Week one of a CMMC readiness engagement usually feels productive. The consultant pulls up the 110 controls from NIST SP 800-171, maps them to the client's environment, and starts checking boxes. By week two there is a spreadsheet with color-coded status columns. Everyone is cautiously optimistic.
By week three the project stalls. Not because the controls are wrong or the mapping is bad, but because someone asks the obvious question: where is the evidence? The access control policy was last reviewed eighteen months ago. The audit log exports live in a SharePoint folder that three people have access to and nobody has opened since the last internal review. The vulnerability scan results are in a ticketing system, but they are not tagged to controls and half of them reference infrastructure that has since been decommissioned.
By week six the engagement is not behind on controls. It is behind on evidence. The gap is not in what the organization knows it should do. The gap is in proving it actually did those things, recently, with artifacts that an assessor would accept.
What existing tools actually solve
The market is not short on CMMC tooling. GRC platforms handle control mapping and policy libraries well. Compliance management suites track assessment timelines and generate reports. Some of them are genuinely useful for teams that have already solved the evidence problem and need a system of record on top of it.

But most of these tools assume the evidence already exists, is current, and is organized. They provide a place to reference artifacts. They do not solve the operational problem of figuring out which artifacts you actually have, whether they are fresh enough to matter, or which controls are still sitting on nothing but a policy document that nobody has tested.
That operational layer, the layer between "we have a control framework" and "we can hand an assessor a complete evidence package," is where most readiness efforts lose weeks. It is tedious, repetitive, and unglamorous work. It is also the work that determines whether a readiness engagement finishes on time or quietly falls apart.
What we built
Menagos CMMC Evidence Factory is an open-source, local-first tool built for that operational layer. It is deliberately narrow. It does not try to be a GRC platform or an assessment management suite. It focuses on six things:
- Load CMMC Level 2 controls from YAML-based control packs
- Accept artifact uploads including policies, screenshots, configurations, scan reports, and training records
- Suggest which controls an artifact supports using deterministic heuristic matching
- Track evidence-to-control mappings with strength ratings: strong, partial, or weak
- Compute freshness status per control based on artifact age and type-specific rules
- Export readiness summaries in Markdown, JSON, or CSV

The tool runs on a laptop with no cloud dependencies and makes zero outbound network calls. It is built with Python, FastAPI, React, and SQLite.
Why local-first matters
CMMC readiness work routinely involves CUI-adjacent data. Scan results reference system architectures. Configuration exports describe network segmentation. Policy documents name internal tools, processes, and personnel. Uploading that material to a SaaS platform creates a data handling question that most small defense contractors are not ready to answer, especially before they have finalized their CUI boundaries.

Local-first means the evidence never leaves the environment it was collected in. For consultants working across multiple clients, it also means portability. Clone the repo, point it at a fresh database, and you have an isolated instance per engagement with no shared tenancy risk.
The v1 heuristic engine is a deliberate design choice. It uses keyword matching, filename pattern analysis, and metadata extraction to suggest control mappings. It does not use a large language model. For a first release focused on small contractors and solo consultants, deterministic heuristics are easier to audit, easier to explain to a compliance lead, and carry zero risk of sending sensitive content to an external inference endpoint.
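As an added illustration of the deterministic matching and freshness tracking described above (example code written for this post, not the Evidence Factory's own implementation), the following Python sketch maps uploads to controls by keyword and filename hits, rates each mapping strong, partial or weak, and computes per-control freshness from type-specific age limits. The keyword lists, the age thresholds in MAX_AGE_DAYS, the Artifact type and the three sample uploads are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed thresholds (not the project's shipped rules): max artifact age in days per type.
MAX_AGE_DAYS = {"policy": 365, "scan_report": 30, "screenshot": 90}
CONTROL_KEYWORDS = {  # constructed mini control pack: control id -> keywords to look for
    "AC.L2-3.1.1": ("access control", "account", "authorized user"),
    "AU.L2-3.3.1": ("audit log", "logging", "audit record"),
    "RA.L2-3.11.2": ("vulnerability", "scan", "nessus"),
    "SI.L2-3.14.1": ("patch", "remediat", "flaw"),
}
STRENGTH, FRESH = ("weak", "partial", "strong"), ("stale", "aging", "fresh")  # ascending

@dataclass
class Artifact:
    name: str          # uploaded filename
    kind: str          # key into MAX_AGE_DAYS
    collected: date    # when the artifact was produced
    text: str = ""     # extracted text; empty for screenshots

def suggest_controls(art: Artifact) -> dict:
    """Distinct keyword hits across filename + text: 3+ strong, 2 partial, 1 weak, 0 none."""
    hay = (art.name.replace("-", " ").replace("_", " ") + " " + art.text).lower()
    hits = {cid: sum(k in hay for k in kws) for cid, kws in CONTROL_KEYWORDS.items()}
    return {cid: STRENGTH[min(n, 3) - 1] for cid, n in hits.items() if n}

def freshness(art: Artifact, today: date) -> str:
    """fresh within the type's limit, aging up to twice it, stale beyond."""
    age, limit = (today - art.collected).days, MAX_AGE_DAYS[art.kind]
    return "fresh" if age <= limit else "aging" if age <= 2 * limit else "stale"

def readiness(artifacts: list, today: date) -> dict:
    """Per control: (best strength, best freshness) over mapped artifacts, else 'no evidence'."""
    found = {cid: [] for cid in CONTROL_KEYWORDS}
    for art in artifacts:
        for cid, st in suggest_controls(art).items():
            found[cid].append((st, freshness(art, today)))
    return {cid: (max((s for s, _ in rows), key=STRENGTH.index),
                  max((f for _, f in rows), key=FRESH.index)) if rows else "no evidence"
            for cid, rows in found.items()}

AS_OF = date(2025, 6, 1)  # constructed sample uploads below, evaluated on a fixed date
SAMPLE = [
    Artifact("access-control-policy-v3.pdf", "policy", date(2024, 1, 15),
             "Access control policy: only authorized users may be issued accounts."),
    Artifact("nessus-scan-2025-05-20.csv", "scan_report", date(2025, 5, 20),
             "Plugin,Severity,Host\n12345,High,web01"),
    Artifact("patch-window-screenshot.png", "screenshot", date(2025, 1, 10)),
]
```

Running readiness(SAMPLE, AS_OF) shows the three cases a readiness lead cares about: a strong but aging policy, a fresh scan with only a partial mapping, and AU.L2-3.3.1 sitting on no evidence at all.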
What is in the starter pack
The initial release ships with a control pack covering 20 high-friction CMMC Level 2 controls across seven practice families: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Risk Assessment (RA), and System and Information Integrity (SI). These were selected based on the controls that most consistently surface evidence gaps in real readiness engagements.
Additional control packs and an assessor-friendly export template are on the roadmap.
What this is not
This tool is for internal evidence tracking during CMMC preparation. It is important to be explicit about what it does not do.
It does not produce assessor-grade scoring. The strength ratings (strong, partial, weak) are heuristic indicators meant to help a team prioritize effort. They are not assessment results.
It does not interpret controls on your behalf. The control definitions come from NIST SP 800-171, and the tool surfaces them as-is. Professional judgment about whether a specific artifact satisfies a specific requirement still belongs to qualified assessors.
It is not a substitute for a C3PAO assessment. If you are pursuing CMMC Level 2 certification, you need a certified third-party assessment. This tool helps you prepare for that process. It does not replace any part of it.
Is this the problem you are solving right now?
Is your evidence scattered across SharePoint libraries, ticketing systems, and shared drives with no consistent mapping to controls? Are your security policies technically current but functionally stale because nobody has validated them against actual practice in the last twelve months? Is your CMMC readiness timeline slipping because every week surfaces another gap that should have been caught months ago? Are your analysts spending hours on manual triage, SOC alert correlation, or SIEM pipeline maintenance instead of work that moves the compliance needle?
If any of that sounds familiar, you are not alone, and you do not have to sort it out with spreadsheets.
Menagos LLC is a cybersecurity consultancy focused on security data engineering, GRC operations, and agentic tooling for small defense contractors and mid-market teams. We help organizations build the operational infrastructure underneath their compliance programs so that readiness work stays on track and evidence stays current.
If you want to talk about what that looks like for your team, reach out through our contact form or send a note to info@menagos.com. No pitch deck. Just a conversation about where you are stuck.
