CMMC 2.0 GitHub Repository Research Report
Generated: 2026-03-11
Scope: CMMC 2.0 Level 2 / NIST SP 800-171 compliance tools, templates, and resources
Repos found: 30 | Downloaded: 26 | Skipped (>100MB): 1 (ckyriaco/Capstone)
1. Executive Summary
After searching GitHub across 9 CMMC-related queries and scanning 26 downloaded repositories, the landscape breaks down into four categories:
- Assessment tracking tools: Web apps and Power BI templates for tracking 110-control compliance (CMMC-Bagel, cmmc-tracker, checkpoint)
- Documentation templates: Markdown/Excel SSP, POA&M, and checklist templates (capetron suite, OpenCMMC)
- Technical audit scripts: PowerShell/Python scanners that test actual system configuration (CMMC-L2-Baseline-Auditor, nistify-800-171r2, WaypointCA)
- Reference/data resources: Control data in machine-readable formats, curated lists (awesome-cmmc, control-parser, datapact-cmmc)
Key finding: The combination of CMMC-Bagel (Power BI dashboard + Excel templates) + jonathancaruso/cmmc-tracker (self-hosted Flask tracker) + neatlabs-ai/checkpoint (standalone HTML assessment) + OpenCMMC (per-control evidence guide) gives you a complete, free CMMC Level 2 compliance program toolkit.
SPRS Note: As of November 10, 2025, DFARS 252.204-7021 is active in DoD contracts. SPRS score reporting is mandatory. Several tools here calculate SPRS automatically.
2. Top 10 Most Useful Repos (Ranked for CMMC Level 2)
🥇 #1 - SecurityBagel/CMMC-Bagel
⭐ 109 stars | GPL-3.0
https://github.com/SecurityBagel/CMMC-Bagel
The gold standard open-source CMMC tool. Power BI dashboard + Excel templates for assessment tracking and POA&M management. Calculates SPRS score automatically (required under 32 CFR Part 170). Works with Excel locally or SharePoint Online.
Immediate value: Download Templates/800-171 Assessment Template.xlsx and Templates/POA&M Template.xlsx and start filling them in today.
🥈 #2 - jonathancaruso/cmmc-tracker
⭐ 1 star | MIT
https://github.com/jonathancaruso/cmmc-tracker
Self-hosted Flask web app tracking all 14 families, 110 requirements, 320 assessment objectives. Docker-ready. Evidence uploads, team assignments, POA&M generator, assessment reports. Deployable on Sean's homelab in 10 minutes.
Immediate value: docker compose up and you have a full compliance tracking system. Includes nist-800-171.xlsx and nist-800-171a.xlsx as data sources.
🥉 #3 - neatlabs-ai/checkpoint
⭐ 2 stars | MIT
https://github.com/neatlabs-ai/checkpoint
Single standalone HTML file covering all 110 NIST 800-171 Rev.2 controls. No setup. Open in browser and go. Tracks SPRS readiness score in real-time. Exports HTML + TXT readiness report. Built by 28-year federal cybersecurity practitioner with C3PAO assessment experience.
Immediate value: Open checkpoint.html right now for an instant gap assessment tool.
#4 - leehowder/OpenCMMC
⭐ 1 star | MIT
https://github.com/leehowder/OpenCMMC
Assessor-aware framework with 35+ markdown files covering SSP templates, per-control evidence artifacts, and continuous monitoring guidance. Written to match what C3PAO assessors actually look for, not just what the standards say.
Immediate value: Per-control evidence files in 05-Evidence/AC/ etc. show exactly what evidence to gather for each requirement.
#5 - capetron/cmmc-compliance-toolkit
⭐ 2 stars | MIT
https://github.com/capetron/cmmc-compliance-toolkit
(by Petronella Technology Group, CMMC Registered Practitioner)
Ready-to-use markdown templates: SSP outline, POA&M template, gap analysis, Level 1 and Level 2 checklists. All version-controllable in git.
