The SMPL-C Assessment Accelerator is designed to save CCAs time when reviewing OSC documentation as part of their C3PAO CMMC Level 2 assessment, while focusing their authority and expertise on delivering a high-quality assessment. The information below addresses how our AI tools can be used responsibly by C3PAOs within the proper use terms of the CMMC ecosystem.
Proper Use of Technology and Artificial Intelligence (AI)
All CMMC ecosystem members must ensure the responsible and ethical use of AI and other emerging technologies in their conduct of CMMC activities. The CMMC proper use of technology and AI includes the following practices:
● Avoid use of AI or automated assessment technology that renders subservient or diminishes the authority and autonomy of CCAs in a CMMC certification assessment
○ The SMPL-C platform is designed to support the expertise of licensed CCAs and does not diminish, nor place their role subservient to, the provided analysis. CCAs remain highly engaged and complete all necessary elements of an assessment, determining the outcomes of all assessments by their own standards and judgement.
● Avoid biases in AI systems and algorithms used for assessment preparation and assessment conduct
○ The SMPL-C analysis provides factual information about the provided documentation, noting gaps such as missing time stamps, retention periods, lack of enforcement mechanisms, etc. The analysis provided is not based upon opinion, but rather on comparison against the requirements of the CMMC framework. The documentation grading relies upon a standard grading system similar to what US schools use, with points being deducted for missing information that is necessary to meet the standard. As such, it does not apply a bias, and the end decision for how to proceed and evaluate the OSC always remains with the CCAs.
● Prohibiting providing customer data to a public internet-accessible AI application
○ All data is encrypted as a binary stream and only the metadata is analyzed through our secure cloud-based middle tier AI model in transit to the OSC’s secure storage location. SMPL-C does not store any data for processing. SMPL-C's cloud-based software platform relies upon a closed Large Language Model (LLM) for AI processing and does not engage or provide data to public internet-accessible AI models.
■ This means no public data is used by the AI; it uses exclusively the government-issued regulatory text the SMPL-C model was trained on, and it will not access information from the public internet at any point.
■ Additionally, no public access is allowed, so only SMPL-C, their customers and their customers’ approved partners (MSP/MSSPs, RPOs, C3PAOs, etc.) have access to the data.
● Ensuring transparency in technology employment in CMMC activities.
○ SMPL-C is transparent about our handling of customer data. C3PAOs who use our tools for assessment preparation should disclose the use of the SMPL-C platform as a tool in their engagements. The OSC uploads their documentation directly through SMPL-C to the C3PAO’s secure storage, with full transparency.
○ Data is stored within the C3PAO’s secure storage environment, subject to the configuration and terms set by the C3PAO’s policies; thus, use of SMPL-C does not alter the DIBCAC scope or boundaries of the C3PAO’s environment.
● Upholding data privacy and security when employing technology solutions
○ SMPL-C respects customer data privacy by requiring MFA upon login, automated logout after inactivity periods, encryption in transit and at rest, and storage of customer documents in the C3PAO’s or OSC’s authorized, secure storage. Our full DPA can be seen here: https://www.smpl-c.com/data-processing-addendum



