Complete CMMC Compliance Suite

📧 Support

📊 Compliance Dashboard

Real-time overview of your CMMC Level 2 compliance status

Overall Compliance

✅

SPRS Score

🎯

Target: 110 points

Open POA&Ms

📋

No active items

Total Assets

💻

Not configured

Pending Tasks

📝

No tasks

🛡️ Control Family Progress

👤 Assigned to Me

✨

No items assigned to you

📈 Implementation Status

⚠️ POA&M Summary by Priority

🛡️

SOC 2 Compliance NEW

Add Trust Services Criteria tracking alongside your CMMC compliance

🛡️ SOC 2 Type II Compliance Trust Services Criteria

Track your organization's compliance with AICPA Trust Services Criteria

Overall Readiness

0 of 0 criteria met

Security (CC)

Required

Availability

Not Selected

Confidentiality

Not Selected

Processing Integrity

Not Selected

Privacy

Not Selected

📋 Select Trust Services Criteria

Security (Common Criteria) is required for all SOC 2 reports. Select additional criteria based on your service commitments.

Security (CC) Required Availability Confidentiality Processing Integrity Privacy

Loading SOC 2 controls...

🔍

Gap Analysis & Remediation

Track gaps identified during your SOC 2 readiness assessment and manage remediation plans.

📁

Evidence Repository

Organize and manage evidence artifacts for your SOC 2 audit.

📁

Upload Resources

Click to upload policy templates, procedures, and compliance documentation

Maximum file size: 5 MB per file

📄 Document Template Library

Pre-built policy and procedure templates to accelerate your CMMC compliance. Download, customize with your company info, and use as evidence.

🔌 Integrations

Connect your security tools to automatically verify compliance and generate evidence

Available Integrations

Microsoft 365

Auto-verify MFA, devices, and access policies

MFA Status Users & Roles Devices Audit Logs

Select Environment

Standard Microsoft 365 for business

Endpoint / MDM

Auto-verify device encryption, patching & antivirus

Encryption Status Patch Level Antivirus Compliance Score

Select Provider

Security Awareness Training

Auto-verify training completion and phishing simulations

Training Completion Phishing Tests Risk Scores

Select Provider

API Key

Find your API key in your training platform's admin settings

Vulnerability Scanner

Connect to Nessus to auto-import vulnerability scan results

Nessus Qualys (Soon) Rapid7 (Soon)

💾

Backup & Recovery

Connect to Veeam to verify backup policies and recovery compliance

Veeam B&R Commvault (Soon) Rubrik (Soon)

🎫

Ticketing System

Connect to Jira to track incidents, changes, and remediation tasks

Jira ServiceNow (Soon) ConnectWise (Soon)

🛡️

SIEM

Connect to Microsoft Sentinel for centralized logging, alerts, and incident detection

Microsoft Sentinel Splunk (Soon) Elastic (Soon)

🔗 Auto-Verified Controls

These NIST 800-171 controls can be automatically verified when you connect integrations. Connected integrations will sync compliance data and update control statuses.

🔷 Microsoft 365 / Entra ID Not Connected

🔒 Endpoint / MDM Not Connected

🎓 Security Awareness Training Not Connected

💾 Backup & Recovery Not Connected

🎫 Jira Service Management Not Connected

🛡️ Microsoft Sentinel Not Connected

👥 Team

Manage your organization and team members

✅ Tasks

Track and manage compliance tasks and assignments

📋

No tasks created yet.

📜 Activity Log

Track all changes and actions for audit accountability

Timestamp	User	Category	Action	Details
📜 No activity recorded yet. Actions will appear here as you use the app.

📈 Executive Summary

One-page compliance overview for leadership and stakeholders

📈 Executive Summary Report

A concise one-page report designed for executives, board members, and prime contractors. Includes SPRS score, overall compliance percentage, risk breakdown, open POA&M count, and estimated timeline to full compliance.

📊 Compliance Summary Report

Generate comprehensive compliance documentation and export as PDF

📄 Compliance Summary Report

A comprehensive report including your SPRS score (calculated using official DoD methodology), control assessment status, assessment objectives progress, open POA&Ms, asset inventory, company information, and compliance statistics. Perfect for audits and management reviews.

Report Contents

✓ Executive Summary

✓ SPRS Score

✓ Control Status Summary

✓ Open POA&Ms

✓ Assessment Objectives

✓ Asset Inventory

✓ Company Information

📋 System Security Plan (SSP)

Generate your System Security Plan based on control implementation details

📋 System Security Plan

The System Security Plan (SSP) is a formal document required for CMMC Level 2 certification. It describes your organization's security controls, how they are implemented, and your overall security posture. This generator creates an SSP based on your control implementation notes.