Immediate value: templates/ssp-outline.md, templates/poam-template.md, checklists/cmmc-level2-checklist.md
#6 - CainLabs/CMMC-L2-Baseline-Auditor
⭐ 5 stars | MIT
https://github.com/CainLabs/CMMC-L2-Baseline-Auditor
Read-only PowerShell script for Windows systems. Audits against CMMC Level 2 access control, authentication, and logging controls. Generates HTML or CSV pass/fail report. Zero dependencies, just PowerShell.
Immediate value: Run on any Windows system to get an instant compliance snapshot. Perfect for DIB client assessments.
#7 - jonathancaruso/awesome-cmmc
⭐ 0 stars | CC0
https://github.com/jonathancaruso/awesome-cmmc
Curated "awesome list" linking official DoD resources, C3PAO tools, training programs, books, podcasts, cloud infrastructure guides, and open-source tools. Best starting reference index.
Immediate value: Bookmark and use as your CMMC research hub.
#8 - capetron/nist-800-171-controls-matrix
⭐ 1 star | CC BY-SA 4.0
https://github.com/capetron/nist-800-171-controls-matrix
All 110 NIST 800-171 controls mapped to NIST 800-53, CMMC 2.0, ISO 27001, and CIS Controls in a CSV spreadsheet.
Immediate value: nist-800-171-controls-matrix.csv, a cross-framework reference in a single spreadsheet.
#9 - turnstonecompliance/AZ_ImpRef_NIST80053_CMMCKillChainMappings
⭐ 0 stars | CC
https://github.com/turnstonecompliance/AZ_ImpRef_NIST80053_CMMCKillChainMappings
Excel mapping of every CMMC Level 2 control to specific Azure/M365 native services that satisfy it. Built for Microsoft GCC/GCCH environments.
Immediate value: If any DIB clients use Microsoft 365 GCC, this spreadsheet maps exactly which M365 feature addresses which control.
#10 - atkens4real2000-sudo/CMMC-Gap-Assessment-Toolkit
⭐ 1 star | No license
https://github.com/atkens4real2000-sudo/CMMC-Gap-Assessment-Toolkit
Python CLI tool for interactive CMMC Level 2 gap assessment. Covers all 110 controls, estimates SPRS score, generates SSP templates and POA&M items from your responses.
Immediate value: Quick CLI-based gap assessment for technical users.
3. Templates Found
| File | Repo | Format | Purpose |
|---|---|---|---|
| Templates/800-171 Assessment Template.xlsx | CMMC-Bagel | Excel | Assessment tracking (use with Power BI) |
| Templates/POA&M Template.xlsx | CMMC-Bagel | Excel | POA&M management |
| Data/Example Assessment.xlsx | CMMC-Bagel | Excel | Complete filled example |
| Data/Example POA&M.xlsx | CMMC-Bagel | Excel | Complete filled example |
| nist-800-171.xlsx | cmmc-tracker | Excel | 800-171 requirements database |
| nist-800-171a.xlsx | cmmc-tracker | Excel | 800-171A assessment objectives |
| templates/ssp-outline.md | capetron-toolkit | Markdown | SSP template |
| templates/poam-template.md | capetron-toolkit | Markdown | POA&M template |
| templates/cmmc-readiness-assessment.md | capetron-toolkit | Markdown | Self-assessment template |
| checklists/cmmc-level2-checklist.md | capetron-toolkit | Markdown | All 110 controls checklist |
| checklists/cmmc-gap-analysis.md | capetron-toolkit | Markdown | Gap analysis template |
| cmmc-level2-checklist.csv | capetron-checklist | CSV | Level 2 checklist spreadsheet |
