CMMC  ·  CPCSC  ·  GSA

Know Your SPRS Score.
Start Your CMMC
Self-Assessment.

CSATool guides defense contractors and Canadian businesses through every cybersecurity control — then generates your SPRS score, System Security Plan, and POAM automatically.

Start Free Assessment See Pricing
Supported
CMMC Level 1 CMMC Level 2 NIST SP 800-171 CPCSC / ITSP.10.171 GSA Cybersecurity DoD SPRS Scoring
Features
Built for the entire compliance lifecycle

From your first assessment to your final audit package — CSATool handles every step without the spreadsheets.

Guided Control Assessments

Walk through every required control across CMMC, CPCSC, and GSA frameworks. Mark each practice as implemented, planned, or not applicable — with supporting notes and evidence uploads.

  • All domains covered with official control language
  • Save progress and resume at any time
  • Multi-framework: run separate assessments per framework
AC.1.001 — Limit system access Implemented
AC.1.002 — Authorized users only Implemented
AU.2.041 — Audit user activity Planned
CM.2.061 — Establish config baselines Not Implemented
IA.1.076 — Identify system users Not Answered

Automatic SPRS Score & SSP Export

Your SPRS score is calculated in real time using the official DoD Annex A point values — no manual math. When ready, generate your complete System Security Plan as a formatted PDF.

  • Official DoD Annex A SPRS scoring (−203 to +110)
  • Executive Summary PDF for leadership reporting
  • SSP includes organization profile, control responses, and evidence
SPRS Score
88
out of 110 · DoD Annex A
−2030+110

POAM Management & Team Tasks

Every gap in your assessment automatically becomes a POAM task. Assign tasks to team members, set target dates, and track remediation progress through to closure.

  • POAM auto-generated from all non-implemented controls
  • Assign tasks to individuals with due dates and priority
  • Track open, in-progress, and closed items
Remediate CM.2.061 High · Open
Implement MFA for remote access Medium · In Progress
Deploy endpoint logging agent Closed
Update Incident Response Plan Medium · Open

Policy Generation Wizard

Enterprise users can build all 14 CMMC domain policy documents through a guided Q&A wizard. Policies are pre-populated with your organization's details and exported as signed PDFs.

  • All 14 CMMC domains covered
  • Q&A wizard auto-populates policy content
  • Export individual policies or a complete Policy Handbook PDF
Policy Documents
Access Control PolicyFinalized
Awareness & Training PolicyFinalized
Configuration Management PolicyDraft
Incident Response PolicyNot Started
How It Works
From sign-up to SPRS score in four steps
01
Create your account
Register with your corporate email. Set up your organization profile with CAGE code, system boundary, and environment details.
02
Select a framework
Choose CMMC Level 1 or 2, CPCSC, or GSA. The assessment loads every required control for your chosen framework.
03
Complete the assessment
Work through each domain at your own pace. Mark controls, add notes, and upload evidence files. Save and resume anytime.
04
Download your reports
Get your SPRS score instantly. Download your SSP, Executive Summary PDF, and Excel workbook. Review your auto-generated POAM.
Pricing
Simple, transparent pricing

All plans include all frameworks, unlimited assessments, and SSP export. No setup fees.

Basic
$49
per month
  • 1 user
  • All frameworks — CMMC, CPCSC, GSA
  • Unlimited assessments
  • POAM management
  • SSP & Executive PDF export
  • Excel export
Get Started
Professional
$99
per month
  • Up to 3 team members
  • Everything in Basic
  • POAM task assignment
  • Evidence file management
  • Full audit log
Get Started
Enterprise
$199
per month
  • Unlimited team members
  • Everything in Professional
  • Policy Generation Wizard
  • Policy Handbook PDF export
  • Priority email support
Get Started
FAQ
Common questions
The Supplier Performance Risk System (SPRS) score is a DoD-required number from −203 to +110 reflecting your cybersecurity posture under NIST SP 800-171. Contracting officers verify your SPRS score before awarding DoD contracts. CSATool calculates yours automatically using official DoD Annex A point values.
No. CSATool is a self-assessment and documentation platform. It helps you evaluate your readiness, calculate your SPRS score, and prepare your SSP and POAM. CMMC Level 2 certification still requires a formal assessment by an accredited C3PAO. CSATool helps you prepare for that assessment.
Yes. CSATool includes the Canadian CPCSC (Canadian Program for Cyber Security Certification) framework based on ITSP.10.171, which mirrors CMMC requirements for Canadian government suppliers and defense contractors.
The Policy Wizard generates all 14 CMMC domain policy documents — Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Each is pre-populated with your organization's details and exported as a signed PDF.
Yes. CSATool is built and operated by Softchoice Solutions with security-first practices. Data is encrypted in transit (TLS) and at rest. Every organization's data is fully isolated. We do not share or sell assessment data to any third party.

Ready to know your SPRS score?

Start your first assessment today. No credit card required.

Create Your Account