What is CMMC? What is NIST 800-171? The 110 controls SSP guide POA&M guide SPRS guide
How it works Pricing FAQ Log in Get started

Get ready for your CMMC assessment. Without the detour.

Answer a guided interview. Walk away with a readiness score, a prioritized list of gaps, and a draft System Security Plan. Built for small defense contractors.

Get your readiness report See how it works
All 110 controls covered
~60 minute interview
30-day money back
The current options

How contractors handle CMMC today.

Most options cost too much or do too little. Here's how Baseline fits.

Hire a consultant
$15,000 – $40,000

A Registered Practitioner drafts your SSP. Quality varies. You wait three to six months.

Cost
$$$$
Time
3–6 months
DIY the template
Free

Download the NIST template. Stare at 110 blank narratives. Hope you got it right.

Cost
$0
Time
80–200 hrs
GRC platform
$15k – $30k/year

Enterprise software built for primes with security teams. Overbuilt for the small end.

Cost
$$$
Time
Ongoing
Baseline
From $695 once

A guided interview. A readiness score. A ranked gap list. An SSP draft based on your environment.

Cost
$
Time
~60 min
How it works

From blank page to first draft.

A structured interview, a clear diagnostic, and the documentation your team needs to move forward.

1

Tell us about your environment

A guided interview walks you through your tools, team, and processes. Plain English, no jargon, with hover-definitions for any term you don't know.

~60 min total
2

See where you stand

The moment you finish, your answers are scored against the framework. You see exactly which controls you meet, where you fall short, and what to focus on first.

Generated in minutes
3

Walk away with the documents you need

The drafts your assessor will ask for, generated from your answers and traceable back to them. Ready for your team to review, refine, and submit.

Same-day output
About your company 5 of 30
Section 01 · About your company
Hover any underlined term
What types of Controlled Unclassified InformationCUIGovernment information that requires safeguarding but isn't classified. If you handle sensitive material for a federal agency that doesn't carry a "Secret" or "Top Secret" marking, it's likely CUI. do you handle?
Check all that apply. Not sure? Pick the closest match — we'll help you confirm later.
CTIControlled Technical InformationEngineering drawings, technical specs, source code, and other technical data with military or space application. Common for defense contractors. — Controlled Technical Information
Export Controlled (ITARInternational Traffic in Arms RegulationsU.S. rules controlling the export of defense-related articles and services. If your work involves military technology, ITAR likely applies. / EARExport Administration RegulationsU.S. rules controlling exports of dual-use items — products with both commercial and military application.)
Privacy / PII
Knowing what categories of CUI you handle determines which marking, handling, and protection requirements apply to your environment. The answer flows into multiple SSP control narratives.
MP.L2-3.8.1Media ProtectionProtect physical and digital media containing CUI wherever it lives. MP.L2-3.8.4Media MarkingMark media with appropriate CUI labels so handlers know what protections apply. AC.L2-3.1.9Privacy NoticesDisplay CUI privacy and security notices before granting access to sensitive systems.
Inside the interview

The product, up close.

A look at the actual interview interface — what your team will fill out, in plain English. Three real moments from the flow, in sequence.

1
Structured questions
Your tech stack 14 of 30
Section 03 · Tech stack
What do you use to sign in to your business systems?
Your identity provider — the system that authenticates users across your tools.
Okta Workforce Identity Common for federated sign-on
Microsoft Entra ID / Azure AD
Active Directory (on-premises)

Multiple-choice questions handle the structured parts of your environment — tools, platforms, configurations. With descriptions on every option so you don't need to be a security expert.

2
Open-ended detail
How people work 22 of 30
Section 04 · How people work
What happens when someone leaves the company?
Tell us how fast access is removed and who's responsible.
HR notifies IT within 4 hours of termination. IT disables the Okta account immediately, which cascades to M365, GitHub, and Splunk. Devices are collected the same day

Open-ended questions capture the things only you know — your processes, your roles, your edge cases. Plain English, with example answers shown to guide you.

3
Final review
Interview complete 30 of 30
All sections answered
Review your answers
Edit any section before we generate your report.
About your company 5/5
Your people 4/4
Tech stack 8/8
How people work 5/5
Operations 5/5

A summary screen lets you review and edit before generation. Nothing is locked — change anything that doesn't reflect your environment, then continue.

