A GRC tool designed specifically for businesses using NIST 800-171 and Defense Industrial Base contractors seeking CMMC compliance. Deployed as a virtual appliance on-premises, so your sensitive data never leaves your network.
From purchase to assessment-ready in five straightforward steps
Buy the tool online and receive your license key and virtual appliance download link via email immediately.
Deploy the virtual appliance in your own environment. Your data never leaves your network.
Work through NIST 800-171 controls with AI-assisted guidance and contextual help at every step.
Attach required evidence and documentation for each control using our checklist.
Track progress, generate reports, and get ready for your C3PAO or self-assessment.
Everything you need to prepare for your CMMC assessment
All controls and assessment objectives from NIST 800-171A for Level 1 and Level 2 systems.
AI-powered assistant that helps write and review implementation statements for your controls. Get expert-level guidance tailored to your environment.
Checklist of required evidence with upload capability for each control. Know exactly what documentation assessors expect.
Guidance and help statements for each control explaining what assessors are looking for, in plain language.
Track completion status across all control families. See your tentative and reviewed scores at a glance.
Guided preparation for both Level 1 self-assessment and Level 2 C3PAO assessment. Review and approval workflows included.
Compare user records against Active Directory or system outputs to identify orphaned accounts, unauthorized access, and access control gaps with tamper-evident audit logging.
Track network devices and compare port baselines against nmap scans. Identify unauthorized devices and unexpected open ports automatically.
Automated readiness scoring reviews your implementation status, evidence linking, and documentation completeness to tell you if you're ready for assessment.
Plan of Action & Milestones management with milestone tracking, evidence attachments, and change history for audit readiness.
Transparent pricing. No hidden fees, no surprise costs.
or $300/year (save 17%)
Best for companies handling FCI only
or $500/year (save 24%)
Best for defense contractors handling CUI or commercial organizations needing full NIST 800-171
Our deployment model is a key differentiator that saves you money and complexity
Cloud-hosted GRC tools handling CUI require FedRAMP Moderate authorization. By running on-premises, we avoid this mandate entirely—saving $500k-$1M in compliance costs that would otherwise be passed to you.
Sensitive compliance documentation and CUI never leave your controlled environment. Full data sovereignty with no third-party access.
Deploy a single virtual appliance in your environment. No complex infrastructure required—just import the appliance and you're up and running.
Minimal infrastructure needed to run Arcana-GRC
Optional expert guidance from a CMMC Registered Practitioner
Purchase hours as needed
Select quantity during checkout
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework based on NIST 800-171 controls. It's required for companies in the Defense Industrial Base (DIB) that do business with the Department of Defense. CMMC Level 1 is for companies handling Federal Contract Information (FCI), while Level 2 is for those handling Controlled Unclassified Information (CUI). Organizations outside the DIB also use NIST 800-171 to protect sensitive information and demonstrate strong cybersecurity practices.
Cloud-hosted GRC tools that handle CUI are required to have FedRAMP Moderate authorization—a process that costs $500,000 to $1 million and $150,000+ annually to maintain. These costs get passed to customers. By running on-premises, we avoid FedRAMP entirely, allowing us to offer our tool starting at just $30/month instead of $2,000+. Plus, your sensitive data never leaves your network.
After purchase, you receive a license key and a virtual appliance image via email. You import the appliance into your hypervisor and enter your license key on first run. The appliance validates your license online initially, then periodically re-validates with a grace period for offline operation.
The software includes documentation and contextual help within the tool. For additional support, you can purchase RP consulting hours or contact us via email. We're also happy to answer questions before purchase.
With on-premises deployment, you are responsible for securing the environment where the virtual appliance runs. This includes keeping your hypervisor updated, securing network access to the tool, and maintaining backups of your data. For most organizations already handling CUI, this is consistent with your existing security responsibilities.
We don't currently offer a free trial, but at $30/month the barrier to entry is intentionally low. If you have questions about whether the tool is right for you, please contact us and we'll help you decide.
If your contracts only involve Federal Contract Information (FCI), choose CMMC Level 1. If you handle Controlled Unclassified Information (CUI) and need to prepare for a CMMC Level 2 assessment, or if you're a commercial organization implementing the full NIST 800-171 control set, choose CMMC Level 2 / Commercial. When in doubt, contact us for guidance.
We're happy to answer any questions about our tools or help you determine which level you need.