CLI tool for CMMC readiness, documentation, and reference. Conduct gap assessments, build your System Security Plan, analyze policy coverage, browse controls, and look up terminology. All from the terminal.
Crafted by networkbm
| Tool | Description |
|---|---|
| CMMC Gap Assessment | Evaluate readiness against Level 1 or Level 2 with SPRS scoring, POA&M, and CSV export |
| Policy Gap Analyzer | Compare required CMMC policies against your existing documentation |
| SSP Builder | Document all practices guided question by question and export a complete SSP |
| Control Library | Browse and search all 110 CMMC practices by ID or domain |
| CMMC Glossary | Search and browse CMMC terms and definitions |
```bash
git clone https://github.com/networkbm/cmmc-toolkit.git
cd cmmc-toolkit
pip install -r requirements.txt
python3 cmmc_toolkit.py
```

Walk through every practice question by question, get your SPRS score, and export a POA&M and CSV ready for audits and C3PAO preparation.
Launch → CMMC Gap Assessment
→ New Assessment or Resume Saved Session
→ Organization / assessor / boundary setup
→ CMMC Level (Level 1 or Level 2)
→ Question by question through every practice
→ SPRS score + domain breakdown
→ Reports generated
Each practice shows:
- Practice ID and title
- Assessment question
- Evidence a C3PAO may request
- Status options: MET / PARTIAL / NOT MET / N/A
- Optional evidence note
Output files generated in reports/<session_name>/:
| File | Contents |
|---|---|
| `poam_<id>.txt` | Plan of Action and Milestones with one entry per gap |
| `gap_assessment_<id>.csv` | All practices with status, SPRS value, and evidence notes |
Assessments auto-save after each practice. Resume any time via CMMC Gap Assessment → Resume Assessment. Sessions are stored in sessions/ as JSON files.
Review your organization's documentation against the policies required for CMMC compliance. The tool identifies which required policies are present, missing, or only partially covered based on the documents you provide.
Launch → Policy Gap Analyzer
→ Provide your documentation
→ View coverage by policy area
→ Export gap report
Guided System Security Plan documentation for all 110 CMMC practices (or 17 for Level 1). Answer sub-questions per practice, review an auto-assembled implementation statement, edit if needed, then export.
Launch → SSP Builder
→ New SSP or Resume Saved Session
→ Select CMMC Level (Level 1 or Level 2)
→ System overview (org name, system name, owner, description, CUI categories)
→ Practice by practice:
→ Answer guided sub-questions (each field shows a dim example hint that disappears when you start typing)
→ Review generated implementation statement
→ Accept, edit, or skip
→ Set implementation status
→ Add responsible party and evidence reference
→ Summary with SPRS readiness and show stopper warnings
→ Select export format(s)
→ SSP document(s) generated
Show Stoppers are 5-point practices marked Planned or Not Applicable. These are POA&M-ineligible and are flagged inline and summarized at the end of the session. They will impact assessment readiness if not fully implemented.
Export formats:
| Format | Description |
|---|---|
| `.txt` | Plain text structured with ASCII dividers |
| `.md` | Markdown with tables and headings that renders in GitHub, Obsidian, and Notion |
| `.docx` | Word document with cover table, section headings, and practice detail tables |
| `.pdf` | PDF with styled headings, bordered tables, and show stopper callouts |
Aligned to: NIST SP 800-171 Rev 2 | DFARS 252.204-7012 | DFARS 252.204-7021
Progress auto-saves after each practice. Resume any time via SSP Builder → Resume SSP.
Import from Gap Assessment — If you have already completed a CMMC Gap Assessment, the SSP Builder can import your results directly. Practice statuses pre-populate (MET becomes Implemented, PARTIAL and NOT MET become Planned, N/A becomes Not Applicable) and evidence notes carry over. The import option appears automatically in the SSP Builder start menu once a gap assessment session exists.
Browse and search all CMMC practices without running a full assessment.
Launch → Control Library
→ Search by Practice ID or Browse by Domain
→ View full practice details
Each practice shows:
- Practice ID, domain, and level
- NIST SP 800-171 reference
- SPRS point value
- Full description
- Assessment question
- Evidence a C3PAO may request
Search and browse CMMC terminology directly in the terminal. Useful for quick reference during assessments or documentation reviews.
The SPRS (Supplier Performance Risk System) score is required for all DoD contractors handling CUI. Contractors must self-assess against NIST SP 800-171 and report their score to SPRS under DFARS 252.204-7019 prior to contract award.
- Maximum score: 110
- NOT MET = full point deduction. PARTIAL = half deduction.
- Score can go negative if deductions exceed 110.
| Score | Readiness |
|---|---|
| 110 | Ready for C3PAO audit |
| 90-109 | Likely ready with minor gaps to close |
| 70-89 | Needs work with a 60 to 90 day remediation plan recommended |
| 50-69 | Not ready due to significant gaps |
| Below 50 | Critical gaps requiring extensive remediation |
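The scoring rules, readiness bands, gap-to-SSP status mapping, and show stopper rule described in this README can be reproduced in a few functions. This is an added example, not code from cmmc-toolkit: the `Result` type, the function names, the `EX-nn` practice IDs and their point values are constructed for illustration, and any practice not listed is assumed to be MET.

```python
from dataclasses import dataclass

MAX_SCORE = 110
# Gap assessment status -> SSP status, as described for the SSP Builder import.
SSP_STATUS = {"MET": "Implemented", "PARTIAL": "Planned",
              "NOT MET": "Planned", "N/A": "Not Applicable"}
# Readiness bands from the table above: (minimum score, label).
BANDS = [
    (110, "Ready for C3PAO audit"),
    (90, "Likely ready with minor gaps to close"),
    (70, "Needs work with a 60 to 90 day remediation plan recommended"),
    (50, "Not ready due to significant gaps"),
]

@dataclass
class Result:              # hypothetical record, not the toolkit's session format
    practice_id: str
    points: int            # SPRS point value of the practice
    status: str            # MET / PARTIAL / NOT MET / N/A

def sprs_score(results):
    # NOT MET deducts the full point value, PARTIAL deducts half of it.
    deduction = 0.0
    for r in results:
        if r.status not in SSP_STATUS:
            raise ValueError(f"unknown status {r.status!r} for {r.practice_id}")
        if r.status == "NOT MET":
            deduction += r.points
        elif r.status == "PARTIAL":
            deduction += r.points / 2
    return MAX_SCORE - deduction   # may be negative

def readiness(score):
    for minimum, label in BANDS:
        if score >= minimum:
            return label
    return "Critical gaps requiring extensive remediation"

def show_stoppers(results):
    # 5-point practices whose SSP status would be Planned or Not Applicable.
    return [r.practice_id for r in results
            if r.points == 5 and SSP_STATUS[r.status] != "Implemented"]

# Constructed sample results; IDs and point values are illustrative only.
SAMPLE = [Result("EX-01", 5, "MET"), Result("EX-02", 5, "NOT MET"),
          Result("EX-03", 5, "PARTIAL"), Result("EX-04", 3, "NOT MET"),
          Result("EX-05", 1, "PARTIAL"), Result("EX-06", 5, "N/A")]

if __name__ == "__main__":
    score = sprs_score(SAMPLE)
    print(score, readiness(score), show_stoppers(SAMPLE))
```

A score in a comfortable band can still carry show stoppers, which is why the two results are reported separately.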
CMMC Toolkit is a self-assessment and readiness tool. Results reflect self-reported data and do not constitute a CMMC certification or official assessment. A certified C3PAO assessment is required for CMMC Level 2 certification under DFARS 252.204-7021.
- ModuleNotFoundError: Run `pip install -r requirements.txt`.
- Session not found: Check the `sessions/` directory for saved `.json` files.
