The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 represents more than a regulatory checkpoint; it’s a strategic inflection point that’s reshaping how defense contractors approach cybersecurity. While CMMC Level 1 may be positioned as the foundational tier, forward-thinking organizations are discovering that meeting these requirements can catalyze broader security transformation and competitive advantage in the defense sector.
For compliance professionals managing complex audit portfolios, CMMC Level 1 presents both an immediate challenge and a strategic opportunity. The question isn’t just whether your organization can meet the baseline requirements for handling Federal Contract Information (FCI), but how effectively you can leverage this compliance effort to build a scalable, multi-framework security program that positions your business for sustained growth in the defense ecosystem.
CMMC Level 1 establishes baseline cybersecurity practices for defense contractors handling Federal Contract Information—non-classified but sensitive government data that requires protection from unauthorized disclosure. This includes technical specifications, project schedules, supplier information, and other materials that, while not classified, could provide competitive advantage if compromised.
The certification applies to any organization in the Defense Industrial Base (DIB) that processes, stores, or transmits FCI as part of their DoD contracts. This encompasses prime contractors, subcontractors, and suppliers across the defense supply chain, from major aerospace manufacturers to specialized component suppliers and professional services firms.
However, viewing CMMC Level 1 purely through a compliance lens misses its strategic significance. Organizations that treat Level 1 as a stepping stone rather than a destination position themselves for multiple advantages:
The business case for proactive compliance extends beyond risk mitigation. Defense contractors with established compliance programs demonstrate operational maturity that influences contract awards, partnership opportunities, and investor confidence. In an increasingly competitive defense market, cybersecurity maturity becomes a differentiating factor that enables organizations to pursue higher-value, more strategic contracts.
Integration with broader compliance frameworks amplifies this strategic value. The access controls, documentation practices, and monitoring capabilities required for CMMC Level 1 align closely with:
Organizations that map these overlapping controls can satisfy multi-framework compliance obligations simultaneously, transforming what traditionally represents separate, resource-intensive audit cycles into a coordinated compliance strategy.
CMMC Level 1 encompasses 15 security practices organized across six domains, each addressing critical aspects of information security for organizations handling FCI.
The self-assessment process for CMMC Level 1 requires annual evaluation and executive affirmation of compliance. Unlike higher CMMC levels that mandate third-party assessments, Level 1 places responsibility on organizations to accurately evaluate their own compliance posture. This self-assessment model demands thorough documentation, consistent monitoring, and executive accountability for compliance claims.
Documentation and evidence collection best practices center on creating defensible, audit-ready records that demonstrate consistent implementation of required controls. This includes maintaining policy documents, implementation procedures, training records, incident logs, and regular assessment reports. The documentation must demonstrate not just that controls exist on paper, but that they’re actively implemented and monitored.
Common implementation gaps often emerge around continuous monitoring, documentation consistency, and control integration. Many organizations successfully implement individual controls but fail to establish the ongoing monitoring and documentation practices necessary to demonstrate sustained compliance. Others create policies and procedures but struggle with consistent implementation across distributed teams or complex technology environments.
“One of the biggest pitfalls I see companies make when looking at CMMC compliance is misunderstanding what it takes to actually be CMMC compliant. It goes beyond just having policies and procedures. It’s actual implementation and ensuring the right evidence is documented to show the control is effective.” – Jay Trinckes, Data Protection Officer, Thoropass
Successful CMMC Level 1 implementation follows a structured approach that transforms complex requirements into manageable, sequential steps that build upon each other.
The CMMC implementation follows a phased rollout schedule through 2028, with increasing requirements based on contract types and sensitivity levels. Phase 1 begins with self-assessments for Level 1 contractors, providing organizations time to establish foundational practices before more stringent assessment requirements take effect.
Strategic preparation recommendations focus on building compliance momentum that extends beyond immediate CMMC Level 1 requirements. Organizations should establish governance structures, documentation practices, and monitoring capabilities that can scale to support higher certification levels and additional frameworks. This approach transforms compliance from a reactive burden into a proactive competitive advantage.
