This document provides an overview of CMMC Compass, its features, and usage guidelines.
# CMMC Compass - Application Documentation
## Table of Contents
1. [Introduction](#1-introduction)
2. [Core Features](#2-core-features)
3. [Getting Started & Usage](#3-getting-started--usage)
    * [Navigation](#navigation)
    * [Dashboard](#dashboard)
    * [Checklists](#checklists)
    * [Document Repository](#document-repository)
    * [AI Gap Analyzer](#ai-gap-analyzer)
    * [Reports](#reports)
    * [Settings](#settings)
4. [Security and Encryption](#4-security-and-encryption)
5. [Supporting NIST SP 800-171 Compliance](#5-supporting-nist-sp-800-171-compliance)
6. [Frequently Asked Questions (FAQ)](#6-frequently-asked-questions-faq)
7. [Future Development Considerations](#7-future-development-considerations)
---
## 1. Introduction
**CMMC Compass** is a web application designed to assist organizations in navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC). It provides a suite of tools to help manage compliance activities, track progress against CMMC practices, organize evidence, identify gaps, and generate essential compliance reports.
The primary goal of CMMC Compass is to streamline the CMMC preparation process, making it more manageable and organized for businesses handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
---
## 2. Core Features
CMMC Compass offers the following key features:
* **Compliance Dashboard**: Provides a high-level overview of your CMMC compliance status, including overall progress, practice completion rates, and a calculated NIST SP 800-171 score. Visual charts help in quickly assessing readiness.
* **Interactive Checklists**: Detailed checklists for CMMC practices across different levels and domains. Users can:
    * Track the status of each practice ('Not Started', 'In Progress', 'Completed', 'Needs Review').
    * Manage sub-tasks associated with each practice.
    * Filter practices by domain, level, or search terms.
    * **Import Statuses via CSV**: Bulk update practice statuses by uploading a CSV file containing Practice IDs and their corresponding statuses.
* **Document Repository**: A centralized location to upload, store, and manage compliance-related documents and evidence. Documents can be:
    * Categorized by type (e.g., Policy, Procedure, Log File).
    * Linked to specific CMMC practices.
* **AI Gap Analyzer**: An AI-powered tool to analyze potential gaps for a selected CMMC practice. It considers:
    * The current status of related CMMC practices.
    * (Conceptually) Information from linked documents to assess evidence sufficiency.
    * It then provides a justification and lists potentially missing documentation.
* **Report Generation**: Ability to generate key compliance documents:
    * **System Security Plan (SSP)**: Generates a foundational SSP document based on NIST SP 800-18 guidance, populated with CMMC practice data. Allows for uploading a system boundary diagram (image) and a detailed scope document (text) to be included in the SSP.
    * **Plan of Action & Milestones (POAM)**: Generates a POAM template for CMMC practices that are not yet 'Completed', helping to track remediation efforts.
    * Other placeholder reports for overall compliance, practice-level details, and evidence inventory.
* **User Access Controls (Placeholder)**: The application includes UI elements for user role management, but full backend implementation of role-based access control (RBAC) is a future consideration.
* **Settings**: Allows users to manage profile information (placeholder) and application preferences like theme (light/dark mode).
---
## 3. Getting Started & Usage
### Navigation
The application features a persistent sidebar menu for easy navigation between different sections:
* **Dashboard**: The main landing page for a compliance overview.
* **Checklists**: Manage and update CMMC practice statuses.
* **Documents**: Upload and organize evidence.
* **Gap Analysis**: Use AI to identify compliance gaps.
* **Reports**: Generate SSP, POAM, and other reports.
* **Settings**: Manage application and user preferences.
### Dashboard
* View overall CMMC compliance percentage and target level.
* See the number of completed practices versus total practices.
* Monitor your calculated NIST SP 800-171 score (based on CMMC practice completion).
* Check the total number of uploaded evidence documents.
* Interactive charts display CMMC Level Readiness and Compliance by Domain.
* Quick Actions provide shortcuts to common tasks.
### Checklists
* **Filtering**: Use the search bar, domain dropdown, and level dropdown to filter the list of CMMC practices.
* **Viewing Practice Details**: Click on a practice in the accordion to expand its details, including its description, current status, and any associated tasks.
* **Updating Status**: Change a practice's status using the "Status" dropdown within its details.
* **Managing Tasks**: Check/uncheck task checkboxes to mark them as complete/incomplete.
* **Importing Statuses from CSV**:
    1. Prepare a CSV file with two columns: `PracticeID` (e.g., "AC.1.001") and `Status` (e.g., "Completed", "In Progress", "Not Started", "Needs Review").
    2. Click the "Import Statuses from CSV" button on the Checklists page.
    3. Select your CSV file.
    4. The application will parse the file and update the statuses of matching CMMC practices.
    5. Toast notifications will indicate the success or any issues during the import.
* *Note*: Edit/Add/Delete practice/task functionalities are placeholders and not fully implemented.
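The import steps above say the file is parsed and matching practices are updated, but not what happens to rows that do not match. The following TypeScript is an added example, not CMMC Compass project code, showing the validation a status import should do before anything is written to the checklist: it strips a UTF-8 byte-order mark (spreadsheet exports often add one), tolerates quoted fields and mixed case, rejects unknown practice IDs and statuses outside the four allowed values, and reports every problem with its row number instead of silently skipping it. The list of known practice IDs (`KNOWN_PRACTICE_IDS`) and the sample CSV are constructed for the example; the real practice list lives in `src/lib/cmmc-data.ts`.

```typescript
// Added example (not project code): validating a status-import CSV before applying it.

type PracticeStatus = 'Not Started' | 'In Progress' | 'Completed' | 'Needs Review';

const VALID_STATUSES: readonly PracticeStatus[] = [
  'Not Started', 'In Progress', 'Completed', 'Needs Review',
];

// Constructed sample of known practice IDs (the real list is in src/lib/cmmc-data.ts).
const KNOWN_PRACTICE_IDS: readonly string[] = ['AC.1.001', 'AC.1.002', 'SI.1.210'];

interface ImportResult {
  updates: Record<string, PracticeStatus>; // practiceId -> validated status
  errors: string[];                        // one message per rejected or suspicious row
}

// Minimal RFC 4180-style splitter: handles quoted fields with commas and "" escapes.
function splitCsvLine(line: string): string[] {
  const fields: string[] = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"') {
        if (line[i + 1] === '"') { current += '"'; i++; } // escaped quote inside quotes
        else inQuotes = false;
      } else {
        current += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  fields.push(current);
  return fields.map(f => f.trim());
}

function parseStatusCsv(
  text: string,
  knownIds: readonly string[] = KNOWN_PRACTICE_IDS,
): ImportResult {
  const updates: Record<string, PracticeStatus> = {};
  const errors: string[] = [];
  const known = new Set(knownIds);

  // Drop a leading BOM and accept both CRLF and LF line endings.
  const lines = text.replace(/^\uFEFF/, '').split(/\r?\n/);
  if (lines.length === 0 || lines[0].trim() === '') {
    return { updates, errors: ['CSV is empty'] };
  }

  // Header lookup is case-insensitive so "practiceid,status" also works.
  const header = splitCsvLine(lines[0]).map(h => h.toLowerCase());
  const idCol = header.indexOf('practiceid');
  const statusCol = header.indexOf('status');
  if (idCol < 0 || statusCol < 0) {
    return { updates, errors: ['Header must contain PracticeID and Status columns'] };
  }

  for (let n = 1; n < lines.length; n++) {
    if (lines[n].trim() === '') continue;         // blank line (e.g. trailing newline)
    const rowNo = n + 1;                           // 1-based row number including header
    const fields = splitCsvLine(lines[n]);
    const id = (fields[idCol] ?? '').toUpperCase();
    const status = fields[statusCol] ?? '';
    if (!id) { errors.push(`row ${rowNo}: missing PracticeID`); continue; }
    if (!known.has(id)) { errors.push(`row ${rowNo}: unknown practice ${id}`); continue; }
    const match = VALID_STATUSES.find(s => s.toLowerCase() === status.toLowerCase());
    if (!match) { errors.push(`row ${rowNo}: invalid status "${status}" for ${id}`); continue; }
    if (id in updates) errors.push(`row ${rowNo}: duplicate entry for ${id}, last value wins`);
    updates[id] = match;
  }
  return { updates, errors };
}

// Constructed sample input: BOM, a quoted status, a lower-case ID, one bad status, one unknown ID.
const SAMPLE_CSV =
  '\uFEFFPracticeID,Status\n' +
  'AC.1.001,Completed\n' +
  'ac.1.002,"In Progress"\n' +
  'SI.1.210,Done\n' +
  'XX.9.999,Completed\n';

const result = parseStatusCsv(SAMPLE_CSV);
console.log(result.updates); // { 'AC.1.001': 'Completed', 'AC.1.002': 'In Progress' }
console.log(result.errors);  // two messages: invalid status on row 4, unknown practice on row 5
```

Applying the `updates` map only when it is accompanied by the `errors` list (shown in the toast notifications the text mentions) keeps a malformed file from partially overwriting checklist state without the user noticing.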
### Document Repository
* **Uploading Documents**:
    1. Navigate to the "Documents" page.
    2. In the "Upload New Document" card, select a file using the "Document File" input.
    3. The document name will often auto-populate from the filename but can be edited.
    4. Select a "Document Type" from the dropdown.
    5. Optionally, link the document to one or more CMMC practices using the multi-select popover.
    6. Click "Upload Document".
* **Viewing Documents**: Uploaded documents are listed in a table showing their name, type, size, upload date, and linked practices.
* **Actions**:
    * **Download**: Download a copy of the uploaded document.
    * **Edit (Disabled)**: Placeholder for future edit functionality.
    * **Delete**: Remove the document from the repository.
### AI Gap Analyzer
* Navigate to the "Gap Analysis" page.
* Select a CMMC practice from the dropdown list.
* Click "Run Analysis".
* The AI will process information based on the selected practice's requirements, current checklist completion data (across all practices), and (conceptually) any linked documents.
* The results will indicate if sufficient evidence is perceived, provide a justification, and list any identified missing documentation or information.
* *Note*: The effectiveness of the AI depends on the quality and completeness of data available to it. Currently, document content is not deeply analyzed, and the assessment relies more on checklist statuses and the AI's general knowledge of CMMC.
### Reports
* Navigate to the "Reports" page.
* **System Security Plan (SSP)**:
    1. Optionally, upload a System Boundary Diagram (image file) and/or a Detailed Scope Document (text file) in the "Define System Scope for SSP" card.
    2. Click "Generate Report" on the "System Security Plan (SSP)" card.
    3. A `.txt` file containing the SSP, populated with CMMC practice data and any uploaded scope information, will be generated and downloaded. The SSP will contain placeholders that require manual completion with organization-specific details.
* **Plan of Action & Milestones (POAM)**:
    1. Click "Generate Report" on the "Plan of Action & Milestones (POAM)" card.
    2. A `.txt` file will be generated, listing all CMMC practices not yet 'Completed'. It provides a template for detailing remediation plans, responsibilities, and timelines.
* Other reports are placeholders and will generate simulated content.
### Settings
* **Profile**: (Placeholder) View and update user profile information.
* **Preferences**:
    * **Theme**: Toggle between light, dark, and system default themes.
    * **Email Notifications**: (Placeholder) Toggle email notification preferences.
* **User Access Control**: (Placeholder) UI for managing user roles and permissions (requires backend).
* **Security**: (Placeholder) UI for password changes and 2FA enablement (requires backend).
---
## 4. Security and Encryption
* **Data in Transit**: When deployed, the application should be served over HTTPS (standard for Next.js deployments via platforms like Vercel or Firebase App Hosting). HTTPS encrypts data transmitted between your browser and the server, protecting it from eavesdropping.
* **Data at Rest**:
    * The current CMMC Compass application, as a frontend-focused prototype, primarily manages data in the browser's memory during a session. Uploaded files (like documents or scope images for SSP) are handled as client-side `File` objects and Object URLs, meaning they are not persistently stored on a backend server by default in this version.
    * For a production system handling sensitive CUI, data at rest (e.g., in a database or file storage) would need robust encryption. CMMC Level 2 practice SC.2.179 calls for FIPS-validated cryptography when protecting CUI. The choice and implementation of this would depend on the backend and database technologies used in a full deployment, which are outside the current scope of this prototype.
* **Application Security**: The application is built with Next.js and React, leveraging modern web development practices. Regular updates to dependencies and adherence to secure coding practices are important for maintaining application security.
* **AI Data Handling**: AI features (Gap Analyzer) send data (practice IDs, checklist statuses, document URLs/names) to a Genkit-configured AI model (e.g., Google's Gemini). The security of this data during transit to and processing by the AI model is governed by the terms and security practices of the AI provider. Sensitive document *content* is not explicitly sent to the `cmmcGapAnalyzer` flow in the current implementation, only filenames/URLs and metadata. The `evidenceSufficiencyEvaluator` flow *can* send document content if files are uploaded to it.
---
## 5. Supporting NIST SP 800-171 Compliance
CMMC Compass is a tool designed to *assist* organizations in their efforts to comply with NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." CMMC itself is built upon NIST SP 800-171 controls. The application does **not** make your IT systems compliant, but it helps you manage and document your compliance activities.
Here's how CMMC Compass features support your NIST SP 800-171 compliance journey:
* **Checklists & Practice Tracking (Supports multiple NIST SP 800-171 control families)**:
    * The CMMC practices within the application are largely derived from or map directly to NIST SP 800-171 controls. By tracking the status of these practices (AC.1.001, SI.1.210, etc.), you are, in effect, tracking your implementation of the corresponding NIST SP 800-171 requirements.
    * This helps address controls across families like Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).
* **Document Repository (Supports multiple NIST SP 800-171 control families)**:
    * NIST SP 800-171 requires various policies, procedures, and records (e.g., AC Policy, IR Plan, training records, visitor logs). The Document Repository allows you to store and link these evidentiary documents to the relevant CMMC practices (and thus to NIST SP 800-171 controls).
    * This is crucial for demonstrating due diligence and providing evidence during assessments.
* **System Security Plan (SSP) Generation (Directly supports NIST SP 800-171 3.12.4)**:
    * NIST SP 800-171 (Requirement 3.12.4) mandates the development and documentation of a System Security Plan. CMMC Compass generates a foundational SSP based on your CMMC practice data and allows inclusion of system boundary information. This SSP describes how security requirements are met or planned to be met.
* **Plan of Action & Milestones (POAM) Generation (Directly supports NIST SP 800-171 3.12.2)**:
    * NIST SP 800-171 (Requirement 3.12.2) requires organizations to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. The POAM generation feature creates a template for practices not yet 'Completed', helping you document these plans.
* **AI Gap Analyzer (Supports ongoing assessment and improvement)**:
    * While not a direct replacement for manual assessments, the AI Gap Analyzer can help identify potential weaknesses or areas needing more attention for specific CMMC practices, prompting review and improvement, which aligns with the continuous improvement spirit of NIST SP 800-171.
* **NIST SP 800-171 Score on Dashboard**:
    * The dashboard displays a calculated NIST SP 800-171 score. This score is based on the DoD Assessment Methodology, where a starting score of 110 is reduced for each unimplemented NIST SP 800-171 control. CMMC Compass simplifies this by deducting points for each CMMC practice not marked 'Completed'. This provides a quick reference for your assessment readiness.
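The score description above (and the FAQ answer on the same score later in this document) explains the dashboard's simplification in words; the TypeScript below is an added example, not CMMC Compass project code, that makes the arithmetic explicit. `simplifiedScore` is the dashboard method (110 minus one point per practice not 'Completed'); `weightedScore` goes one step beyond the text and applies the DoD Assessment Methodology's per-requirement values of 5, 3 or 1, clamped at that methodology's floor of -203, so you can see how far the flat one-point deduction can drift from an actual assessment score. The `Practice` type, the sample practice list and the `SAMPLE_WEIGHTS` table are constructed for illustration; the real weights come from the methodology's tables, not from this page.

```typescript
// Added example (not project code): dashboard score, domain breakdown, and a weighted variant.

type PracticeStatus = 'Not Started' | 'In Progress' | 'Completed' | 'Needs Review';

interface Practice {
  id: string;             // e.g. "AC.1.001" (domain.level.number)
  status: PracticeStatus;
}

const STARTING_SCORE = 110;  // one point per NIST SP 800-171 requirement
const MINIMUM_SCORE = -203;  // DoD methodology floor: every weighted point deducted

// Dashboard method from the text: deduct 1 point for each practice not marked 'Completed'.
function simplifiedScore(practices: readonly Practice[]): number {
  const incomplete = practices.filter(p => p.status !== 'Completed').length;
  return STARTING_SCORE - incomplete;
}

// Weighted variant: each unimplemented requirement costs 5, 3 or 1 points under the
// DoD methodology. A practice with no known weight falls back to 1, i.e. the dashboard rule.
function weightedScore(
  practices: readonly Practice[],
  weights: Readonly<Record<string, number>>,
): number {
  let deduction = 0;
  for (const p of practices) {
    if (p.status !== 'Completed') deduction += weights[p.id] ?? 1;
  }
  return Math.max(MINIMUM_SCORE, STARTING_SCORE - deduction);
}

// "Compliance by Domain" chart data: completed / total per domain prefix (AC, SI, ...).
function completionByDomain(
  practices: readonly Practice[],
): Record<string, { completed: number; total: number }> {
  const out: Record<string, { completed: number; total: number }> = {};
  for (const p of practices) {
    const domain = p.id.split('.')[0];
    const entry = out[domain] ?? (out[domain] = { completed: 0, total: 0 });
    entry.total += 1;
    if (p.status === 'Completed') entry.completed += 1;
  }
  return out;
}

// Overall completion percentage shown on the dashboard, rounded to one decimal place.
function completionPercent(practices: readonly Practice[]): number {
  if (practices.length === 0) return 0;
  const done = practices.filter(p => p.status === 'Completed').length;
  return Math.round((done / practices.length) * 1000) / 10;
}

// Constructed sample: four practices, two of them incomplete.
const SAMPLE_PRACTICES: Practice[] = [
  { id: 'AC.1.001', status: 'Completed' },
  { id: 'AC.1.002', status: 'Not Started' },
  { id: 'SI.1.210', status: 'Completed' },
  { id: 'SI.1.211', status: 'Needs Review' },
];

// Constructed sample weights; SI.1.211 is deliberately absent to show the fallback to 1.
const SAMPLE_WEIGHTS: Record<string, number> = { 'AC.1.001': 5, 'AC.1.002': 5, 'SI.1.210': 5 };

console.log('simplified score:', simplifiedScore(SAMPLE_PRACTICES));             // 108
console.log('weighted score:', weightedScore(SAMPLE_PRACTICES, SAMPLE_WEIGHTS)); // 104
console.log('completion %:', completionPercent(SAMPLE_PRACTICES));               // 50
console.log('by domain:', completionByDomain(SAMPLE_PRACTICES));
```

With the full practice list loaded, the gap between the two functions is what an assessor would see that the dashboard does not: a single unimplemented 5-point requirement costs the same one point as a 1-point requirement in the simplified score.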
**Disclaimer**:
CMMC Compass is a tool to aid in the management of CMMC and NIST SP 800-171 compliance activities. Using this application does not, by itself, guarantee compliance or certification. Organizations are responsible for ensuring their systems, policies, and procedures meet all applicable requirements. The generated SSP and POAM are templates and require thorough review and customization with organization-specific details.
---
## 6. Frequently Asked Questions (FAQ)
* **Q: How is my data stored and protected?**
    * A: In its current prototype form, most data (like checklist statuses) is managed in your browser's memory during your session. Uploaded files for the Document Repository or SSP scope are handled as client-side objects and are not persistently stored on a backend server unless explicitly configured in a full deployment. For a production environment handling CUI, robust backend storage with encryption at rest (e.g., FIPS-validated) and secure access controls would be essential.
* **Q: Can I customize the CMMC practices or add my own?**
    * A: Currently, CMMC Compass uses a predefined, comprehensive list of CMMC practices (from `src/lib/cmmc-data.ts`). Customization or addition of practices is not a built-in feature in this version.
* **Q: Is CMMC Compass itself CMMC certified or NIST SP 800-171 compliant?**
    * A: No. CMMC Compass is a software tool designed to *help your organization* achieve and manage its CMMC certification and NIST SP 800-171 compliance. The tool itself is not subject to CMMC certification in the same way an organization's information system handling CUI is.
* **Q: What if I find an error in a CMMC practice description or data?**
    * A: The CMMC practice data is sourced from `src/lib/cmmc-data.ts`. If you identify discrepancies, this file would need to be updated by a developer with access to the codebase.
* **Q: How does the AI Gap Analyzer work? What data does it use?**
    * A: The AI Gap Analyzer (specifically `cmmcGapAnalyzer`) uses a Genkit flow that sends the selected CMMC Practice ID, a summary of all practice completion statuses (`checklistCompletion`), and a list of document URLs/names (`uploadedDocuments`) to an AI model. The AI then uses its knowledge of CMMC requirements to assess potential gaps based on this input. It does not deeply analyze the *content* of the documents in the `cmmcGapAnalyzer` flow but rather considers their presence as potential evidence. The `evidenceSufficiencyEvaluator` flow *can* analyze document content if files are provided to it.
* **Q: Can multiple users collaborate using CMMC Compass?**
    * A: The current version is primarily designed as a single-user experience running in the browser. True multi-user collaboration with shared state would require a backend database and authentication system.
* **Q: What does the NIST SP 800-171 Score on the dashboard represent?**
    * A: It's an estimated score based on the DoD Assessment Methodology. You start with 110 points, and points are deducted for each NIST SP 800-171 control not implemented. CMMC Compass approximates this by deducting 1 point for each CMMC practice in its list that is not marked as 'Completed'. This provides a snapshot of your compliance posture relative to a perfect score.
---
## 7. Future Development Considerations
While CMMC Compass is a powerful tool, potential future enhancements could include:
* **Backend Integration**: For persistent data storage, multi-user collaboration, and robust user authentication/authorization.
* **Full User Access Control (RBAC)**: Implementing distinct roles (Admin, Manager, Contributor, Auditor) with granular permissions.
* **Direct Evidence Linking in Reports**: Allowing generated SSPs to directly reference or even embed snippets from uploaded evidence documents.
* **Advanced Reporting & Customization**: More sophisticated reporting options and the ability for users to build custom reports.
* **Workflow & Notifications**: Features to assign tasks, set deadlines, and notify users of upcoming or overdue items.
* **Deeper AI Integration**: Enhancing AI capabilities to provide more detailed analysis of uploaded document content against CMMC requirements.
* **API for Integrations**: Allowing CMMC Compass to connect with other GRC or security tools.
---
*This documentation is for CMMC Compass Version [Specify Version if Applicable, otherwise omit]. Information is subject to change.*