# CMMC Command — Complete Site Content for LLMs

> CMMC Level 2 compliance platform for Defense Industrial Base (DIB) contractors.
> URL: https://cmmccommand.org
> Contact: sales@cmmccommand.org

---

## About CMMC Command

CMMC Command is a multi-tenant SaaS platform that helps Defense Industrial Base (DIB) contractors achieve CMMC Level 2 compliance. It provides the fastest path from NIST SP 800-171 self-assessment to being audit-ready for C3PAO third-party assessment.

The platform covers the entire compliance lifecycle: self-assessment of all 110 NIST SP 800-171 controls, real-time SPRS score calculation, gap analysis, evidence collection, SSP/POA&M document generation, remediation task management, and AI-powered compliance analysis.

### Key Statistics

- 100,000+ DIB contractors affected by CMMC requirements
- CMMC Phase 2 C3PAO certification deadline: November 2026
- $50,000+ maximum fine per violation
- NIST SP 800-171 Rev 2 aligned
- All 110 controls covered
- No CUI (Controlled Unclassified Information) stored

---

## Pricing

CMMC Command offers 4 subscription tiers. No free trials — the Free tier IS the trial. No credit card required to start. All paid plans can be cancelled anytime. Annual billing saves 2 months (roughly 17% discount).

### Free — $0 forever

- 1 user seat
- All 110 NIST SP 800-171 controls
- Real-time SPRS score calculation (range: -203 to +110, DOD-weight accurate)
- Gap analysis dashboard
- SPRS Impact Simulator (what-if scoring tool)
- Assessment Readiness dashboard (C3PAO audit simulation)
- No credit card required

### Starter — $249/month (or $207/month billed annually at $2,490/year, save $498)

- Up to 10 user seats
- Everything in Free, plus:
- Evidence vault with expiration tracking and CUI scanning
- SSP (System Security Plan) generation — full DOD-expected format with cover page, 7 numbered sections, per-control implementation statements, SPRS weights, evidence counts, family compliance scoring, dual approval signature block
- POA&M (Plan of Action & Milestones) generation — SPRS-weighted prioritization (Critical/High/Medium), score impact analysis, 30/60/90 day targets, per-item milestones, resource estimates
- 5 policy templates with team acknowledgment tracking
- SPRS score trend history
- CSV export (controls, evidence, audit log, tasks)
- Team management with role-based access (company_admin, assessor, employee, auditor)
- Audit log of all state-changing actions

### Professional — $749/month (or $624/month billed annually at $7,490/year, save $1,498) — Most Popular

- Up to 25 user seats
- Everything in Starter, plus:
- 8 AI-powered compliance features (powered by Anthropic Claude, with OpenAI GPT-4o fallback):
  1. AI Executive Summary — generates compliance posture narrative from control metadata
  2. AI Gap Analysis — per-control risk analysis with SPRS-weighted remediation guidance
  3. AI Policy Drafting — generates audit-ready CMMC policy documents with proper formatting
  4. AI SSP Narratives — per-control implementation statements for System Security Plan
  5. AI Compliance Advisor — chat-based Q&A grounded in your actual assessment data
  6. AI Remediation Plans — step-by-step fix instructions per control with effort estimates
  7. AI Evidence Review — automated assessment of evidence sufficiency for C3PAO review
  8. AI Interview Prep — realistic C3PAO assessor questions tailored to your implementation
- All 20 CMMC policy templates (vs. 5 in Starter)
- Remediation task board with priority levels, deadline email alerts, and assignee management
- 320-objective NIST SP 800-171A assessment tracking (detailed per-control objectives)
- Up to 10 security tool integrations with automated evidence collection
- Compliance drift monitoring (automated checks every 4 hours, email alerts on regression)
- Task analytics with burn-down and velocity charts (30d/60d/90d views)
- Executive PDF compliance report (company-wide score, control summary, top gaps, remediation snapshot)

### Enterprise — Custom pricing (Coming Soon)

- Unlimited user seats
- Everything in Professional, plus:
- Multi-entity portfolio management (up to 10 subsidiaries/sub-contractors with CAGE code, UEI tracking)
- C3PAO assessor collaboration portal (time-limited invite links, read-only or assessor access, no auth required)
- SSO / SAML authentication
- REST API with API key management (4 endpoints: controls, tasks, evidence, score)
- Unlimited integrations (vs. 10 in Professional)
- Dedicated success manager + SLA

