New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

AT.L2-3.2.1
AT.L2-3.2.2
AT.L2-3.2.3
AC.L2-3.1.1
AU.L2-3.3.1
CM.L2-3.4.1
IA.L2-3.5.3
IR.L2-3.6.1
MA.L2-3.7.1
MP.L2-3.8.1
PS.L2-3.9.1
PE.L2-3.10.1
RA.L2-3.11.1
CA.L2-3.12.1
SC.L2-3.13.1
SI.L2-3.14.1
AT.L2-3.2.1
AT.L2-3.2.2
AT.L2-3.2.3
AC.L2-3.1.1
AU.L2-3.3.1
CM.L2-3.4.1
IA.L2-3.5.3
IR.L2-3.6.1
MA.L2-3.7.1
MP.L2-3.8.1
PS.L2-3.9.1
PE.L2-3.10.1
RA.L2-3.11.1
CA.L2-3.12.1
SC.L2-3.13.1
SI.L2-3.14.1

CMMC 2.0 · ITAR · FedRAMP · IRAP

Compliance training for government – and the suppliers who work with it.

Your people already use AI every day. One pasted prompt can be an uncontrolled CUI disclosure – or an ITAR export. Train every employee – including AUKUS authorized users in the defense industrial base – to work safely inside your CMMC 2.0, FedRAMP, or IRAP boundary, and export the evidence your assessor asks for.
  1. AT Family Evidence

    Mapped to NIST SP 800-171 AT family

    Completion records mapped to the NIST SP 800-171 Awareness & Training family – AT.L2-3.2.1 through 3.2.3 – with per-user, per-course, per-content-version exports your assessor can verify.

  2. Cleared AI Awareness

    FedRAMP boundary literacy for the workforce

    Interactive courses teach what CUI and FCI are, why commercial AI endpoints sit outside your authorization boundary, and which cleared alternatives exist – from practitioners who have carried a product through FedRAMP Moderate.

  3. Assessor-Ready Exports

    Versioned records for your assessor

    Versioned completion records, per-seat pricing that covers the whole workforce, and a training-evidence pack you can hand to a C3PAO on demand – no slideware, no annual checkbox event.

Industries

Built for every corner of the defense industrial base.

From precision manufacturing to secure comms, we train the workforces that handle CUI and ITAR technical data every day – with evidence mapped to the NIST SP 800-171 AT family.

Compliance regimes

Built for the rules your contracts actually name.

Heavy focus on the regimes that shape US defense and federal work – with allied-nation coverage for suppliers who operate under the same standards.

  • CMMC 2.0

    US · DoD

    Workforce training for CMMC Level 2 environments: CUI handling, AI data spillage, and assessor-ready evidence mapped to the NIST SP 800-171 AT family.

    AT.L2-3.2.1–3.2.3 completions, per user, per content version.

  • ITAR

    US · Export control

    ITAR awareness for everyone who isn't the export-compliance officer: technical data, U.S.-persons rules, deemed exports, and the AI-prompt-as-export framing.

    Role-based paths for engineers, program staff, and admins.

  • FedRAMP

    US · Cloud

    What an authorization boundary covers, what “FedRAMP-authorized” does and doesn't mean, and how to evaluate AI tools before they leave the perimeter.

    Literacy for vendors, buyers, and the people who paste.

Allied nations

Australian and UK defense suppliers under AUKUS – and teams operating in IRAP-assessed environments – face the same AI and export-control exposure. The training obligation crosses borders with the data.

  • IRAP

    AU · Up to SECRET

    Training for staff who work inside IRAP-assessed environments under the Protective Security Policy Framework – classifications up to SECRET, and what “assessed” does and doesn't cover for AI use.

    Workforce literacy for ISM / PSPF operating environments.

  • AUKUS

    AU · UK · US

    The license-free export environment brings Australian and UK defense suppliers inside the ITAR perimeter – with authorized-user obligations, DISP context, and the same AI-as-export risk.

    Bridge training for AUKUS authorized users and DISP members.

Live demo

Would your people catch it before they paste it?

A slice of our AI Prompt Safety Lab, running live and tuned for regulated government and defense workforces. Paste a prompt the way your engineers would – it flags CUI and export-controlled technical data, explains the risk, and rewrites what can safely leave the boundary.

Prompt check
Try an example:
0/1200

Demo only – prompts are sent to a commercial AI model for analysis and never stored. Don't paste real CUI or export-controlled data; that's rather the point.

Open the full lab →

US CMMC clock

The clock is not hypothetical. CMMC certification requirements are phasing into DoD contracts now – and every control family you can close without a consultant is money and calendar recovered. Allied suppliers under AUKUS and DISP face the same flow-down timelines from their primes.

Certification enters contracts
Nov 10, 2026Phase 2 of the CMMC rule brings third-party (C3PAO) certification into new DoD contracts.
Companies need Level 2
~80,000Organizations in the defense industrial base the DoD estimates will need Level 2 certification.
Authorized C3PAOs
<100Authorized assessment organizations serving that entire population. Calendars are already full.
Per assessment
$75k+Projected cost of a Level 2 assessment as demand outstrips assessor capacity. Evidence gaps mean re-work.

Figures reflect DoD CMMC program estimates and industry projections as of 2026.

The exposure

Your people are already pasting into AI. The question is what.

AI adoption didn't wait for your acceptable-use policy. In a regulated environment, the gap between what your people do daily and what your boundary allows is the risk.

A prompt is a data transfer
A prompt is an outbound data transfer. CUI pasted into a commercial chatbot is an uncontrolled disclosure; ITAR technical data can be an unauthorized export. Your people don't think of a chat box that way – yet.
Commercial endpoints aren't cleared
The consumer AI tools your staff reach for sit outside any FedRAMP or IRAP authorization boundary. No contract, no audit trail, no data-handling commitments – regardless of how good the model is.
Bans don't hold. Training does.
Sanctioned paths now exist – government-cleared AI offerings inside authorized environments – and the list changes quarterly. A blanket ban just drives usage into the shadows. Training is what holds.

