If you're an MSP serving defense contractors, or a defense contractor managing your own IT infrastructure, CMMC Level 2 is no longer something you can plan for later. The final rule took effect in December 2024, and as of November 2025, contracting officers are putting CMMC clauses into new DoD solicitations. By November 2026, third-party certification is the default for any contract involving CUI.
This isn't a drill. And there's a compliance gap hiding in your stack that most people aren't talking about: your IT documentation platform.
The External Service Provider Problem
CMMC Level 2 maps to the 110 controls in NIST SP 800-171. One of the foundational requirements is that any cloud service processing, storing, or transmitting CUI must meet FedRAMP Moderate authorization (or an approved equivalency). A cloud service either appears on the FedRAMP Marketplace or it doesn't.
Now think about what lives inside your documentation platform. Network diagrams. Firewall configurations. Credentials. IP addressing schemes. Runbooks. If any of that belongs to a defense contractor handling CUI, your documentation platform just became an External Service Provider (ESP) inside the CMMC assessment boundary.
That means your documentation platform needs to be FedRAMP authorized. And right now, no commercial SaaS IT documentation platform is on the FedRAMP Marketplace. Not ours in cloud form. Not any of the competitors. None of them.
This is the part that catches people off guard. You can have SOC 2 Type II. You can have ISO 27001 certified datacenters. You can have encryption at rest and in transit. All of those are real security measures, and they all matter. But none of them are FedRAMP, and a C3PAO assessor is going to flag it.
The On-Premises Path
There is a clean path through this, and it doesn't require waiting for any vendor to get FedRAMP authorized (which is a multi-year, multi-million dollar process that most documentation vendors will never pursue).
The answer is on-premises deployment inside the customer's own assessed boundary.
When you deploy IT Portal on-premises, whether that's in your own datacenter, Azure GCC High, AWS GovCloud, or any other assessed enclave, the application inherits the authorization boundary of your environment. Your C3PAO assesses IT Portal as an internal application, not as an external service provider. The FedRAMP question goes away entirely because IT Portal is inside your fence, not outside it.
This is called boundary inheritance, and it's the same model used by thousands of internal applications across the defense industrial base. Your ERP system, your ticketing system, your file shares — they all live inside your boundary and get assessed as part of your environment. IT Portal works the same way.
What Makes This Work
Deploying any application inside a CMMC Level 2 enclave isn't just about where it runs. The application itself needs to support the controls your assessor will test. Here's where IT Portal stands.
Authentication and Identity. SSO via SAML 2.0 and OIDC, tested with Entra ID, ADFS, Okta, and Duo. MFA enforceable organization-wide. Configurable password policy including complexity, length, history, expiration, and account lockout. These map to the entire IA domain in CMMC.
FIPS 140 Cryptography. IT Portal uses Windows CAPI/CNG exclusively for cryptographic operations. No OpenSSL or third-party crypto libraries in the application. When you enable FIPS mode on your Windows Server host, IT Portal runs cleanly under FIPS-validated modules. TLS 1.2+ enforced for all connections with configurable cipher suites.
Audit Logging via REST API. This is where it gets interesting. IT Portal exposes five audit log endpoints through a REST API:
- /api/2.1/logs/loginLogout/ — authentication events with source IP
- /api/2.1/logs/userAccess/ — all CRUD operations on records, filterable by item type
- /api/2.1/logs/adminAccess/ — admin area entry and configuration changes
- /api/2.1/logs/passwordAccess/ — password views
- /api/2.1/logs/passwordChanges/ — password modifications
Your SIEM pulls from these endpoints on a schedule. IT Portal doesn't push logs outbound, which means no outbound connections from your CUI enclave for log delivery. Your SIEM owns the polling, maintains an independent copy, and provides tamper-evidence. This is the preferred architecture for CUI environments. Standard integration patterns work out of the box: Splunk REST Modular Input, Azure Sentinel Logic Apps, Elastic HTTP JSON input, or a simple scheduled PowerShell script. Full details are in the API 2.1 release notes.
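The pull model described above, as an added sketch that is not IT Portal's or any SIEM vendor's code: a collector polls the five endpoints, drops records it has already seen, and keeps its independent copy as a SHA-256 hash chain so that later edits to the copy are detectable. The response shape (a JSON list of records with a unique `id` field) and the `fetch` callable are assumptions; in a deployment `fetch` would be an authenticated HTTPS GET, and the page does not specify the authentication scheme.

```python
import hashlib
import json

# The five audit endpoints named on the page.
BASE = "/api/2.1/logs/"
ENDPOINTS = ["loginLogout", "userAccess", "adminAccess",
             "passwordAccess", "passwordChanges"]
GENESIS = "0" * 64  # prev-hash of the first chain entry

def entry_hash(prev, source, record):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    body = json.dumps({"source": source, "record": record}, sort_keys=True)
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

def poll_once(fetch, store, seen):
    """Pull every endpoint once; append unseen records to the chained store."""
    added = 0
    for name in ENDPOINTS:
        for rec in fetch(BASE + name + "/"):
            key = (name, rec["id"])  # ASSUMPTION: each record has a unique "id"
            if key in seen:          # overlapping poll windows return duplicates
                continue
            seen.add(key)
            prev = store[-1]["hash"] if store else GENESIS
            store.append({"source": name, "record": rec, "prev": prev,
                          "hash": entry_hash(prev, name, rec)})
            added += 1
    return added

def verify_chain(store):
    """Return -1 if the copy is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(store):
        if e["prev"] != prev or entry_hash(prev, e["source"], e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

# Constructed sample responses standing in for authenticated HTTPS GETs.
SAMPLE = {
    BASE + "loginLogout/": [{"id": 1, "user": "alice", "ip": "10.0.0.5"}],
    BASE + "passwordAccess/": [{"id": 7, "user": "alice", "item": "fw-01"},
                               {"id": 8, "user": "bob", "item": "fw-01"}],
}

def sample_fetch(path):
    return SAMPLE.get(path, [])
```

Run `verify_chain` before each export or assessor review; a non-negative result gives the first entry whose content or linkage no longer matches the chain.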
Role-Based Access Control. Custom roles scoped to record types. Separation of duties between admin and user functions. Least privilege enforced at the application layer.
AI That Stays in Boundary. IT Portal's AI features use a proxy architecture. The application never calls an AI service directly. A customer-defined proxy endpoint handles all AI requests. Three options: leave the proxy unconfigured and AI features are cleanly disabled; point the proxy at AWS Bedrock on GovCloud (Claude on Bedrock GovCloud is FedRAMP High authorized) to keep CUI in boundary; or point it at a commercial endpoint for non-CUI environments. The customer controls the data flow. For CUI, only options one and two are acceptable.
What We Publish for Your Assessor
We've done the compliance homework so you don't have to start from scratch.
CMMC Level 2 Customer Responsibility Matrix. All 110 CMMC Level 2 practices mapped to IT Portal, customer, or shared responsibility, with CMMC practice IDs (AC.L2-3.1.1 format) and NIST SP 800-171 cross-references. Each practice has implementation notes and customer configuration guidance. This is the format your C3PAO works from.
On-Premises Deployment and Compliance Guide. Covers deployment targets (datacenter, GCC High, GovCloud), host hardening (FIPS mode, BitLocker, TLS baseline), application configuration (SSO/MFA, RBAC, audit logging, encryption), SIEM integration patterns with sample queries, and the AI proxy architecture.
Software Bill of Materials (SBOM). Available on request for your vulnerability management program.
Both documents are transparent about what's fully implemented and what's planned for a future release. We'd rather you trust 108 practices than doubt all 110.
What This Means for MSPs
If you're an MSP with defense industrial base clients, this affects you in two ways.
First, if your systems touch client CUI (and if you're storing their network configs, credentials, and infrastructure documentation, they probably do), you're an External Service Provider and you're in scope for their assessment. Your documentation platform is part of that scope.
Second, this is a market opportunity. The DoD estimates over 76,000 organizations need CMMC Level 2 certification. Most of them need help getting there. An MSP that can demonstrate a compliant documentation stack — not just talk about compliance but actually show the CRM and the deployment architecture — is ahead of the competition.
The Honest Bottom Line
CMMC compliance is not something any single vendor solves for you. It's 110 practices spanning access control, physical security, personnel security, incident response, and more. IT Portal covers the documentation platform piece: we give you an application that supports the controls, runs inside your boundary, and provides your assessor with the artifacts they need.
The rest — your network architecture, your physical security, your training program, your incident response plan — that's on you or your compliance partner. But at least your documentation platform won't be the thing that trips you up.
If you're evaluating documentation platforms for a CMMC environment, download the full compliance package — the CRM and deployment guide in one request — or contact us for a technical walkthrough of the on-premises deployment.