### Comparison: CMMC Command vs. Hiring a Consultant

| Capability | Manual / Consultant | CMMC Command |
|---|---|---|
| 110-control NIST 800-171 assessment | Spreadsheets & Word docs | Guided walkthrough with SPRS scoring (Free) |
| SPRS score calculation | Manual formula, error-prone | Real-time, DOD-weight accurate (Free) |
| Gap analysis & prioritization | Consultant required ($200–400/hr) | AI-generated, SPRS-weighted (Professional) |
| SSP & POA&M document generation | 40–80 hours to write manually | Auto-generated, DOD format (Starter) |
| Evidence collection & vault | Screenshots & file shares | Upload + 10 integrations auto-collect (Starter) |
| Policy documentation | Hire consultant or write from scratch | 5–20 audit-ready templates + AI drafting (Starter) |
| Remediation task management | Spreadsheet tracking | Task board with deadline alerts & analytics (Professional) |
| C3PAO audit preparation | Hope for the best | AI interview prep + readiness scoring (Professional) |
| Continuous monitoring | Not feasible manually | Drift alerts every 4 hours (Professional) |
| Typical cost | $30,000–$80,000+ | Free to start, from $249/mo |
| Time to audit-ready | 6–12 months | 8–12 weeks |

---

## Platform Features (Detailed)

### Self-Assessment (Free)

Walk through all 110 NIST SP 800-171 controls across 14 control families with plain-English guidance. Track each control as Implemented, Partially Implemented, or Not Implemented.

### SPRS Score Calculation (Free)

Real-time Supplier Performance Risk System score using DOD-assigned weights (1, 3, or 5 per control). Score range: -203 to +110. Uses the same weight table as the DOD.

### SPRS Impact Simulator (Free)

Interactive what-if tool: toggle controls between statuses and see your projected SPRS score update in real time before you do the work.

### Assessment Readiness Dashboard (Free)

C3PAO audit simulation showing: readiness percentage gauge, domain breakdown across 14 control families (sorted by risk), assessment timeline, and top 5 high-weight unimplemented controls.

### Evidence Vault (Starter+)

Upload, organize, and link evidence documents to controls. Features: expiration date tracking, CUI (Controlled Unclassified Information) scanning (client-side pre-upload check for text files, server-side post-upload scan for all file types including PDF and DOCX), and per-evidence status tracking.

### SSP Generation (Starter+)

Full DOD-expected format System Security Plan: cover page, table of contents, 7 numbered sections, system identification, CUI boundary, roles & responsibilities, per-control implementation statements with SPRS weights and evidence counts, family-level compliance scoring, policy cross-references, POA&M cross-reference, dual approval signature block.

### POA&M Generation (Starter+)

Plan of Action & Milestones with SPRS-weighted prioritization (Critical = weight 5, High = weight 3, Medium = weight 1), score impact analysis (current vs. potential SPRS), 30/60/90 day targets, per-item milestones, resource estimates, and evidence status.

### Policy Template Library (Starter: 5 templates, Professional: all 20)

20 audit-ready policy templates mapped to NIST SP 800-171 control families. Supports team acknowledgment tracking so you can verify team members have reviewed and accepted policies.

### Remediation Task Board (Professional+)

Create, assign, prioritize, and track remediation tasks linked to specific controls. Features: priority levels, deadline management, assignee tracking, email alerts for upcoming deadlines (weekdays 9am UTC), and burn-down/velocity analytics.

### 320-Objective Assessment Tracking (Professional+)

Detailed tracking of all 320 assessment objectives from NIST SP 800-171A, organized per control. Provides granular visibility into exactly which objectives are satisfied, partially met, or not met.

### Compliance Drift Alerting (Professional+)

Automated monitoring every 4 hours compares current control statuses against last sync snapshot from integrations. Sends email alerts when security posture regresses.

### Task Analytics (Professional+)

Burn-down and velocity analytics for remediation tasks: 30-day, 60-day, and 90-day views with line charts and bar charts showing progress over time.

### Executive PDF Report (Professional+)

One-click HTML report generation with: company-wide compliance score, control summary, top gaps, remediation snapshot. Opens in new tab for print-to-PDF.

---

## AI Features (Professional+ only)

All AI features are powered by the Vercel AI SDK with multi-provider support: Anthropic Claude (preferred) with OpenAI GPT-4o fallback. AI never sees uploaded documents or CUI — only control metadata and company name.

1. **AI Executive Summary** — Generates a compliance posture narrative from your control metadata. Streaming response displayed on the dashboard.
2. **AI Gap Analysis** — Per-control risk analysis with SPRS-weighted remediation guidance. Triggered per control on the gap analysis page.
3. **AI Policy Drafting** — Generates audit-ready CMMC policy documents with proper formatting for C3PAO review. Available per template on the policies page.
4. **AI SSP Narratives** — Generates per-control implementation statements for your System Security Plan. Toggle during SSP generation.
5. **AI Compliance Advisor** — Chat-based Q&A grounded in your actual assessment data. Full chat interface at /dashboard/ai-advisor. Like having a CMMC consultant on demand.
6. **AI Remediation Plans** — Step-by-step fix instructions per control with effort estimates and evidence checklists.
7. **AI Evidence Review** — Automated assessment of whether your evidence is sufficient for C3PAO review against NIST SP 800-171A objectives.
8. **AI Interview Prep** — Practice with realistic C3PAO assessor questions tailored to your specific implementation status.