📋 POA&M Export

Export your Plan of Action & Milestones in standard DoD format

📋 DoD POA&M Format Export

Generate a formal Plan of Action & Milestones document following the standard DoD format. This report is required for CMMC Level 2 assessments and includes all open POA&Ms with weakness descriptions, remediation plans, resources, milestones, and target completion dates.

POA&M Summary

🔍 Gap Analysis Report

Identify compliance gaps and prioritize remediation efforts

🔍 Compliance Gap Analysis

Analyze controls that are "Not Met" or "Partially Met" to identify gaps in your security posture. This report provides prioritized remediation recommendations, estimated effort levels, and helps you plan your path to full CMMC Level 2 compliance.

Gap Summary

📚 CMMC Compliance Guide

Your comprehensive resource for understanding CMMC requirements, controls, and assessment objectives

🎯

What is CMMC?

▼

Overview

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). It was developed by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors.

Why CMMC Matters

Required for DoD Contracts: CMMC certification will be required to bid on and win DoD contracts
Protects Sensitive Information: Ensures proper safeguards for CUI and FCI
Standardizes Security: Creates a common framework across all defense contractors
Third-Party Verification: Level 2+ requires independent assessment

CMMC Levels

Level 1 - Foundational: 17 controls from FAR 52.204-21, self-assessment, protects FCI

Level 2 - Advanced: 110 controls from NIST 800-171, C3PAO assessment, protects CUI

CMMC Level 2 Requirements

CMMC Level 2 is required for organizations that handle CUI. It includes:

All 110 security controls from NIST SP 800-171 Rev 2
Verification through 320 assessment objectives from NIST SP 800-171A
Achievement of a minimum SPRS score of 110 (perfect compliance)
Documentation of any weaknesses through a Plan of Action & Milestones (POA&M)

The Certification Process

Self-Assessment: Conduct internal gap analysis and implement required controls
Prepare Documentation: Create System Security Plan (SSP), POA&Ms, and evidence
C3PAO Assessment: Schedule assessment with a certified third-party assessor
Assessment Execution: Demonstrate compliance through interviews, reviews, and testing
Receive Certification: Obtain CMMC certificate valid for 3 years
Maintain Compliance: Continue monitoring and updating controls

🛡️

Understanding the 110 Controls

▼

NIST SP 800-171 Foundation

CMMC Level 2 is based on the 110 security requirements defined in NIST Special Publication 800-171 Revision 2. These controls are derived from FIPS Publication 200 and represent the minimum security requirements for protecting CUI in nonfederal systems and organizations.

The 14 Control Families

AC - Access Control (22)

Limit system access to authorized users, processes, and devices

AT - Awareness & Training (3)

Ensure personnel are trained in security awareness

AU - Audit & Accountability (9)

Create, protect, and retain audit records

CA - Assessment, Authorization (3)

Periodically assess and authorize security controls

CM - Configuration Management (11)

Establish and maintain baseline configurations

IA - Identification & Authentication (11)

Identify and authenticate users and devices

IR - Incident Response (5)

Establish incident handling capability

MA - Maintenance (6)

Perform maintenance and control maintenance tools

MP - Media Protection (8)

Protect information on digital and non-digital media

PE - Physical Protection (6)

Limit physical access to systems and facilities

PS - Personnel Security (2)

Screen personnel and protect during termination

RA - Risk Assessment (3)

Assess risks and vulnerabilities periodically

SC - System & Communications (16)

Monitor, control, and protect communications

SI - System & Information (7)

Identify, report, and correct information system flaws

Control Status Options

Met: Control is fully implemented

Partial: Control is partially implemented

Not Met: Control is not implemented

N/A: Control does not apply

✅

Assessment Objectives Explained

▼

What Are Assessment Objectives?

Assessment objectives are specific, measurable criteria defined in NIST SP 800-171A that assessors use to verify whether a security control is properly implemented. They break down each of the 110 controls into granular checkpoints that can be objectively evaluated.

Why 320 Objectives?

While there are 110 security controls, many controls have multiple components that need independent verification:

Simple controls may have 1-2 objectives (e.g., "personnel security screening")
Complex controls may have 8-12 objectives (e.g., "boundary protection" with multiple technical requirements)
Each objective is labeled with a letter suffix: [a], [b], [c], etc.
Total of 320 distinct assessment objectives across all 110 controls

Assessment Methods

Each assessment objective specifies how it should be verified using three methods:

📋 Examine

Review documentation, policies, procedures, configuration files, and system specifications

💬 Interview

Discuss with personnel responsible for implementing, managing, or using the control

🔬 Test

Execute technical tests, observe system behavior, verify control functionality

Example: Control 3.1.1

Control: Limit system access to authorized users

Assessment Objectives:

[a] authorized users are identified
[b] processes acting on behalf of authorized users are identified
[c] devices (and other assets) are identified
[d] system access is limited to authorized users
[e] system access is limited to processes acting on behalf of authorized users
[f] system access is limited to authorized devices (including other systems)

Tracking Objectives in This App

Click the checkboxes next to each assessment objective as you gather evidence and verify compliance. Your objective completion percentage contributes to your Overall Compliance score, which is calculated as the average of your Control Compliance percentage and Assessment Objectives percentage.