| nist-800-171-controls-matrix.csv | controls-matrix | CSV | 110 controls cross-mapped to frameworks |
| reports/poam.csv | rcd-cui | CSV | POA&M in CSV format |
| AZ_ImpRef_NIST80053_ControlMapping_CMMCKillChainMappings.xlsx | turnstonecompliance | Excel | CMMC → Azure services mapping |
| checkpoint.html | checkpoint | HTML | Standalone 110-control assessment tool |
| 05-Evidence/*/ | OpenCMMC | Markdown | Per-control evidence requirements (35+ files) |
| CMMC Bagel Lite.pbit | russellmatt27/CMMCPBI | Power BI | Power BI template (CMMC-Bagel fork) |
| Assessment Template.xlsx | russellmatt27/CMMCPBI | Excel | Assessment template |
| POA&M Template.xlsx | russellmatt27/CMMCPBI | Excel | POA&M template |
4. Tracking & Tooling Options
Dashboard / Visual Tracking
| Tool | Tech | Complexity | Best For |
|---|---|---|---|
| CMMC-Bagel | Power BI + Excel | Low-Medium | Stakeholder reporting, SPRS tracking |
| checkpoint.html | Browser HTML | Zero | Quick gap assessment |
Self-Hosted Web Apps
| Tool | Tech | Complexity | Best For |
|---|---|---|---|
| cmmc-tracker | Python/Flask, Docker | Low | Full lifecycle tracking, team collaboration |
| gapps | Python/Flask, Docker | Medium | Multi-framework GRC platform |
| datapact-cmmc | Python + React, Docker | High | Modern stack alternative |
Automated Scanners
| Tool | Tech | Target | Best For |
|---|---|---|---|
| CMMC-L2-Baseline-Auditor | PowerShell | Windows | Quick Windows compliance snapshot |
| nistify-800-171r2 | Python | Network | Network-level compliance scanning |
| WaypointCA/compliance-scripts | Python | AWS | Cloud evidence collection |
Recommended Stack for Sean's Use Case
If advising DIB SMB clients:
1. checkpoint.html: Initial gap assessment (zero friction)
2. CMMC-Bagel: Ongoing assessment tracking + SPRS calculation
3. cmmc-tracker: Full lifecycle compliance management
4. CMMC-L2-Baseline-Auditor: Windows technical audit
5. OpenCMMC evidence files: Guide what evidence to collect per control
5. Full Inventory Table
| Repo | Stars | Size | License | Value | Status |
|---|---|---|---|---|---|
| SecurityBagel/CMMC-Bagel | 109 | 3.8MB | GPL-3.0 | HIGH | Downloaded |
| bmarsh9/gapps | 654 | 1.4MB | Commons Clause | MEDIUM | Downloaded |
| JAKTOOL/cmmc | 33 | 8.2MB | MIT | LOW* | Downloaded |
| awslabs/compliant-framework-... | 62 | 1MB | Apache 2.0 | LOW† | Downloaded |
| CainLabs/CMMC-L2-Baseline-Auditor | 5 | 56KB | MIT | HIGH | Downloaded |
| jenglish/opencontrol-cmmc | 5 | 24KB | MIT | LOW | Downloaded |
| capetron/cmmc-compliance-toolkit | 2 | 36KB | MIT | HIGH | Downloaded |
| capetron/nist-800-171-toolkit | 1 | 20KB | MIT | MEDIUM | Downloaded |
| capetron/nist-800-171-controls-matrix | 1 | 16KB | CC BY-SA 4.0 | HIGH | Downloaded |
| capetron/cmmc-compliance-checklist | 1 | 20KB | CC BY-SA 4.0 | MEDIUM | Downloaded |
| leehowder/OpenCMMC | 1 | 52KB | MIT | HIGH | Downloaded |
| jonathancaruso/awesome-cmmc | 0 | 8KB | CC0 | HIGH | Downloaded |
| jonathancaruso/cmmc-tracker | 1 | 228KB | MIT | HIGH | Downloaded |
| neatlabs-ai/checkpoint | 2 | 44KB | MIT | HIGH | Downloaded |
