CMMC 2.0 · ITAR · FedRAMP · IRAP
Compliance training for government – and the suppliers who work with it.
AT Family Evidence
Mapped to NIST SP 800-171 AT family
Completion records mapped to the NIST SP 800-171 Awareness & Training family – AT.L2-3.2.1 through 3.2.3 – with per-user, per-course, per-content-version exports your assessor can verify.
Cleared AI Awareness
FedRAMP boundary literacy for the workforce
Interactive courses teach what CUI and FCI are, why commercial AI endpoints sit outside your authorization boundary, and which cleared alternatives exist – from practitioners who have carried a product through FedRAMP Moderate.
Assessor-Ready Exports
Versioned records for your assessor
Versioned completion records, per-seat pricing that covers the whole workforce, and a training-evidence pack you can hand to a C3PAO on demand – no slideware, no annual checkbox event.
Industries
Built for every corner of the defense industrial base.
From precision manufacturing to secure comms, we train the workforces that handle CUI and ITAR technical data every day – with evidence mapped to the NIST SP 800-171 AT family.
Precision Manufacturing
CNC operators, quality inspectors, and shop-floor staff who handle technical data and CUI every shift.
Read more →
Aerospace & Defense
Prime and subcontractor workforces handling ITAR technical data, avionics specs, and program CUI – including AUKUS authorized suppliers.
Read more →
Industrial Equipment
Heavy machinery and automation teams supporting defense programs and government supply chains.
Read more →
Engineering Services
Design firms and consulting engineers working controlled projects for defense primes and allied government programs.
Read more →
Laser Technologies
Photonics and directed-energy teams where export-controlled performance data is everyday work.
Read more →
Chemical & Materials
Specialty chemical and advanced-materials workforces supporting defense and aerospace programs.
Read more →
Electronics & Semiconductors
Component and semiconductor teams building for defense and critical infrastructure programs.
Read more →
Defense Communications
Secure comms, satellite, and cyber teams operating inside strict authorization boundaries – US ATO and allied IRAP-assessed environments alike.
Read more →
Compliance regimes
Built for the rules your contracts actually name.
Heavy focus on the regimes that shape US defense and federal work – with allied-nation coverage for suppliers who operate under the same standards.
CMMC 2.0
US · DoDWorkforce training for CMMC Level 2 environments: CUI handling, AI data spillage, and assessor-ready evidence mapped to the NIST SP 800-171 AT family.
AT.L2-3.2.1–3.2.3 completions, per user, per content version.
ITAR
US · Export controlITAR awareness for everyone who isn't the export-compliance officer: technical data, U.S.-persons rules, deemed exports, and the AI-prompt-as-export framing.
Role-based paths for engineers, program staff, and admins.
FedRAMP
US · CloudWhat an authorization boundary covers, what “FedRAMP-authorized” does and doesn't mean, and how to evaluate AI tools before they leave the perimeter.
Literacy for vendors, buyers, and the people who paste.
Allied nations
Australian and UK defense suppliers under AUKUS – and teams operating in IRAP-assessed environments – face the same AI and export-control exposure. The training obligation crosses borders with the data.
IRAP
AU · Up to SECRETTraining for staff who work inside IRAP-assessed environments under the Protective Security Policy Framework – classifications up to SECRET, and what “assessed” does and doesn't cover for AI use.
Workforce literacy for ISM / PSPF operating environments.
AUKUS
AU · UK · USThe license-free export environment brings Australian and UK defense suppliers inside the ITAR perimeter – with authorized-user obligations, DISP context, and the same AI-as-export risk.
Bridge training for AUKUS authorized users and DISP members.
Live demo
Would your people catch it before they paste it?
A slice of our AI Prompt Safety Lab, running live and tuned for regulated government and defense workforces. Paste a prompt the way your engineers would – it flags CUI and export-controlled technical data, explains the risk, and rewrites what can safely leave the boundary.
Demo only – prompts are sent to a commercial AI model for analysis and never stored. Don't paste real CUI or export-controlled data; that's rather the point.
Open the full lab →US CMMC clock
The clock is not hypothetical. CMMC certification requirements are phasing into DoD contracts now – and every control family you can close without a consultant is money and calendar recovered. Allied suppliers under AUKUS and DISP face the same flow-down timelines from their primes.
- Certification enters contracts
- Nov 10, 2026Phase 2 of the CMMC rule brings third-party (C3PAO) certification into new DoD contracts.
- Companies need Level 2
- ~80,000Organizations in the defense industrial base the DoD estimates will need Level 2 certification.
- Authorized C3PAOs
- <100Authorized assessment organizations serving that entire population. Calendars are already full.
- Per assessment
- $75k+Projected cost of a Level 2 assessment as demand outstrips assessor capacity. Evidence gaps mean re-work.
Figures reflect DoD CMMC program estimates and industry projections as of 2026.
The exposure
Your people are already pasting into AI. The question is what.
AI adoption didn't wait for your acceptable-use policy. In a regulated environment, the gap between what your people do daily and what your boundary allows is the risk.