Building compliance momentum for future levels requires intentional alignment between Level 1 implementation and broader security strategy. The policies, procedures, and technologies implemented for Level 1 should be designed with scalability in mind, enabling efficient progression to CMMC Level 2 when business requirements demand handling of CUI or pursuing contracts with enhanced security requirements.
Organizations should also consider how CMMC Level 1 compliance integrates with other regulatory requirements they face. Many defense contractors also serve commercial markets with SOC 2, ISO 27001, or industry-specific compliance requirements. A strategic approach to CMMC Level 1 can create synergies that reduce the overall compliance burden while strengthening the organization’s security posture across all market segments.
The platform capabilities built into Thoropass streamline the traditionally manual and fragmented process of CMMC assessment and maintenance. Thoropass provides automated evidence collection, policy template libraries, and integrated monitoring tools specifically designed for CMMC requirements. This eliminates the common pain points of scattered documentation, manual tracking, and assessment preparation uncertainty.
Expert guidance from experienced compliance professionals ensures that organizations avoid common implementation pitfalls while building sustainable compliance programs. Thoropass compliance specialists bring a deep understanding of both CMMC requirements and practical implementation challenges, providing guidance that goes beyond checklist completion to create robust, defensible security programs.
Automated evidence collection and continuous monitoring transform compliance from an annual scramble into an ongoing state of readiness. Instead of gathering evidence during assessment preparation, organizations maintain real-time visibility into their compliance posture through integrated monitoring and automated documentation collection.
The multi-framework approach enables organizations to leverage CMMC Level 1 implementation across multiple compliance requirements simultaneously. By mapping controls across CMMC, SOC 2, ISO 27001, and other frameworks, organizations can achieve multiple certifications through coordinated audit processes rather than separate, resource-intensive cycles.
Reduced time-to-compliance and predictable costs address two of the most significant pain points for compliance professionals managing complex audit portfolios. Traditional compliance approaches often involve unpredictable timelines, escalating costs, and endless revision cycles. Thoropass’s platform-driven approach provides visibility and control over both timeline and budget from project initiation through ongoing maintenance.
The recent launch of CMMC Level 2 capabilities within the Thoropass platform creates natural progression paths for organizations that begin with Level 1 and subsequently need to handle CUI or pursue contracts requiring advanced security practices. This integrated approach eliminates the need to rebuild compliance infrastructure when advancing to higher certification levels.
The audit pain points that plague enterprise compliance programs—manual processes, unpredictable costs, and endless cycles—stem from fundamental limitations in traditional audit approaches.
Scaling compliance across large organizations compounds these challenges, particularly when different business units or geographic locations operate with varying security maturity levels. Traditional approaches require significant coordination overhead and often result in inconsistent implementation across the organization.
Technology-enabled solutions address these challenges through automation, integration, and continuous monitoring capabilities that traditional approaches cannot match. Instead of periodic assessment preparations that disrupt business operations, modern compliance platforms maintain ongoing readiness through integrated monitoring and automated evidence collection.
Multi-framework efficiency represents a paradigm shift from treating each compliance requirement as a separate project to managing an integrated compliance portfolio. By leveraging CMMC Level 1 controls to satisfy SOC 2 trust service criteria, ISO 27001 control objectives, and other framework requirements, organizations can achieve multiple certifications through coordinated audit processes that share evidence, documentation, and assessment activities.
This integrated approach not only reduces the resource burden of maintaining multiple certifications but also creates more robust security programs by eliminating gaps and inconsistencies that often emerge when compliance requirements are managed in isolation.
CMMC Level 1 compliance doesn’t have to slow down your defense contracting ambitions or drain resources through manual processes and unpredictable audit cycles. Thoropass provides the expertise, automation, and integrated platform capabilities that transform compliance from a burden into a competitive advantage.
Whether you’re entering the defense supply chain for the first time or adding CMMC to an existing compliance portfolio, Thoropass makes it possible to achieve certification efficiently while building the foundation for future growth and additional frameworks. Talk to an expert today.
