CMMC Level 2 / NIST 800-171 CUI Data Flow Diagram tool for consultants working in Cowork.
Takes a CMMC L2 engagement from "blank slate" through "diagram with lint-passing CUI scope, FIPS modules attached, draw.io L0/L1 export, and auto-drafted 3.12.x / 3.13.11 SSP narratives + POA&M entries."
- Scaffolds a client diagram from prior network diagrams, asset inventory CSVs, SSP excerpts, and CSP CRMs.
- Walks the engineer through component description with required-attribute gating so assessment-ready means assessment-ready.
- Lints the diagram against 11 high-impact rules grounded in NIST 800-171A Rev 2 assessment objectives, with override paths and POA&M auto-draft language per rule.
- Resolves FIPS modules from the NIST CMVP database, strict OE-matching, sunset/historical/revoked watch.
- Generates SSP narratives for 3.12.1 / 3.12.2 / 3.12.3 / 3.12.4 / 3.13.11 and POA&M entries in Compact Weakness Notation.
- Exports the L0 context view and L1 boundary view as draw.io XML, and the complete client deliverable as a packaged folder.
| Skill | Status | Purpose |
|---|---|---|
| `cmmc-dfd:init` | v0.1 (M1) | Scaffold a new client diagram from inputs; gather metadata; create the JSON data store |
| `cmmc-dfd:describe` | v0.1 (M1) | Interactive component description workflow; gates assessment-readiness |
| `cmmc-dfd:render` | v0.1 (M1) | Export current diagram to draw.io XML (L0 context + L1 boundary views) |
| `cmmc-dfd:expert` | v0.1 (M1) | Reference loader for CMMC L2 / 800-171 AO content (reads embedded master reference shipped in this plugin) |
| `cmmc-dfd:lint` | v0.1 (M2) | Run the 11 block-tier lint rules; emit findings + auto-draft POA&M language |
| `cmmc-dfd:cmvp` | v0.1 (M3) | Browse/search NIST CMVP via cmvp-tui or direct cert#; attach modules to components; OE-match check |
| `cmmc-dfd:assess` | v0.1 (M4) | Generate per-AO assessment status, SSP narratives (3.12.x / 3.13.11), POA&M drafts |
| `cmmc-dfd:export` | v0.1 (M4) | Package the complete client deliverable (JSON source, draw.io exports, lint report, assessment output, POA&M) |
The plugin is a standalone Cowork plugin. It can operate fully on its own (the master NIST 800-171 reference is embedded at skills/expert/references/) or, if a companion shared package becomes available, consume canonical types, asset taxonomy, FIPS matcher logic, and SSP/POAM template data from it for tighter integration with other compliance tooling.
See `skills/init/references/diagram.schema.json` for the JSON Schema definition of the 11-entity v0.1 data model:

Diagram · Site · Boundary · Component (embeds `inheritance[]`, `fips_modules[]`, `evidence_refs[]`) · Edge · FIPS Module · Evidence Artifact · Lint Finding · Assessment Status (per AO) · POA&M Entry · SSP Section
Engineer-described components are the source of truth. Everything else (draw.io export, lint report, SSP narratives, POA&M draft, packaged deliverable) is rendered from this JSON.
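To show how a lint rule, FIPS module attachment and POA&M auto-draft hang together on top of the JSON data store, here is an added example (written for this page, not the plugin's own code or rule set). It walks a constructed `diagram.json`, finds CUI-carrying edges that cross a boundary, and checks that the component encrypting each one carries a CMVP module that is Active, not past its sunset date, and validated on the component's exact operational environment (the strict OE match). The entity names follow the page; the field names (`platform`, `carries_cui`, `encrypted_by`, `status`, `sunset_date`, `operational_environments`), the `X-…` rule ids, the placeholder cert numbers and the POA&M wording are assumptions for the example only.

```python
"""Lint CUI flows that cross a boundary without a usable FIPS module on the
encrypting component. Added example; not the cmmc-dfd plugin's code."""
import json
from datetime import date

# Constructed sample data store. Entity names (Boundary, Component, Edge,
# FIPS Module, fips_modules[]) follow the page; every other field name and the
# PLACEHOLDER cert numbers are assumptions made for this example.
SAMPLE_DIAGRAM = json.loads("""
{
  "boundaries": [
    {"id": "b-cui", "name": "CUI enclave"},
    {"id": "b-ext", "name": "Outside the assessment boundary"}
  ],
  "components": [
    {"id": "c-vpn", "name": "VPN concentrator", "boundary": "b-cui",
     "platform": "Linux 5.4 on Intel Xeon",
     "fips_modules": [{"cert": "PLACEHOLDER-CERT-1", "status": "Active",
                       "sunset_date": "2026-09-21",
                       "operational_environments": ["Linux 5.4 on Intel Xeon"]}]},
    {"id": "c-fs", "name": "File server", "boundary": "b-cui",
     "platform": "Windows Server 2022 on Intel Xeon",
     "fips_modules": [{"cert": "PLACEHOLDER-CERT-2", "status": "Historical",
                       "sunset_date": "2024-01-01",
                       "operational_environments": ["Windows Server 2019 on Intel Xeon"]}]},
    {"id": "c-laptop", "name": "Remote laptop", "boundary": "b-ext",
     "platform": "Windows 11 on Intel Core", "fips_modules": []}
  ],
  "edges": [
    {"id": "e1", "source": "c-laptop", "target": "c-vpn", "carries_cui": true, "encrypted_by": "c-vpn"},
    {"id": "e2", "source": "c-vpn", "target": "c-fs", "carries_cui": true, "encrypted_by": null},
    {"id": "e3", "source": "c-laptop", "target": "c-fs", "carries_cui": true, "encrypted_by": "c-fs"},
    {"id": "e4", "source": "c-laptop", "target": "c-fs", "carries_cui": true, "encrypted_by": null}
  ]
}
""")

SAMPLE_TODAY = date(2025, 6, 1)  # fixed "today" so the sunset check is reproducible


def module_problems(module, platform, today):
    """Strict OE match plus CMVP status / sunset watch; an empty list means usable."""
    problems = []
    if module["status"] != "Active":
        problems.append(f"{module['cert']} is {module['status']} on CMVP")
    if date.fromisoformat(module["sunset_date"]) <= today:
        problems.append(f"{module['cert']} passed its sunset date {module['sunset_date']}")
    if platform not in module["operational_environments"]:
        problems.append(f"{module['cert']} was not validated on '{platform}'")
    return problems


def finding(rule, target, detail):
    """Lint Finding plus an auto-drafted POA&M line (wording is illustrative)."""
    return {"rule": rule, "target": target, "detail": detail,
            "poam_draft": (f"3.13.11 - {detail}. Milestone: attach or replace with a "
                           f"CMVP-validated module matching the component's OE.")}


def lint_cui_crossing_edges(diagram, today):
    comps = {c["id"]: c for c in diagram["components"]}
    findings = []
    for edge in diagram["edges"]:
        if not edge.get("carries_cui"):
            continue
        src, dst = comps[edge["source"]], comps[edge["target"]]
        if src["boundary"] == dst["boundary"]:
            continue  # stays inside one boundary; out of scope for this rule
        enc_id = edge.get("encrypted_by")
        if enc_id is None:
            findings.append(finding("X-CUI-NO-CRYPTO", edge["id"],
                                    f"CUI flow {edge['id']} crosses a boundary with no encrypting component"))
            continue
        comp = comps[enc_id]
        per_module = [module_problems(m, comp["platform"], today) for m in comp["fips_modules"]]
        if any(not p for p in per_module):
            continue  # at least one attached module is usable as-is
        detail = (f"{comp['name']} protects {edge['id']} but has no usable FIPS module: "
                  + ("; ".join(p for ps in per_module for p in ps) or "none attached"))
        findings.append(finding("X-CUI-FIPS-OE", edge["id"], detail))
    return findings


def lint_sample():
    return lint_cui_crossing_edges(SAMPLE_DIAGRAM, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in lint_sample():
        print(f"[{f['rule']}] {f['target']}: {f['detail']}")
        print("  POA&M:", f["poam_draft"])
```

On the sample, `e1` passes (Active module, OE matches), `e2` is skipped as an intra-enclave flow, `e3` is flagged because the file server's only module is Historical, past sunset and validated on a different OE string, and `e4` is flagged for having no encrypting component at all. The "any usable module passes" choice mirrors how an assessor reads 3.13.11: one valid attachment is enough, but a near-miss OE string is not.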
Each client gets a folder at `cmmc-dfd-data/<client-slug>/`:

```text
cmmc-dfd-data/<client-slug>/
├── diagram.json                 Source of truth — the 11-entity data store
├── inputs/                      User-uploaded ingestion source material
├── evidence/                    Evidence artifacts (screenshots, configs, policies, CRMs)
├── exports/
│   ├── L0-context.drawio
│   ├── L1-boundary.drawio
│   ├── lint-report.md
│   ├── lint-report.json
│   ├── ssp-narrative-deltas.md
│   ├── poam-draft.md
│   └── manifest.json            Hashes + dates for the 6-year evidence retention requirement
└── snapshots/                   Point-in-time baselines for assessment day
```
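The `exports/manifest.json` entry above is the integrity anchor for the retention requirement: hashes let you prove on assessment day that a deliverable is byte-for-byte what was produced, and the dates tell you how long it must be kept. The following is an added example of how such a manifest can be built and later re-verified; it is not the plugin's exporter, and the manifest layout (`generated_at`, `retain_until`, `files[]` with `path`, `sha256`, `bytes`) is an assumption for this example.

```python
"""Build and verify an exports/manifest.json integrity record.
Added example; not the cmmc-dfd plugin's exporter."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

RETENTION_YEARS = 6  # retention period stated on the page


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def add_years(dt, years):
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:  # 29 Feb landing in a non-leap year
        return dt.replace(year=dt.year + years, day=28)


def build_manifest(exports_dir, generated_at=None):
    """Hash every file under exports/ except the manifest itself (layout is assumed)."""
    generated_at = generated_at or datetime.now(timezone.utc)
    files = []
    for path in sorted(exports_dir.rglob("*")):
        if path.is_file() and path.name != "manifest.json":
            files.append({"path": path.relative_to(exports_dir).as_posix(),
                          "sha256": sha256_file(path),
                          "bytes": path.stat().st_size})
    return {"generated_at": generated_at.isoformat(),
            "retain_until": add_years(generated_at, RETENTION_YEARS).isoformat(),
            "files": files}


def verify_manifest(exports_dir, manifest):
    """Return problems as strings: modified, missing, or unlisted files."""
    problems = []
    listed = set()
    for entry in manifest["files"]:
        listed.add(entry["path"])
        path = exports_dir / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    on_disk = {p.relative_to(exports_dir).as_posix() for p in exports_dir.rglob("*")
               if p.is_file() and p.name != "manifest.json"}
    for extra in sorted(on_disk - listed):
        problems.append(f"unlisted: {extra}")
    return problems


def demo():
    """Build a manifest over constructed stand-in exports, then detect a later edit."""
    with tempfile.TemporaryDirectory() as tmp:
        exports = Path(tmp)
        (exports / "L0-context.drawio").write_text("<mxfile/>")      # constructed content
        (exports / "lint-report.md").write_text("# Lint report\n")  # constructed content
        manifest = build_manifest(exports, datetime(2025, 6, 1, tzinfo=timezone.utc))
        (exports / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(exports, manifest)
        (exports / "lint-report.md").write_text("# Lint report (edited)\n")
        after = verify_manifest(exports, manifest)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before edit:", before or "clean")
    print("after edit:", after)
```

Verification reports three distinct conditions (modified, missing, unlisted) because each means something different to an assessor: a hash mismatch is a changed artifact, a missing file is a retention failure, and an unlisted file is something that entered the folder after the manifest was sealed and has no provenance.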
- draw.io desktop or diagrams.net web — required for viewing the exports.
- cmvp-tui (`brew install ethanolivertroy/sectools/cmvp` on macOS) — optional, recommended for browsing NIST CMVP. The plugin works without it (direct cert# entry).
The plugin is fully self-contained. The complete NIST 800-171 Rev 2 / CMMC L2 master reference (5,000+ lines covering all 110 controls, 320 assessment objectives, Rev 2→Rev 3 crosswalk, evidence guides, interview questions, SPRS scoring, POA&M eligibility rules, scoping, and ESP/CSP rules) is embedded at `skills/expert/references/cmmc-l2-master-reference.md`. No other plugins or skills are required.
- v0.1 (this release): the 11 block-tier lint rules, draw.io L0/L1 export, assessment for 3.12.x + 3.13.11.
- v0.2: interactive multi-layer viewer (L2 component view, L3 CUI flow view, L4 control overlay with AO hotspots), CRM auto-ingest, warn-tier lint rules, full BYOD/PE/Backup rule coverage.
- v0.3 and beyond: full assessment workflow for all 110 controls, OSCAL exporter, Figma / Lucid / Excalidraw exporters, multi-diagram support.
See the build plan in your session outputs for full milestone detail.