| acep-uaf/cmmc-2.0-control-parser | 0 | 16KB | MIT | MEDIUM | Downloaded |
| StingzLD/CMMC_Assessment_Tool | 0 | 4KB | None | LOW | Downloaded |
| FRATERIT/cmmc-checklist | 0 | 4KB | None | LOW | Downloaded |
| russellmatt27/CMMCPBI | 0 | 384KB | GPL-3.0 | MEDIUM | Downloaded |
| atkens4real2000-sudo/CMMC-Gap-Assessment-Toolkit | 1 | 88KB | None | MEDIUM | Downloaded |
| sanjeev-pai/datapact-cmmc | 0 | 452KB | None | MEDIUM | Downloaded |
| WaypointCA/compliance-scripts | 1 | 16KB | MIT | MEDIUM | Downloaded |
| namwiraedd/cmmc-ssp-autogen-saas | 0 | 24KB | None | LOW | Downloaded |
| nightstalker117/nistify-800-171r2 | 0 | 36KB | GPL-3.0 | MEDIUM | Downloaded |
| kcaylor/rcd-cui | 0 | 816KB | None | MEDIUM | Downloaded |
| turnstonecompliance/AZ_ImpRef_... | 0 | 32KB | CC | MEDIUM | Downloaded |
| MrBrooks-code/compliance-toolkit | 2 | 844KB | None | LOW | Downloaded |
| ckyriaco/Capstone | 2 | 147MB | - | SKIP | Over 100MB |
*JAKTOOL/cmmc is a Next.js web app, but its README is just the default Next.js bootstrap text; minimal CMMC-specific value found in scan.
†awslabs only relevant for AWS GovCloud deployments.
6. Next Steps / Recommendations
- Deploy cmmc-tracker on homelab immediately: Docker compose, MIT license, full-featured
- Use CMMC-Bagel Excel templates as the assessment data format: widely understood, Power BI compatible
- Share checkpoint.html with DIB clients as a zero-friction starting point
- Reference OpenCMMC evidence files when preparing for C3PAO assessment
- Run CMMC-L2-Baseline-Auditor on any Windows systems in scope
- Add all HIGH-value repos to the GitHub cmmc-2-0 list for easy reference
Report generated by automated GitHub research agent. All repos downloaded to /lab/research/cmmc-repos/downloads/ and extracted to /lab/research/cmmc-repos/extracted/. Scan notes per-repo in /lab/research/cmmc-repos/scan-notes/.
7. Phase 2 Additions
Added 2026-03-11 via automated subagent research
Skipped (too large)
- utmstack/UTMStack (217MB): full SIEM platform, too large
- intuitem/ciso-assistant-community (216MB): full GRC platform, too large
New Inventory Table
| Repo | Size | Value | Notes |
|---|---|---|---|
| TEKIMAX/cmmc-level-1-compliance | 1MB | HIGH | React/TypeScript CMMC L1 manager, AI chat, Ollama/OpenAI, self-hosted |
| morbidsteve/sre-platform | 11MB | HIGH | Hardened K8s compliance platform, 16 components, Proxmox docs |
| stella-maris-governance/smg-public-governance-templates | 10KB | HIGH | Professional CMMC/NIST governance templates (sanitized, real advisory firm) |
| stella-maris-governance/smg-cmmc-readiness-framework | 3KB | HIGH | Full CMMC L2 readiness methodology + artifacts |
| stella-maris-governance/smg-supply-chain-risk-governance | 3KB | HIGH | C-SCRM / SR domain framework (underserved area) |
| mattj23/cmmc-gen-model | 10KB | HIGH | Python scripts fetch CMMC+NIST data → structured model + OSCAL ⭐5 |
| sean-m-sweeney/GoogleWorkspaceAudit | 257KB | HIGH | Google Workspace compliance audit via Claude MCP, 19 checks, CMMC mapped |
| capetron/incident-response-playbook | 23KB | MEDIUM | IR templates + automation scripts, NIST IR alignment |
