
CMMC Assessment Tool Features

A single HTML file that replaces $10K–$100K GRC platforms. 100% offline. Air-gap ready. Deploys in seconds. The only CMMC tool approved for Top Secret environments.

67 total features · 110 NIST SP 800-171 practices · 0 network requests · current version/build: v1.0

Feature Catalogue — v1.0

67 Features. Four Pillars. Zero Compromises.

Every capability your assessment team needs — from AES-256 encrypted backups to OSCAL exports — in a single file that never phones home.


Security & Auth

Security Highlight

The tool operates 100% offline. No assessment data, user credentials, telemetry, or usage data is ever transmitted to Cyber Risk Service or any third party. All cryptographic operations use the Web Crypto API (AES-256-GCM, PBKDF2-SHA-256, HMAC-SHA-256) running entirely in the client browser.

AES-256-GCM Encrypted Backups

All backup exports are encrypted using AES-256-GCM with PBKDF2-SHA-256 key derivation (1,500,000 iterations). Lost passwords cannot be recovered — by design.

PIN Hashing (PBKDF2)

User PINs are never stored in plaintext. Each PIN is hashed with PBKDF2-SHA-256 at 1,500,000 iterations with a unique per-user random salt. Legacy PINs are automatically migrated on next login.

WebAuthn Passkey Authentication

Supports Face ID, Touch ID, and Windows Hello via the Web Authentication API. Passkeys are stored locally and tied to the device — no server required.

Machine Fingerprinting

License keys are cryptographically bound to the device at activation using a stable browser fingerprint (user agent, screen, timezone, hardware concurrency). Prevents license key copying to other machines.

License Key System (AES-256-GCM)

Per-organisation license keys are encrypted with AES-256-GCM and signed with HMAC-SHA-256. Validation checks: product code, HMAC signature, not-before date, expiry, grace period, and machine fingerprint.

14-Day Grace Period

After a license expires, the tool remains accessible for 14 days with a prominent renewal warning banner — preventing abrupt access loss for clients with delayed renewals.

5-Attempt Lockout with Countdown

After 5 consecutive failed PIN attempts, the login screen is locked for 5 minutes. A live countdown timer is displayed. Lockout state persists across page reloads.

Recovery Codes

16-character alphanumeric recovery codes are generated for each user. Codes are single-use — automatically rotated after use. Allows account recovery without administrator intervention.

Session Integrity Signing

Active sessions are signed with a derived HMAC key tied to the admin PIN. Tampering with session data in localStorage is detected and rejected on next verification.

Role-Based Access Control (RBAC)

Three roles: Admin (full access), Reviewer (read + approve + export), Assessor (assess + CAP + export, scoped to assigned domains). All UI elements and actions are gated by role check.

IndexedDB Encryption (Dexie)

Evidence files and user/client data are stored in an encrypted IndexedDB via Dexie. The database encryption key is derived from the admin PIN using PBKDF2 at first run and re-keyed on PIN change.

Full Audit Log

Every assessment action, login, export, user management event, and backup operation is recorded with user, timestamp, and detail. The audit log is stored in IndexedDB and exportable as CSV.

EULA Acceptance Gate

A full End User License Agreement must be accepted before first use. Acceptance is recorded in localStorage with a timestamp. The EULA covers disclaimer, data responsibility, IP ownership, and liability limits.

100% Offline Operation

The application operates entirely in the browser with no network requests during use. No assessment data, user data, or telemetry is ever transmitted to external servers. Suitable for CUI-adjacent environments.

Encrypted License Request Files

License request payloads (.lreq files) are AES-256-GCM encrypted before being emailed to CRS for activation. Prevents interception of organisation details in transit.

Assessment

Assessment Highlight

The tool supports the complete CMMC Level 2 journey from self-assessment through formal C3PAO certification — covering all 110 practices across 17 domains, with built-in SPRS scoring, CAP building, POA&M management, and objective-level evidence linking aligned to NIST SP 800-115 methodology.

NIST SP 800-171 Rev 2 — All 110 Practices

Complete library of all 110 NIST SP 800-171 Rev 2 practices across 17 domains. Each practice includes ID, title, full description, implementation level (L1 or L2), SPRS weight, implementation guidance, evidence suggestions, and objective-level assessment detail.

CMMC Level 1 / Level 2 Mode

Toggle between Level 1 (17 practices, FAR 52.204-21 alignment) and Level 2 (all 110 practices, DFARS 252.204-7012). Separate scoring, reporting, and SPRS calculation per level.

SPRS Score Calculator

Real-time SPRS score computed per NIST SP 800-171 DoD Assessment Methodology. Starts at 110, deducts weighted points for non-met and partial practices. Displayed on the dashboard and all report exports.

Practice Risk Prioritization

Each practice is scored by combining SPRS weight with a criticality multiplier. The dashboard surfaces highest-risk gaps first, helping assessors prioritise remediation effort for maximum SPRS score improvement.

Objective-Level Scoring

Every practice can be broken down to individual assessment objectives. Each objective is scored as Satisfied, Not Satisfied, or N/A. Objective scores roll up to the practice-level status.

Objective-Level Evidence Linking

Evidence files can be linked to specific objectives within a practice — not just the practice overall. Supports the granular evidence mapping required for C3PAO assessment packages.

Evidence File Storage

Upload evidence files (any type) against any practice. Files are stored in encrypted IndexedDB (Dexie) — fully local, no cloud upload. Supports bulk upload and drag-and-drop.

Evidence Tagging & Classification

Each evidence file can be tagged by type (policy, procedure, screenshot, log, interview record, etc.), CUI category, and sufficiency rating (sufficient, partial, insufficient). Used to drive the Evidence Sufficiency Dashboard.

Evidence Cross-Mapping

A single evidence file can be mapped to multiple practices simultaneously. Prevents evidence duplication and highlights files that satisfy multiple controls — critical for large evidence packages.

Evidence Sufficiency Dashboard

All-practices grid view showing evidence count and sufficiency rating per practice. Instantly surfaces which practices have no evidence, partial evidence, or sufficient evidence. Colour-coded at a glance.

POA&M Management

Full Plan of Action & Milestones module aligned to 32 CFR 170.21. Each POA&M item captures: tracking ID, CMMC UID, identified date, responsible owner, affirming official, risk level, scheduled completion, milestones, resources, evidence, and closure criteria. Supports Conditional CMMC Level 2 status.

POA&M Eligibility Enforcement

Only POA&M-eligible practices (per 32 CFR 170.21 — single-point deductions) can be added to the POA&M. Ineligible practices are blocked at the UI level. Minimum 88/110 SPRS score enforced for Conditional status.
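The SPRS calculation, the risk prioritisation and the POA&M eligibility gate described in the three entries above, as an added example that is not the CRS tool's own code. The 1/3/5-point weights follow the DoD Assessment Methodology; the practice IDs, weights and criticality multipliers in the sample are constructed placeholders, and the treatment of Partial and N/A statuses is an assumption noted in the comments.

```javascript
// Added example, not the CRS tool's own code: the SPRS arithmetic and the
// POA&M / Conditional Level 2 gates the catalogue describes.
// Weights of 1, 3 or 5 points per practice follow the NIST SP 800-171 DoD
// Assessment Methodology; statuses are the tool's (Met, Partial, Not Met, N/A).
const MAX_SCORE = 110;        // every practice met
const CONDITIONAL_MIN = 88;   // minimum SPRS score for Conditional Level 2

// Constructed sample. IDs, weights and criticality multipliers are illustrative
// placeholders, not the real practice table (the tool ships all 110).
const SAMPLE_PRACTICES = [
  { id: 'P-01', domain: 'AC', weight: 5, criticality: 1.0, status: 'Met' },
  { id: 'P-02', domain: 'AC', weight: 5, criticality: 1.0, status: 'Met' },
  { id: 'P-03', domain: 'AT', weight: 3, criticality: 1.0, status: 'Not Met' },
  { id: 'P-04', domain: 'AU', weight: 5, criticality: 1.5, status: 'Partial' },
  { id: 'P-05', domain: 'CM', weight: 1, criticality: 1.0, status: 'Not Met' },
  { id: 'P-06', domain: 'IA', weight: 5, criticality: 1.0, status: 'N/A' },
];

// Points deducted for one practice. Assumption: Partial deducts the full
// weight (the DoD methodology gives partial credit only for two named
// practices, which the page does not detail); N/A deducts nothing.
function deductionFor(p) {
  return (p.status === 'Not Met' || p.status === 'Partial') ? p.weight : 0;
}

function sprsScore(practices) {
  return MAX_SCORE - practices.reduce((sum, p) => sum + deductionFor(p), 0);
}

// Highest-risk gaps first: SPRS weight times a criticality multiplier
// (the multiplier values are an assumption; the page does not publish them).
function prioritisedGaps(practices) {
  return practices
    .filter(p => deductionFor(p) > 0)
    .map(p => ({ ...p, risk: p.weight * p.criticality }))
    .sort((a, b) => b.risk - a.risk);
}

// 32 CFR 170.21: only single-point (weight 1) practices may sit on a POA&M.
// The rule also carves out a few named 1-point practices; not modelled here.
function poamEligible(p) {
  return p.weight === 1;
}

// Conditional Level 2 needs score >= 88 and every open gap to be POA&M-eligible.
function conditionalStatus(practices) {
  const score = sprsScore(practices);
  const blocked = prioritisedGaps(practices).filter(p => !poamEligible(p)).map(p => p.id);
  return { score, blocked, conditionalEligible: score >= CONDITIONAL_MIN && blocked.length === 0 };
}
```

For the sample, the score is 101 (above 88) yet Conditional status is still blocked, because the open 3- and 5-point gaps cannot be placed on a POA&M; remediating those two is what unlocks it.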

180-Day Conditional Status Countdown

Once a conditional status date is recorded, a live countdown widget on the dashboard tracks the 180-day deadline per 32 CFR 170.21. Displays days remaining with colour-coded urgency.

Finding & Observation Tracker

Log findings and observations discovered during assessment. Each finding has a severity (critical, high, medium, low), status (open, in-progress, closed), and can be promoted directly to a POA&M item with one click.

Interview Log

Structured interview sessions linked to specific practices. Records interviewer, interviewee, date, questions, and responses. Supports NIST SP 800-115 examine/interview/test methodology. Exportable as a standalone HTML document.

CMMC Assessment Plan (CAP)

Full Assessment Plan builder aligned to 32 CFR 170.17 requirements. Sections: identification, OUA details, system boundary, CUI categories, assessment team (with CCA credentials), conflict of interest declaration, domain methods plan, evidence request list, rules of engagement, POA&M pre-review, and lock/attest function.

Assessment Templates

Save any client assessment state as a named template. Apply templates to new clients to pre-populate practice statuses and notes — useful for common system types or baseline configurations.

Assessment Comparison

Select multiple clients and compare their assessments side-by-side across all 110 practices. Highlights divergences, tracks improvement over time, and supports multi-client portfolio management.

Assessment Snapshots

Save point-in-time snapshots of an assessment. Used to track SPRS score improvement over time and feed the SPRS Trend Chart. Snapshots are stored per client.

SPRS Score Trend Chart

Visual line chart of SPRS score history across saved snapshots. Shows trajectory of remediation progress over time. Supports the narrative required in CMMC annual affirmations.

Compensating Controls Registry

Document and manage compensating controls for practices that cannot be fully implemented. Each entry links to the associated practice and POA&M item. Provides an auditable record of alternative mitigations.

Scope & System Boundary Documentation

Structured fields for defining the assessment scope: system name and description, in-scope locations, out-of-scope items, cloud providers, CUI categories, and SSP reference. Feeds into all exported reports.

Batch Status Update

Select multiple practices simultaneously and apply a status (Met, Partial, Not Met, N/A) to all in a single action. Dramatically accelerates bulk assessment work for large domains.

Assessment Work Queue

Filterable task queue showing all practices assigned to a specific assessor. Shows completion percentage, status breakdown, and outstanding items — designed for daily assessment workflow management.

Assessor Progress Tracker

Per-team-member completion dashboard. Shows each assessor’s assigned domains, percentage of practices assessed, and status breakdown. Useful for managing large multi-person assessment teams.

Domain-Based Assessor Assignment

Admins can assign specific CMMC domains to individual assessors. Assessors only see and work on their assigned domains — enforcing separation of duties and simplifying workflow in large assessments.

Corrective Action Plan (CAP) Notes

Per-practice corrective action notes distinct from assessment notes. Tracks planned remediation actions, owners, and due dates at the practice level. Separate from the formal POA&M.

Client Notes / Scratchpad

Freeform rich text scratchpad per client for general assessment notes, meeting summaries, and working documentation. Separate from practice-level notes.

C3PAO Readiness Checklist

Pre-assessment readiness checklist covering documentation completeness, evidence package status, team preparation, and scheduling. Helps clients understand what a C3PAO will expect on assessment day.

Gap Analysis View

Summarises all non-met and partial practices with their SPRS impact, domain, level, and current notes. Designed as a gap analysis deliverable — can be printed or exported.

Risk Heatmap

Domain-level heat map colouring each of the 17 CMMC domains by the proportion of practices met. Provides immediate visual identification of the most deficient domains.

Reporting

Print Report (Assessment Report)

Full printable CMMC assessment report covering all 17 domains. Shows SPRS score, Met/Not Met/Partial counts, POA&M count, and a per-practice table with status, notes, and POA&M details. Includes Level 1 and Level 2 modes.

POA&M Report

Printable POA&M report with full detail per item: all 6 NIST SP 800-115-aligned sections (identification, description, risk, timeline, resources, closure), plus signature blocks for responsible owner, affirming official, and lead assessor (CCA).

Executive Summary Report

One-page printable executive summary with SPRS score gauge, domain-level status breakdown, top-risk practices, POA&M summary, and key recommendations. Designed for presentation to leadership or government contracting officers.

SSP Export (HTML)

System Security Plan export in structured HTML format. Covers system description, CUI handling, all 110 control implementations, team and scope data. Compliant with NIST SP 800-171A SSP requirements.

OSCAL JSON Export

Assessment results export in NIST OSCAL (Open Security Controls Assessment Language) JSON format (v1.1.2). Includes all findings, party information, and assessment metadata. Machine-readable for downstream tooling.

CSV Export

Export full assessment data as a CSV file — all 110 practices with status, notes, SPRS weight, and POA&M data. Compatible with Excel, Google Sheets, and GRC platforms.

CAP HTML Export

Export the CMMC Assessment Plan as a standalone, signed HTML document. Includes all 8 CAP sections with signature lines for the lead assessor (CCA) and OUA authorised representative.

Interview Log HTML Export

Export structured interview records as a standalone HTML document. Includes all sessions with linked practices, questions, responses, and metadata.

Audit Log CSV Export

Export the full audit log as a CSV file from the Audit Log Viewer. Supports filtered export (by user, date range, action type).

Encrypted Backup / Restore

Export all assessment data as an AES-256-GCM encrypted backup file. Restore on any machine by providing the original encryption password. Backup includes all clients, users, audit log, and evidence metadata.

License Request File Export

Generate an encrypted .lreq license request file from within the tool. Email to CRS for activation. Prevents need to share organisation details in plaintext.

User Experience

Dark / Light Mode

Full dark and light theme toggle. Persistent across sessions in localStorage. All UI elements — including modals, tables, forms, and charts — respect the active theme.

Collapsible Sidebar

The navigation sidebar can be collapsed to icons-only mode to maximise screen real estate during assessment work. State is persisted per session.

Keyboard Shortcuts

Global keyboard shortcuts: N (next practice), P (previous practice), M (cycle status), X (clear status), E (open evidence), ? (show shortcut reference). Designed for rapid keyboard-only assessment workflow.

Side Panel Detail View

Slide-in side panel for any practice showing full description, implementation guidance, evidence suggestions, objectives, and current assessment data — without leaving the main practice list.

Toast Notifications

Non-blocking toast notification system for all actions (save, export, error, success). Disappears automatically after a short delay. Does not interrupt workflow.

Multi-Client Management

Create and manage multiple client organisations within a single tool instance. Each client has independent assessments, evidence, users, notes, and snapshots. Switch between clients from the client list.

Search & Filter (Practices)

Real-time search across practice IDs, titles, and descriptions. Filter by domain, status, level, and risk category. Sortable by risk score or practice ID.

Mobile-Responsive Layout

Fully responsive design tested for iPad and mobile. Sidebar collapses automatically on small screens. All modals and forms are touch-optimised with minimum 44px touch targets.

Domain Assignment UI

Admin can assign/unassign CMMC domains to individual assessors via a visual domain picker in the Staff Panel. Domains display with colour-coded badges.

Build Version Display

Current app version, build number, and build timestamp are displayed in the footer on every screen. Ensures unambiguous identification of the tool version in use during audit or support.

Why Choose Our Tool Over the Competition

We’re the only solution that combines compliance, security, and offline operation in a single file.

| Feature | CRS Tool | GRC Platforms (Archer, Kiteworks) | CMMC SaaS (Coalfire, Schellman) | Spreadsheets (Excel templates) |
|---|---|---|---|---|
| Annual Price | $499–$25K/yr | $10K–$100K/yr | $3K–$20K/yr | $0–$500 |
| Offline / Air-Gap | ✓ Yes | ✗ No | ✗ No | ~ Partial |
| SPRS Scoring (Verified) | ✓ 32 CFR 170.24 | Varies | ✓ Yes | ✗ No |
| POA&M Auto-Enforcement | ✓ 32 CFR 170.21 | Manual | Some | ✗ No |
| OSCAL Export | ✓ v1.1.2 | Some | Some | ✗ No |
| Encrypted Backup | ✓ AES-256-GCM | Cloud-dependent | Cloud | ✗ No |
| Integrity Validation | ✓ SHA-256 | ✗ No | ✗ No | ✗ No |
| Deploy Time | Seconds | Weeks–Months | Days–Weeks | Minutes |
| Infrastructure Required | None | Cloud + Servers | Cloud | None |
| Top Secret / SCIF | ✓ Only option | ✗ Prohibited | ✗ Prohibited | No features |

Ready to See It in Action?

80,000+ organizations need CMMC Level 2 certification. Only 773 have it. Don’t wait for the backlog — start your readiness assessment today.