Primes: Map and Manage Your Entire Contractor Flow Down
Using the SecurityMetrics CMMC Compliance Portal, your entire flow-down of subcontractors is managed in one easy-to-navigate place. You can discover your network's CMMC status, identify next steps, and stay updated on their progress.
Level 2 Contractors: Get Expert CMMC Guidance from a Certified RPO
As a certified RPO (Registered Provider Organization), we offer a hands-on, detailed approach to all CMMC controls. Get a complete gap analysis, mock assessment, and readiness overview from our team, ensuring your company leaves no stone unturned.
PCI program solutions for acquirers and ISOs
SecurityMetrics PCI programs are merchant-friendly, keeping them and you happy.
Feature
Basic
Plus
Pro
Advisor
Online Portal
Merchant PCI SAQ
SAQ Pre-Population
ASV scans (1/merch)
PCI Policy Template
24/7 Help Desk
24/7 Scan & SAQ Support
Partner+ Portal
Custom Email Campaigns
Assigned CSM
ASV scans (5/merch)
$100,000 Merchant Premium Service Warranty
Card Data Discovery
Mobile Device Scan
AI-Powered PCI Compliance (Spectre AI)
Anti-Malware Software
Get started on your PCI program, request a quote now.
Lite
Basic
Advanced
PCI for small businesses starting at
Price discounts available depending on merchant processor
- External Vulnerability Scan (1 IP)
- Online PCI Self Assessment Questionnaire (SAQ)
- Online compliance reporting portal
- Non-compliance notification
- Compliance reporting to merchant processor
- Compliance certificate
- PANscan® (Card discovery software for 1 machine)
- Service warranty (Up to $100,000 reimbursement in case of a breach)
- Security Awareness Training (1 seat)
*We discount our services for most merchants because of our relationship with their merchant processor.
Looking for Acquirer or PCI program pricing? Click here.
Level 1 Contractors: Get Fully-Supported Self Assessment Tools
- Add your compliance status to our platform for Free: Add your compliance information into our system for free, advertise your compliance status, and allow prime contractors to include your status in their flow down tracking.
- Simplified Compliance with our Self-Assessment Portal: Get a smooth, simple process that guides you through each control in easy-to-understand terms with our CMMC self assessment portal.
- 24-Hour Live Support Backed by Compliance Experts: Contact our 24/7/365 support team to get immediate, hands-on help wherever you are in your CMMC journey. Our support staff is supported by CMMC experts and compliance assessors.
- Get a Ready-to-Submit Report on Compliance: Once your guided self-assessment is finished, we provide a report on CMMC compliance that you can take to the DoD/DoW official Supplier Performance Risk System (SPRS) website and affirm your compliance.
Basic
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 1 IP
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 3 seats
- 5-Hour Technical Support (inbound tech support only)
Plus
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 3 IPs
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 15 seats
- Unlimited Support (specialized HIPAA support agents available for guidance on all HIPAA tools)
Pro
- Online Portal Access (Software to help you work towards HIPAA compliance)
- Security Fundamentals Checklist
- $100,000 Service Guarantee
- Monthly Perimeter Scans: 5 IPs
- Risk Analysis
- Risk Management Plan
- Monthly HIPAA Newsletter
- HIPAA Policies & Procedures (including Breach Notification Policy and Business Associate Agreement Template)
- HIPAA Training: 25 seats
- Unlimited Support (specialized HIPAA support agents available for guidance on all HIPAA tools)
Basic
- Portal access
- 1 payment path supported
- User-initiated scanning process
- Fulfills requirements 6.4.3 & 11.6.1
- Add-on consultation credits available
- Partner discounts available
Plus
- Portal access
- 1 payment path supported (option to add on)
- Automated scanning process
- Fulfills requirements 6.4.3 & 11.6.1
- Add-on consultation credits available
- Partner discounts available
Pro
- Portal access
- 3 payment paths supported (option to add on)
- Automated scanning process
- Fulfills requirements 6.4.3 & 11.6.1
- Forensic annual baseline assessment
- 12 annual consultation credits included
- Partner discounts available
Frequently Asked Questions
I’m a Level 1 contractor, what do I need to do for CMMC compliance?
