🛡️ archetype: defense-govcon

Win DoD contracts without failing the CMMC assessment.

Building for a DoD contract, handling CUI (Controlled Unclassified Information), or in the defense supply chain? GreatCTO auto-detects the defense-govcon archetype and ships CMMC 2.0 level selection, NIST SP 800-171 (110 controls), DFARS 252.204-7012 72-hour incident reporting, CUI boundary scoping, ITAR/EAR export controls, and Section 889 supply-chain screening from day one.

What you avoid

The 5 defense-contract bugs that lose the award.

Without GreatCTO

  • CUI sent to a generic LLM API / non-FedRAMP SaaS — out-of-boundary leak
  • CMMC level chosen before deciding FCI vs CUI — wrong scope, failed assessment
  • SPRS score overstated vs the SSP — False Claims Act exposure
  • DFARS 72-hour incident clock not wired — reporting breach
  • Hikvision/Huawei component in the BOM — Section 889 violation

Contract award lost · False Claims liability · debarment.

With GreatCTO

  • cmmc-reviewer forces FCI-vs-CUI determination, then the CMMC level
  • CUI assessment boundary mapped — no out-of-boundary flows
  • SSP reflects the code; POA&M covers every unmet 800-171 control
  • DFARS 72h (DIBNet) + ≥90-day media preservation path wired
  • Section 889 + ITAR/EAR screening on stack, BOM, and cloud regions

CMMC-assessment ready · SPRS-defensible · award-clean.

Auto-applied gates

Detected: README mentions CMMC / NIST 800-171 / DFARS / CUI / ITAR / Section 889 → defense-govcon archetype.

Compliance auto-suggested: cmmc-2.0 · nist-800-171 · dfars-252.204-7012 · itar · ear · section-889 · fedramp.

Specialist agents activated:

01 · cmmc-reviewer

CMMC 2.0 + NIST 800-171 + DFARS

CMMC level selection (FCI vs CUI) · 110-control NIST SP 800-171 gap analysis · DFARS 252.204-7012 72-hour reporting + media preservation · CUI boundary/data-flow · SPRS/SSP/POA&M integrity · ITAR/EAR export controls · Section 889 supply-chain screening.

02 · gov-reviewer

FedRAMP + NIST 800-53

FedRAMP Moderate equivalence for cloud storing CUI · NIST 800-53 control mapping · authorization-boundary scoping · Section 508 accessibility for federal-facing apps.

03 · security-officer

CUI protection + access

Access control by citizenship for ITAR data · encryption of CUI at rest/in transit · incident-response path to DIBNet · least privilege for the CUI enclave.

30 seconds

Drop into any DoD prime / sub / defense-supply-chain repo handling CUI.

$ npx great-cto init
no signup · runs locally · pay your own API