1. Setup

Sign up and scope your company

A five-screen setup wizard captures your company profile: what you do, how many employees you have, the types of DoD contracts you hold, which categories of Controlled Unclassified Information (CUI) you handle, and how many information systems are in scope.

Based on your answers, Verdiex flags whether you need Level 1 self-attestation (17 controls) or Level 2 third-party assessment (all 110 controls, C3PAO required). If you already know your level, the scoping step simply confirms it and you move on.

Takes about 10 minutes
Determines whether you need Level 1 or Level 2
Saved progress, resume any time
[Product screen: Company Setup Wizard, step 3 of 5]
1. Company profile and size
2. Contract types and CUI categories
3. System count and boundary
4. CMMC level determination (auto)
5. Confirm scope
2. Questionnaire

Answer the guided questionnaire

The questionnaire has 70 to 90 plain-English questions covering all 14 NIST SP 800-171 control families. Each question maps directly to one or more of the 110 controls. You are never asked a question that does not have a clear purpose.

The questionnaire saves automatically after every answer. Close the browser and pick up where you left off. Most small contractors complete the questionnaire in two to four focused work sessions. You do not need to finish in one sitting.

Plain English, no technical jargon required
Each question explains why it is being asked
Saves automatically, resume any time
Progress shown across all 14 control families
[Product screen: Questionnaire, Access Control, family 1 of 14, 42 of 110 controls]
AC 3.1.3: Do you have documented policies that prevent CUI from being accessed by unauthorized systems or individuals? (Yes / Partial / No / N/A)
AC 3.1.4: Is the ability to approve and execute significant transactions separated between different individuals? (Yes / Partial / No / N/A)
3. SSP Generation

Your System Security Plan, drafted automatically

As you answer the questionnaire, Verdiex builds your System Security Plan in the background. Your answers become implementation statements for each of the 110 controls. The SSP follows the structure DoD expects of a System Security Plan document.

Every control is editable. The automatically generated text is a starting point; add specifics about your environment, attach evidence, and refine the language until it accurately reflects your actual implementation. When you are done, export to Word or PDF for your C3PAO.

Generated from your questionnaire answers
Every control is individually editable
Word and PDF export when ready
Assessment-ready format
[Product screen: System Security Plan, 14 of 14 families]
Access Control (AC): 22 controls, Complete
Audit and Accountability (AU): 9 controls, Complete
Incident Response (IR): 3 controls, In review
System and Comm. Protection (SC): 16 controls, Complete
Export options: Word (.docx), PDF
4. SPRS Score

Watch your SPRS score in real time

Your Supplier Performance Risk System (SPRS) score is calculated automatically from your control responses, using the DoD methodology. The score runs from negative 203 to positive 110. You are required to submit this score to the DoD SPRS system.

The score is broken down by control family so you can see exactly which domains are driving gaps. A "projected score after POA&M completion" view shows you what your score would be once planned remediation is done.

Calculated using DoD's point-deduction methodology
Broken down by all 14 control families
Updates instantly when you update control responses
Projected score view after planned remediation
[Product screen: SPRS Score Dashboard]
Score: 82 out of 110 maximum, 14 gaps remaining
By control family: AC 20/22, AU 7/9, IA 8/11, SC 10/16, SI 4/7
5. Evidence and Gaps

Manage evidence and close your gaps

The evidence vault organizes your supporting documentation by control family. Attach policies, screenshots, configuration exports, or any other artifacts that demonstrate a control is implemented. Your C3PAO will want to see this evidence during assessment.

Any control that is not fully implemented generates a POA&M (Plan of Action and Milestones) entry automatically. Assign due dates, owners, and remediation steps. As gaps close, your SPRS score updates in real time.

Evidence organized by all 14 control families
POA&M generated automatically for every gap
Assign owners and due dates to each gap
SPRS score updates as gaps close
[Product screen: Evidence Vault and POA&M, 14 open items]
Access Control: Access policy v2.pdf; AD screenshot.png; MFA screenshot needed
Audit: Log config export.txt; SIEM policy needed; Alert config needed
Open POA&M items:
3.5.3: MFA for privileged accounts (High)
3.13.11: FIPS-validated cryptography (High)
3.3.5: Correlate audit records (Med)
Get started

Ready to build your System Security Plan?

Join the early access list. We will email you when the product opens and walk you through your first SSP draft.

Free trial on every plan. No card required.