Explore AskCMMC.ai's powerful features, from intelligent Q&A and document analysis to AI-powered gap assessments, SSP generation, and cross-framework mapping.
Sign in, ask your first question, and learn the basics in under two minutes.
Manage chats, revisit conversation history, and organize your compliance research.
Pick between lightning-fast answers or deep, multi-agent analysis.
10 specialized agents for compliance, gap analysis, SSP drafts, and more.
Upload your policies, SSPs, and documents for AI-powered review and analysis.
Zero data collection. No training on your data. Files processed in-memory only.
Up and running in under two minutes
Quick tip: The welcome screen includes ready-made prompts you can click right away, like "Summarize Level 1 practices", "List policy gaps", "Create an AUP Policy Draft", or "Give Level 2 checklist".
Organize your compliance research across multiple sessions
Create separate conversations for different compliance topics. Each chat maintains its own context and history, so access control research never bleeds into incident response discussions.
Full control over every conversation through the three-dot menu on each chat entry.
AskCMMC.ai remembers your full conversation history within each chat session. You can ask natural follow-ups like "Tell me more about that", "How does this apply to Level 2?", or "Can you give me an example?" and the AI will understand exactly what you're referring to from earlier messages. No need to repeat yourself or re-explain your question.
Answers arrive in real time, token by token, so you can start reading immediately without waiting for the full response to generate. A live progress indicator shows exactly where the AI pipeline stands, from retrieval to reranking to generation, so you always know what's happening behind the scenes.
Keyboard shortcuts: Press Ctrl+Shift+O to create a new chat, / to focus the input, and Ctrl+B to toggle the sidebar.
Tailored guidance for the maturity level that applies to your organization
Covers 17 CMMC practices derived from FAR 52.204-21, focused on protecting Federal Contract Information (FCI). This is the baseline for every DoD contractor.
Covers all 110 security requirements from NIST SP 800-171 Rev. 2 for protecting Controlled Unclassified Information (CUI). This is where most defense contractors need to certify.
Level 3 support is in active development and will cover the enhanced security requirements from NIST SP 800-172, designed for the most sensitive defense programs handling high-value CUI. This level adds controls beyond 800-171 to defend against advanced persistent threats (APTs). Reach out if you would like early access or want to be notified when it launches.
Use the level toggle in the top header to switch between Level 1 and Level 2 at any time. When you switch, the entire knowledge base, FAISS document index, BM25 search index, and response context adjust automatically so every answer is scoped to the correct set of controls, practices, and assessment requirements for your selected level.
Pick speed or depth depending on what you need right now
| Feature | Flash Mode | Thinking Mode |
|---|---|---|
| Speed | Instant (1 to 3 seconds) | Thorough (10 to 30 seconds) |
| AI Agents | Basic retrieval only | Full agent pipeline |
| Query Expansion | Not available | Multi-query variants |
| BM25 Keyword Search | Not available | Hybrid dense + sparse |
| Cross-Encoder Reranking | Not available | Precision reranking |
| Parent Retrieval | Not available | Full section context |
| Contextual Compression | Not available | Noise reduction |
| Best For | Quick lookups, control ID queries, simple definitions | Complex analysis, gap assessment, implementation guidance, policy drafting |
Use Flash for quick lookups like "What is control 3.5.3?" and switch to Thinking for deeper analysis, such as "Perform a gap analysis of my access control policies against Level 2 requirements."
Decide how much detail you want in each answer
Lets the AI decide the best response length based on your question. Simple queries get short answers; complex topics get detailed ones.
Concise responses under 200 words. Ideal for quick lookups, control definitions, or straightforward compliance answers.
Balanced responses in the 300–600 word range. Covers key points with clear structure without overwhelming detail.
Comprehensive answers between 600–1,200 words. Includes implementation guidance, reference tables, and thorough explanations for compliance planning.
Exhaustive responses in the 1,200–2,500 word range. Step-by-step guidance, checklists, control mappings, and actionable recommendations for deep research.
10 specialized agents that collaborate to answer your compliance questions
In Thinking Mode, your question is automatically routed to the best agent (or combination of agents) by the Orchestrator. You can also select an agent manually using the "+" button next to the chat input.
Classifies your question's intent, extracts key entities like control IDs and families, and decides which agent pipeline to activate.
Performs deep compliance analysis against CMMC and NIST frameworks. Returns authoritative answers with exact control references you can cite.
Reviews uploaded documents (SSPs, policies, procedures) against CMMC requirements. Processes the entire file without chunking so nothing gets missed.
Identifies compliance gaps in your security posture and generates POA&M entries with specific remediation steps to close each one.
Searches the web for the latest CMMC and NIST updates, policy changes, and security advisories. Uses DuckDuckGo for privacy-respecting real-time results.
Maps controls across CMMC, NIST 800-171, ISO 27001, SOC 2, and other frameworks. Essential when your organization carries multiple compliance obligations.
Generates System Security Plan drafts with proper structure, control descriptions, and implementation statements. A fast way to jump-start your documentation.
Calculates CMMC readiness percentages and risk scores so you can prioritize remediation efforts effectively.