Level 1 contractors handle FCI (Federal Contract Information) and must complete a self-assessment of 17 different CMMC controls. They’re also required to attest to their CMMC compliance annually.
For Level 1 contractors and those new to CMMC, we offer the ability to begin with no previous understanding of data security frameworks, guiding you from start to finish, and reporting your compliance up the chain to the Prime contractor.
Trained CMMC experts can help you fulfill CMMC deadlines, report your compliance status to the SPRS website, and connect with Prime contractors.
I’m a Level 2 contractor, what do I need to do for CMMC compliance?
Level 2 contractors handle CUI (Controlled Unclassified Information) and must complete an audit of 110 different CMMC controls.
CMMC audit controls are based entirely on the 110 controls in the NIST SP 800-171 framework.
Our audit team can assist with all of these controls and requirements. They have extensive experience with NIST frameworks and can perform a CMMC Readiness Assessment to efficiently scope your CMMC environment and conduct a thorough Gap Analysis.
I’m a Prime contractor with a flow-down network, what do I need to do for CMMC compliance?
A prime contractor must be able to verify that all of their subcontractors are also CMMC compliant.
As a Prime contractor, you are also tasked with collecting and verifying compliance information from your entire flow-down of subcontractors.
We offer Prime contractors a compliance management database and platform that makes it easy to track and verify the CMMC status of all subcontractors, making your CMMC experience simple to organize and manage.
What exactly is CMMC and why is the DoD requiring it?
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program designed to validate that private companies working with the military have strong cybersecurity. The DoD is moving to a "verify before you trust" model to stop foreign adversaries from stealing intellectual property and national security data from the defense supply chain.
How do I know which CMMC Level applies to my company?
The program works in a tiered system based on the type of data you handle:
- Level 1 (Introductory): For companies handling Federal Contract Information (FCI). This involves standard practices like passwords and antivirus software.
- Level 2 (Advanced): For companies handling Controlled Unclassified Information (CUI). This requires strict protocols (NIST standards) and an audit by a CMMC authorized private third party (C3PAO).
- Level 3 (Expert): For a small subset of companies working on critical programs. This assessment is conducted directly by government officials. (Note: If you’re unclear what level you are, reach out and we can help you figure out your needs.)
Can we just self-certify like we used to in the past?
For most companies, the answer is no. The biggest change under CMMC is the move away from the "honor system" where you could simply sign a paper claiming you followed the rules. While Level 1 still allows for self-assessment, Level 2 and Level 3 now require formal audits by outside assessors to prove compliance.
Is this happening right now, or can I wait to prepare?
You should prepare now. As of late 2025, the phased rollout has begun, and these requirements are already appearing in contracts. CMMC is a "go/no-go" requirement; without the certification in hand, you cannot be awarded the contract. You must determine your level and prepare for assessment to ensure you can win future bids.
Does this requirement apply to my subcontractors?
Yes. If you share Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) with subcontractors to fulfill a contract, they must also achieve the appropriate CMMC level. The program is designed to secure the entire supply chain, meaning you are responsible for ensuring your partners and vendors meet these requirements before sharing data with them.
How often do I need to be re-certified?
It varies by level. Level 1 requires an annual self-assessment and affirmation. Level 2 and Level 3 certifications are generally valid for three years. However, you are still required to submit an "annual affirmation" in the Supplier Performance Risk System (SPRS) to verify that your security remains compliant during the years between your full assessments.
What if I miss a few requirements during my audit? (POA&Ms)
It depends on the severity. For Level 1, you must pass 100% of the requirements immediately; no exceptions are allowed. For Level 2 and 3, if you miss certain non-critical requirements, you may be granted "Conditional" status. This allows you to continue working, but you must create a Plan of Action and Milestones (POA&M) and fix the issues within 180 days. If you do not close out these issues within that timeframe, your conditional certification will expire.
Resources
The following are related resources that we have prepared for you. Find more answers to your questions in our Learning Center.