📊

SPRS Scoring System

▼

Official DoD NIST SP 800-171 Assessment Methodology

The Supplier Performance Risk System (SPRS) score is calculated using the official DoD Assessment Methodology. Unlike a simple 1-point-per-control system, each control has a weighted point value based on its security impact.

Maximum possible score: 110 points
Minimum possible score: -203 points
Controls are weighted: 5, 3, or 1 point based on security impact
The goal for CMMC Level 2 is a perfect score of 110

Control Point Values

Each of the 110 controls has a designated point value based on potential security impact:

5-Point Controls (54 controls)

Significant risk to CUI confidentiality

-5 pts

3-Point Controls (20 controls)

Specific, limited impact on CUI

-3 pts

1-Point Controls (36 controls)

Limited effect on CUI protection

-1 pt

Score Deductions by Status

Met / Fully Implemented: No deduction (0 pts)

Partial Implementation: -1 point (always)

Not Met / Not Implemented: Full deduction (-1, -3, or -5)

Not Applicable: No deduction (excluded)

SPRS Score Requirements

For CMMC Level 2 certification:

Organizations must achieve a score of 110 points
This means all applicable controls must be fully implemented
Any gaps must be documented in a POA&M with remediation plans
Scores can be negative (minimum -203) if many controls are not met
Self-attestation alone is no longer sufficient - third-party assessment required

How This Application Calculates Your Score

This application uses the official DoD methodology to calculate your SPRS score:

Start with the base score of 110 points
For each "Not Met" control, deduct its full point value (1, 3, or 5)
For each "Partial" control, deduct 1 point
"Met" controls have no deduction
"N/A" controls are excluded (no deduction)
The resulting number is your SPRS score (can be negative)

📌 Note: The point values for each control are defined in the DoD Assessment Methodology and are built into this application. You can view a control's point value in the assessment guide section when viewing each control's details.

💡

Best Practices for CMMC Compliance

▼

Documentation Tips

Be Specific: Provide concrete examples, not generic statements
Use Screenshots: Visual evidence of configurations and implementations
Date Everything: Include timestamps on all documentation and evidence
Link to Policies: Reference your security policies and procedures by name/version
Keep It Current: Update documentation when systems or processes change
Organize Systematically: Use this app to keep all evidence in one place

Evidence Collection

Strong Evidence Examples:

Configuration file exports from firewalls, routers, servers
Screenshots of security settings in applications and systems
Audit logs showing access control enforcement
Training completion certificates and attendance records
Vulnerability scan reports and remediation tracking
Incident response exercise documentation
Change management tickets and approval workflows
Vendor assessment and agreement documentation

Common Pitfalls to Avoid

❌ Self-Attestation Without Evidence

Saying you do something isn't enough - you must prove it with documentation

❌ Incomplete POA&Ms

Vague remediation plans without specific tasks, resources, or timelines will be rejected

❌ Outdated Documentation

Documentation from 2+ years ago doesn't reflect your current security posture

❌ Missing Scope Boundaries

Clearly define what systems and data are in scope for CUI processing

❌ Ignoring Personnel Controls

Technical controls are important, but don't overlook training, background checks, and policies

POA&M Management

A strong POA&M includes:

Specific Weakness: Clearly describe what control element is missing or inadequate
Detailed Remediation Plan: Step-by-step actions to achieve full compliance
Resources Required: Budget, personnel, tools, or services needed
Realistic Timeline: Achievable milestones and target completion date
Interim Risk Mitigation: What compensating controls are in place
Regular Updates: Track progress and adjust plans as needed

📖

Quick Reference

▼

Key Terms Glossary

CMMC: Cybersecurity Maturity Model Certification - DoD's cybersecurity standard

CUI: Controlled Unclassified Information - sensitive but unclassified data

FCI: Federal Contract Information - data provided by or generated for the government