Monitors changes to DoD, NIST, and CMMC policies and keeps you informed about regulatory shifts that could affect your compliance.
The conductor behind the scenes. Analyzes your query and routes it to the optimal agent or combination of agents. Runs automatically in Thinking Mode, so you never interact with it directly.
Upload your compliance documents for AI-powered review
Click the "+" button next to the chat input and choose "Upload File", or drag and drop files directly into the chat area.
Handles the document formats compliance teams use every day:
The Document Analyzer Agent processes your entire file without chunking, giving it the full context needed for a thorough review. You can ask it to:
Uploaded files are processed entirely in-memory. They are never written to disk, cached, or retained after processing. Once the response is generated, all file data is discarded immediately. No copies are stored anywhere, not in logs, not in temporary storage, and not in the database. Your documents stay yours.
Note: For scanned PDFs (image-based), AskCMMC.ai uses OCR (Optical Character Recognition) to extract text. Results may vary depending on scan quality. Native or digital PDFs will always produce the best results.
Every answer is backed by traceable, verifiable references
Every response includes numbered citations, small inline badges that link directly to the source document used for that part of the answer, similar to how Perplexity works. Click any citation to jump to the source panel and see the exact passage that informed the response. This makes it easy to verify, audit, and share findings with your team.
Below each answer, a source panel displays all referenced documents as clickable cards. Each card shows the source name, relevance score, and a snippet preview on hover. You can expand any card to read the full retrieved passage in context, making it simple to trace exactly where every claim in the response came from.
All answers are grounded in official, authoritative sources. The knowledge base includes:
Built-in guardrails prevent hallucinated control IDs, incorrect framework labels, and common AI errors. The system clearly distinguishes mandatory requirements from recommended best practices and cross-references every claim against the official source documents. If a control ID or framework mapping can't be verified, it won't appear in the response.
Help us improve by reporting issues or suggesting features
Visit /report to submit a bug report or feature request. The form supports categories, severity levels, screenshots, and detailed descriptions so we can triage quickly.
Reports are automatically created as GitHub Issues with the appropriate labels and metadata. Our team reviews every submission and triages by severity and category.
Purpose-built for organizations handling sensitive defense information
No personal information, conversation data, or usage patterns are collected, sold, or shared. There is no analytics, no behavioral tracking, and no fingerprinting of any kind.
Your questions, documents, and conversations are never used to train or fine-tune any AI model. Data is processed solely to generate your response, then immediately discarded.
Uploaded documents are processed entirely in-memory, never written to disk, never cached, and never retained beyond response generation.
OAuth 2.0 SSO via Google, Microsoft, or GitHub. Session cookies are HttpOnly, SameSite=Lax, and Secure in production, with single active session enforcement.
Every third-party library (Hugging Face, PyTorch, Transformers) has been audited. All telemetry, phone-home calls, and usage reporting have been programmatically disabled.
When you delete a conversation, clear history, or remove your account, the data is permanently destroyed. No shadow copies, no hidden backups, no recycle bins.
Your profile, usage, and data at a glance
Your current query count is shown in the header. Free trial accounts include a limited number of complimentary queries. Unlimited access is available after a free consultation.
Open Settings from the avatar dropdown in the top-right corner. From there you can:
Only one active browser session is allowed per account at a time. If you sign in from a new device or browser, you'll be prompted to either continue there (which automatically signs out the other session) or cancel. This prevents unauthorized concurrent access and ensures your account stays secure across devices.
Click your avatar in the sidebar and then Sign Out to end your session securely. Your full chat history is preserved server-side and will be waiting for you when you return. Signing out invalidates your session token immediately, so no one else can use your browser session after you leave.
Navigate faster without reaching for the mouse
| Action | Shortcut |
|---|---|
| New chat | Ctrl + Shift + O |
| Focus chat input | / |
| Send message | Enter |
| New line in message | Shift + Enter |
| Toggle sidebar | Ctrl + B |
| Dismiss / unfocus | Esc |
Answers to the questions we hear most often
Get the most out of AskCMMC.ai with these recommendations
The more specific your question, the more precise the answer. Instead of "Tell me about CMMC," try "What are the access control requirements for Level 2 that apply to remote workers?" Specificity helps the retrieval pipeline find the right source passages.
Start broad, then drill deeper. Ask "What is required for media protection at Level 1?" and follow up with "How should I implement that for USB drives?" Conversation context carries forward automatically.
Use Flash for quick control lookups and definitions. Switch to Thinking for gap analysis, SSP drafts, cross-framework mapping, or anything that benefits from multi-agent collaboration.
Native or digital PDFs produce the best results. For scanned documents, ensure the scan quality is high and text is legible. Clear formatting helps the AI extract content more accurately.
Every response includes numbered citations for a reason. Before making compliance decisions, review the cited sources to confirm the information matches your interpretation. The AI is a powerful research tool, but human judgment should always be the final authority.
Use separate chats for different topics. Pin important conversations, name them descriptively, and treat AskCMMC.ai like a compliance notebook to keep your work organized.