| capetron/cybersecurity-awareness-training-materials | 14KB | MEDIUM | 8 training modules, quiz CSV, CMMC AT domain coverage |
| capetron/incident-response-plan-template | 13KB | MEDIUM | NIST 800-61 IR plan template |
| dylan-security-journey/nist-800-171-assessment-simulation | 171KB | MEDIUM | Example SSP + POA&M + report for fictional business |
| Quig-Enterprises/cyber-guardian | 7MB | MEDIUM | Security monitoring platform, compliance bridge, malware + CVE scanning |
| kogunlowo123/devops-devsecops-pipeline | 29KB | MEDIUM | DevSecOps CI/CD with compliance-gate.py |
| kogunlowo123/entra-iam-zero-trust | 18KB | MEDIUM | Zero Trust / Entra ID guide, NIST 800-207, CMMC L2 aligned |
| Cvele21/compliance-auditor | 1.1MB | MEDIUM | AI document compliance scanner (Next.js + Claude/GPT-4) |
| stella-maris-governance/smg-consulting-methodology | 3KB | LOW-MEDIUM | CMMC engagement methodology reference |
| Starbusop/agent-accountability-receipt | 687KB | LOW-MEDIUM | AI agent audit receipts for CMMC AU compliance (niche/novel) |
| ctatum20/cmmc-study | 1.2MB | LOW-MEDIUM | PWA CMMC L2 CCA exam study tool (assessor training) |
| fubak/cmmcwatch | 863KB | LOW | CMMC news aggregator (cmmcwatch.com) |
| kaustuvdutta/CMMC-Level-3-Assessment-of-a-Client | 2.2MB | LOW | DOCX/PPTX case study, assessment format reference |
| stella-maris-governance/smg-capabilities-statement | 3KB | LOW | Consulting firm marketing |
| greenido/ai-security-compliance-news | 381KB | LOW | AI news blog generator, minimal CMMC relevance |
| Son468/auditkit | 2.1MB | LOW | PCI-DSS/SOC2 scanner, not CMMC-specific |
| ctatum20/cmmc-study-ccp | 136KB | LOW | CCP exam study tool (binary only) |
Phase 2 Search Results
GitHub API searches (cmmc+2.0+compliance+tracker, nist+800-171+assessment, cmmc+ssp+template, cmmc+poam) did not surface new repos beyond what was already collected. Top-starred repos already in inventory.
Key Phase 2 Findings
Best additions:
1. mattj23/cmmc-gen-model: Most technically valuable discovery. Python tool that fetches CMMC 2.0 + NIST 800-171 + NIST 800-171A + NIST 800-53 and builds structured OSCAL output. Foundation for custom compliance tools.
2. TEKIMAX/cmmc-level-1-compliance: Production-ready web app for CMMC L1 with AI chat. Self-deployable.
3. morbidsteve/sre-platform: Compliance-ready K8s platform relevant to homelab/DIB. Has Proxmox docs.
4. Stella Maris Governance repos: Three repos from a real SDVOSB CMMC advisory firm. Professional templates and methodology artifacts that mirror what C3PAOs look for.
5. sean-m-sweeney/GoogleWorkspaceAudit: Claude MCP-based Google Workspace auditor. Relevant for DIB contractors on Google.
Supply chain gap filled:
The smg-supply-chain-risk-governance repo addresses the CMMC SR (Supply Chain Risk) domain, an area with almost no tooling in Phase 1.
Updated recommendations:
- Deploy mattj23/cmmc-gen-model to build a local authoritative CMMC control database
- Fork TEKIMAX/cmmc-level-1-compliance for L1 client demos
- Use Stella Maris templates as professional-grade documentation references
- Run sean-m-sweeney/GoogleWorkspaceAudit for any Google Workspace clients