Built for small defense contractors handling Federal Contract Information. Answer a guided interview. Walk away with a self-assessment report mapped to all 17 FAR 52.204-21 practices, plus the affirmation paperwork your contract requires.
Most options cost too much or do too little. Here's how Baseline compares.
A consultant drafts your SSP. Quality varies. You wait three to six months.
Download the NIST template. Stare at 110 blank narratives. Hope you got it right.
Enterprise software built for primes with security teams. Overbuilt for small and mid-sized contractors.
A guided interview. A readiness score. A ranked gap list. The documents your assessor expects, generated from your specific environment.
Real CMMC readiness without enterprise overhead or five-figure consulting fees.
If you handle Federal Contract Information for DoD work, CMMC Level 1 applies — and Baseline's built specifically for this case.
Your prime is asking for proof of compliance. You need a defensible posture, not aspirational claims.
You'd rather document what you do — and close the gaps — than migrate everything into a vendor's compliance environment.
Learn more about environment types →A structured interview, a clear diagnostic, and the documentation your team needs to move forward.
A guided interview walks you through your tools, team, and processes. Hover over any term you don't know for an instant definition.
~60 min totalThe moment you finish, your answers are scored against the framework. You see exactly which controls you meet, where you fall short, and what to focus on first.
Generated in minutesThe drafts your assessor will ask for are generated from your answers and traceable back to them. Ready for your team to review, refine, and submit.
Same-day outputWhat the interview actually looks like. Three real moments, in plain English.
Multiple-choice questions handle the structured parts of your environment. Hover over any underlined term for an instant definition, or expand "Why are we asking?" to see how your answer flows into the framework.
Open-ended questions capture the things only you know — your processes, your roles, your edge cases. Example answers shown to guide you.
A summary screen lets you review and edit before generation. Nothing is locked — change anything that doesn't reflect your environment, then continue.
The Level 1 interview takes about 30 minutes. Your answers are auto-saved as you go, so you can pause and resume anytime.
Try the interview →Every one of the 17 FAR 52.204-21 practices, evaluated against your interview answers. Status, evidence, regulatory references — the artifact a prime asks for when they want proof of compliance.
Pre-filled with your company information, ready for your senior official to sign. The legally operative document for your annual CMMC Level 1 affirmation.
If your interview surfaces any gaps, you get a step-by-step closure plan for each one — what's required, recommended approach, estimated effort. Level 1 doesn't allow open gaps at affirmation; this gets you there.
A step-by-step walkthrough of the SPRS portal at sprs.csd.disa.mil — how to log in, where to enter your affirmation, common submission issues and how to fix them.
CMMC Level 1 is self-attested — there's no third-party assessment. But your prime contractor can (and often does) ask to see your self-assessment report and affirmation as proof you're complying. Baseline produces a structured self-assessment report that maps every interview answer to a specific FAR 52.204-21 practice, plus a senior-official affirmation form pre-filled with the right legal language. If a prime asks "what's your CMMC posture?", you have a real artifact to share — not a hand-waved response.
Those platforms are priced for mid-market and enterprise — typically $15–30k/year. Baseline is built for small and mid-sized defense contractors at CMMC Level 1, with annual subscriptions starting at $249/year. A guided interview, a self-assessment report, and the affirmation paperwork your contract requires — without months of platform configuration before you see any output.
You'd get generic narratives that don't match what FAR 52.204-21 actually requires. The work isn't "write me a self-assessment" — it's the structured interview, the mapping of every answer to one of the 17 practices, the binary MET/NOT MET determinations, and the affirmation language that holds up under scrutiny. The IRS publishes every tax form for free; TurboTax charges $100 because someone figured out the right questions to ask.
No — intentionally. The interview captures descriptions of how you handle FCI (your processes, your environment, your controls), never FCI itself. You can use Baseline without bringing us into your CMMC assessment boundary or giving us access to anything sensitive.
Baseline is currently optimized for small defense contractors with relatively standard cloud-based environments — typically 10 to 50 employees, primarily working in Microsoft 365 GCC High, providing software or professional services to DoD customers. If your environment fits that profile, the generated documentation will closely match how your business actually operates.
If your environment is substantially different — heavy on-premises infrastructure, manufacturing or industrial control systems, classified networks, or specialized regulated workloads — the generated draft will need more revision to reflect your reality. The interview will still produce useful starting documentation, but you'll likely want hands-on help refining sections that fall outside the standard archetype — either from your internal compliance team or from a CMMC consultant familiar with your environment type. We're working to expand support for more environment types over time.
A guided interview. A self-assessment report mapped to every practice. An affirmation form ready for your senior official to sign.