---

## Supported Integrations (Professional+, up to 10; Enterprise: unlimited)

Each integration auto-collects compliance evidence mapped to specific NIST SP 800-171 controls.

1. **Microsoft Entra ID** — Identity, MFA, conditional access, audit logs (OAuth, maps to 16 controls)
2. **Microsoft 365 & Defender** — Endpoint protection, encryption, patch compliance (OAuth, 14 controls)
3. **CrowdStrike Falcon** — EDR, vulnerability management, incident response (API key, 11 controls)
4. **Google Workspace** — Identity, 2-step verification, admin audit, drive policies (OAuth, 11 controls)
5. **AWS** — IAM, CloudTrail, S3 encryption, VPC, Security Hub (API key, 15 controls, Enterprise only)
6. **SentinelOne** — Endpoint protection, threat detection (API key, 9 controls, Enterprise only)
7. **Tenable.io** — Vulnerability scanning, scan coverage, risk assessment (API key, 7 controls)
8. **KnowBe4** — Security awareness training, phishing simulations (API key, 3 controls)
9. **Jamf Pro** — Apple MDM, FileVault encryption, patch management (API key, 6 controls)
10. **Okta** — Identity, MFA, group access control, audit logs (API key, 8 controls)

---

## Frequently Asked Questions

**Q: What is CMMC Level 2 and who needs it?**
A: CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

**Q: When is the CMMC certification deadline?**
A: CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

**Q: Can I use CMMC Command for my self-assessment?**
A: Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

**Q: How does the AI compliance analyst work?**
A: The 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

**Q: Do you store CUI or sensitive documents?**
A: No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and CMMC Command explicitly does not store controlled unclassified information. Security practices are documented at https://cmmccommand.org/security.

**Q: How does CMMC Command compare to hiring a consultant?**
A: A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo. You'll still want a consultant for the C3PAO assessment itself, but you'll arrive far more prepared.

**Q: What integrations are supported?**
A: 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls — no manual screenshots needed.

**Q: Can I cancel anytime?**
A: Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. Full data export is also supported.

---

## Live Demo

A fully interactive demo is available at https://cmmccommand.org/demo with no login required. The demo includes:

- **Dashboard** — Overview with SPRS score, control status breakdown, compliance metrics
- **Assessment** — All 110 NIST SP 800-171 controls across 14 families, interactive status tracking
- **Gap Analysis** — Identified gaps with AI-powered analysis preview
- **Documents** — SSP & POA&M generation preview
- **Readiness** — C3PAO audit readiness dashboard with domain breakdown
- **SPRS Simulator** — Interactive what-if scoring tool
- **Remediation** — Task management board preview
- **Analytics** — Burn-down and velocity chart preview
- **AI Advisor** — Sample AI compliance conversation

Demo URLs:

- https://cmmccommand.org/demo
- https://cmmccommand.org/demo/assessment
- https://cmmccommand.org/demo/gap-analysis
- https://cmmccommand.org/demo/documents
- https://cmmccommand.org/demo/readiness
- https://cmmccommand.org/demo/sprs-simulator
- https://cmmccommand.org/demo/remediation
- https://cmmccommand.org/demo/analytics
- https://cmmccommand.org/demo/ai-advisor

---

## Security

CMMC Command does not store CUI. The platform stores compliance metadata only: control statuses, SPRS scores, task assignments, evidence references. All uploaded evidence files are scanned for CUI markers using a two-layer approach (client-side pre-upload for text files, server-side post-upload for all file types).

- Full security documentation: https://cmmccommand.org/security
- Privacy policy: https://cmmccommand.org/privacy
- Terms of service: https://cmmccommand.org/terms

---

## Technical Architecture

- **Frontend:** Next.js App Router with server-side rendering
- **Backend:** Convex (real-time, serverless database and functions)
- **Auth:** Clerk with multi-organization support
- **Payments:** Stripe subscriptions with webhook-only tier changes
- **AI:** Vercel AI SDK + Anthropic Claude / OpenAI GPT-4o
- **Hosting:** Vercel + Convex Cloud

---

## Contact

- Sales: sales@cmmccommand.org
- Support: https://cmmccommand.org/support
- Website: https://cmmccommand.org