The CMMC Operator Suite
Your assessor has seen a hundred Windows SSPs. Yours has to explain Apple Business Manager, supervised enrollment, Jamf, FileVault escrow, and mSCP baselines, and every generic template pack makes you translate it page by page. The CMMC Operator Suite is the Level 2 documentation system written for the Mac boundary from the first line.
One-time purchase, from $499, including 12 months of versioned updates. The Gumroad listing is being finalized now. The launch list gets the release note the day it ships, and the first 100 buyers get $100 off with code FOUNDING100.
The problem with every other template pack
Most CMMC Level 2 documentation is platform-neutral or Windows-default. If your environment runs on Apple hardware, that means every policy example, every SSP implementation statement, and every evidence prompt assumes Group Policy, Active Directory, and BitLocker. You end up doing the vendor’s work: translating someone else’s architecture into yours, control by control, and hoping nothing gets lost in translation in front of an assessor.
CMMC Operator inverts that. The reference architecture is Apple Business Manager, supervised Automated Device Enrollment, Jamf Pro or an equivalent approved MDM, Jamf Protect or equivalent endpoint security, FileVault with escrowed recovery keys, mSCP baselines, and Microsoft GCC High or equivalent identity and compliance services where adopted. The language is vendor-substitutable throughout, so Intune, Kandji, Addigy, and Mosyle shops adapt instead of rewriting.
What’s in the suite
Fifty interconnected documents, built from a canonical dataset of all 110 Level 2 requirements and their 320 assessment objectives from NIST SP 800-171A, authored clean-room from federal sources and verified against them at every release.
| Component | Count | What it covers |
|---|---|---|
| SSP template | 1 | Mac-first system description, boundary and scoping language, per-requirement implementation statements, diagram register. |
| Policies | 14 | One per NIST SP 800-171 Rev. 2 family (AC through SI), each with Mac implementation prompts. |
| Procedures | 15 | Onboarding and offboarding, configuration and change management, vulnerability and patch management, audit logging, incident response, data spillage, backup and DR, CUI marking, supply-chain risk, and more. |
| Forms & agreements | 8 | Access request, user agreement, privileged access, BYOD, telework, issued equipment, risk acceptance memo, protection of sensitive information. |
| Workbooks (XLSX) | 6 | Pre-assessment self-assessment with estimated SPRS planning impact, POA&M operational plan, asset inventory with Mac fields (ABM status, MDM enrollment, FileVault escrow, macOS version, EDR health, baseline status), shared responsibility matrix, ESP/CSP vendor risk, policy exceptions. |
| Mac overlay | 5 | Reference architecture, control implementation map, evidence collection guide, Jamf + GCC High shared responsibility notes, FedRAMP/ESP decision guide for Mac MDM. |
| Premium specialty | 7 | FIPS validation strategy, security impact analysis, assessment readiness checklist, evidence library structure standard, tabletop exercise pack, security awareness training outline, and CUI lifecycle map (Complete edition). |
Everything ships as editable DOCX and XLSX with structured placeholder fields, written evidence-safe: the prompts steer your team toward document names, ticket IDs, and repository references rather than pasting logs, screenshots, credentials, or CUI into files that leave your boundary.
One connected system, not a folder of files
Every document carries an artifact ID (CMO-POL-AC-001, CMO-WBK-POAM-001, and so on), and the SSP references the policies, procedures, workbooks, forms, and Mac overlay by those IDs. When an assessor asks where a control is implemented, your documentation answers as one system. The SSP points to the policy, the policy points to the procedure, and the procedure points to the record it produces.
Editions
| Core - $499 | Complete - $699 | |
|---|---|---|
| SSP, 14 policies, 15 procedures | ✓ | ✓ |
| 8 forms & agreements, 6 workbooks | ✓ | ✓ |
| 5-document Mac implementation overlay | ✓ | ✓ |
| START_HERE guided sequence | ✓ | ✓ |
| 7 premium specialty artifacts* | - | ✓ |
| Security awareness training deck (PPTX, speaker notes) | - | ✓ |
| Read-only PDF copies of the Mac overlay | - | ✓ |
| Versioned updates | 12 months | 12 months |
* FIPS validation strategy, security impact analysis, assessment readiness checklist, evidence library standard, tabletop exercise pack, training outline, CUI lifecycle map.
Pricing is public and one-time: no quote call, no per-seat math, no subscription. Founding-buyer discount at launch: $100 off with code FOUNDING100, limited to the first 100 uses. Consultant and MSP licensing for client work is separate; reply to any launch-list email to ask.
Who this is for
Small and mid-size defense contractors, roughly 5 to 200 endpoints, with a meaningful Mac fleet and CMMC Level 2 ahead of them. Subs facing prime flowdowns who need defensible documentation without a six-figure consulting engagement. IT and security leads who want to understand what they are implementing rather than fill in blanks. MSPs and consultants supporting Mac-heavy DIB clients, under a consultant license.
Who it is not for: teams looking for a compliance guarantee, an official SPRS score, or a substitute for a C3PAO assessment. No document set can promise those, and this one does not pretend to.
How it was built
The suite is authored clean-room from public federal sources: NIST SP 800-171 Rev. 2, NIST SP 800-171A, 32 CFR Part 170, the CMMC assessment and scoping guides, plus public Apple, Jamf, and Microsoft platform documentation for factual capability statements. No competitor templates are consulted during authoring, and every release ships with a QA scan and release attestation. Cloud-service claims follow a verification posture: the FedRAMP Marketplace is the authority, not vendor roadmap slides.
Questions worth asking
Does this work if we use Intune, Kandji, Addigy, or Mosyle instead of Jamf?
Yes. The examples are Jamf-first because that is the most common Mac MDM in the DIB, but the language is deliberately vendor-substitutable, and the shared responsibility and vendor risk workbooks are built to capture whichever MDM, EDR, and identity stack you actually run.
We are a mixed Mac/Windows shop. Is this still useful?
The suite documents the Mac side of your boundary natively. Policies, procedures, forms, and workbooks are platform-agnostic where they should be and Mac-specific where it matters. Windows-side implementation statements remain your team’s to write.
What exactly happens after I buy?
You download a versioned ZIP with all documents in DOCX/XLSX (plus PPTX and PDF extras in Complete), open START_HERE.md, and follow the recommended first-ten-files sequence. Updates for 12 months are included, and each release ships with a changelog.
Will this get us certified?
No product can promise that, and you should distrust any that does. This suite reduces blank-page work and organizes your documentation the way assessors expect to consume it. Certification depends on your actual implementation.
Planning disclaimer: CMMC Operator templates are provided for reference and adaptation. They are not a substitute for legal counsel, professional cybersecurity services, or a CMMC certification assessment by an accredited C3PAO. Nothing in these materials guarantees certification, an official score, contract eligibility, or assessment outcome.
Sensitive-data notice: do not send CUI, FCI, credentials, system configurations, logs, screenshots, raw evidence, customer data, or sensitive filled-in copies to CMMC Operator. Apply appropriate markings, including CUI markings when applicable, and store filled copies only in your approved environment.
Non-affiliation: CMMC Operator is not affiliated with, endorsed by, or sponsored by Apple, Jamf, Microsoft, the Department of Defense, Cyber AB, CAICO, NIST, any C3PAO, or any government agency. CMMC, Apple, Jamf, Microsoft, and related terms are used descriptively.