Terms of Service

Effective Date: April 1, 2026  ·  Last Updated: April 1, 2026

The short version: We generate compliance documentation based on the information you give us. We build it carefully and stand behind its quality. But what's in the documentation has to match what you've actually built — and making sure of that is your responsibility. These terms explain exactly where our responsibility ends and yours begins.

01 Service Description

MyCMMC.org provides automated compliance documentation services for organizations pursuing CMMC Level 2 certification. Our service generates documentation frameworks — including System Security Plans, policies, Plans of Action & Milestones, and supporting documents — based on information provided by the customer during the intake assessment.

Our documentation is designed to meet the formatting, structural, and content requirements expected by C3PAO assessors. However, the documentation reflects the environment as described by the customer. MyCMMC does not independently verify the accuracy of customer-provided information.

02 Customer Responsibilities

Because our documentation is built from information you provide, accuracy starts with you. Specifically:

  • Accuracy of information. You are solely responsible for the accuracy and completeness of all information provided during the intake assessment. If you describe your environment incorrectly, the resulting documentation will reflect those inaccuracies.
  • Environmental verification. Before presenting any documentation to a C3PAO, you are responsible for verifying that your actual IT environment matches what the documentation describes. Our Pre-Assessment Verification Workflow is designed to help you do this.
  • Signing and attestation. When you sign the generated documents, you are attesting to the accuracy of the contents. This attestation carries legal significance under federal contracting law. Do not sign documents that do not accurately describe your environment.
  • Technical implementation. MyCMMC generates documentation — we do not implement, configure, or manage security controls. You are responsible for implementing all technical controls described in the documentation before your assessment.
  • Evidence collection. Documentation of controls is not the same as evidence of their operation. You are responsible for collecting and maintaining evidence that your controls have been running as described — audit logs, access reviews, scan reports, training records, and other artifacts your C3PAO will want to see.

03 Assessment-Ready Guarantee

The Assessment-Ready Guarantee applies exclusively to customers who meet all three of the following conditions before their C3PAO assessment:

  • (a) Complete the full product intake assessment with accurate information
  • (b) Complete the Pre-Assessment Verification Workflow, confirming their environment matches the generated documentation
  • (c) Receive a practitioner review of their documentation package

Under this guarantee, if a C3PAO assessor rejects the format, structure, completeness, or content quality of any document generated by MyCMMC, we will remediate the document at no additional cost.

The guarantee does not cover:

  • Assessment findings related to technical controls not being implemented
  • Assessment findings related to insufficient evidence of control operation
  • Assessment findings caused by inaccurate information provided during intake
  • Assessment findings related to systems, processes, or personnel not described in the intake
  • Changes to the customer's environment after documentation was generated
  • Subjective assessor interpretations beyond published NIST 800-171A assessment objectives

04 Limitation of Liability

MyCMMC provides documentation services only. We do not guarantee CMMC certification outcomes. Certification decisions are made solely by authorized C3PAOs based on their independent assessment of the organization's complete security posture — including documentation, technical implementation, evidence, and personnel competency.

MyCMMC is not liable for:

  • Assessment failures caused by factors outside the documentation we generate
  • Costs associated with technical remediation, C3PAO assessments, or re-assessments
  • Business losses resulting from delayed or failed certification
  • Any liability arising from customers signing and submitting documentation that does not accurately reflect their environment

To the extent permitted by applicable law, MyCMMC's total liability under these terms is limited to the amount paid by the customer for the specific service that gave rise to the claim.

05 Practitioner Review

Certain MyCMMC packages include review by a CMMC Registered Practitioner (RP). The practitioner review covers document quality, completeness, and alignment with NIST 800-171 Rev 2 requirements.

The practitioner review does not constitute an independent assessment of the customer's environment or security posture. It is a review of the documentation itself — not an evaluation of whether the described controls are actually implemented or operating effectively.

06 Intellectual Property

Generated documents become the property of the customer upon delivery. You may use, modify, and submit them without restriction in connection with your CMMC certification.

The underlying templates, assessment logic, document generation engine, and platform code remain the intellectual property of MyCMMC. You may not resell or redistribute MyCMMC-generated documents as templates or starting points for third parties without our written permission.

07 Privacy & Data Handling

Information provided during the intake assessment is used for the purpose of generating your compliance documentation. We do not sell your intake data to third parties.

Contact information collected through our free readiness check quiz may be used to send you follow-up communications related to CMMC compliance resources, deadlines, and updates. You can opt out of these communications at any time.

We implement reasonable security measures to protect customer data. For detailed information about how we collect, store, and process your information, see our Privacy Policy.

08 Modifications to These Terms

We may update these terms from time to time as our service evolves or as legal requirements change. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify active customers by email.

Continued use of MyCMMC services after changes take effect constitutes your acceptance of the updated terms. If you disagree with a change, you may discontinue use of the service.

The most current version of these terms is always available at mycmmc.org/terms.html.