Features

A CMMC documentation platform for the work, not just the documents.

The Poliato CMMC documentation platform handles both production and maintenance: a wizard writes assessor-quality policies, then the management layer keeps them alive between assessments — acknowledgements, tabletops, reviews, audit readiness.

Documentation generation

The Policy Wizard

Answer a structured questionnaire about your environment. The wizard composes a complete policy and procedure set from CCA-authored content, adapted to your scope, your cloud platforms, and your CUI handling. Output is what an assessor expects to see — not a template with unresolved brackets. See the full CMMC policy template list and the procedure templates Poliato generates.

Adaptive content engine

Policy-as-code with conditional logic — the wizard branches on your answers so the output reflects your actual environment, not a generic baseline. Coverage spans all 14 NIST SP 800-171 control families (AC, AT, AU, CM, IA, IR, MA, MP, PS, PE, RA, CA, SC, SI).

CCA-authored, NIST 800-171 mapped

Core content is authored by Certified CMMC Assessors and pre-mapped to specific NIST SP 800-171 control identifiers (e.g. AC.L2-3.1.1 for access control, AU.L2-3.3.1 for audit logging). No manual cross-referencing.

PDF export, anytime

Export current policies as assessor-ready PDFs at any time during or after your subscription. Your policies are yours.

BYOP upload supported

Already have policies? Upload them and use Poliato as your change management layer. The Change Management tier is built for exactly this case. See the template-pack comparison for context.

Designed for adoption

Plain-English policies your team will actually read.

Documentation written for the people who have to follow it, not just the people auditing it. Tied to acknowledgement campaigns with timestamps and exportable evidence — so "everyone read the policy" stops being a hope and becomes a record.

Living documentation

The Management Platform

Writing the policy is the first 20% of the work. Poliato handles the other 80% — the perpetual workflow that CMMC actually evaluates under DFARS 252.204-7012 and the CMMC clause (DFARS 7021).

Acknowledgement campaigns

Send policies to your roster, track who has read and acknowledged each version, and generate C3PAO-defensible reports (NIST 3.2.1, AT family). Automated reminders for stragglers.

Guided tabletop exercises

Run incident-response tabletops against NIST scenarios (IR family, including IR.L2-3.6.3), with structured prompts, automated transcription, and an exercise artifact ready for the audit binder.

Audit readiness dashboard

See, at a glance, which controls (CA family, CA.L2-3.12.x) are covered by which policies and procedures — and where the gaps are. The same view your CCA will effectively be checking.

Version control & reviews

Every policy carries its version history. Scheduled review reminders for annual updates. Approval workflows for multi-step sign-off.

Control mapping & assessment navigator

Auto-populated for Poliato-authored policies; manual upload supported for BYOP. Reverse navigation — pick a control, see every policy and procedure that addresses it.

Subcontractor portal

Invite external parties to acknowledge specific policies without granting them full platform access. Their acknowledgements roll into your reporting.

Try it free for 14 days.

Full feature access during the trial — including sample policies you can fully edit and export. Annual commitment, no sales call.


Frequently asked

Common questions about the platform.

What's the difference between the Policy Wizard and the Management Platform?

The Policy Wizard generates documentation: it asks structured questions about your environment and composes a complete policy and procedure set from CCA-authored content. The Management Platform handles everything that happens after — acknowledgement campaigns, version control, scheduled review reminders, guided tabletop exercises, and the audit-readiness dashboard. Most customers use both; some bring their own policies and only use the Management Platform (Change Management tier).

What does NIST SP 800-171 mapping mean?

Every Poliato-authored policy and procedure is pre-mapped to specific NIST SP 800-171 control identifiers (for example, AC.L2-3.1.1 for access control). When your assessor asks which document addresses a given control, the assessment navigator answers in one click. The reverse-mapping view lets you start from a control ID and see every policy and procedure that addresses it.

Can I bring my own policies instead of using the Wizard?

Yes. The Change Management (BYOP) tier is built for this case — upload your existing policy and procedure documents and use Poliato as the management layer. Control mapping is manual on the BYOP tier, automatic on the With Policies tier where Poliato authored the content.

How do acknowledgement campaigns work?

Send any policy version to your roster of managed users. Each recipient gets a notification, reads the policy, and acknowledges it. Poliato records timestamps, user identity, and the exact policy version. Automated reminders nudge stragglers. The output is a C3PAO-defensible report that proves who agreed to what, when — exportable as audit evidence.

What is a guided tabletop exercise?

A tabletop exercise is an incident-response rehearsal that CMMC effectively requires. Poliato runs structured scenarios drawn from NIST guidance, prompts each participant for their response at each stage, automatically transcribes the conversation, and produces an exercise artifact ready for the audit binder.

Can subcontractors use Poliato?

Yes — via the subcontractor portal. Invite external parties to acknowledge specific policies without granting them full platform access. Their acknowledgements roll into your reporting alongside your internal roster. Useful for CMMC flow-down requirements where the prime contractor needs evidence of subcontractor compliance.

Can I export documentation if I cancel?

Yes. PDF export is available at any time during the trial and any paid subscription, and exported PDFs remain usable after cancellation. The PDF is a point-in-time record sufficient to demonstrate compliance. Editable Word export is not supported by design — the living version of each document stays in the platform.