🛡️ Built for small DoD subcontractors

The controls aren't the hard part.
The documentation is.

CMMC Map turns 110 controls into a documented SSP, POA&M, and policy set you can hand to an assessor — built for the 5–50 person defense sub that doesn't have a compliance team.

See Where You Stand — Free · See How It Works

A 15-minute readiness check — no credit card, no signup to start. Plans from $49/mo · see plans · schedule a call →

70% of CMMC work is documentation
110 Level 2 controls, in plain English
~40% pre-filled after the wizard

Helping U.S. defense contractors prepare for CMMC Level 2 certification  ·  Compliance documentation, not CUI  ·  Built by ProphetMind, Fairfax VA

See It In Action

From a blank spreadsheet to most of the way there

Four steps. About 15 minutes to your first real starting point — and roughly 70–80% of the documentation work done for you.

1. Answer the scoping wizard
[Screenshot: CMMC Map scoping wizard — plain-English questions about your shop]

15 minutes of plain-English questions about your shop — your people, your work, the tools you use. No CMMC background needed.

2. Walk all 110 controls — in plain English
[Screenshot: CMMC Map list of all 110 CMMC Level 2 controls in plain English]

Every control explained for a small business, with an evidence checklist for each. No 400-page NIST PDF to decode.

3. Generate your documents
[Screenshot: CMMC Map document generator producing SSP, POA&M and policies]

One click produces your SSP, POA&M, and all 14 required policies — formatted and ready to hand to an assessor.

4. See exactly where you stand
[Screenshot: CMMC Map readiness report showing SPRS score and per-control status]

A live SPRS score and pass/fail per control, with evidence gaps called out — so there are no surprises at your assessment.

That's the self-serve portion — roughly 70–80% of the documentation. A C3PAO handles the formal certification; CMMC Map gets you ready for it.

The Timeline

Two dates, in plain terms.

The DoD's CMMC FAQ Revision 2.3 (April 2026) lays out the schedule. Here's what it means for a small sub — no alarm bells, just the facts.

Source: DoD CIO — CMMC FAQ Revision 2.3 (April 29, 2026)

The Problem

Documentation is 70% of the work.

"Following the controls is the easy part. Proving that you follow them is a whole different beast." This is the gap CMMC Map fills.

Not documented = Not Met

You can have MFA, encryption, and logging all in place. If the SSP, policies, and procedures aren't written, the assessor marks the control "Not Met." Documentation is what gets you certified.

Assessment costs are brutal

A formal C3PAO assessment runs $50K+. A mock assessment to find out if you'd pass — same price range. CMMC Map gives you self-serve readiness at $149/month — before you spend that.

Sunday night, NIST PDF, you

NIST 800-171 was written for federal agencies with compliance teams — not 12-person shops. Three hours in, you've made it through 4 of 110 controls. You're not slow. The docs weren't built for you.

Where do you even start?

Open the DoD's 110-control spreadsheet and it's a wall of acronyms. Most owners stall before control five. CMMC Map turns it into a prioritized starting point in about 15 minutes.

Who CMMC Map is for

Built for shops like yours

If three of these sound like you, you're our target customer:

If even two of those land, we built this for you. See where you stand — free →

Features

Solves the #1 stated pain: documentation

Click any feature to see how it works.

Document Generator

One-click generation of every document your C3PAO will ask for — formatted and ready to hand over. This is the part everyone leaves until the last minute and then panics over.

  • System Security Plan (SSP) — auto-filled from your control answers
  • Plan of Action & Milestones (POA&M) — gaps and remediation timeline
  • All 14 required policies — password, access control, incident response, and more
  • SPRS submission, gap report, and deficiency report

What you get

  • SSP — Formatted for C3PAO review. Not a blank template.
  • POA&M — Open findings with remediation steps and target dates.
  • 14 Policies — Downloaded as Word documents. Edit and sign.
  • Audit ZIP — One bundle, everything organized. Pro tier.

Readiness Report

Pass/fail per control with evidence gaps identified — the self-serve version of a formal consultant engagement. Walk into your C3PAO knowing exactly where you stand.

  • Every control scored: Met, Partially Met, or Not Met
  • Evidence gaps called out explicitly — no surprises at assessment
  • Generated on demand, always reflects your current state
  • Shareable PDF for your assessor, your team, or your prime
★ Pro tier

Sample output

  • AC.L2-3.1.1 — Met. Evidence on file. Access control policy documented.
  • IA.L2-3.5.3 — Partially Met. MFA enabled but not enforced for VPN access.
  • MP.L2-3.8.3 — Not Met. No media sanitization procedure documented.

Control Walkthrough

All 110 CMMC Level 2 controls translated into plain English — what each one actually means for a small business, and exactly what you need to do to satisfy it.

  • Plain-English explanation of every control — no compliance background needed
  • "What this means for your business" context per control
  • Evidence checklist — what to gather, what to document
  • Phased priority order — tackle the highest-impact controls first

Control families

  • Access Control (AC) — 22 controls. Who can see what, and how it's enforced.
  • Identification & Auth (IA) — 11 controls. MFA, password policies, user management.
  • Incident Response (IR) — 3 controls. What you do when something goes wrong.
  • + 11 more families. All 110 controls, fully guided.

AI-Powered Q&A

Ask anything about any control and get an expert answer instantly. Powered by Claude Sonnet — built into every plan. No API key, no per-token billing, no setup required.

  • Ask in plain English: "Does Microsoft 365 with MFA satisfy IA.L2-3.5.3?"
  • Control interpretation, policy language, remediation how-tos
  • 150 queries/month on Starter · Unlimited on Pro
  • Does NOT process CUI — see the disclaimer on this page

Example questions

  • Policy language — "Write an acceptable use policy for Microsoft Copilot that satisfies SC.L2-3.13.1."
  • Control interpretation — "We use a shared admin account for our firewall. Does that violate IA.L2-3.5.5?"
  • Evidence guidance — "What screenshots does an assessor need to verify AC.L2-3.1.6?"

Readiness Dashboard

Real-time view of exactly where you stand — always. Your SPRS score, completion by control family, evidence coverage, and a prioritized list of what to tackle next.

  • Live SPRS score — recalculates as you work through controls
  • Completion percentage by all 14 control families
  • Evidence coverage — what's documented vs. missing
  • Prioritized next actions — not a 110-item flat list

At a glance

  • SPRS Score — Updates automatically as you complete controls and add evidence.
  • Completion by Family — Spot which areas are done, in-progress, or not started.
  • Evidence Gaps — See which controls are at risk of "Partially Met" or "Not Met."
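The Readiness Report and Readiness Dashboard above describe three pieces of arithmetic: a per-control Met / Partially Met / Not Met status, a live SPRS-style score that drops as controls go unmet, and a prioritized gap list. The following is an added example written for this page, not CMMC Map's own code. The control weights, the six control IDs it scores, and the sample assessment are constructed for the example; the official per-control weights come from the DoD's NIST SP 800-171 Assessment Methodology, not from this table.

```python
"""Readiness scoring over per-control status records (added example, not CMMC Map code).

Start from the 110-point maximum and subtract a per-control weight for every control
that is not fully documented, following the page's rule "Not documented = Not Met":
a Partially Met control loses its full weight.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 110
VALID_STATUSES = ("Met", "Partially Met", "Not Met")

# Constructed sample weights (assumption: each control deducts 5, 3 or 1 points when
# not met).  Real values come from the DoD Assessment Methodology, not this table.
CONTROL_WEIGHTS = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.20": 1,
    "IA.L2-3.5.3": 5,
    "IR.L2-3.6.1": 5,
    "MP.L2-3.8.3": 5,
    "SC.L2-3.13.1": 3,
}


@dataclass(frozen=True)
class ControlStatus:
    control_id: str
    status: str      # one of VALID_STATUSES
    evidence: str    # what is on file, or what is missing

    def __post_init__(self):
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.control_id}: unknown status {self.status!r}")
        if self.control_id not in CONTROL_WEIGHTS:
            raise KeyError(f"{self.control_id}: no weight on file for this control")


def deduction(record: ControlStatus) -> int:
    """Points lost for one control.  Anything short of Met loses the full weight."""
    return 0 if record.status == "Met" else CONTROL_WEIGHTS[record.control_id]


def sprs_score(records) -> int:
    """Live score: the maximum minus every deduction currently on the books."""
    return MAX_SCORE - sum(deduction(r) for r in records)


def family_completion(records) -> dict:
    """Percentage of controls marked Met, per control family (the 'AC' in AC.L2-3.1.1)."""
    met, total = defaultdict(int), defaultdict(int)
    for r in records:
        family = r.control_id.split(".")[0]
        total[family] += 1
        if r.status == "Met":
            met[family] += 1
    return {f: round(100 * met[f] / total[f]) for f in total}


def evidence_gaps(records) -> list:
    """Controls at risk of Partially Met or Not Met, heaviest deduction first."""
    gaps = [r for r in records if r.status != "Met"]
    return sorted(gaps, key=lambda r: (-deduction(r), r.control_id))


# Constructed sample assessment; the first three rows mirror the page's sample output.
SAMPLE = [
    ControlStatus("AC.L2-3.1.1", "Met", "Access control policy documented."),
    ControlStatus("IA.L2-3.5.3", "Partially Met", "MFA enabled but not enforced for VPN access."),
    ControlStatus("MP.L2-3.8.3", "Not Met", "No media sanitization procedure documented."),
    ControlStatus("AC.L2-3.1.20", "Met", "External connections listed in the SSP."),
    ControlStatus("IR.L2-3.6.1", "Met", "Incident response plan signed and dated."),
    ControlStatus("SC.L2-3.13.1", "Partially Met", "Boundary firewall in place; no written policy."),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for family, pct in family_completion(SAMPLE).items():
        print(f"  {family}: {pct}% complete")
    for gap in evidence_gaps(SAMPLE):
        print(f"  {gap.control_id} — {gap.status}: {gap.evidence}")
```

The ordering in `evidence_gaps` is the point of the dashboard's "prioritized next actions" line: a 5-point control with missing documentation is shown before a 3-point one, so the owner works the items that move the score most.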

AI Tool Usage Policy NEW

Generate the AI Tool Usage Policy your C3PAO is about to ask about — including the SSP language you need to document AI in your environment.

  • Define which AI tools are sanctioned for your organization
  • Explicit prohibition on CUI in public AI systems
  • Ready-to-attach SSP language for SC and AC control families
  • Nobody else has this wizard yet
★ Pro tier

Why this matters now

  • Assessors are asking — C3PAOs are now flagging AI tool usage as a control gap in SC.L2-3.13.1 and AC.L2-3.1.20 assessments.
  • Copilot, ChatGPT, Gemini — If your employees use any public AI, you need a written policy. Period.
  • One wizard, done — Answer 8 questions. Get a policy you can sign and attach to your SSP.

CUI Document Scanner

Every uploaded compliance document is automatically scanned for CUI indicators before it enters our system. CLEAR or FLAGGED — you decide before anything is stored.

  • AI pre-screens every document before it touches our servers
  • CLEAR or FLAGGED result shown before you confirm upload
  • Full audit log with timestamp and scan result retained 12 months
  • Our Terms of Service explicitly prohibit CUI uploads

Live scanner results

CLEAR — Safe to upload

MFA_Policy_v2.docx · No CUI indicators detected.

🚩 FLAGGED — Review before uploading

TechSpec_Drawing_A7.pdf · Potential CUI indicators found:

DoD contract refs · Technical specs

Team Collaboration

Invite your IT lead, HR, and management to work together on the same assessment. Multiple workspaces supported — one per client if you're an MSP.

  • Unlimited users on the same workspace — no per-seat pricing
  • Assign controls to specific team members
  • Multiple workspaces — each client gets their own isolated environment
  • Full audit trail of who did what and when
★ Pro tier

Who uses this

  • IT Lead — Handles technical controls: access control, logging, encryption.
  • HR / Admin — Owns training records, personnel agreements, physical security.
  • Owner / CFO — Reviews final documents and signs the SPRS attestation.
  • MSPs — One login, separate workspaces for every defense sub client.

Security First

We take CUI seriously. So our scanner does too.

Controlled Unclassified Information (CUI) should never leave your controlled environment. CMMC Map scans every upload before storage and flags anything that looks like CUI — so you make an informed decision before anything is stored.

  • AI pre-screens every document before it touches our servers
  • CLEAR or FLAGGED result shown before you confirm upload
  • Full audit log with timestamp and scan result retained 12 months
  • Our Terms of Service explicitly prohibit CUI uploads

Live scanner results

CLEAR — Safe to upload

MFA_Policy_v2.docx · No CUI indicators detected. This appears to be standard compliance documentation.

🚩 FLAGGED — Review before uploading

TechSpec_Drawing_A7.pdf · Potential CUI indicators found:

DoD contract refs · Technical specifications · Export-controlled markers

Scan happens before upload. You stay in control.
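Both the CUI Document Scanner feature card and the Security First section describe the same flow: check a document for CUI indicators before it is stored, show CLEAR or FLAGGED with the indicator categories, and keep a timestamped audit record. The following is an added example written for this page, not CMMC Map's scanner. The indicator patterns, the two sample documents, and the function names are constructed for the example; they are heuristics that catch markings and identifiers, not a complete CUI detector.

```python
"""Pre-upload CUI-indicator screen (added example, not CMMC Map's scanner).

Text is checked against indicator categories before anything is stored; the user
sees the verdict and the matched snippets, and a separate audit record is kept.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed heuristic patterns, grouped by the categories the page's scanner reports.
# The bare word "CUI" is deliberately not an indicator: a CUI handling policy is
# compliance documentation and uses that word throughout.
INDICATORS = {
    "CUI markings": [
        re.compile(r"\bCUI//[A-Z]"),                      # banner with a category, e.g. CUI//SP-CTI
        re.compile(r"\bCUI Category:", re.I),             # designation indicator block
    ],
    "DoD contract refs": [
        # PIIN shape: 6-character DoDAAC, 2-digit fiscal year, instrument letter, 4 digits
        re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b"),
    ],
    "Export-controlled markers": [
        re.compile(r"\b(ITAR|EXPORT[- ]CONTROLLED)\b", re.I),
        re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b", re.I),
    ],
    "Technical specs": [
        re.compile(r"\b(drawing|part)\s+(no\.?|number)\s*[:#]?\s*[A-Z0-9-]+", re.I),
        re.compile(r"\btolerance\b", re.I),
    ],
}


@dataclass
class ScanResult:
    filename: str
    verdict: str                                   # "CLEAR" or "FLAGGED"
    findings: dict = field(default_factory=dict)   # category -> matched snippets
    scanned_at: str = ""


def scan_document(filename: str, text: str) -> ScanResult:
    """Run every indicator pattern; any hit in any category flags the document."""
    findings = {}
    for category, patterns in INDICATORS.items():
        hits = [m.group(0) for p in patterns for m in p.finditer(text)]
        if hits:
            findings[category] = hits
    verdict = "FLAGGED" if findings else "CLEAR"
    return ScanResult(filename, verdict, findings, datetime.now(timezone.utc).isoformat())


def banner(result: ScanResult) -> str:
    """The one-line verdict shown before the user confirms the upload."""
    if result.verdict == "CLEAR":
        return f"CLEAR — Safe to upload · {result.filename} · No CUI indicators detected."
    cats = " · ".join(result.findings)
    return f"FLAGGED — Review before uploading · {result.filename} · {cats}"


def audit_entry(result: ScanResult, text: str) -> dict:
    """Record retained after the decision.  It keeps a hash of the content and the
    category names, never the matched snippets, so the audit log cannot itself
    become a store of the CUI the scan was meant to keep out."""
    return {
        "timestamp": result.scanned_at,
        "filename": result.filename,
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "verdict": result.verdict,
        "categories": sorted(result.findings),
    }


# Constructed sample documents (not real contractor files).
CLEAR_DOC = """MFA Policy v2
All users authenticate to Microsoft 365 with multi-factor authentication.
The IT lead reviews this policy annually and retains the review record."""

FLAGGED_DOC = """Technical Specification, Drawing No. A7-114
Contract N00019-26-C-0042
DISTRIBUTION STATEMENT D. Distribution authorized to DoD and U.S. DoD contractors only.
Machined housing, tolerance +/- 0.005 in."""

if __name__ == "__main__":
    for name, text in (("MFA_Policy_v2.docx", CLEAR_DOC), ("TechSpec_Drawing_A7.pdf", FLAGGED_DOC)):
        result = scan_document(name, text)
        print(banner(result))
        print(audit_entry(result, text))
```

The design choice worth copying is the split between what the user sees and what is retained: `scan_document` returns the matched snippets so the person can judge the flag, while `audit_entry` records only a hash, the verdict and the category names for the retention period.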

[Photo: CMMC Map founder]

From Someone Who's Been There

I've sat on both sides of this table.

Early in my career, I was with one of the first C3PAOs in the country — selling and delivering mock and full assessments to defense contractors of all sizes. I watched small businesses spend $50,000 on a mock assessment, hear "you're not ready," and face the same cost again for the formal certification.

After that, I spent years at a compliance firm helping organizations prepare their documentation packages for submission. The pattern was always the same: companies were doing the right things technically — they just couldn't prove it on paper. Pulling the documentation together was where they got stuck, every single time.

CMMC Map is the tool I wish those companies had. Not a $50K consulting engagement. Not a blank template. A guided system that turns your answers into the documents your assessor will actually review.

— David McLaughlin, Founder  ·  ProphetMind / Fairfax, VA

Why Nothing Else Fits

What changes when you use CMMC Map

Free PDFs leave you doing every line yourself. Enterprise GRC is built for 200-person teams. C3PAO assessments cost $50K+ and leave you to write your own documents anyway.

Without CMMC Map (current state for most small subs) vs. with CMMC Map (starting day one):

Your SSP
  Without: Blank government template. You write every line from scratch.
  With: Auto-generated from your control answers. Edit and export.
POA&M
  Without: Manual spreadsheet. Updated by hand every time something changes.
  With: Always current. Gaps update as you work through controls.
SPRS Score
  Without: Compute by hand using NIST scoring tables. Post manually to SPRS.
  With: Live score. Recalculates automatically. Know exactly where you stand.
Readiness Check
  Without: Pay $50K+ for a consultant or C3PAO to tell you where you're failing.
  With: On-demand Readiness Report. Pass/fail per control. At $149/month.
Control Guidance
  Without: 400-page NIST PDF written for federal agencies. Not for a 12-person shop.
  With: Plain English. 110 controls. What it means for YOUR business.
Audit Bundle
  Without: Weeks gathering files, formatting, cross-referencing. Then doing it again.
  With: One-click Audit ZIP. Everything organized for your C3PAO. Pro tier.
AI Help
  Without: None — unless you use a generic AI that doesn't know CMMC.
  With: Claude Sonnet, built in. CMMC-specific answers, every plan.

See Where You Stand — Free →

Free readiness check · No signup to start · See plans

Pricing

Less than a C3PAO assessment. By a lot.

Plans start at $49/month — a fraction of the $50K+ a formal C3PAO assessment costs. No contracts, cancel anytime.

See plans & what's included →

What CMMC Practitioners Are Saying

"Documentation is 70% of the work. Everyone focuses on technical control implementation and leaves documentation for later. Not documented = Not Met for CMMC purposes."

— CMMC practitioner, r/CMMC (May 2026)

"We wouldn't have passed without doing the mock first. Just having that information was worth it."

— DoD subcontractor who passed L2 with 100% score

Common Questions

Things people ask before signing up

When does CMMC actually become mandatory?

Two phases. Phase 1 — self-assessment and SPRS score posting — has been required since November 10, 2025 for any DoD contractor handling CUI under DFARS 252.204-7012/7019/7020. Phase 2 — mandatory C3PAO third-party assessment — begins November 10, 2026. Source: DoD CIO CMMC FAQ Revision 2.3 (April 29, 2026).

Do I need to upload CUI to use this tool?

No. CMMC Map is a compliance readiness tool. You upload compliance documentation — your policies, configuration screenshots, training records — not the controlled technical data those controls protect. Every upload is automatically scanned for CUI indicators before it enters our system.

Will this replace my C3PAO?

No — and we're upfront about that. CMMC Map prepares you for a C3PAO assessment. The certification itself requires a Certified Third-Party Assessment Organization. We get you audit-ready; the C3PAO conducts the formal audit. Think of us as the prep work that makes your C3PAO engagement faster and cheaper.

Do I need to know CMMC to use this?

Not at all. That's the whole point. Every control is explained in plain English with "what this means for your business" context and step-by-step guidance. If you've never heard of NIST 800-171, start here.

What is the AI assistant and do you see my conversations?

The AI is powered by Claude Sonnet and is built into every plan — no separate API key to set up, no per-token billing. Starter includes 150 AI queries per month; Pro is unlimited. Your conversations are private to your workspace and never used to train models.

How long does CMMC Level 2 certification take?

For most small defense contractors, 12–18 months from start to certification. CMMC Map structures that timeline into four phases so you're always moving forward — not staring at a 110-row spreadsheet wondering where to start.

Is this just for CMMC Level 2?

Yes, CMMC Map is purpose-built for Level 2 — the tier required by most defense contractors handling Controlled Unclassified Information. Level 2 covers all 110 practices from NIST SP 800-171. Level 3 support is on our roadmap.

I don't have any IT staff. Can I still use this?

Yes — this is exactly who we built it for. Every control is rewritten in plain English with a "what this means for YOUR business" explainer. The AI assistant answers questions about your specific setup ("we use Microsoft 365 with MFA — does that satisfy IA.L2-3.5.3?"). If you can run a small business, you can run this. The average shop hits audit-ready in 8–12 weeks of evening work.

What if I'm a 5–10 person shop?

You're our target customer. The Starter plan ($49/month) is built for solo owners and very small teams — all 110 controls, all the document generation, 150 AI queries per month. The Pro plan ($149/month) makes sense once you have 2+ people working on compliance together and you want unlimited AI, the Readiness Assessment Report, the AI Tool Usage Policy wizard, and the one-click Audit ZIP bundle.

How is this different from hiring a consultant?

A consultant or C3PAO engagement typically runs $50K+ for a formal assessment — and you still have to write your own SSP and policies afterward. CMMC Map is an ongoing self-serve tool: it generates the documentation as you work, keeps your readiness score current, and produces a Readiness Assessment Report on demand. At $149/month for Pro, you get the same kind of output — pass/fail per control with evidence gaps — at a fraction of the cost. Many practitioners do both: use CMMC Map to get audit-ready, then engage a C3PAO for the formal certification.

Can I paste CUI into the AI Q&A?

No. The AI Q&A is a cloud-hosted assistant — it does not process Controlled Unclassified Information. Do not paste CUI, technical specs, drawings, or any contract data marked CUI into the Q&A textbox. Use the Q&A for control interpretation, policy language, and compliance how-tos. For document uploads, the CUI scanner flags anything that looks like CUI before storage. This is part of practicing what we preach on data egress.

I'm overwhelmed and don't know where to start.

Start with the free readiness check — no signup required. It asks a short set of plain-English questions about your shop and gives you a prioritized starting point in minutes. Inside the app, the 15-minute scoping wizard then pre-fills ~40% of the 110 controls automatically, so you go from staring at 110 unknowns to a real starting point in one sitting.

Get audit-ready — without the scramble.

See where you stand in about 15 minutes. No credit card, no commitment.

See Where You Stand — Free → Prefer to talk? Schedule a call

Or email info@cmmcmap.com with any questions · Built for U.S. defense contractors · Powered by ProphetMind, Fairfax VA