Three plans · L1, L2, L3

Built for every CMMC level.

Start with FAR 52.204-21 self-attestation on Starter, scale to full CMMC L2 with Pro, or deploy Self-hosted on-prem for CMMC L3 and air-gapped environments.

Every plan starts with a 30-minute founder-led demo. No deck, no pressure.

Recommended

Pro

CMMC L2 / NIST 800-171 R2 + R3
CMMC L2 coverage

5 seats included

For DoD contractors pursuing CMMC L2 certification. Full 800-171 R2/R3 catalog, risk register, C3PAO assessor mode, and auditor-ready exports.

Book a demo 30 min · founder-led · no slides
Who this is for
  • 5-100 employee DoD subcontractor
  • Pursuing CMMC L2 certification this year
  • Handles CUI or has flow-down from a prime
  • Has a C3PAO walkthrough booked or coming up
What's included
  • Everything in Starter, plus:
  • Full NIST 800-171 R2 (110 controls)
  • NIST 800-171 R3 + R2↔R3 crosswalk
  • Risk Register 5×5 NIST 800-30 + treatment plan PDF
  • 24 policy templates · Asset inventory
  • Personnel training tracker · Evidence freshness monitor
  • C3PAO assessor mode (scoped, time-limited)
  • 4-role taxonomy · Per-tenant IP allowlist
  • Login alerts + MaxMind geo · MFA admin reset
  • SSP L1+L2 variants · Revision history archive
  • Priority email support (24h)

Starter

CMMC L1 / FAR 52.204-21
CMMC L1 coverage

2 seats included

For small DoD subs that only need to self-attest FAR 52.204-21 and CMMC Level 1 (17 practices).

  • L1 Auto-Pilot Wizard: 20-min SSP
  • NIST 800-171 R2 (17 L1 controls)
  • FAR 52.204-21 self-attestation
  • SSP PDF (L1 variant) · SPRS auto-calc
  • POA&M tracker (basic)

Self-hosted

CMMC L3 / NIST 800-172 (24 reqs selected for CMMC L3) · on-prem deployment
CMMC L3 coverage

Custom seat count · self-hosted

Deploy Readyline GRC inside your own infrastructure, including air-gapped environments. Full CMMC L1+L2 catalog plus our NIST 800-172 module in active development — ready before the DoD's L3 window opens (Phase 3, Nov 2027). For prime contractors and primes-by-flow-down who can't put compliance data in a shared SaaS tenant.

  • Everything in Pro, plus:
  • On-premise deployment: your infrastructure, your control
  • Air-gapped operation supported
  • NIST 800-172 (24 enhanced reqs selected for CMMC L3)
  • SSP L3 variant
Book a demo On-prem · Self-hosted · Air-gapped option

Feature comparison

All three plans, side by side. A check means it ships today; a clock marks an item still on the L3 roadmap.

Feature | Starter (CMMC L1) | Pro (CMMC L2) | Self-hosted (On-prem · L3)
Scope · CMMC level | L1 only | L1 + L2 | L1 + L2 + L3
Users included | 2 · seats per add-on | 5 · seats per add-on | Unlimited
L1 Auto-Pilot Wizard
NIST 800-171 R2 (110 controls) | 17 L1 subset
NIST 800-171 R3 + R2↔R3 crosswalk
NIST 800-172 (24 reqs for CMMC L3)
FAR 52.204-21 · SPRS auto-calc · SSP PDF
POA&M tracker | Basic | + evidence
Risk Register (5×5 NIST 800-30)
24 policy templates
Asset inventory · Training tracker · Evidence freshness
C3PAO read-only assessor mode
Per-tenant IP allowlist · Login alerts + geo
4-role taxonomy | 2 roles | 4 roles | + custom
SSP revision history archive
Audit log retention | 90 days | Unlimited | Unlimited
2FA TOTP · 8 recovery codes · MFA admin reset
SSO / SAML
Support | Email · 48h | Priority email · 24h | Phone + Slack + SLA

Pro is the recommended starting point for any contractor pursuing CMMC Level 2.

See the full capability matrix

33+ capabilities mapped to NIST 800-171 + 800-172

CMMC Level 3 · Phased rollout

Get notified when L3 opens for new tenants

The DoD CMMC Level 3 program is in phased rollout under DCMA DIBCAC. We notify you the week L3 opens to new prime contractors, with no drip emails in between.

  • First-week alert when L3 opens to new prime contractors.
  • Honest read on whether L3 is right for your CUI scope.
  • No drip emails. No follow-up sales pressure.

Join the L3 waitlist

Five fields. Single confirmation email.

We use this only to notify you about L3 availability. See our privacy policy.

Premium onboarding · Founder-led

Skip the learning curve. Spend an hour with the founder.

1-hour video call. Your tenant configured together.

Walk through tenant configuration, review your first 10 controls, and validate the SSP export. Each call is a working session, not a sales demo.

  • Tenant configuration walkthrough end-to-end
  • First 10 L1/L2 controls reviewed together
  • First SSP PDF export validated on the call
  • Personalized roadmap for the rest of the catalog
  • Direct line to the founder for 30 days post-call

Mention it on your demo call. On Self-hosted, this onboarding call is included.

Ready to talk?

30 minutes. Founder-led. No slides. Walk away with a clearer view of your CMMC posture, either way.

Book a demo

Reply within 1 business day · ES/EN · or email us directly.

FAQ

Common questions

Self-hosted is Readyline GRC deployed inside your own infrastructure: on-prem, air-gapped, or inside a sovereign cloud. We help you stand it up; you own the data and the runtime. It's the path for prime contractors, primes-by-flow-down, and anyone whose compliance/audit posture can't tolerate a shared SaaS tenant. It comes with CMMC L1+L2+L3 (including NIST 800-172), SSO/SAML, unlimited users, and SLA + Slack support. Pricing is custom, based on user count and deployment scope.

Yes. Request the upgrade to Pro from your billing page and we'll send a Stripe invoice; once it's settled, your tenant unlocks the full L2 catalog, Risk Register, C3PAO assessor mode, and every other Pro feature. Your existing L1 assessments and SSP carry over.

30 minutes with our team. No slides: we walk through your CUI scope, look at the L1 Auto-Pilot Wizard on a fresh tenant, and answer compliance questions in plain English. If Readyline is a fit, we set up your tenant the same day and you start uploading evidence. If it's not, you still walk away with a clearer view of your CMMC posture.

No. Readyline is a compliance tracking platform, not a CUI handler. The NIST 800-171 §3.13.11 cryptography requirement applies to the tools that actually store your CUI (PreVeil, Kiteworks, Virtru), not to a compliance tracker. Upload your non-CUI artifacts: policies, procedures, screenshots, training records.

Starter includes 2 seats, Pro includes 5. Need more? Extra seats are sized on the demo call and added to your invoice. Self-hosted is unlimited users. Per-seat pricing is set to your commitment length and total team size.