Building a CMMC Readiness Calculator That People Can Actually Finish

Most compliance tools look great in screenshots.

Far fewer are useful on a random Tuesday afternoon when someone in operations, IT, or leadership is trying to answer a simple question:

“How ready are we, really?”

That’s the problem we set out to solve.

Not certification.
Not auditing.
Not replacing consultants.

Just helping defense contractors get a realistic picture of their CMMC readiness before investing weeks of meetings, spreadsheets, and assessment calls.

The result is a simple CMMC Readiness Calculator that turns a short questionnaire into:

  • an estimated readiness score
  • an estimated SPRS score
  • a count of missing or partially implemented controls
  • a three-year compliance cost projection
  • a comparison between traditional and managed compliance approaches

Nothing magical.
Just useful.

Compliance Is Mostly an Operations Problem

One thing I’ve noticed in compliance projects is that organizations rarely fail because they don’t have enough documents.
They struggle because compliance becomes operational.
Policies are the easy part.
The hard part is making sure controls are actually implemented, logs are available when needed, evidence can be produced, and the entire process survives contact with everyday business realities.

For many small and mid-sized defense contractors, CMMC feels like taking on a second job.
That’s why early visibility matters.
Not because a readiness score is perfect, but because uncertainty is expensive.
The earlier you understand your likely gaps, the faster you can make informed decisions about remediation, staffing, tooling, and budget.

Building the Simplest Thing That Could Work

The entire application is a single-page app built with:

  • HTML
  • Tailwind via CDN
  • Vanilla JavaScript

That’s it.

No framework.
No bundler.
No dependency tree large enough to require its own compliance program.

For a calculator-style application, simplicity has enormous advantages.

The code is easy to understand. The scoring logic is transparent. Future changes are straightforward.
I’ve become increasingly convinced that many internal business applications are over-engineered before they’re validated.

Sometimes a few hundred lines of understandable JavaScript beat a sophisticated architecture that nobody wants to maintain six months later.

Making the Scoring Explainable

One design goal was making the scoring model understandable.
Every control response gets normalized into:

  • Yes
  • Partial
  • No

Controls are grouped into categories and weighted according to their relative importance.
The result isn’t intended to replicate a formal assessment.
That’s not the point.

The point is helping organizations prioritize.
A calculator that produces a mysterious score isn’t very helpful. A calculator that helps users understand why they received that score creates trust.

Transparency matters, especially in compliance.
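
One way to implement the scoring described above, as an added example rather than the calculator's own code: the category names, control ids, weights, the 0.5 credit for Partial and the 80% completion gate are all assumptions. It returns a per-category breakdown sorted by weighted points lost, so the user can see why the score came out the way it did.

```javascript
// Added example: hypothetical categories, weights and thresholds (not the calculator's real values).
const CREDIT = { yes: 1, partial: 0.5, no: 0 }; // assumed credit per normalized answer
const MIN_COMPLETION = 0.8;                     // assumed share of answers required to score

// Map free-form answers onto the three states; anything else counts as unanswered.
function normalize(answer) {
  const a = String(answer ?? "").trim().toLowerCase();
  if (["yes", "y", "implemented"].includes(a)) return "yes";
  if (["partial", "partially", "in progress"].includes(a)) return "partial";
  if (["no", "n", "not implemented"].includes(a)) return "no";
  return null;
}
// categories: [{ name, weight, controls: [{ id, answer }] }]
function scoreReadiness(categories) {
  let total = 0, answered = 0, gaps = 0, earned = 0, possible = 0;
  const breakdown = categories.map(({ name, weight, controls }) => {
    let credit = 0;
    const open = []; // every control that is not a clean "yes"
    for (const c of controls) {
      total++;
      const state = normalize(c.answer);
      if (state !== null) answered++;
      // Unanswered controls earn nothing, so skipping questions cannot raise the score.
      credit += state === null ? 0 : CREDIT[state];
      if (state !== "yes") open.push({ id: c.id, state: state ?? "unanswered" });
      if (state === "no" || state === "partial") gaps++;
    }
    const ratio = controls.length ? credit / controls.length : 0;
    earned += ratio * weight; possible += weight;
    return { name, weight, ratio, pointsLost: (1 - ratio) * weight, open };
  });
  const completion = total ? answered / total : 0;
  if (completion < MIN_COMPLETION) {
    return { ok: false, completion, reason: "not enough answers to score" };
  }
  // Largest weighted loss first: this ordering is the "why" behind the number.
  breakdown.sort((a, b) => b.pointsLost - a.pointsLost);
  return { ok: true, completion, gaps, score: Math.round((earned / possible) * 100), breakdown };
}

// Constructed sample input.
const SAMPLE = [
  { name: "Access Control", weight: 4, controls: [
    { id: "AC-1", answer: "Yes" }, { id: "AC-2", answer: "partially" } ] },
  { name: "Audit & Logging", weight: 4, controls: [
    { id: "AU-1", answer: "no" }, { id: "AU-2", answer: "Y" } ] },
  { name: "Awareness Training", weight: 2, controls: [
    { id: "AT-1", answer: "yes" }, { id: "AT-2", answer: "" } ] },
];
```

Calling scoreReadiness(SAMPLE) puts "Audit & Logging" at the top of the breakdown, because that category loses the most weighted points.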

The Most Important Feature Isn’t Technical

The biggest lesson from this project had nothing to do with JavaScript.
It was form design.

The assessment is intentionally split into four short steps:

  1. Company profile
  2. Control coverage
  3. Internal resources
  4. Results

That structure dramatically reduces abandonment.

People don’t want to complete a giant compliance questionnaire. They’ll happily complete four small tasks that feel achievable.
The lesson is simple: progress is motivating.

When users feel they’re moving forward, completion rates improve.
This is true whether you’re building a compliance tool, a SaaS onboarding flow, or an e-commerce checkout.

Where the Conversation Gets Interesting

The readiness score usually gets attention.
The cost estimate starts conversations.

The calculator projects multi-year compliance costs using factors such as:

  • internal labor
  • consulting effort
  • tooling requirements
  • ongoing maintenance

This is where abstract compliance requirements suddenly become tangible. Security teams talk about controls. Finance teams talk about budgets. Leadership teams talk about risk.
A useful product creates a common language between all three groups.
Numbers do that remarkably well.

Small Details Create Trust

A few implementation choices ended up having a bigger impact than expected:

  • Requiring a minimum level of questionnaire completion before generating results
  • Delivering value before asking for contact information
  • Supporting keyboard navigation and accessibility
  • Creating print-friendly output for internal sharing

None of these features would make a conference presentation.
All of them make the product feel more trustworthy.
And trust matters when users are making decisions about compliance, contracts, and budget.

What Comes Next

If I were building a second version tomorrow, I’d focus on planning rather than assessment.

A few ideas:

  • Evidence-readiness scoring
  • Gap-remediation simulations
  • Industry benchmarking
  • Downloadable remediation roadmaps
  • Scenario planning around staffing and budget changes

At that point, the product starts becoming less of a calculator and more of a decision-support tool.
That’s a much more interesting direction.

Final Thoughts

The best software doesn’t eliminate complexity.
It helps people understand it.

This calculator takes a complicated topic—CMMC readiness—and turns it into a practical snapshot of risk, effort, and cost.
That’s valuable for organizations preparing for compliance. It’s also a useful reminder for developers.
You don’t always need a massive stack, a complicated architecture, or the latest framework trend.
Sometimes the best solution is a focused tool that answers an important question quickly and honestly.

