Vendor claims CMMC 110/110

Teal said this week that it earned a perfect 110 out of 110 on a Cybersecurity Maturity Model Certification Level 2 assessment conducted by an accredited third-party assessor. (tealtech.com) The company’s April 21 statement said the review produced “zero findings” and no open plans of action and milestones, the remediation lists companies can use when some gaps remain. Teal said it used the same compliance program it sells to defense-contractor clients. (tealtech.com) CMMC is the Pentagon’s contractor cyber-check program. The Defense Department’s final program rule says it exists to verify that contractors protecting federal contract information and controlled unclassified information have actually put required safeguards in place. (federalregister.gov) For Level 2, the rule points companies to the 110 security requirements in NIST Special Publication 800-171 Revision 2. The scoring rule says 110 is the maximum score and points are subtracted for each requirement marked “not met.” (ecfr.gov) A perfect 110 does not mean the program has only 110 boxes to tick. The assessment guide breaks those requirements into multiple testable objectives, and companies can still receive a Conditional Level 2 result if they miss some items but qualify to close them through a formal remediation plan within 180 days. (dodcio.defense.gov) (ecfr.gov) That timing matters because CMMC is no longer a future concept. The Defense Department says the acquisition rule that puts CMMC clauses into contracts took effect on November 10, 2025, starting a three-year rollout across new solicitations and awards. (business.defense.gov) The sales pitch behind announcements like Teal’s is shifting with that rollout. Instead of selling a one-time readiness project, providers are increasingly selling managed compliance programs that promise to keep documentation, evidence, system boundaries, and security controls in shape between assessments. (tealtech.com) (abacode.com) Teal is not the only company using certification news as marketing. In the past week alone, Monalytic, Supplynet and Castellum have also publicized Level 2 results or perfect 110 scores in press releases aimed at defense-industry buyers. (marketwatch.com) (usatoday.com) (tmcnet.com) The harder question for contractors is not whether a vendor can post a score, but whether the assessor was authorized and the scope matches the systems that will handle controlled data. The CMMC rule requires Level 2 certification assessments to be performed by an authorized or accredited C3PAO, with results entered into the CMMC instance of eMASS and transmitted to SPRS, the Pentagon’s supplier-risk system. (ecfr.gov) Teal’s announcement gives it a clean proof point at the moment more contractors are being asked for one. As CMMC clauses spread through contracts, vendors are turning their own audit outcomes into product demos. (tealtech.com) (business.defense.gov)