CMMC LEVEL 2 COMPLIANCE AUTOMATION

CMMC Compliance That Runs In Your Azure, Not Ours

The only CMMC compliance platform deployed in your own environment. Your CUI never leaves your tenant. No FedRAMP obligations. Full data ownership.

110 NIST 800-171 Controls · < 20 min Deploy to Azure · ~$40/mo Azure Infrastructure Cost

Dashboard preview: SPRS score 80; 94 controls met, 5 partial, 11 open POA&Ms; domain coverage AC (Access Control) 86%, IA (Identification and Authentication) 73%, SC (System and Communications Protection) 94%, CM (Configuration Management) 78%, AU (Audit and Accountability) 89%.

Customer-Deployed · CMMC Level 2 · NIST SP 800-171 Rev 2 · DFARS 252.204-7012 · Azure Native

CMMC Level 2 Is Mandatory. Your Options Are Broken.

Spreadsheets Don't Scale

Manual tracking across 110 controls, 14 domains, and dozens of evidence artifacts. No audit trail. No SPRS calculation. No way to prove continuous compliance to a C3PAO assessor.

Cloud GRC Creates New Problems

Enterprise platforms store your CUI on their servers. That means FedRAMP authorization requirements, data residency concerns, and another vendor in your supply chain risk profile. Starting at $10,000+/year.

Static Documents Go Stale

A consultant builds your SSP and leaves. Within months, your POA&Ms are outdated, your evidence is expired, and your SPRS score is fiction. CMMC requires continuous compliance, not a point-in-time snapshot.

ControlPoint GRC is the alternative: a compliance platform that runs in your environment, monitors your security posture, and keeps your documentation current.

Built Different. On Purpose.

Five architectural decisions that make ControlPoint fundamentally different from every other GRC platform.

ARCHITECTURE

Your Data Never Leaves Your Environment

ControlPoint GRC deploys as a Docker container in your own Azure subscription via a one-click ARM template. Your PostgreSQL database, your App Service, your network rules. CUI never touches vendor infrastructure. No FedRAMP obligation for the platform itself. Your IT team controls the infrastructure — we provide the application and updates.

No FedRAMP Required · Full Data Ownership · One-Click ARM Deploy · ~$40/mo Azure Cost

Architecture diagram: inside YOUR AZURE SUBSCRIPTION sit the App Service (Docker container), PostgreSQL (your database) and Key Vault (secrets management): your network, your rules, your data. Only license validation crosses the subscription boundary to CONTROLPOINT GRC (vendor), which hosts the container registry and license API and has no CUI access.
AUTOMATION

Your Microsoft Stack Does the Monitoring

ControlPoint connects to your existing Microsoft 365 environment to automate the compliance work that other platforms make you do manually. Intune auto-discovers every device and installed application. Defender scans for vulnerabilities across your endpoints. Every finding is matched against the CISA Known Exploited Vulnerabilities catalog. Results flow directly into your Operational POA&M — no manual data entry, no spreadsheet imports.

Microsoft Intune · Microsoft Defender · CISA KEV Catalog · Automatic POA&M

Data-flow diagram: Intune (devices and software), Defender (vulnerabilities) and CISA KEV (known exploits) feed CONTROLPOINT GRC, which auto-maps findings to NIST 800-171 controls and produces the Operational POA&M (automated entries with severity and deadlines) and the HW/SW Inventory (auto-populated from Intune discovery).
VISIBILITY

One Dashboard. Every Business Unit. Every Assessor.

Prime contractors and multi-division organizations need visibility across all business units from a single interface. ControlPoint provides a corporate dashboard showing SPRS scores, control status, and open vulnerabilities for every BU. Assessors get their own login — no screenshots, no exported PDFs. They see the live compliance state.

Up to 10 Business Units · Real-Time SPRS Scores · Assessor Portal · Role-Based Access

Screenshot: ControlPoint GRC Risk Assessment dashboard showing the vulnerability register with severity ratings, risk scores, and remediation tracking.
COVERAGE

Every Phase. Every Document. Every Deadline.

Most tools cover assessment. ControlPoint covers the entire compliance lifecycle — from initial scoping through continuous maintenance. All connected, all traceable, all exportable.

SSP Builder · Self-Assessment · POA&M Manager · Evidence Locker · SPRS Calculator · Risk Assessment · Vendor Risk · Training Tracker · Incident Manager · Policy Generator · Monthly Reviews · Change Management

Plus: HW/SW Inventory, CUI Scoping, C3PAO Interview Prep, Readiness Scorecard, and more.

Screenshot: ControlPoint GRC CISA KEV Vulnerability Scanner with CVE details, severity badges, and one-click POA&M creation.
SECURITY

Enterprise Security, Not Startup Shortcuts

The platform that manages your security compliance is itself built with enterprise security practices. Secrets stored in Azure Key Vault using managed identity — no stored credentials. PostgreSQL with enforced SSL. Comprehensive audit logging for every user action. Role-based access control. Azure AD single sign-on.

Azure Key Vault · Managed Identity · SSL-Only Database · Full Audit Trail · Azure AD SSO

  • Azure Key Vault: JWT secrets, DB credentials, license keys, never in env vars or config files
  • Managed Identity: the app authenticates to Key Vault with zero stored credentials
  • SSL-Only Database: PostgreSQL with enforced TLS; AES-256 encryption at rest
  • Full Audit Trail: every user action logged with timestamp, user ID, and IP address
  • Role-Based Access: Owner, Admin, BU User, Viewer, Assessor; least privilege enforced
  • Azure AD SSO: Microsoft single sign-on with MFA support via your existing tenant

From Microsoft 365 to Compliance Dashboard — Automatically

ControlPoint connects to your existing M365 environment and turns raw security data into actionable compliance intelligence.

1. Deploy to Your Azure

One-click ARM template provisions the entire platform in your Azure subscription. App Service, PostgreSQL, Key Vault — all in your tenant. Under 20 minutes.

2. Connect Your M365 Environment

Authorize read-only access to Microsoft Intune and Microsoft Defender. ControlPoint discovers your devices, installed software, and security posture automatically.

3. Automated Discovery & Scanning

Intune inventories every managed device and application. Defender identifies vulnerabilities across your endpoints. Each finding is cross-referenced against the CISA Known Exploited Vulnerabilities (KEV) catalog.

4. Compliance Mapping

Discovered assets populate your HW/SW inventory. Vulnerabilities are mapped to affected NIST 800-171 controls. Findings that require remediation are automatically pushed to your Operational POA&M with severity ratings and deadlines.

5. Continuous Monitoring

The cycle repeats on schedule. New devices appear in inventory. New vulnerabilities generate POA&M entries. Your SPRS score updates in real time. Monthly control reviews verify nothing has drifted.

This is not a checklist. ControlPoint actively monitors your environment and updates your compliance posture as things change.
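The five steps above describe a pipeline from Defender findings, through the CISA KEV catalog, to POA&M entries mapped to NIST SP 800-171 controls. What follows is an added example, not ControlPoint's own code, that sketches the cross-reference and mapping step in Python on constructed input. Everything in it is an assumption rather than documented product behaviour: the finding record shape (loosely modelled on Defender's per-device CVE records), the KEV subset (in the public catalog's JSON field layout, with placeholder CVE IDs), the remediation windows per severity, the rule that a KEV hit is escalated to Critical and capped by CISA's due date, and the mapping of open vulnerabilities to requirements 3.11.2, 3.11.3 and 3.14.1.

```python
"""Added example, not ControlPoint's code: cross-reference endpoint vulnerability
findings against a CISA KEV subset, map them to NIST SP 800-171 controls and
emit Operational POA&M entries with a severity and a deadline.

Assumptions (none come from the page): the finding records loosely follow the
per-device CVE shape Defender exposes, the KEV subset copies the public
catalog's field names (cveID, dueDate, knownRansomwareCampaignUse), CVE IDs
and device names are constructed placeholders, and the remediation windows and
control mapping are an illustrative policy.
"""
from datetime import date, timedelta

# Constructed KEV subset using the catalog's JSON field names; placeholder IDs.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "dueDate": "2025-07-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "dueDate": "2025-08-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed Defender-like findings: one record per device/CVE pair.
FINDINGS = [
    {"deviceName": "WKS-001", "cveId": "CVE-0000-00001", "severity": "High"},
    {"deviceName": "WKS-002", "cveId": "CVE-0000-00001", "severity": "High"},
    {"deviceName": "SRV-001", "cveId": "CVE-0000-00002", "severity": "Medium"},
    {"deviceName": "SRV-001", "cveId": "CVE-0000-00003", "severity": "Critical"},
    {"deviceName": "WKS-003", "cveId": "CVE-0000-00004", "severity": "Low"},
]

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]
# Assumed remediation windows in days per severity (organisation policy).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
# Assumed mapping: an open vulnerability bears on the scan / remediate / flaw
# requirements 3.11.2, 3.11.3 and 3.14.1 of NIST SP 800-171 Rev 2.
VULN_CONTROLS = ("3.11.2", "3.11.3", "3.14.1")


def kev_index(catalog):
    """Index the catalog by CVE ID for constant-time lookups."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def build_poam(findings, catalog, today):
    """Return one POA&M entry per CVE, sorted by deadline then CVE.

    A KEV hit is treated as Critical regardless of the scanner severity
    (assumed policy), and its deadline is the earlier of the SLA date and
    CISA's published due date, so the entry never slips past the federal
    remediation date.
    """
    kev = kev_index(catalog)
    by_cve = {}
    for finding in findings:
        by_cve.setdefault(finding["cveId"], []).append(finding)

    entries = []
    for cve, hits in by_cve.items():
        # Worst scanner severity across all affected devices.
        severity = max((h["severity"] for h in hits), key=SEVERITY_ORDER.index)
        in_kev = cve in kev
        if in_kev:
            severity = "Critical"
        deadline = today + timedelta(days=SLA_DAYS[severity])
        if in_kev:
            deadline = min(deadline, date.fromisoformat(kev[cve]["dueDate"]))
        entries.append({
            "cve": cve,
            "severity": severity,
            "kev": in_kev,
            "ransomware_use": kev[cve]["knownRansomwareCampaignUse"] if in_kev else None,
            "devices": sorted({h["deviceName"] for h in hits}),
            "controls": list(VULN_CONTROLS),
            "deadline": deadline.isoformat(),
        })
    entries.sort(key=lambda e: (e["deadline"], e["cve"]))
    return entries


def affected_controls(entries):
    """Controls that cannot be marked fully implemented while entries are open."""
    return sorted({c for e in entries for c in e["controls"]})


def demo_poam():
    """Run the pipeline over the constructed data with a fixed 'today'."""
    return build_poam(FINDINGS, KEV_CATALOG, date(2025, 6, 1))


if __name__ == "__main__":
    poam = demo_poam()
    for entry in poam:
        flag = "KEV" if entry["kev"] else "   "
        print(f"{flag} {entry['cve']} {entry['severity']:<8} due {entry['deadline']} "
              f"devices={','.join(entry['devices'])}")
    print("affected controls:", ", ".join(affected_controls(poam)))
```

The grouping by CVE matters for the POA&M: one entry per weakness with the list of affected devices, rather than one line per device, keeps the plan readable for an assessor and makes the closure condition (all devices patched) explicit. Capping the deadline at CISA's due date is the behaviour a defender usually wants for KEV entries, since the catalog's date is the one federal agencies are held to.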

Built for Everyone in the CMMC Ecosystem

Whether you're pursuing certification, advising clients, or conducting assessments — ControlPoint gives you a shared source of truth.

Defense Contractors (OSCs)

Build your SSP, track all 110 controls, manage POA&Ms, and maintain continuous compliance. Everything your C3PAO needs to see — organized and live.

Consultants & RPOs

Manage multiple clients from a single platform. Each client gets their own isolated deployment in their Azure tenant. No commingling of data. Scale your practice without scaling your risk.

C3PAO Assessors

Log in with a read-only assessor account and see the live compliance state. No more requesting screenshots or chasing exported PDFs. Evidence, controls, and SPRS scores — all in one place.

Flat-Rate Pricing. Unlimited Users. No Surprises.

Enterprise GRC platforms charge $10,000–$100,000+ per year with per-seat fees. ControlPoint is a fraction of the cost because you run it yourself.

Starter
For small contractors starting their CMMC journey
$199/mo
$2,190/yr — save $198
  • SSP Builder with auto-populated narratives
  • 110-control NIST 800-171 assessment
  • Real-time SPRS score calculation
  • POA&M Manager with deadline tracking
  • Evidence Locker with SHA-256 hashing
  • Policy Generator (20+ templates)
  • Vendor Risk tracking
  • Training Tracker
  • Customer-deployed in your Azure
  • Unlimited users
Enterprise
For primes managing compliance across multiple business units
$899/mo
$9,890/yr — save $898
  • Everything in Professional
  • Multi-BU support (up to 10 units)
  • Corporate Compliance Dashboard
  • SPRS roll-up across all BUs
  • Role-based access control (RBAC)
  • Assessor Share Portal
  • Change Management tracking
  • Shared Responsibility Matrix
  • Priority support
All plans include: customer-deployed Azure architecture, unlimited users, no FedRAMP obligations, data stays in your tenant.
Annual billing saves ~8% (1 month free). Government purchase orders accepted.

How ControlPoint Compares

Feature                                | ControlPoint GRC | Spreadsheets | Enterprise GRC
CMMC Level 2 coverage                  | All 110 controls | Manual       |
CUI stays in your environment          |                  |              |
No FedRAMP obligation                  |                  |              |
M365 integration (Intune/Defender/KEV) |                  |              | Partial
Continuous automated monitoring        |                  |              |
SPRS auto-calculation                  |                  |              |
SSP generation                         |                  |              |
Multi-business unit                    |                  |              |
Assessor direct access                 |                  |              | Varies
Azure Key Vault secrets                |                  | N/A          | Varies
Unlimited users                        |                  |              | Per-seat
Starting price                         | $199/mo          | Free         | $833+/mo

(Cells shown only as check or cross icons on the original page are left blank.)

Frequently Asked Questions

Does ControlPoint GRC store our CUI?
No. ControlPoint is deployed in your own Azure subscription. Your CUI data is stored in your PostgreSQL database, on your infrastructure, in your tenant. Our servers never see, process, or store your CUI. We provide the application container and license validation only.
What does "customer-deployed" mean in practice?
You run a one-click ARM template that provisions an Azure App Service, PostgreSQL database, and Key Vault in your Azure subscription. The ControlPoint application runs as a Docker container on your App Service. You control network rules, access, backup policies, and data residency. We push application updates to our container registry — your App Service pulls them on restart.
How does the M365 integration work?
ControlPoint connects to your Microsoft Intune and Microsoft Defender environments via read-only API access (Azure AD app registration). Intune provides device and software inventory. Defender provides vulnerability scan results. Each vulnerability is automatically cross-referenced against the CISA Known Exploited Vulnerabilities (KEV) catalog. Findings are mapped to affected NIST 800-171 controls and pushed to your Operational POA&M.
What happens to our data if we cancel?
Everything stays in your Azure subscription. The application container stops running, but your PostgreSQL database, uploaded evidence files, and all compliance data remain in your tenant. You own the infrastructure. There is nothing to "export" — it is already yours.
How are secrets and credentials managed?
All application secrets (database credentials, JWT signing keys, license keys) are stored in Azure Key Vault. The application authenticates to Key Vault using Azure Managed Identity — no stored credentials anywhere. Database connections use SSL enforcement. Every user action is logged to a comprehensive audit trail.
Can assessors access the platform directly?
Yes. The Assessor Portal provides read-only access that C3PAO assessors can use directly. They see live compliance status, control evidence, SPRS scores, and POA&M status without requiring screenshots or exported documents. Assessor accounts are provisioned by your admin with the Assessor role.
Does this replace a C3PAO assessment?
No. ControlPoint prepares you for your C3PAO assessment by organizing your documentation, tracking your controls, calculating your SPRS score, and providing assessor access to your live compliance data. You still need a certified C3PAO to perform the official assessment. ControlPoint makes that assessment go smoother and faster.
How does multi-business-unit support work?
Enterprise tier supports up to 10 business units under a single deployment. Each BU maintains its own SSP, assessment, POA&M, and evidence — fully isolated. The corporate dashboard provides a unified view with roll-up SPRS scores and control status across all BUs. Users are assigned to specific BUs with appropriate role permissions.
Which Azure environment does this require?
ControlPoint runs on any Azure environment — commercial, GCC, or GCC High. The application manages your compliance documentation and connects to your M365 environment via read-only APIs for device inventory and vulnerability data. Deploy it wherever your organization's Azure policies require.
What does deployment cost on Azure?
Typical Azure infrastructure costs are approximately $40/month for a B1 App Service plan and a Basic-tier PostgreSQL database. This is your cost to Microsoft, separate from the ControlPoint license fee. The ARM template provisions the minimum required resources by default. Costs scale with your chosen Azure SKU.
How long does deployment take?
The ARM template deploys in under 20 minutes. You provide your license key, organization name, database password, and click deploy. The template provisions all Azure resources, creates the database, and starts the application. First login creates your admin account automatically.
Is annual billing required?
No. All plans are available month-to-month with no long-term commitment. Annual billing is optional and saves approximately one month (8% discount). We also accept government purchase orders for annual subscriptions.

Built by a CISO, for CISOs

John Taggart

Founder & CISO, ControlPoint GRC — LTC, U.S. Army (Ret.)

After 20+ years in Army communications and cybersecurity, I've sat on both sides of the compliance table — as the person being assessed and as the assessor. I built ControlPoint because every CMMC tool I evaluated either stored CUI on someone else's servers, cost more than an entire security budget, or was just a glorified spreadsheet with a login page. As a CMMC Certified Lead Assessor and FedRAMP assessor, I know exactly what C3PAOs are looking for. ControlPoint is built to deliver it.

LTC, U.S. Army (Ret.) · CISSP · CMMC Certified Lead Assessor · FedRAMP Assessor · 20+ Years Cyber & Comms

Stop Managing Spreadsheets.
Start Passing Assessments.

Try the live demo with a realistic defense contractor dataset. See how ControlPoint manages 110 controls, generates your SSP, and monitors your posture — in your own Azure environment.
