CMMC Level 2 readiness

Assess controls. Collect evidence. Export audit packages.

Khestra is a compliance workspace built for the Defense Industrial Base — structured around your assessment workflow, SPRS scoring, and SSP/POA&M exports.

  • 110 controls: CMMC Level 2 scope
  • 4 connectors: Entra, AWS, GitHub, Intune
  • SSP + POA&M: Export-ready packages

Built for defense contractors pursuing CMMC certification

How it works

One guided path from scope to export

Khestra mirrors how assessors and compliance teams actually work — organization profile, control review, readiness checks, then audit-ready exports.

1. Organization

Define company scope, system boundary, and assessment context.

2. Controls

Review all 110 controls with status, SSP text, evidence, and POA&M fields.

3. Readiness

Track documentation, evidence coverage, and pre-audit checklist items.

4. Export

Generate SSP, POA&M, and full audit package zip when review is complete.

Product tour

See the workflow in the app

Real screens from the Khestra workspace — controls, SSP authoring, exports, and integrations.

Work controls systematically

Review each control with status, SSP narrative, evidence attachments, and POA&M fields. Priority queue surfaces 5-point gaps first.

  • Queue and browse modes with family filters
  • SSP progress strip across all 110 controls
  • Org-aware narrative suggestions from evidence

Platform capabilities

Everything you need for CMMC readiness

Purpose-built for assessors, compliance leads, and executives tracking certification progress.

SPRS scoring

Track your score against the 110-point model with gap visibility and family breakdowns.

Control assessment

MET / NOT MET / PARTIALLY MET workflow with SSP narratives, evidence, and POA&M fields.

Continuous monitoring

Scheduled evidence collectors with drift detection and freshness alerts.

SSP authoring

Org-aware narrative starters and optional AI polish from attached evidence.

Audit exports

SSP, POA&M, and bundled audit packages when your assessment is export-ready.

Role-based access

Microsoft Entra ID sign-in with assessor, contributor, and executive roles.

Integrations

Evidence from the tools you already use

Collectors map checks to CMMC control families — MFA and Conditional Access from Entra, CloudTrail and S3 posture from AWS, branch protection from GitHub, and device compliance from Intune.

Talk to us about your stack

  • Microsoft Entra ID: MFA, Conditional Access, admin inventory
  • Amazon Web Services: Root MFA, CloudTrail, S3, GuardDuty
  • GitHub: Org 2FA, branch protection, secret scanning
  • Microsoft Intune: Device compliance, config profiles

Meet the new standard for CMMC readiness

Join our pilot program. We’ll walk you through the platform with your scope and help you evaluate fit for your certification timeline.