CMMC 2.0 LEVEL 1 & LEVEL 2 · NIST SP 800-171 · DFARS

CMMC Compliance.
Without the $60K Consultant.

Answer plain-English questions about your environment. Baseplate’s AI engine writes your SSP, builds your POA&M, and tracks your evidence vault — no consultant required.

Request a Demo See How It Works

Qualified Veteran-Owned Small Business for Federal Procurement Mandates

[Tier 2 Aero Supplier][DoD IT Services][Electronic Component MFG][Software Subcontractor]

Platform Capabilities

Everything You Need to Pass Your Assessment.

Plain-English Logic Engine

The TurboTax for CMMC.

Instead of staring at a blank 110-control template, Baseplate walks you through plain-English conditional questions. Answer what applies to your environment — the engine handles the compliance logic.

✓Conditional Q&A covers all 110 NIST 800-171 controls
✓Plain language — no security certification required
✓Skips irrelevant controls automatically based on your answers

Logic Engine · AC — Access Control

Progress24 / 110 controls

Do all users have unique login credentials?Yes

Is MFA enforced for all remote access sessions?Yes

Are inactive accounts disabled after 90 days?No

Is privileged access reviewed quarterly?Yes

⚠ AC-2.3 — Gap flagged · Remediation steps ready

AI-Generated SSP & POA&M

Your SSP Written by AI. In Hours.

Your answers become formal, auditor-ready SSP prose — translated by a secure LLM into the exact language C3PAOs expect. No templates, no blank documents, no $250/hour consultant.

✓AI converts your answers into formal SSP control narratives
✓POA&M auto-built from every gap you identify
✓Export a complete, assessor-ready package in one click

SSP Generator · AC-2 — Account Management

AI-Generated SSP Narrative

“The organization employs automated mechanisms to audit account creation, modification, enabling, disabling, and removal actions and notifies account managers within 24 hours of those actions...”

POA&M — Auto-Generated1 open item

AC-2.3 · Disable Inactive Accounts

Owner: IT Admin · Due: 30 days

Evidence Vault

Organize Your Evidence Before the Auditor Arrives.

Upload your screenshots, policy docs, and configuration exports. The Evidence Vault maps each piece to the exact NIST control it satisfies — so your C3PAO walks into a clean, organized package.

✓Upload and tag evidence against specific controls
✓Track what's covered and what's still missing
✓Share a secure, auditor-facing evidence package directly

Evidence Vault · 87 / 110 controls covered

87%

📄

MFA_Policy_v2.pdfIA-3

✓

📄

Account_Audit_Log_Q2.xlsxAC-2

✓

📄

Firewall_Config_Export.txtSC-7

✓

📄

Access_Review_June.docxAC-2.3

…

Your Compliance Roadmap.

Set Up & Scope

1–2 hours

Define your CUI boundary: what systems touch Controlled Unclassified Information, who has access, and what's in scope. This keeps your assessment focused and your costs down.

Work Through 110 Controls

2–4 days

Answer plain-English conditional questions for all 110 NIST 800-171 controls. Baseplate's logic engine handles the branching — skipping inapplicable controls and surfacing every gap.

AI Generates Your SSP & POA&M

Instant

Your answers are translated by a secure LLM into formal, auditor-ready SSP prose. Every gap becomes a POA&M item with owner, deadline, and remediation guidance auto-assigned.

Build Your Evidence Vault

2–4 weeks

Work through your POA&M. Upload screenshots, policy docs, and configurations to the Evidence Vault. Each upload is tagged to the specific control it closes.

Export & Hand Off to C3PAO

1 day

Export your complete SSP, POA&M, and evidence package in one click. Your C3PAO gets a clean, organized submission — and you walk into the assessment ready.

Estimated total time~5–8 weeks

Why Baseplate?

Purpose-Built for the Defense Industrial Base.

	Generic Compliance Platforms	Baseplate Security
Primary Focus	50+ frameworks (SOC 2, ISO, HIPAA…)	CMMC 2.0 + NIST 800-171 only
Built For	Enterprise IT & compliance teams	Defense subcontractors, any size
SSP Generation	Template-based, manual fill-in	Auto-generated from your environment
POA&M Tracking	Manual spreadsheet workflow	Auto-populated from gap analysis
CUI Scoping	Not included	Built-in scoping engine
SPRS Score Reporting	Not included	Auto-calculated & exportable
Defense Context	Generic guidance	DFARS & DoD-specific throughout
Pricing	Enterprise ($15K–$50K+/yr)	SMB-friendly (from $499/mo)

Transparent Pricing

No Enterprise Sales Call Required.

Koop and Vanta make you book a demo to see a price. We don’t. Sign up with a credit card and start your assessment today.

CMMC Level 1

For companies handling FCI

$207/mo

$2,490 billed annually

vs. $40K–$80K for a consultant

✓15 FAR 52.204-21 practices
✓Plain-English Q&A assessment
✓Auto-calculated SPRS score
✓Annual self-attestation letter
✓Evidence Vault (10GB)
✓1 admin user
✕AI SSP generation
✕POA&M dashboard
✕C3PAO export package

Start Free Trial

Win Contracts. Keep Them.

Achieve DoD audit-readiness up to 10× faster — without the $60K consultant.

⚡Automated Platform

🛡CMMC-Focused Only

🤝White-Glove Onboarding

Book a Demo

Have Questions?

Everything You Need to Know.

Does this replace our MSP or IT team?−

No. Baseplate works alongside your Managed Service Provider or internal IT team. They handle your infrastructure; we handle your compliance documentation, SSP generation, and audit evidence. Think of us as the compliance layer on top of whatever IT you already have.

How long does it take to get audit-ready?+

Are you a C3PAO? Do you do assessments?+

Is my data secure on Baseplate?+

What's the difference between CMMC Level 1 and Level 2?+

What if we already have a compliance tool like Vanta or Drata?+

How much does CMMC compliance normally cost without Baseplate?+

CMMC Compliance.Without the $60K Consultant.