolling out in phases. During Phase 1, which began November 10, 2025, many vendors were able to satisfy Level 2 requirements through a self-assessment – they evaluate their own compliance against the 110 NIST SP 800-171 controls and submit the result through the Supplier Performance Risk System (SPRS). Even during Phase 1, the Department of War can require third-party certification by an authorized C3PAO under DFARS 252.204-7021, and prioritized acquisitions increasingly do.
Starting November 10, 2026, Phase 2 begins. C3PAO certification becomes the default standard for any new contract handling CUI. Self-assessment will no longer satisfy most Level 2 requirements.
Seekr pursued C3PAO certification – the standard the program is moving to – and earned a perfect score across all 110 controls and 320 assessment objectives, with no findings, six months ahead of the Phase 2 deadline. Buyers evaluating AI partners that will handle CUI should confirm whether a vendor’s Level 2 status came from a self-assessment or from a C3PAO, and whether that posture will hold once Phase 2 takes effect.
4.) What does a third-party assessment actually involve?
The assessor reviews documented evidence for every control, interviews personnel responsible for implementing them, and tests technical controls against the 110 requirements in NIST SP 800-171 and the 320 underlying assessment objectives in NIST SP 800-171A. Each control is rated MET, NOT MET, or NOT APPLICABLE. Results are submitted into the Department of Defense’s Enterprise Mission Assurance Support Service (eMASS), and the certificate is issued only when the assessor confirms full compliance.
For Seekr, every control was rated MET. No controls were rated NOT MET, and no Plan of Action and Milestones (POA&M) was required.
5.) What does “perfect score” actually mean?
A perfect score means all 110 controls were rated MET and no controls required a POA&M to remediate. Most certified organizations score lower at initial assessment and use the 180-day POA&M window to close gaps before final certification is issued. Seekr’s assessment had no findings – the certification was final at issuance.
6.) Who is the Cyber AB, and who authorized Seekr’s assessor?
The Cyber AB is the DoW’s official accreditation body for the CMMC ecosystem. It authorizes the C3PAOs that conduct Level 2 assessments and accredits the certified assessors who perform them. The chain of authority runs from the DoW through the Cyber AB to authorized C3PAOs – assessors with the standing to issue Level 2 certifications recognized for federal contract eligibility.
Seekr’s assessment was conducted by CyberRx, an authorized C3PAO listed in the Cyber AB Marketplace. The assessment was led by Cyber AB-Certified CMMC Assessors and the final certification was issued upon successful completion of the assessment process.
7.) What’s the difference between CMMC Level 2 and Level 3?
Level 2 is the standard for vendors handling CUI and covers the 110 controls in NIST SP 800-171. It is assessed by an authorized C3PAO and applies to the broad majority of defense and government-adjacent contracts that involve CUI.
Level 3 applies to a narrow group of contractors handling the most sensitive CUI – typically tied to advanced persistent threat protection and high-value programs. It requires the 110 Level 2 controls plus 24 enhanced controls from NIST SP 800-172, and is assessed by the government itself through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than a third party. Level 2 is the appropriate certification for the work most defense and intelligence customers will deploy AI against; Level 3 is reserved for a small subset of programs.
8.) How long does CMMC Level 2 certification last?
CMMC Level 2 certification is valid for three years, with annual affirmations required to confirm continued compliance. Significant changes to the assessed environment must be documented, evaluated for impact on CUI flow and assessment scope, and reflected in the System Security Plan. Certification is not a one-time event – it is an ongoing commitment to maintain the security posture that earned it.
9.) Is CMMC Level 2 required to do business with the DoW today?
It depends on the contract. CMMC requirements are being phased in. Under DFARS 252.204-7021, the Department of War can already require C3PAO certification as a condition of award for prioritized acquisitions, and is increasingly doing so. Starting November 10, 2026, C3PAO certification becomes the default standard for any new contract or subcontract involving CUI. By November 10, 2028, CMMC will fully apply to all applicable Department of War contracts where a vendor handles FCI or CUI.
10.) How does CMMC relate to FedRAMP?
CMMC and FedRAMP are complementary federal cybersecurity frameworks that cover different things. FedRAMP authorizes cloud services for use by federal agencies – it governs how a cloud platform protects federal data. CMMC governs how defense contractors protect CUI across their own environments, including but not limited to the cloud. A vendor selling AI capabilities into the DoW may need both: FedRAMP for the cloud infrastructure carrying federal workloads, and CMMC for the broader handling of CUI. SeekrFlow is available on AWS GovCloud and accredited for DoD Impact Level 5 (IL5) workloads; CMMC Level 2 certification adds an independently audited cybersecurity baseline on top of that infrastructure.
11.) How does CMMC related to AI-specific frameworks like NIST AI RMF?
CMMC is a cybersecurity framework – it covers how a vendor protects data, systems, and infrastructure. It does not assess how an AI system behaves. AI-specific frameworks like the NIST AI Risk Management Framework and emerging AI assurance standards address risks unique to AI: bias, explainability, robustness, governance, and accountability.
Seekr’s CMMC Level 2 certification establishes the cybersecurity foundation. The architectural properties of SeekrFlow – traceability from data to outcome, output explainability, and governance at the model level – address the AI-specific layer. The two are designed to work together: secure infrastructure underneath, accountable AI on top.