CMMC Level 1 compliance is mandatory for any organization handling Federal Contract Information (FCI) in DoD contracts. Without certification, your organization will be automatically disqualified from bidding on these opportunities, regardless of technical capabilities or competitive pricing.
Beyond immediate contract eligibility, defense contractors evaluate partners based on compliance maturity. Organizations with established CMMC compliance demonstrate operational sophistication that influences partnership opportunities and positions them for higher-value contracts requiring enhanced security practices.
Early compliance provides competitive advantages during the phased rollout. As CMMC requirements take effect across different contract types, compliant organizations can pursue opportunities that non-compliant competitors must pass over.
Yes, significant overlap exists between CMMC Level 1 and SOC 2 Type II or ISO 27001 requirements. Many access control, system monitoring, and documentation practices established for these frameworks directly satisfy CMMC Level 1 obligations, reducing implementation effort and costs.
Strategic control mapping identifies overlapping requirements across frameworks. SOC 2 access control measures often exceed CMMC Level 1 requirements, while ISO 27001 documentation practices provide foundations for CMMC evidence collection. Organizations with mature programs typically need to address specific CMMC requirements around Federal Contract Information handling rather than rebuilding entire security programs.
Leveraging existing controls requires careful gap analysis to ensure CMMC-specific requirements are fully addressed. A multi-framework compliance approach enables organizations to satisfy multiple standards through coordinated processes rather than separate audit cycles.
Failing a CMMC Level 1 self-assessment immediately disqualifies your organization from pursuing or maintaining DoD contracts requiring Level 1 certification. This impacts both new opportunities and existing contracts, as CMMC compliance is an ongoing obligation.
The self-assessment model places responsibility on organizations to accurately evaluate their compliance posture and provide executive affirmation. Unlike third-party assessments with external validation, Level 1 requires internal accountability for compliance claims. Inaccurate self-assessments can result in contract termination if discovered during DoD reviews.
Recovery requires addressing identified gaps through remediation, reassessment, and new executive affirmation. The timeline depends on the scope of compliance gaps. Organizations should establish robust internal assessment processes and continuous monitoring to minimize assessment failure risk.
Modern compliance platforms like Thoropass enable seamless progression from CMMC Level 1 to Level 2 without rebuilding compliance infrastructure. The policies, procedures, and monitoring capabilities established for Level 1 create foundational elements that extend to Level 2’s comprehensive requirements for handling Controlled Unclassified Information (CUI).
Level 2 builds upon Level 1 foundations while adding advanced practices. Organizations that implement Level 1 strategically position themselves for efficient Level 2 progression by establishing scalable governance structures and technology integrations that support expanded requirements.
The platform approach eliminates common scaling challenges like data migration and process redesign. Instead of starting fresh, organizations extend their existing compliance infrastructure through additional controls and enhanced monitoring.
CMMC implementation begins 60 days after publication of the final Title 48 CFR CMMC acquisition rule, with a phased rollout over approximately three years. Different contract types and dollar thresholds become subject to requirements at different times.
Phase 1 focuses on self-assessments for Level 1 contractors, providing time to establish foundational practices before more stringent requirements take effect. Subsequent phases expand coverage to additional contract types while implementing third-party assessments for higher CMMC levels.
Contract-specific requirements depend on the information types handled and contract characteristics. Organizations should review existing DoD contracts and anticipated opportunities to understand specific timeline requirements.
CMMC Level 1 aligns closely with existing Federal Acquisition Regulation (FAR) 52.204-21 basic safeguarding requirements but introduces formal certification and ongoing compliance obligations that extend beyond previous expectations.
While FAR 52.204-21 established security requirements for protecting Federal Contract Information, enforcement mechanisms were limited. CMMC transforms these requirements into formal certification standards with mandatory self-assessment, executive affirmation, and ongoing compliance maintenance.
The substantive security controls remain largely consistent, but CMMC introduces enhanced documentation requirements, formal assessment processes, and accountability mechanisms. Organizations that effectively implemented FAR 52.204-21 typically need to strengthen documentation practices and establish formal assessment processes rather than implementing entirely new security controls.
