CMMC Level 2  ·  ITAR  ·  Open Source

Built for environments
that get audited.

A self-hosted dashboard for defense contractors tracking CMMC Level 2 and ITAR posture. Real-time SPRS scoring, full POA&M lifecycle, evidence management — all data stays on your machine.

130 practices tracked · 14 CMMC domains · 4 Microsoft overlays · 0 cloud dependencies

Overview — SPRS score, domain health, burndown chart, critical practices

Everything the program needs.
Nothing it doesn't.

110 CMMC + 20 ITAR practices
Full CMMC Level 2 practice set pre-loaded across all 14 domains, plus a complete ITAR controls track. Set status, risk level, owner, due date, and notes on each practice. Filterable, sortable, fully audited.
Real-time SPRS score (DoD Assessment Methodology v1.2.1)
Live SPRS score computed from practice statuses using DoD weighting. Per-domain breakdown, historical trend, at-a-glance gauge.
POA&M lifecycle
Create findings, assign remediation plans, track milestone progress (0–100%), record responsible parties. Full change history on every item.
Evidence management
Attach files or URLs to any practice. Per-practice evidence drawer with assessment objective status tracking (met / partial / not met).
Microsoft overlay packs
Built-in mappings for M365 GCC High, Azure Government, Defender, and Purview. See which controls are inherited vs. customer-owned.
Printable assessment report
Cmd+P renders a clean report — no export wizard, no formatting issues. Optimized print stylesheet, ready for C3PAO briefings.
Activity & audit log
Immutable record of every practice change, login event, and admin action. Who changed what field, from what value, at what time.
Automated nightly backups
Dockerized backup: pg_dump + evidence files every night. 30-day retention, weekly verification, one-command restore.
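How the SPRS score feature above turns practice statuses into a number, as an added example (not the project's own code): the DoD Assessment Methodology starts at 110 and subtracts the weight of every unimplemented practice, with partial credit only for 3.5.3 and 3.13.11. The practice weights in the constructed sample are illustrative placeholders except for those two, which are 5-point practices; real values come from the methodology's Annex A table.

```typescript
// Added example (not the project's code): computing a SPRS score from practice
// statuses under the DoD Assessment Methodology, as a dashboard like this one
// would. Sample weights are illustrative; the real values come from Annex A.

type Status = "met" | "partial" | "not_met";

interface Practice {
  id: string;        // NIST SP 800-171 practice identifier, e.g. "3.1.1"
  weight: 1 | 3 | 5; // point value assigned by the methodology
  status: Status;
}

const MAX_SCORE = 110;

// Every assessment starts at 110 and loses the weight of each practice that is
// not implemented. Exactly two practices earn partial credit (3 points deducted
// instead of 5): 3.5.3 when MFA covers remote and privileged access but not all
// users, and 3.13.11 when encryption is in use but not FIPS-validated. A
// "partial" status on any other practice is still a full deduction.
const PARTIAL_CREDIT: Record<string, number> = { "3.5.3": 3, "3.13.11": 3 };

function deduction(p: Practice): number {
  switch (p.status) {
    case "met": return 0;
    case "not_met": return p.weight;
    case "partial": return PARTIAL_CREDIT[p.id] ?? p.weight;
  }
}

function sprsScore(practices: Practice[]): number {
  return practices.reduce((score, p) => score - deduction(p), MAX_SCORE);
}

// Per-domain breakdown keyed by the family prefix of the id (3.1 = Access
// Control, 3.5 = Identification and Authentication, 3.13 = System and
// Communications Protection, ...).
function deductionsByDomain(practices: Practice[]): Record<string, number> {
  const out: Record<string, number> = {};
  for (const p of practices) {
    const family = p.id.split(".").slice(0, 2).join(".");
    out[family] = (out[family] ?? 0) + deduction(p);
  }
  return out;
}

// Constructed sample. Practices not listed are treated as implemented, so only
// the ones that cost points need to appear. 3.5.3 and 3.13.11 really are
// 5-point practices; the other weights are placeholders.
const SAMPLE: Practice[] = [
  { id: "3.1.1",   weight: 5, status: "met" },
  { id: "3.1.20",  weight: 1, status: "not_met" },
  { id: "3.5.3",   weight: 5, status: "partial" }, // MFA for remote/privileged only
  { id: "3.8.9",   weight: 1, status: "not_met" },
  { id: "3.13.11", weight: 5, status: "partial" }, // encryption present, not FIPS
];

console.log(sprsScore(SAMPLE), deductionsByDomain(SAMPLE));
```

With the sample, the two partial-credit practices cost 3 each and the two 1-point gaps cost 1 each, so the score is 102; a "partial" on any practice other than 3.5.3 or 3.13.11 is scored as not implemented.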

Built for environments
that get audited.

A compliance tool that isn't itself secure undermines the program it tracks. Every layer reviewed against OWASP Top 10.

  • bcrypt password hashing: cost factor 13 (OWASP ASVS §2.4.1). Complexity enforced: uppercase, lowercase, digit, symbol. Password history blocks reuse of the last 5. A dummy hash is verified for unknown users, so login timing does not reveal which accounts exist.
  • JWT sessions with token revocation: 8-hour absolute TTL with a 30-minute inactivity timeout. Per-token JTI blacklist on logout plus per-user invalidation on deletion, enforced on every request.
  • CSRF double-submit cookies: timing-safe comparison via crypto.timingSafeEqual on all mutation endpoints (POST, PATCH, DELETE).
  • Database-backed rate limiting: 5 failed logins → 15-minute lockout recorded in PostgreSQL (survives restarts). Nginx: 3 req/s login, 10 req/s API, 2 req/s evidence upload, 1 req/min backup.
  • Zod schema validation on every endpoint: all mutating routes validate against typed schemas before touching the DB. Parameterized queries throughout; no raw SQL with user input.
  • Role-based access control: viewer / editor / admin enforced at the API layer. Backup restore never imports password hashes.
  • Docker secrets, never env vars: Postgres password and NextAuth secret stored as Docker secret files, injected at runtime, never written to the environment or logs.
  • Nonce-based CSP and 12 security headers: per-request cryptographic nonce in script-src, no unsafe-inline or unsafe-eval. HSTS, X-Frame-Options, Referrer-Policy set at the proxy layer. Backup exports are HMAC-signed and imports verify integrity; file uploads are checked against magic bytes.
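The login-path hardening in the first and fourth bullets (dummy hash for unknown users, five failures then a 15-minute lockout) as an added example, not the project's code. Two assumptions make it run stand-alone: scrypt from node:crypto stands in for bcrypt so no npm package is needed, and an in-memory Map stands in for the PostgreSQL lockout table.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Added example (not the project's code) of the login hardening described above:
// a dummy credential is verified for unknown accounts so response time does not
// reveal which emails exist, and five failures lock the account for 15 minutes.
// Assumptions: scrypt stands in for bcrypt; a Map stands in for the DB table.

const MAX_FAILURES = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

interface User { email: string; salt: Buffer; hash: Buffer; }
interface LockoutRow { failures: number; lockedUntil: number; } // one DB row per account

function hashPassword(password: string, salt: Buffer): Buffer {
  // N is the work factor, the scrypt analogue of a bcrypt cost; 2^14 keeps the
  // example quick and stays under node's default 32 MiB scrypt memory cap.
  return scryptSync(password, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

function createUser(email: string, password: string): User {
  const salt = randomBytes(16);
  return { email, salt, hash: hashPassword(password, salt) };
}

// Verifying against this costs exactly as much as verifying a real user, so a
// login attempt for an unknown email takes as long as a wrong password.
const DUMMY: User = createUser("dummy@invalid", randomBytes(32).toString("hex"));

class LoginService {
  private lockouts = new Map<string, LockoutRow>();

  constructor(private users: Map<string, User>, private now: () => number = Date.now) {}

  login(email: string, password: string): "ok" | "invalid" | "locked" {
    const row = this.lockouts.get(email) ?? { failures: 0, lockedUntil: 0 };
    if (row.lockedUntil > this.now()) return "locked";

    // Always run the hash, even when the user does not exist.
    const user = this.users.get(email);
    const target = user ?? DUMMY;
    const candidate = hashPassword(password, target.salt);
    const matches = timingSafeEqual(candidate, target.hash);
    if (user !== undefined && matches) {
      this.lockouts.delete(email); // success clears the failure counter
      return "ok";
    }

    row.failures += 1;
    if (row.failures >= MAX_FAILURES) {
      row.lockedUntil = this.now() + LOCKOUT_MS;
      row.failures = 0;
    }
    this.lockouts.set(email, row); // persisted, so it survives a restart
    return "invalid";
  }
}
```

The lockout is keyed by account, not by client, so anyone who knows an email can lock its owner out for 15 minutes; that is the trade-off the per-IP login limit at nginx is meant to complement. Note also that the correct password is refused while the lock is active, which is what makes the counter useful against online guessing.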
Architecture diagram: client browser → HTTPS (:80/:443) → nginx reverse proxy (rate limiting, TLS, 12 security headers) → :3000 Next.js 14 app (TypeScript, standalone build, auto-migrations) → SQL over 127.0.0.1 → PostgreSQL 15 (not exposed to the host network). A backup container runs nightly pg_dump with 30-day retention and verification on restore.
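The session rules in the second bullet above (8-hour absolute TTL, 30-minute inactivity timeout, JTI blacklist on logout, per-user invalidation on deletion, all checked per request) as an added example, not the project's code. The dashboard uses NextAuth; the minimal HS256 signer here exists only so the example runs stand-alone, and the blacklist and last-activity tables are in-memory structures standing in for database tables. The point worth seeing in code is that an inactivity timeout cannot live inside a stateless JWT: the server has to record the last request per JTI, and once it has that table, per-token and per-user revocation come almost for free.

```typescript
import { createHmac, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";

// Added example (not the project's code): HS256 session tokens with absolute
// expiry, inactivity timeout, JTI revocation and per-user revocation. The
// in-memory Set/Maps stand in for database tables; the signer stands in for
// NextAuth so that the example runs without dependencies.

const ABSOLUTE_TTL_S = 8 * 60 * 60;
const INACTIVITY_S = 30 * 60;

interface Claims { sub: string; jti: string; iat: number; exp: number; }

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

function sign(claims: Claims, key: Buffer): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", key).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

function verify(token: string, key: Buffer): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  // The algorithm is pinned server-side; the header's alg is never consulted,
  // which rules out "alg: none" and HS/RS key-confusion tricks.
  const expected = createHmac("sha256", key).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
  } catch {
    return null;
  }
}

class SessionStore {
  private revoked = new Set<string>();             // JTI blacklist (a DB can prune rows past exp)
  private lastSeen = new Map<string, number>();    // jti -> unix seconds of last request
  private byUser = new Map<string, Set<string>>(); // sub -> live JTIs, for per-user revocation

  constructor(private key: Buffer, private now: () => number = () => Math.floor(Date.now() / 1000)) {}

  issue(sub: string): string {
    const iat = this.now();
    const jti = randomUUID();
    this.lastSeen.set(jti, iat);
    let live = this.byUser.get(sub);
    if (!live) { live = new Set(); this.byUser.set(sub, live); }
    live.add(jti);
    return sign({ sub, jti, iat, exp: iat + ABSOLUTE_TTL_S }, this.key);
  }

  // Called on every request: signature, absolute TTL, blacklist, inactivity.
  authenticate(token: string): Claims | null {
    const claims = verify(token, this.key);
    if (!claims) return null;
    const now = this.now();
    if (now >= claims.exp) return null;             // absolute TTL, carried in the token
    if (this.revoked.has(claims.jti)) return null;  // logged out or user deleted
    const seen = this.lastSeen.get(claims.jti);
    if (seen === undefined || now - seen > INACTIVITY_S) {
      this.revoke(claims.jti);                       // idle too long: dead for good
      return null;
    }
    this.lastSeen.set(claims.jti, now);
    return claims;
  }

  revoke(jti: string): void {
    this.revoked.add(jti);
    this.lastSeen.delete(jti);
  }

  revokeUser(sub: string): void {
    for (const jti of this.byUser.get(sub) ?? []) this.revoke(jti);
    this.byUser.delete(sub);
  }
}
```

Because exp is in the signed token, the absolute limit holds even if the activity table were lost; the inactivity limit and both kinds of revocation depend on the table, which is why the dashboard keeps them in PostgreSQL rather than in memory.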

Four containers.
No cloud required.

Everything runs in Docker Compose on a single machine. No vendor accounts, no SaaS billing, no data leaving your network.

Next.js 14 · TypeScript 5 · PostgreSQL 15 · Node 20
Tailwind · Radix UI · NextAuth · Recharts · Zod 4 · Nginx
nginx: proxy, rate limits, TLS, 12 security headers
app: Next.js 14, standalone build, auto-migrations
db: PostgreSQL 15, bound to 127.0.0.1 only
backup: nightly pg_dump, 30-day retention, verify
$ git clone https://github.com/gtj105/cmmc-dashboard
$ bash scripts/deploy-prod.sh
[OK] Generated postgres secret
[OK] Generated nextauth secret
[?] App URL [http://localhost]:
[OK] Starting containers...
[OK] Migrations applied (000–007)
[OK] Seeded 110 CMMC + 20 ITAR practices
[?] Admin email: admin@company.com
[OK] Admin user created
[DONE] Dashboard at http://localhost

Running in
under a minute.

One script handles secrets generation, database seeding, and first-run setup. Updates are a single command — migrations run automatically on startup.

1. Clone and run setup: generates Docker secrets, prompts for the org URL, creates the admin account.
2. 130 practices seeded automatically: all CMMC Level 2 and ITAR controls pre-loaded at Not Started.
3. Updates: git pull && docker compose up -d --build. Migrations run automatically on startup; no manual database steps.