The course line

AI in the Regulated Workplace.

Not generic security awareness with the logo swapped. A course line built for people who work under CMMC, ITAR, FedRAMP, and IRAP – taught through interactive scenarios, kept current as the rules move.

  • RW-101Flagship

    AI in CUI environments

    The flagship. What CUI and FCI are, why commercial AI endpoints are off-limits, which cleared alternatives exist, prompt hygiene, and what to do in the first hour after a spillage.

  • RW-201Whole workforce

    ITAR awareness for the workforce

    ITAR for everyone who isn't the export-compliance officer: what technical data is, U.S.-persons rules, deemed exports in everyday tools, and the AI-prompt-as-export framing.

  • RW-211AUKUS / DISP

    AUKUS export controls

    The license-free AUKUS environment, authorized-user obligations, DISP membership context, and AI prompts as exports under both US and Australian rules – for suppliers stepping inside the ITAR perimeter for the first time.

  • RW-301AT family

    CUI handling & insider threat

    DIB-specific security awareness and insider-threat recognition – the AT.L2-3.2.1 and 3.2.3 content, taught through scenarios instead of slideware.

  • RW-401Vendors & buyers

    FedRAMP literacy

    What an authorization boundary actually is, what “FedRAMP-authorized” does and doesn't cover, and how to evaluate tools – from practitioners who have carried a product through authorization.

  • RW-501AU · Up to SECRET

    IRAP & ISM awareness

    Operating inside IRAP-assessed environments under the Protective Security Policy Framework: classifications up to SECRET, ISM awareness expectations, and what “assessed” does and doesn't mean for everyday AI use.

Assessment evidence

Walk in with the Awareness & Training family closed.

Assessors ask a precise question: who was trained, on what content, on which version, when – and can you prove it? That record is what the platform produces, continuously.

  • AT.L2-3.2.1Security awareness trainingEvery user completes DIB-specific awareness content – CUI handling, AI data spillage, phishing – with per-user completion records.
  • AT.L2-3.2.2Role-based security trainingTraining paths assigned by group and role, so admins, engineers, and program staff each carry the training their duties require.
  • AT.L2-3.2.3Insider threat awarenessRecognition and reporting of insider-threat indicators, woven into scenarios and tracked to completion for every seat.
  • VersioningCurrency of training contentCompletions are recorded against the content version. When the rules change and content updates, stale seats are flagged for retraining – provably.

Training and evidence support your assessment; they are one input to your broader System Security Plan, not a certification of compliance. For Australian readers, the NIST SP 800-171 AT family crosswalks to equivalent ISM personnel-security and awareness expectations – the same completion ledger underpins both.

Operating rhythm

Enroll, train, reinforce, prove.

Compliance training isn't an annual event. It's a standing capability with a monthly cadence and evidence on demand.

  1. 01

    Enroll the workforce

    Provision the org, import your people, and assign role-based training paths by group – engineers, program staff, admins.

  2. 02

    Train on live content

    Interactive, DIB-specific courses: redaction labs on realistic documents, “may I paste this?” drills, branching spillage scenarios.

  3. 03

    Reinforce monthly

    A short monthly scenario keeps readiness current: new cleared-AI authorizations, fresh incident patterns, rule changes as they land.

  4. 04

    Prove it on demand

    Export the training-evidence pack mapped to the NIST SP 800-171 AT family – per user, per course, per content version.

AT.L2-3.2.1
AT.L2-3.2.2
AT.L2-3.2.3
AC.L2-3.1.1
AU.L2-3.3.1
CM.L2-3.4.1
IA.L2-3.5.3
IR.L2-3.6.1
MA.L2-3.7.1
MP.L2-3.8.1
PS.L2-3.9.1
PE.L2-3.10.1
RA.L2-3.11.1
CA.L2-3.12.1
SC.L2-3.13.1
SI.L2-3.14.1
AT.L2-3.2.1
AT.L2-3.2.2
AT.L2-3.2.3
AC.L2-3.1.1
AU.L2-3.3.1
CM.L2-3.4.1
IA.L2-3.5.3
IR.L2-3.6.1
MA.L2-3.7.1
MP.L2-3.8.1
PS.L2-3.9.1
PE.L2-3.10.1
RA.L2-3.11.1
CA.L2-3.12.1
SC.L2-3.13.1
SI.L2-3.14.1

Who it's for

Built by practitioners who live under these rules.

This isn't compliance content written from a checklist. Our practitioners have carried a product through FedRAMP Moderate authorization and work daily in ITAR- and CMMC-regulated file sharing – the same boundary your people operate inside.

And with the AUKUS license-free environment now live, Australian and UK defense suppliers are stepping inside the ITAR perimeter for the first time – with the same training obligations and almost no local supply. We cover both sides of that bridge, including staff who work in IRAP-assessed environments under the Protective Security Policy Framework up to SECRET.

  • Defense primes and subcontractors handling CUI
  • Suppliers facing CMMC flow-down from their primes
  • ITAR-registered manufacturers and exporters
  • Australian AUKUS authorized users and DISP members
  • Teams working in IRAP-assessed environments up to SECRET
  • Government agencies and departments adopting AI
  • Cloud vendors pursuing or holding FedRAMP authorization
  • Anyone whose contracts reference NIST SP 800-171

Next step

A 30-minute briefing, not a sales demo.

Bring your assessment timeline. We'll walk your team structure, map the training obligation, and show you the evidence pack your assessor would receive.