At Thoropass, we’re not just talking about simplifying compliance—we’re doing it. Today, we’re thrilled to announce the addition of five new frameworks to our platform. This release is part of our accelerated framework expansion initiative, as we roll out new frameworks every month. Why? Because we want to enable you to expand your compliance footprint without the usual headaches, late nights, and spreadsheet nightmares.
Whether you’re diving into privacy management, polishing your quality controls, boosting cybersecurity, or securing defense contracts, these new frameworks give you the structure and guidance you need to broaden your compliance footprint—without the compliance chaos.
Let’s explore what’s new:
What it is: An extension to ISO 27001 that addresses privacy management and data protection within your information security program.
Why it matters: With increasing privacy regulations worldwide, ISO 27701 helps organizations demonstrate responsible PII handling, build customer trust, and align privacy practices with international security standards.
Who it’s for: Organizations that process personally identifiable information (PII) as controllers or processors, especially those subject to privacy laws like GDPR and CCPA.
What it is: A European Union directive establishing cybersecurity risk management and reporting requirements for essential and important entities.
Why it matters: NIS 2 strengthens the original NIS Directive with broader scope and stricter enforcement, helping organizations enhance trust with customers and reduce downtime through standardized incident response.
Who it’s for: Medium and large entities in critical sectors (energy, transport, banking, health, digital infrastructure) operating within or providing services to the EU.
What it is: An internationally recognized standard for establishing a Quality Management System that consistently delivers products and services meeting customer and regulatory requirements.
Why it matters: ISO 9001 builds confidence in consistent quality delivery, reduces defects, increases reliability, and demonstrates your commitment to customer satisfaction.
Who it’s for: Any organization, regardless of size or industry, seeking to improve quality control processes and customer satisfaction.
What it is: A cybersecurity framework for organizations handling Controlled Unclassified Information (CUI) in the U.S. Defense Industrial Base.
Why it matters: CMMC Level 2 ensures protection of sensitive defense information through verified cybersecurity maturity, promoting accountability and trust within defense contracts.
Who it’s for: U.S. Department of Defense contractors and subcontractors that process, store, or transmit CUI and need to bid on or renew defense contracts.
What it is: A prioritized set of 18 cybersecurity best practices designed to defend against common threats and improve baseline cyber hygiene.
Why it matters: CIS Controls v8 provides a clear, practical roadmap for improving security posture, helping organizations address real-world threats with actionable controls.
Who it’s for: Organizations of all sizes and sectors seeking practical, prioritized cybersecurity guidance, especially those with resource constraints.
All five frameworks are now live in Thoropass—and available to all customers. As always, we’ve designed each implementation to be:
No matter your size, industry, or security goals, our platform is built to help you take the next step with clarity and control.
Talk to a Thoropass expert today and learn how we can help you implement complex compliance programs with confidence.
At Thoropass, we believe compliance should enable progress—not slow it down. That’s why we’re constantly expanding our framework library to meet customers where they are and help them scale with confidence.
Today, we’re excited to announce support for three new frameworks:
Whether you’re strengthening your baseline security posture, preparing to do business with the U.S. Department of Defense, or aligning with the latest industry guidance, our platform and experts are here to help you move forward with clarity and speed.
Let’s take a closer look.
What it is: The updated NIST Cybersecurity Framework (CSF) 2.0 offers a flexible, scalable approach to managing cybersecurity risk. It’s built around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Why it matters: With NIST CSF 2.0, you get a structured path to maturity, better risk visibility, and alignment with global standards like ISO 27001 and NIST 800-53. It’s ideal for both scaling startups and critical infrastructure providers.
What’s included:
Who it’s for: Any business looking to formalize, modernize, or scale its cybersecurity program—especially in regulated sectors or critical infrastructure.
What it is: CMMC Level 1 focuses on basic cybersecurity hygiene to protect Federal Contract Information (FCI). It includes 17 foundational practices and is required for many U.S. Department of Defense (DoD) contracts.