DIB: Defense Industrial Base - network of DoD contractors and suppliers

C3PAO: CMMC Third-Party Assessment Organization - certified assessors

POA&M: Plan of Action and Milestones - remediation plan for control gaps

SSP: System Security Plan - comprehensive documentation of security controls

SPRS: Supplier Performance Risk System - DoD's scoring portal

NIST SP 800-171: Security requirements for protecting CUI in nonfederal systems

NIST SP 800-171A: Assessment procedures for verifying 800-171 controls

Helpful Resources

🔗 Official CMMC Website

acq.osd.mil/cmmc - Official DoD CMMC program information

🔗 NIST SP 800-171 Rev 2

The 110 security requirements

🔗 NIST SP 800-171A

The 320 assessment objectives

🔗 SPRS Portal

Submit your official SPRS score

🔗 CISA Resources

Cybersecurity and Infrastructure Security Agency guidance

Frequently Asked Questions

Q: How long does CMMC certification last?

A: CMMC Level 2 certification is valid for 3 years, after which you must be reassessed.

Q: Can I have POA&Ms and still get certified?

A: Yes, but POA&Ms must be well-documented with realistic remediation plans. The number and severity of POA&Ms may impact your certification timeline.

Q: What if a control doesn't apply to my organization?

A: Mark it as "N/A" (Not Applicable) in your assessment. Be prepared to justify why it doesn't apply during the C3PAO assessment.

Q: Do I need to implement all 320 assessment objectives?

A: Assessment objectives are verification criteria, not additional requirements. If you've properly implemented the 110 controls, you should be able to satisfy all corresponding objectives.

Q: How much does CMMC certification cost?

A: Costs vary widely based on organization size and complexity. Budget for C3PAO assessment fees, potential remediation costs, and ongoing compliance maintenance.

Q: Can I use this app during my official assessment?

A: This app is designed for preparation and self-assessment. During official C3PAO assessments, you'll need to provide evidence directly from your systems and documentation repositories.

⚙️

Help & Settings

▼

Quick Actions

🎉

Show Onboarding

Reopen the getting started checklist

📦

Load Demo Data

Populate app with sample compliance data

🎬

Video Tutorial

Watch the getting started walkthrough

Data Management

⚠️ Caution: These actions affect your compliance data. Use carefully.

Need Help?

📧

Email Support

Get help from compliance experts - [email protected]

🤖

AI Assistant

Click the robot icon in the bottom-right corner for instant CMMC guidance

🐛

Report a Bug

Found an issue? Let us know so we can fix it

🤖 CMMC Assistant

👋 Hi! I'm your CMMC compliance assistant. Ask me anything about NIST 800-171, CMMC Level 2, or compliance requirements!

CMMC Compliance Suite

🚀 Starter — Your Company or 1-3 Clients

Level 1

Level 2

🤝 Need More Clients? Volume Pricing

Growth

Scale

Unlimited

Your Free Trial Has Ended

CMMC Level 1

CMMC Level 2

🤝 Need More Clients?

Complete CMMC Compliance Suite

Client Information

📊 Compliance Dashboard

📋 Level 1 Readiness Assessment

⚡ Quick Actions

🛡️ Control Family Progress

👤 Assigned to Me

📈 Implementation Status

⚠️ POA&M Summary by Priority

SOC 2 Compliance NEW

🔌 Connected Integrations

✍️ Self-Attestation Affirmation

🛡️ SOC 2 Type II Compliance Trust Services Criteria

📋 Select Trust Services Criteria

Gap Analysis & Remediation

Evidence Repository

Upload Resources

📄 Document Template Library

🔌 Integrations

Available Integrations

Microsoft 365

Endpoint / MDM

Security Awareness Training

Vulnerability Scanner

Backup & Recovery

Ticketing System

SIEM

🔗 Auto-Verified Controls

👥 Team

No Organization Yet

Organization Members

Pending Invitations

✅ Tasks

📜 Activity Log

📈 Executive Summary

📈 Executive Summary Report

📊 Compliance Summary Report

📄 Compliance Summary Report

Report Contents

📋 System Security Plan (SSP)

📋 System Security Plan

📋 POA&M Export

📋 DoD POA&M Format Export

POA&M Summary

🔍 Gap Analysis Report

🔍 Compliance Gap Analysis

Gap Summary

📚 CMMC Compliance Guide

Level 1 Quick Reference

CMMC Level 1 Overview

Key Differences from Level 2

Level 1 Assessment Process

What is CMMC?

Overview

Why CMMC Matters

CMMC Levels

CMMC Level 2 Requirements

The Certification Process

Understanding the 110 Controls

NIST SP 800-171 Foundation

The 14 Control Families

Control Status Options

Assessment Objectives Explained

What Are Assessment Objectives?

Why 320 Objectives?

Assessment Methods

Example: Control 3.1.1

Tracking Objectives in This App