How It Works

From purchase to assessment-ready in five straightforward steps

1. Get Access

Demos are coming soon. Once we launch, you’ll purchase online and deploy in your own environment — no sales calls.

2. Deploy On-Premises

Deploy the OVA VM appliance in your own VMware or VirtualBox environment. Your data never leaves your network.

3. Answer Controls

Work through your controls with AI-assisted guidance and contextual help at every step — whether you're on NIST 800-171, NIST 800-53, or CMMC.

4. Upload Artifacts

Attach required evidence and documentation for each control using our checklist.

5. Prepare for Assessment

Track progress, generate reports, and get ready for your C3PAO or self-assessment.

Key Features

Everything you need to prepare for your CMMC assessment

Multiple Compliance Frameworks

Full NIST 800-171 (Level 1 & Level 2) with all 800-171A assessment objectives, plus NIST 800-53 Low, Moderate, and High baselines for federal systems.

Virtual ISSO AI Assistant

AI-powered assistant that helps write and review implementation statements for your controls. Supports Anthropic Claude, OpenAI, and self-hosted models via LM Studio — bring your own API key.

Artifact Management

Checklist of required evidence with upload capability for each control. Know exactly what documentation assessors expect.

Contextual Help

Guidance and help statements for each control explaining what assessors are looking for, in plain language.

Progress Dashboard

Track completion status across all control families. See your tentative and reviewed scores at a glance.

Assessment Prep Workflows

Guided preparation for both Level 1 self-assessment and Level 2 C3PAO assessment. Review and approval workflows included.

Access Audit Tool

Compare User records against Active Directory or System Outputs to identify orphaned accounts, unauthorized access, and access control gaps with tamper-evident audit logging.

Device Inventory Tracker

Track network devices and compare port baselines against nmap scans. Identify unauthorized devices and unexpected open ports automatically.

Pre-Assessment Readiness Scoring

Automated readiness scoring reviews your implementation status, evidence linking, and documentation completeness to tell you if you're ready for assessment.

POA&M Tracking

Plan of Action & Milestones management with milestone tracking, evidence attachments, and change history for audit readiness.

Why On-Premises?

Our deployment model is a key differentiator that saves you money and complexity

No FedRAMP Required

Cloud-hosted GRC tools handling CUI require FedRAMP Moderate authorization. By running on-premises, we avoid this mandate entirely—saving $500k-$1M in compliance costs that would otherwise be passed to you.

Your Data Stays Yours

Sensitive compliance documentation and CUI never leaves your controlled environment. Full data sovereignty with no third-party access.

VM Appliance Simplicity

Import the ~4GB OVA VM appliance into VMware or VirtualBox and boot. No container runtime, no complex infrastructure—just attach and start.

Technical Requirements

Minimal infrastructure needed to run Arcana-GRC

  • Deployment: OVA VM appliance for VMware or VirtualBox
  • System: 4 CPU cores minimum, 8GB RAM recommended
  • Storage: 40GB for the VM. The appliance is ~4GB on disk — the remainder is headroom for uploaded artifacts, database growth, and backups.
  • Network: Internet connection required for license validation
  • Browser: Modern browser (Chrome, Firefox, Edge, Safari)

Frequently Asked Questions

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework based on NIST 800-171 controls. It's required for companies in the Defense Industrial Base (DIB) that do business with the Department of Defense. CMMC Level 1 is for companies handling Federal Contract Information (FCI), while Level 2 is for those handling Controlled Unclassified Information (CUI). Organizations outside the DIB also use NIST 800-171 to protect sensitive information and demonstrate strong cybersecurity practices.

Why is Arcana-GRC on-premises instead of cloud-based?

Cloud-hosted GRC tools that handle CUI are required to have FedRAMP Moderate authorization—a process that costs $500,000 to $1 million and $150,000+ annually to maintain. These costs get passed to customers. By running on-premises, we avoid FedRAMP entirely, allowing us to offer our tool starting at just $30/month instead of $2,000+. Plus, your sensitive data never leaves your network.

How does licensing work?

Once Arcana-GRC is released for general availability, you will receive a license key and a download link via email after purchase. You import the OVA VM appliance into VMware or VirtualBox and enter your license key on first run. The application validates your license online initially, then periodically re-validates with a grace period for offline operation.

What support is included?

The software includes documentation and contextual help within the tool. For additional support, you can purchase RP consulting hours or contact us via email. We're also happy to answer questions before purchase.

What are the downsides of self-hosting?

With on-premises deployment, you are responsible for securing the environment where the software runs. This includes keeping your host system updated, securing network access to the tool, and maintaining backups of your data. For most organizations already handling CUI, this is consistent with your existing security responsibilities.

Can I try before I buy?

We’re releasing guided demos of Arcana-GRC soon. Contact us to be notified when they go live.

How do I know which plan I need?

If your contracts only involve Federal Contract Information (FCI), choose CMMC Level 1 (also includes NIST 800-53 Low). If you handle Controlled Unclassified Information (CUI) or need the full NIST 800-171 control set, choose CMMC Level 2 / Commercial (also includes NIST 800-53 Low, Moderate, and High). When in doubt, contact us for guidance.

Ready to Get Started?

See our transparent pricing and purchase the right level for your organization.