Why it matters: Defense contractors and suppliers need to meet these requirements to remain eligible for DoD work. Thoropass helps you implement the controls efficiently and prepares you for self-assessment—without slowing your team down.
Who it’s for: Subcontractors, suppliers, and businesses working with (or planning to work with) the U.S. Department of Defense.
What it is: Cyber Essentials is a UK government-backed framework designed to protect organizations from the most common cyber threats. It’s simple, self-assessed, and often a requirement for UK government contracts.
Why it matters: If you’re expanding into the UK market or supporting public sector clients, Cyber Essentials is a powerful signal of trust. And with Thoropass, you can manage it alongside your other frameworks—no duplicate work required.
Who it’s for: Any organization that wants to reduce risk from common cyberattacks—especially those working with UK government agencies or regulated industries.
All three frameworks are now live in Thoropass—and available to all customers. As always, we’ve designed each implementation to be:
Talk to a Thoropass expert today and learn how we can help you meet NIST CSF 2.0, CMMC Level 1, or Cyber Essentials—with confidence.
Per the Undersecretary of Defense, the CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
According to the Federal Acquisition Regulation (FAR), FCI is defined as non-public information provided by or generated for the government under a contract to develop or deliver a product or service to the federal government. This does not include information provided by the government to the public (like on public websites) or simple transactional information.
Similarly, CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government. A law, regulation, or policy requires or permits an agency to handle this information using safeguards or dissemination controls. The CUI Registry provides information on specific CUI categories and subcategories and can be accessed through the National Archives and DoD websites.
The Department of Defense created an IT compliance program called the Cybersecurity Maturity Model Certification. This certification requires DoD contractors to implement security practices designed to protect Controlled Unclassified Information (CUI) & Federal Contract Information (FCI).
Additionally, the CMMC program creates an assessment program designed to ensure that DoD contractors are implementing security practices.
CMMC 2.0 is the next iteration of the Department’s cybersecurity model. It streamlines requirements to three levels of cybersecurity – foundational, advanced, and expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
DoD contractors need a CMMC certification. Contractors will need a 2.0 certification around late 2022 or 2023.
It will not become a contractual requirement immediately. However, after the DoD completes the rulemaking process for implementing CMMC, they will require certification. The DoD expects the rulemaking process to take anywhere from 9 to 24 months, bringing us to late 2022 or 2023.
The DoD specifies the required level in the solicitation and in any Requests for Information (RFIs). Contractors pursuing DoD business opportunities need to be on the lookout for requirements.
Currently, the DoD expects to require CMMC for roughly 220,996 DoD contractors. They expect revised figures once the DoD submits the proposed model through the Federal Rulemaking Process.
The Proposed 2.0 Model is the next iteration of the DoD’s Model. This update to the model is designed to:
Streamline the model by removing most of the net new requirements (practices and process maturity) introduced in CMMC 1.0. As a result, most contractors are left implementing only the practices already required under their existing IT compliance obligations.
Reduce assessment costs by decreasing the number of contractors that will need a 3rd party certification.
The DoD outlined six major changes to CMMC 2.0.
CMMC 2.0 will reduce the number of levels from 5 to 3.
CMMC 2.0 will only require some Level 2 contractors and all Level 3 contractors to obtain a 3rd party certification. In lieu of third-party certification, all other contractors can perform self-assessments.
The DoD will not require contractors to implement policies, procedures, and other CMMC 1.0 process maturity requirements.
CMMC 2.0 eliminates all CMMC-unique practices, leaving only practices aligned to NIST 800-171 and NIST 800-172.
CMMC 2.0 will allow contractors to successfully complete 3rd party certifications and self-assessments with a limited number of POAMs/remediation plans.
CMMC 2.0 will allow contractors to obtain waivers from the DoD for the entire requirement.
After implementation, businesses with Level 1 or a subset of Level 2 programs can self-assess annually. The program requires third-party and government-led assessments for some Level 2 and all Level 3 programs on a 3-year cycle.
The DoD will only accept CMMC assessments by an authorized and accredited C3PAO or certified assessor.
Find additional details on the DoD’s CMMC website.