Section 2 – What this means for customers and the market
1.) Why does CMMC Level 2 matter specifically for AI Platforms?
Most enterprise AI platforms entering the federal market lead with claims — trusted, secure, explainable. Few have been independently audited against an objective standard the vendor cannot grade.
CMMC Level 2 closes that gap. For AI platforms in particular, it independently validates that the controls protecting customer data, model artifacts, training pipelines, and inference workloads meet the standard required for handling Controlled Unclassified Information. As government and enterprise buyers move AI from experimentation to operational deployment, certifications like CMMC Level 2 separate platforms built for that environment from platforms retrofitted for it.
2.) What does this mean for the Department of War and defense customers?
Because Seekr is independently verified to meet the strict cybersecurity requirements for handling sensitive and prioritized CUI under CMMC Level 2, Defense customers can adopt SeekrFlow for AI workloads involving CUI with confidence that Seekr’s controls have been audited against the same standard the Department of War uses to gate access to its contracts.
The certification was completed approximately six months ahead of the DoW’s November 10, 2026 Phase 2 enforcement deadline – when C3PAO certification becomes the default condition for any contract or subcontract involving CUI.
3.) What does this mean for federal civilian agencies and the intelligence community?
CMMC was established by the DoW, but its standards are increasingly being applied across federal civilian agencies and the intelligence community as a benchmark for vendors handling sensitive information. Just as FedRAMP standards for cloud security were eventually adopted well beyond the agencies that originally required them, CMMC is on a similar trajectory.
For civilian and intelligence community buyers prioritizing the identification of trusted AI partners, Seekr’s C3PAO certification is independent confirmation that Seekr meets the standard the most security-conscious federal customers are already applying.
4.) What does this mean for commercial enterprises in regulated industries?
Enterprises in financial services, healthcare, energy, and other regulated sectors face an accelerating set of requirements around data protection, model governance, and AI accountability. While CMMC itself is a Department of War program, the 110 NIST SP 800-171 controls underlying Level 2 are widely recognized as a baseline for handling sensitive information across any regulated environment.
For enterprise customers, Seekr’s C3PAO certification provides independent assurance that the platform handling their proprietary data, models, and AI workloads has been audited against a federally-recognized cybersecurity standard — not against the vendor’s own marketing.
5.) What changes for existing Seekr customers?
Operationally, nothing changes. The controls validated by the C3PAO assessment have already been in place across SeekrFlow deployments; the certification is independent confirmation of the security posture customers have already been operating under. For customers whose own compliance obligations require working with C3PAO-certified vendors, Seekr’s certification removes any open question about that requirement.
Section 3 – How Seekr operates
1.) How does Seekr handle Controlled Unclassified Information (CUI) in practice?
Seekr’s approach to handling CUI rests on three pillars:
- Independently verified controls. All 110 NIST SP 800-171 controls and 320 assessment objectives audited by an authorized C3PAO, with a perfect score and no findings.
- Customer data ownership and deployment flexibility. SeekrFlow operates across cloud, on-premises, air-gapped, and tactical edge environments. Customer data and models remain fully owned and fully controlled by the customer at every layer.
- Architectural explainability and governance. Every decision is traceable from data to outcome. Every output is explainable. Every model is governed at the model level — not retrofitted after deployment. This is the architectural foundation that the CMMC Level 2 certification independently verifies.
2.) Does this certification cover all of Seekr’s deployment environments?
The C3PAO assessment evaluated the systems, processes, and personnel responsible for handling CUI within Seekr’s defined assessment boundary. Customers evaluating SeekrFlow for a specific deployment mode – cloud, on-premises, air-gapped, or tactical edge – can request the assessment scope documentation through Seekr’s trust portal or by contacting their account team.
3.) What other security and compliance credentials does Seekr hold?
CMMC Level 2 builds on Seekr’s existing security and compliance foundation. Seekr is SOC 2 Type II compliant, with audited controls covering security, availability, and confidentiality of customer data. SeekrFlow is available on AWS GovCloud and accredited for DoD Impact Level 5 (IL5) workloads, and Seekr is an awardable vendor through the Tradewinds Solutions Marketplace, the DoD’s procurement vehicle for AI, data, and digital capabilities.
Seekr’s security architecture is designed for the most regulated environments by default:
- Customer data isolation. Customer data is isolated from all other customers and is never used to train Seekr’s models or any other customer’s models.
- Deployment flexibility. SeekrFlow runs across Seekr’s cloud, customer cloud, customer data centers (including on-premises), fully air-gapped environments, and tactical edge — without compromising the security posture in any deployment mode.
- Encryption and access controls. Data is encrypted in transit and at rest under an established classification policy, with validated access and auditing controls.
- Defense-in-depth. Multi-layer protection with real-time threat detection and response across systems, networks, and data.
Additional details, including Seekr’s full security documentation, sub-processor list, and current certifications, are available at the https://trust.seekr.com/.
4.) What’s next for Seekr’s compliance posture?
CMMC Level 2 – completed via C3PAO, with a perfect score – is the latest milestone in an active compliance roadmap. As government and enterprise customers move AI into more sensitive operational environments, Seekr continues to invest in the authorizations and certifications those environments require. Additional milestones will be announced as they are achieved.
Accelerate your path to AI impact
Book a consultation with an AI expert. We’re here to help you speed up your time to AI ROI.
Request a demo