The interview takes about an hour. Auto-saves as you go. Pause and resume anytime.

Try the interview
What you get

A clear read. The core documents your assessor expects.

📊

CMMC Readiness Report

A score against all 110 controls based on your answers, with a ranked list of gaps to address. The first thing you want before you talk to an assessor.

📄

SSP Draft

110 control narratives drafted from your answers. Designed for review by you or your RP before submission.

🎯

POA&M Starter Template

A POA&M scaffold populated with your identified gaps. You add the remediation owners, timelines, and resources that fit your team.

🗺️

Boundary Diagram

A starting visual of your CUI environment scope, generated from your interview answers.

SPRS Score & Evidence Checklist

A worksheet for your SPRS submission, plus a checklist of artifacts assessors typically request.

Sample output

What your SSP draft looks like.

Every narrative is structured around NIST 800-171 expectations and tagged back to the interview answers that produced it — so you know what to verify before submission.

  • NIST SP 800-171 Rev 3 structure throughout
  • System description, boundary, roles, and 110 control narratives
  • Confidence flags on every section
  • Word and PDF export for review and editing
See a sample
DRAFT
Meridian Defense Systems
System Security Plan
3.1 AUTHORIZATION BOUNDARY
AC.L2-3.1.1 — LIMIT ACCESS
AC.L2-3.1.2 — TRANSACTION CONTROL
AC.L2-3.1.5 — LEAST PRIVILEGE
Pricing

Start with the diagnostic.
Add the documents when you're ready.

Diagnostic
Find out where you stand against all 110 controls.
$695
One-time
  • Full guided readiness interview
  • CMMC Readiness Report (110 controls)
  • Prioritized list of gaps
  • Remediation guidance
  • SPRS score worksheet
  • PDF export & email support
Start the diagnostic
Diagnostic + SSP
Everything above, plus the core documents your assessor will review.
$2,495
One-time
  • Everything in the Diagnostic tier
  • Full SSP draft (110 controls)
  • POA&M starter template
  • Authorization Boundary Diagram
  • Evidence checklist
  • Traceability annotations
  • Word + PDF export
Get the full package
Already started with the Diagnostic? Upgrade any time — your fee credits toward the SSP tier. 30-day money back guarantee on both.
Questions you should ask

Common questions, answered.

There's no tool — and no consultant — that can guarantee an assessment outcome. Your assessor is evaluating your actual environment, not just your document. What Baseline does is tell you, before you ever meet an assessor, where you're strong and where you're exposed. The readiness report scores all 110 controls and flags assessment risk; the SSP narratives are tagged with confidence flags so you know which sections need human review.

Those platforms are priced for mid-market and enterprise — typically $15–30k/year. We're built for the small end. Diagnostic, SSP, and remediation roadmap from a single guided interview, not a platform you configure for months before it produces output.

You'd get generic narratives that don't match assessor expectations. The work isn't "write me an SSP" — it's the structured interview, the diagnostic scoring, the mapping to all 110 controls, and the orchestration that keeps your output internally consistent and traceable. The IRS publishes every tax form for free; TurboTax charges $100 because someone figured out the right questions to ask.

No — intentionally. The interview captures descriptions of how you handle CUI, never CUI itself. You can use Baseline without bringing us into your CMMC assessment boundary.

Baseline is currently optimized for small defense contractors with relatively standard cloud-based environments — typically 10 to 50 employees, primarily working in Microsoft 365 GCC High, providing software or professional services to DoD customers. If your environment fits that profile, the generated documentation will closely match how your business actually operates.

If your environment is substantially different — heavy on-premises infrastructure, manufacturing or industrial control systems, classified networks, or specialized regulated workloads — the generated draft will need more revision to reflect your reality. The interview will still produce useful starting documentation, but you'll likely want a Registered Practitioner to refine sections that fall outside the standard archetype. We're working to expand support for more environment types over time.

Know where you stand. Know what to fix.

One hour of questions. A readiness report in minutes. An SSP draft the same day, ready for your review.

Get your readiness report See how it works