Every capability in the platform, grouped by domain and mapped to the NIST controls it covers. LIVE today unless marked otherwise.
17 plain-English questions. Submit and get every CMMC L1 control assessed plus a finished SSP PDF.
Auto-generated System Security Plan PDF rolled up from your evidence, controls, and policies.
Plan of Action & Milestones with owner, due date, evidence linking, and dashboard widgets.
110 NIST 800-171 R2 controls mapped from official OSCAL. The NIST 800-172 catalog (24 requirements for CMMC L3) is in active development.
24 starter templates customized per tenant. Generate audit-grade policies grounded in your real state.
Automated control posture tracking with drift alerts and rollup metrics.
Automated quarterly SPRS score submission to DoD with reminder workflow and audit trail.
Time-limited (default 14 days), scope-bounded, read-only window into your tenant for an external assessor.
Every user action logged with user, IP, route, and timestamp. Append-only, exportable for an auditor.
Per-control evidence files with version history, control linking, and tagged-by-framework search.
Annual self-attestation cycle with status snapshots and SPRS score history.
Export-ready evidence packages, gap analyses, and control-by-control attestation documents.
Aggregated assessor activity dashboard: time-on-control, gaps identified, modules reviewed.
NIST SP 800-30 inherent + residual scoring with heatmap visualization.
Per-risk treatment PDF with mitigation steps, residual scoring, and assigned owner.
Spin up a POA&M item from any risk with the gap, owner, and due-date prefilled.
Per-scenario financial impact tied to each risk for boardroom-defensible decisions.
Score history per risk showing how the posture moved during the assessment window.
Supplier inventory with criticality scoring, DFARS flow-down tracking, and collection of SPRS scores from vendors.
Curated CMMC training library (hybrid: central + tenant-custom courses).
Per-user training assignments with due dates and auto-reminders.
Auto-graded quizzes and downloadable completion certificates per user.
Awareness training to recognize and report insider-threat indicators.
Dedicated MySQL database per tenant. No row-level multi-tenancy. Tenant breach radius = your tenant only.
TOTP-based 2FA required for every user. No bypasses, no exceptions.
AES-256 field-level encryption for sensitive secrets (SSO config, integration keys), TLS 1.2+ in transit, and per-tenant database isolation.
Auto-timeout, IP-pinned sessions with full audit log of every login and elevation.
Deploy Readyline inside your own infrastructure, including air-gapped environments. The path for primes preparing for L3.
AI analysis of installed software for CVEs, license violations, and supply-chain red flags.
Single sign-on via Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP.
Real OSCAL parsing from the official DoD methodology v1.2.1, not a custom retrofit.
Per-user locale. App surfaces, emails, policies, and PDFs all render in the recipient's language.
Tenant-branded notifications and reminders via Resend with full deliverability.
Programmatic access to controls, risks, POA&Ms, and evidence. Webhooks for event-driven workflows.