CMMC Compliance

CMMC compliance evidence for every code change.

80,000 defense contractors need CMMC Level 2 certification. Phase 1 enforcement has been live since November 2025. MergeWhy automates the change management evidence that DIBCAC assessors require.

99% of DIB companies are not ready for CMMC assessment. Don't be one of them.

80,000 contractors need L2

110 NIST 800-171 controls

99% not ready for assessment

Nov 2025: Phase 1 enforcement live

Capabilities

Built for the Defense Industrial Base.

SPRS Score Calculator (Unique to MergeWhy)

Automated Supplier Performance Risk System scoring with all 110 NIST SP 800-171 controls weighted per DoD methodology. Track your score from -203 to 110 in real time as evidence improves. Conditional scoring for MFA (3.5.3) and FIPS (3.13.11) built in.

110 NIST SP 800-171 Controls

Full CMMC Level 2 coverage across all 14 control families. Every code change is evaluated against applicable controls — Access Control, Configuration Management, Identification & Authentication, System & Communications Protection, and more.

Air-Gapped Collector

Deploy the MergeWhy collector agent inside your classified network. Source code never leaves your boundary. Only attestation results (scores, control pass/fail, gap types) are transmitted. Ed25519 signed for integrity.

Tamper-Proof Evidence Vault

SHA-256 cryptographic sealing at merge time. Every Decision Evidence Record captures the complete audit trail — ticket, approval, review, tests, deployment — sealed and immutable for DIBCAC assessors.

How It Works

Three steps to CMMC-ready evidence.

01 Install the GitHub App

Connect your repositories in under 2 minutes. Or deploy the self-hosted collector for air-gapped environments.

02 Merge as usual

Engineers change nothing. Every merge generates a Decision Evidence Record mapped to NIST SP 800-171 controls with automatic SPRS impact scoring.

03 Prove compliance

Generate audit bundles with per-control evidence packages. Your SPRS score updates in real time. DIBCAC assessors get cryptographic proof.

SPRS Scoring

Know your SPRS score before the assessor does.

MergeWhy calculates your Supplier Performance Risk System score using the official DoD methodology: start at 110, subtract weighted deductions per unmet control. 44 controls at 5 points, 14 at 3 points, 51 at 1 point. Grades A through F with risk level classification.

Access Control (3.1), Awareness & Training (3.2), Audit & Accountability (3.3), Configuration Management (3.4), Identification & Authentication (3.5), Incident Response (3.6), Maintenance (3.7), Media Protection (3.8), Personnel Security (3.9), Physical Protection (3.10), Risk Assessment (3.11), Security Assessment (3.12), System & Comms Protection (3.13), System & Info Integrity (3.14)

Get Started

Phase 1 is live. Start collecting evidence now.

Free for your first repository. Self-hosted deployment available for classified environments.