800-171 Guidance for small software company

old.reddit.com / @/u/ConstantlyMired, https://old.reddit.com/user/ConstantlyMired

We're a small software company (40 employees) that has a SaaS platform used in both the commercial and US Gov't space. Our government contracts are starting to require FedRAMP, CMMC, and others, and we're trying to catch up where we can.

800-171 was suggested by our SOC2 auditor, as it aligns with CMMC L2. But the more I get into it, it seems to apply to the organization, not the software.

FedRAMP Moderate seems more appropriate as we do collect PII as part of the software, but it also seems like a huge undertaking for a small company. While there are clients requesting it as part of the FARS/DFARS boilerplate, I don't think any of our clients will actually pay for it.

Thoughts or suggestions for those who have been through it before?

*Edited to reference FARS and DFARS*

submitted by /u/ConstantlyMired

published 4 months ago
