Quick Start
- Create or sign into your account and update your company profile so the app reflects the right organization, users, and contact details.
- Create a new project and choose Level 1 or Level 2.
- On the project form, set FAR 52.204-21, DFARS 252.204-7012, FCI, and CUI applicability as accurately as you can.
- Build out the project evidence in this order: assets, information categorization, SSP / plans, risk assessments, contingency tests, and self-certification.
- Use the project dashboard to watch readiness scores, required-practice completion, and SPRS prep status.
- When the project is mature enough, open SPRS Prep & Export and use the bundle and worksheets to prepare for SPRS entry.
This app is a management and drafting workspace. Final contractual interpretation and official SPRS entry should always be checked against the solicitation, contract clauses, and current DoD guidance.
How to Use the Application
Core workflow inside the app
- Profile: Confirm company name, contact info, and login details.
- Project: Create the project and select L1 or L2.
- Scope: Record the system, organization, contract applicability, and notes about the assessment boundary.
- Assets: Record devices, servers, SaaS, endpoints, network gear, and any other in-scope assets.
- Information Categorization: Record whether the system handles FCI, CUI, or both, and identify the categorization type.
- Documents: Draft the SSP and associated plans. Upload final signed or approved versions as attachments when available.
- Risk Assessment: Record threats, vulnerabilities, likelihood, impact, and mitigation status.
- Testing & Certification: Record contingency test results and complete self-certification when the project is ready.
When to choose L1 vs L2
- Level 1: Best fit when the scoped environment is handling FCI and the contract lane is tied to FAR 52.204-21.
- Level 2: Best fit when the scoped environment is handling CUI, the contract invokes DFARS 252.204-7012, or the solicitation / contract requires L2 Self or L2 C3PAO.
- You can upgrade a project from L1 to L2 or downgrade it back to L1 later. The app preserves collected evidence when you switch.
- The Level 2 calculator in this app is a planning aid. The official assessment path and status still come from the contract language and current DoD rules.
How to Complete the Required Documents
System Security Plan (SSP)
Describe the system boundary, system name, owner, environment, users, data types in scope, connections to external systems, inherited services, and how each requirement is implemented or planned. For Level 2, the SSP should be detailed enough to support assessment evidence.
Good source material: NIST SP 800-18, NIST SP 800-171, the NIST CUI SSP template, and the relevant CMMC assessment guide.
Incident Response Plan
Document who detects, triages, escalates, contains, eradicates, recovers, and approves communications. Identify evidence handling, contacts, internal notification, and external reporting triggers.
If DFARS 252.204-7012 applies, make sure the plan accounts for DoD cyber incident reporting and related preservation obligations.
Contingency Plan
Document critical functions, backup methods, restoration priorities, alternate procedures, key vendors, dependencies, and who performs restoration. Use contingency tests to prove the plan is usable.
Tie the plan to specific systems and data, not just general statements.
Risk Assessment
Each record should identify the threat source, vulnerability, affected asset or process, likelihood, impact, current controls, and recommended mitigation. Keep mitigation owners and due dates current.
A good risk entry should be specific enough that someone else could act on it without guessing.
Asset Inventory
List endpoints, servers, network components, cloud services, security tools, SaaS platforms, and supporting systems that process, store, or transmit FCI or CUI. Include owner, function, and where the asset sits in the boundary.
This inventory is one of the easiest places to lose scope discipline. Keep it aligned with the official scoping guide.
Information Categorization
Record what information is in scope, who uses it, where it moves, and whether it is FCI, CUI, both, or support-only data. The better this is documented, the easier the boundary discussion becomes.
Use this section to distinguish ordinary business data from contract-triggering data.
Self-Certification / Affirmation
Use the in-app form to gather the internal statements and readiness signals you will need before official submission or affirmation. Keep the project’s clause and data-scope flags accurate so the text matches the right lane.
The app helps organize inputs, but the official status still depends on the assessment rules and SPRS process in effect for the contract.
POA&M Working Paper (Level 2)
Use this to track remaining actions, owners, target dates, dependencies, and evidence needed to close items. Keep it synchronized with your SSP and risk register.
Whether POA&Ms are allowed for a particular assessment outcome depends on the current CMMC / contract rules. Treat this as a working record, not an automatic entitlement.
Templates & Downloads
Use these editable Word and Excel files when you want offline drafting support or a quick starting point outside the in-app forms. The workbook includes tabs for asset inventory, information categorization, risk assessment, and contingency test tracking.
SSP Starter Template (Word)
Starter document for documenting scope, architecture, users, and requirement implementation.
Incident Response Plan Template (Word)
Editable template for incident response planning, escalation, and reporting.
Contingency Plan Template (Word)
Editable template for backup, restoration, and recovery planning.
CMMC Project Readiness Workbook (Excel)
Excel workbook with tabs for asset inventory, information categorization, risk register, and contingency testing.
Google / Microsoft / Outlook SSO Setup
- Create a web application OAuth client in Google Cloud and/or Microsoft Entra.
- Add the callback URLs used by this application:
  - Google: /auth/oauth_callback.php?provider=google
  - Microsoft / Outlook: /auth/oauth_callback.php?provider=microsoft
- Populate the client ID and client secret values in config/config.php or environment variables.
- Return to Login or Create Account and use the SSO buttons.
- Existing local users are matched by email. If no local account exists, the app can auto-provision one and send the user into the normal dashboard flow.
Use the Microsoft option for Outlook.com, Microsoft 365, and many work or school accounts, depending on how your Microsoft Entra app registration is configured.
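The following is an added example of the server-side logic behind the callback and account-matching steps above; it is not code from this application. It assumes the callback path /auth/oauth_callback.php?provider=<name> from the setup steps and models the provider's ID-token claims as a plain dict (iss, aud, email and email_verified are standard OpenID Connect claim names). The client IDs, issuer values and sample claims are constructed placeholders, and the rule that an existing user is matched by email only when the provider asserts the address as verified is this example's assumption, not something the app states.

```python
"""Server-side handling for the SSO callback: state check, provider
allowlist, and the decision to link, auto-provision, or reject.

Added example, not code from this application. Client IDs, issuers
and sample claims are constructed placeholders.
"""
import hmac
import secrets
from dataclasses import dataclass

# Per-provider configuration. Placeholders: substitute the values from
# your Google Cloud / Microsoft Entra app registration.
PROVIDERS = {
    "google": {
        "client_id": "PLACEHOLDER-GOOGLE-CLIENT-ID",
        "issuers": {"https://accounts.google.com"},
    },
    "microsoft": {
        "client_id": "PLACEHOLDER-MICROSOFT-CLIENT-ID",
        "issuers": {"https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/v2.0"},
    },
}


def redirect_uri(base_url: str, provider: str) -> str:
    """Exact callback URL to register with the provider; it must match byte-for-byte."""
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider: {provider!r}")
    return f"{base_url.rstrip('/')}/auth/oauth_callback.php?provider={provider}"


def new_state() -> str:
    """Random state stored in the user's session before redirecting to the provider."""
    return secrets.token_urlsafe(32)


def state_matches(stored: str, received: str) -> bool:
    """Constant-time comparison of the state echoed back on the callback."""
    return bool(stored) and hmac.compare_digest(stored.encode(), (received or "").encode())


@dataclass(frozen=True)
class LinkDecision:
    action: str  # "link", "provision" or "reject"
    email: str
    reason: str


def decide_account_link(provider: str, claims: dict, local_emails: set,
                        allow_auto_provision: bool = True) -> LinkDecision:
    """Decide what to do with the claims of an ID token whose signature has
    already been validated (signature validation is out of scope here)."""
    cfg = PROVIDERS.get(provider)
    if cfg is None:
        return LinkDecision("reject", "", "unknown provider")
    if claims.get("iss") not in cfg["issuers"]:
        return LinkDecision("reject", "", "issuer not trusted for this provider")
    if claims.get("aud") != cfg["client_id"]:
        return LinkDecision("reject", "", "token was not issued for this client")
    email = str(claims.get("email") or "").strip().lower()
    if not email:
        return LinkDecision("reject", "", "no email claim")
    # Assumption: match an existing local user only on an address the
    # provider asserts it has verified.
    if claims.get("email_verified") is not True:
        return LinkDecision("reject", email, "email not verified by provider")
    if email in local_emails:
        return LinkDecision("link", email, "matched existing local user")
    if allow_auto_provision:
        return LinkDecision("provision", email, "no local account; auto-provision")
    return LinkDecision("reject", email, "no local account and auto-provision is off")


# Constructed sample data for a stand-alone run.
LOCAL_EMAILS = {"alice@example.com"}
GOOGLE_CLAIMS_OK = {"iss": "https://accounts.google.com", "aud": "PLACEHOLDER-GOOGLE-CLIENT-ID",
                    "email": "Alice@Example.com", "email_verified": True}
GOOGLE_CLAIMS_UNVERIFIED = dict(GOOGLE_CLAIMS_OK, email_verified=False)
GOOGLE_CLAIMS_NEW_USER = dict(GOOGLE_CLAIMS_OK, email="bob@example.com")

if __name__ == "__main__":
    print(redirect_uri("https://app.example.com", "google"))
    for claims in (GOOGLE_CLAIMS_OK, GOOGLE_CLAIMS_UNVERIFIED, GOOGLE_CLAIMS_NEW_USER):
        print(decide_account_link("google", claims, LOCAL_EMAILS))
```

The email is normalized to lower case before matching so that a provider returning a differently cased address still maps to the same local user.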
Billing & Payments (Stripe + Hostinger)
Use Billing Settings to save the billing contact, accept the terms, and optionally save a card-on-file summary through Stripe setup mode. Use a completed Level 1 project's Billing page to launch Stripe Checkout, record payment, and download the receipt.
- Create a Stripe account and copy the publishable key and secret key from the Stripe Dashboard.
- Open Admin → Payment Settings in this app.
- Paste the Stripe publishable key, secret key, currency, Level 1 project fee, and billing terms text.
- Open Profile → Billing Settings and save the billing contact details.
- Accept the billing terms and, if desired, click Set / Update Card with Stripe to save a reusable payment method through Stripe setup mode.
- Finish the Level 1 project so the Project Billing page unlocks.
- Open the project's Billing page and verify the invoice summary.
- Click Pay with Stripe to go to Stripe Checkout.
- After Checkout succeeds, Stripe sends the customer back to the Project Billing page using the configured success URL.
- The Project Billing page records the paid Checkout Session and stores the hosted Stripe receipt URL when available.
- Use Open Stripe Receipt to open the hosted receipt in the browser.
- Use Download Receipt to export the local receipt file from this app.
- For production use on Hostinger, add the Stripe checkout script/server files to the live site, keep the Stripe keys server-side only, and test the full flow in Stripe test mode before switching to live mode.
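The following is an added example, not the application's code, of the two server-side checks a practitioner would want behind the steps above: keeping the secret key out of the browser, and confirming a Checkout Session is actually paid for the right project before the Project Billing page records it. The Stripe API call that retrieves the session is left out so the code runs offline; the function instead takes the retrieved session as a dict using the field names of Stripe's Checkout Session object (id, status, payment_status, amount_total, currency, livemode, client_reference_id). The project fee, project reference, environment variable names and sample sessions are constructed.

```python
"""Server-side checks for the Stripe Checkout flow.

Added example, not this application's code. Environment variable names,
the fee, the project reference and the sample sessions are constructed.
"""
import os
from dataclasses import dataclass


def stripe_mode(env=None) -> str:
    """Read the keys from the environment and return "test" or "live".

    The secret key is used only server-side; only the publishable key is
    ever handed to the browser (see browser_config).
    """
    env = os.environ if env is None else env
    secret = env.get("STRIPE_SECRET_KEY", "")
    publishable = env.get("STRIPE_PUBLISHABLE_KEY", "")
    if not secret.startswith("sk_") or not publishable.startswith("pk_"):
        raise RuntimeError("Stripe keys missing or malformed in environment")
    # Test keys are sk_test_/pk_test_, live keys are sk_live_/pk_live_.
    mode = "test" if secret.startswith("sk_test_") else "live"
    if not publishable.startswith(f"pk_{mode}_"):
        raise RuntimeError("publishable and secret key are from different modes")
    return mode


def browser_config(env=None) -> dict:
    """The only Stripe value that may be embedded in the checkout page."""
    env = os.environ if env is None else env
    return {"publishableKey": env.get("STRIPE_PUBLISHABLE_KEY", "")}


@dataclass(frozen=True)
class PaymentCheck:
    ok: bool
    reason: str


def verify_checkout_session(session: dict, expected_session_id: str, project_ref: str,
                            fee_minor_units: int, currency: str, live: bool) -> PaymentCheck:
    """Decide whether a retrieved Checkout Session may be recorded as payment.

    Arriving at the success URL only proves the customer's browser came back;
    payment is confirmed by the session the server retrieves with the secret key.
    """
    if session.get("id") != expected_session_id:
        return PaymentCheck(False, "session id does not match the one this project launched")
    if session.get("livemode") is not live:
        return PaymentCheck(False, "session mode does not match the configured keys")
    if session.get("status") != "complete" or session.get("payment_status") != "paid":
        return PaymentCheck(False, "session is not paid")
    if session.get("amount_total") != fee_minor_units:
        return PaymentCheck(False, "amount does not match the configured Level 1 fee")
    if str(session.get("currency", "")).lower() != currency.lower():
        return PaymentCheck(False, "currency mismatch")
    if session.get("client_reference_id") != project_ref:
        return PaymentCheck(False, "session belongs to a different project")
    return PaymentCheck(True, "paid; record the session and receipt")


# Constructed sample data for a stand-alone run.
FEE_MINOR_UNITS = 49900  # constructed fee: 499.00 expressed in minor units
CURRENCY = "usd"
PROJECT_REF = "project-42"
SESSION_ID = "cs_test_PLACEHOLDER"
PAID_SESSION = {"id": SESSION_ID, "status": "complete", "payment_status": "paid",
                "amount_total": 49900, "currency": "usd", "livemode": False,
                "client_reference_id": PROJECT_REF}
OPEN_SESSION = dict(PAID_SESSION, status="open", payment_status="unpaid")

if __name__ == "__main__":
    for s in (PAID_SESSION, OPEN_SESSION):
        print(verify_checkout_session(s, SESSION_ID, PROJECT_REF, FEE_MINOR_UNITS, CURRENCY, live=False))
```

Storing the session id at the moment Checkout is launched, and comparing against it on return, is what ties the recorded payment to the project rather than to whatever id appears in the success URL.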
AI Help Prompt Pack
These prompts are ready to copy into ChatGPT when you want drafting help, a gap review, or step-by-step guidance tied to this application workflow.
App navigation and usage help
SSP drafting help
Gap analysis and readiness help
Plan and policy drafting help
Step-by-Step Guide for CMMC Level 1
- Confirm the project belongs in the Level 1 / FAR 52.204-21 / FCI lane.
- Use the Level 1 scoping guide to define the systems and assets that process, store, or transmit FCI.
- Build the asset inventory and identify how FCI enters, moves through, and leaves the environment.
- Complete the SSP and supporting documents in the app, especially incident response, contingency planning, and risk records.
- Work through the required Level 1 practices until the dashboard shows full required-practice completion.
- Review the self-certification page and make sure the project is internally ready for affirmation.
- Open SPRS Prep & Export, download the prep bundle, and complete the official annual self-assessment and affirmation process in SPRS.
Step-by-Step Guide for CMMC Level 2
- Check the solicitation or contract clause to determine whether the requirement is L2 Self or L2 C3PAO.
- Use the Level 2 scoping guide to define the CUI boundary and classify assets accurately.
- Populate assets, data categorization, and boundary notes before drafting the SSP so the SSP reflects the actual scope.
- Draft or upload the SSP, incident response plan, contingency plan, and other supporting material. Keep the risk register current.
- Use the L2 / SPRS calculator and the Level 2 assessment guide to work through the 110 NIST SP 800-171 requirements systematically.
- Track remaining actions in the POA&M working paper and align them with the SSP, risks, and evidence records.
- Use SPRS Prep & Export to assemble the evidence bundle and worksheets for the self-assessment lane, or to prepare for a certification assessment if the contract requires a C3PAO.
- Complete official SPRS entry or assessment coordination based on the contract-required Level 2 path.
Official FAR, DFARS, NIST, and SPRS Links
Program and contract sources
DoD CMMC overview and current implementation notices
Current overview, implementation status, and official reminders.
DoD CMMC resources and documentation library
Official scoping guides and assessment guides.
FAR 52.204-21 basic safeguarding clause
Core Level 1 safeguarding requirements for FCI.
DFARS 252.204-7012 safeguarding and cyber incident reporting
Critical for CUI / covered defense information environments.
DFARS 252.204-7021 CMMC contract requirement clause
Shows whether the contract requires L1 Self, L2 Self, or L2 C3PAO.
SPRS reference materials
Entry guides, user guides, and quick references for SPRS.
SPRS awardee / contractor user guide
Detailed entry workflow for contractor-side SPRS use.
Level-specific CMMC guides
Level 1 self-assessment guide
Official assessment method for Level 1 self-assessments.
Level 2 scoping guide
Use to determine the CUI assessment boundary and asset categories.
Level 2 assessment guide
Official guide for Level 2 self-assessment or certification assessment preparation.
NIST references and templates
NIST SP 800-171 Rev. 2
The 110 security requirements used for the Level 2 lane in this app.
NIST SP 800-171A assessment procedures
Assessment procedures that help you evaluate implementation evidence.
NIST CUI SSP template
Useful external SSP structure to compare against your in-app SSP draft.
NIST SP 800-18 security plan guidance
Good reference for how to organize a system security plan.
NIST SP 800-61 incident handling guidance
Useful for incident response plan drafting and tabletop preparation.
NIST SP 800-34 contingency planning guidance
Useful for contingency planning, backups, and recovery exercises.
NIST SP 800-30 risk assessment guidance
Use for structuring risk statements and mitigation decisions.
How to Use This Page with the App
- Use this guide first to understand the workflow and official references.
- Then return to the project dashboard and open the matching records for assets, documents, risks, and SPRS prep.
- When you revise a plan or template, keep the wording in sync across the SSP, risk register, incident response plan, and contingency plan.
- Before any real affirmation or assessment, compare the project against the current contract clauses and official guidance again.