- A prompt is a data transfer
- A prompt is an outbound data transfer. CUI pasted into a commercial chatbot is an uncontrolled disclosure; ITAR technical data can be an unauthorized export. Your people don't think of a chat box that way – yet.
- Commercial endpoints aren't cleared
- The consumer AI tools your staff reach for sit outside any FedRAMP or IRAP authorization boundary. No contract, no audit trail, no data-handling commitments – regardless of how good the model is.
- Bans don't hold. Training does.
- Sanctioned paths now exist – government-cleared AI offerings inside authorized environments – and the list changes quarterly. A blanket ban just drives usage into the shadows. Training is what holds.
The course line
AI in the Regulated Workplace.
Not generic security awareness with the logo swapped. A course line built for people who work under CMMC, ITAR, FedRAMP, and IRAP – taught through interactive scenarios, kept current as the rules move.
- RW-101Flagship
AI in CUI environments
The flagship. What CUI and FCI are, why commercial AI endpoints are off-limits, which cleared alternatives exist, prompt hygiene, and what to do in the first hour after a spillage.
- RW-201Whole workforce
ITAR awareness for the workforce
ITAR for everyone who isn't the export-compliance officer: what technical data is, U.S.-persons rules, deemed exports in everyday tools, and the AI-prompt-as-export framing.
- RW-211AUKUS / DISP
AUKUS export controls
The license-free AUKUS environment, authorized-user obligations, DISP membership context, and AI prompts as exports under both US and Australian rules – for suppliers stepping inside the ITAR perimeter for the first time.
- RW-301AT family
CUI handling & insider threat
DIB-specific security awareness and insider-threat recognition – the AT.L2-3.2.1 and 3.2.3 content, taught through scenarios instead of slideware.
- RW-401Vendors & buyers
FedRAMP literacy
What an authorization boundary actually is, what “FedRAMP-authorized” does and doesn't cover, and how to evaluate tools – from practitioners who have carried a product through authorization.
- RW-501AU · Up to SECRET
IRAP & ISM awareness
Operating inside IRAP-assessed environments under the Protective Security Policy Framework: classifications up to SECRET, ISM awareness expectations, and what “assessed” does and doesn't mean for everyday AI use.
Assessment evidence
Walk in with the Awareness & Training family closed.
Assessors ask a precise question: who was trained, on what content, on which version, when – and can you prove it? That record is what the platform produces, continuously.
- AT.L2-3.2.1Security awareness trainingEvery user completes DIB-specific awareness content – CUI handling, AI data spillage, phishing – with per-user completion records.
- AT.L2-3.2.2Role-based security trainingTraining paths assigned by group and role, so admins, engineers, and program staff each carry the training their duties require.
- AT.L2-3.2.3Insider threat awarenessRecognition and reporting of insider-threat indicators, woven into scenarios and tracked to completion for every seat.
- VersioningCurrency of training contentCompletions are recorded against the content version. When the rules change and content updates, stale seats are flagged for retraining – provably.
Training and evidence support your assessment; they are one input to your broader System Security Plan, not a certification of compliance. For Australian readers, the NIST SP 800-171 AT family crosswalks to equivalent ISM personnel-security and awareness expectations – the same completion ledger underpins both.
Enroll, train, reinforce, prove.
Compliance training isn't an annual event. It's a standing capability with a monthly cadence and evidence on demand.
- 01
Enroll the workforce
Provision the org, import your people, and assign role-based training paths by group – engineers, program staff, admins.
- 02
Train on live content
Interactive, DIB-specific courses: redaction labs on realistic documents, “may I paste this?” drills, branching spillage scenarios.
- 03
Reinforce monthly
A short monthly scenario keeps readiness current: new cleared-AI authorizations, fresh incident patterns, rule changes as they land.
- 04
Prove it on demand
Export the training-evidence pack mapped to the NIST SP 800-171 AT family – per user, per course, per content version.
Who it's for
Built by practitioners who live under these rules.
This isn't compliance content written from a checklist. Our practitioners have carried a product through FedRAMP Moderate authorization and work daily in ITAR- and CMMC-regulated file sharing – the same boundary your people operate inside.
And with the AUKUS license-free environment now live, Australian and UK defense suppliers are stepping inside the ITAR perimeter for the first time – with the same training obligations and almost no local supply. We cover both sides of that bridge, including staff who work in IRAP-assessed environments under the Protective Security Policy Framework up to SECRET.
- Defense primes and subcontractors handling CUI
- Suppliers facing CMMC flow-down from their primes
- ITAR-registered manufacturers and exporters
- Australian AUKUS authorized users and DISP members
- Teams working in IRAP-assessed environments up to SECRET
- Government agencies and departments adopting AI
- Cloud vendors pursuing or holding FedRAMP authorization
- Anyone whose contracts reference NIST SP 800-171
Next step
A 30-minute briefing, not a sales demo.
Bring your assessment timeline. We'll walk your team structure, map the training obligation, and show you the evidence pack your assessor would receive.