Built for Defense Contractors & Canadian Businesses

Complete Your CMMC Self-Assessment
Know Your SPRS Score

CSATool guides you through every CMMC, CPCSC, and GSA control, calculates your real SPRS score, builds your System Security Plan, and generates all 14 policy documents automatically — no cybersecurity degree required.

  • 5 Frameworks Supported
  • 110 CMMC L2 Controls
  • 14 Policy Documents
  • -203 to +110 SPRS Range

Every Framework You Need — One Platform

Whether you're a US defense contractor, a Canadian defence supplier, or a federal agency vendor, CSATool has your framework covered.

CMMC Level 1
17 basic cyber hygiene controls. Pass/fail scoring. Required for DoD contractors handling FCI. Includes self-attestation guidance.
CMMC Level 2
All 110 NIST SP 800-171 controls. Official DoD Annex A SPRS scoring (-203 to +110). Required for contracts involving CUI.
CPCSC / ITSP.10.171
Canada's Defence Supply Chain cybersecurity program. Level 1 and Level 2 assessments for Canadian defence contractors.
GSA Cybersecurity
Maturity-based scoring for General Services Administration vendors. Five maturity levels from Ad Hoc to Optimized.

Everything You Need to Pass Your Audit

CSATool replaces spreadsheets, consultants, and guesswork with a guided, evidence-backed compliance workflow.

Guided Assessment Runner
Answer each control in plain language with status options (Implemented, Not Implemented, Planned, N/A), implementation descriptions, and evidence uploads — domain by domain at your own pace.
Real SPRS Score Calculation
Your SPRS score is calculated using the official DoD Annex A point values from NIST SP 800-171 Assessment Methodology v1.2.1. No estimates — the exact score you'd submit to SPRS.mil.
POAM Management
Gaps automatically generate Plan of Action and Milestones tasks. Assign to team members, set due dates, track status, and attach evidence — all in one place.
System Security Plan (SSP)
Generate a professional, audit-ready SSP PDF with your company logo, control-by-control implementation status, evidence references, and environment description.
Evidence Management
Upload screenshots, configuration files, policies, and any supporting documents directly against each control. Evidence is linked to your assessment and included in your SSP.
Team Collaboration
Invite team members with role-based access (Owner, Admin, Member). Assign POAM tasks, track who answered what, and maintain a complete audit trail of all activity.

Your Compliance Policies — Written in 15 Minutes

Most organizations spend weeks working with consultants and ESPs to produce the required policy documents for CMMC Level 2. CSATool's Policy Wizard does it by asking you plain-language questions about how your organization actually operates.

Answer questions like "How do users authenticate?" and "Who approves access requests?" — and the policy writes itself, pre-populated with your company name, CAGE code, and assessment data.

1. Answer guided questions. Section by section, one question at a time. No blank pages. No legal jargon.
2. Policy generates automatically. Your answers populate the policy document. Company name, dates, and framework details fill in from your profile.
3. Sign, download, and done. Finalize, add your authorized representative's signature, and download individual PDFs or a complete Policy Handbook.

Less Than One Hour of Consultant Time — Per Month

No setup fees. No long-term contracts. Cancel anytime. All plans include access to all supported frameworks.

Basic
For solo practitioners and small teams
$49
per month · billed monthly
  • 1 user account
  • All 5 frameworks (CMMC L1/L2, CPCSC L1/L2, GSA)
  • Unlimited assessments
  • POAM management
  • Evidence upload per control
  • SSP + Executive Summary PDF export
  • Audit log
Enterprise
For organizations serious about CMMC certification
$199
per month · billed monthly
  • Everything in Professional
  • Unlimited team members
  • Policy Generation Wizard (14 policies)
  • Policy Handbook PDF export
  • Individual policy PDF downloads
  • Priority support
  • Dedicated onboarding

Prices shown in USD. Canadian pricing available at checkout. Secure payments via Stripe.
Questions? [email protected]

Everything You Need to Know

What is CMMC and why do I need it?
CMMC (Cybersecurity Maturity Model Certification) is a DoD requirement for all defense contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Without CMMC compliance, you cannot bid on or perform DoD contracts. CSATool guides you through every control requirement so you know exactly where you stand — before an assessor does.
What is an SPRS score and how does CSATool calculate it?
The Supplier Performance Risk System (SPRS) score is a DoD-mandated self-assessment score ranging from -203 to +110. It starts at 110 and deducts points for each CMMC control not fully implemented, using official DoD Annex A point values (1, 3, or 5 points per control). CSATool calculates your SPRS score automatically and accurately — using the exact methodology from NIST SP 800-171 Assessment Methodology v1.2.1.
Does CSATool support Canadian frameworks?
Yes. CSATool fully supports CPCSC (Canadian Program to Strengthen Cybersecurity in the Defence Supply Chain) Level 1 and Level 2, which is Canada's equivalent framework to CMMC for defence contractors supplying the Department of National Defence.
What is the Policy Generation Wizard?
The Policy Generation Wizard is an Enterprise plan feature that guides you through building all 14 CMMC domain policy documents by asking plain-language questions about your organization — things like "How do users authenticate?" and "Who approves software installation?" Based on your answers, the policies are written automatically, pre-populated with your company name, CAGE code, and assessment data. You can edit, sign, and download them as individual PDFs or as a complete Policy Handbook.
Can I use CSATool if I'm a CMMC consultant?
Absolutely. CSATool is built by a CyberAB-trained CMMC consultant and is designed to be used both by DIB companies doing self-assessments and by consultants managing multiple client assessments. Contact [email protected] for information about multi-client arrangements.
Is my data secure in CSATool?
Yes. CSATool uses multi-factor authentication, session management, role-based access controls, encrypted data transmission (TLS), and per-organization data isolation. All data is hosted on secured infrastructure with audit logging of every action. Your assessment data and CUI-related information never leave your organization's account.
Can I cancel my subscription at any time?
Yes. All CSATool plans are billed monthly with no long-term contracts. You can cancel at any time from the Billing page in your account. Your data remains accessible until the end of your billing period.

Your CMMC Compliance Journey Starts Here.

Join defense contractors and Canadian defence suppliers who use CSATool to take control of their cybersecurity compliance — systematically, confidently, and affordably.


No credit card required to start. Cancel anytime.