A zero-dependency, offline-first multi-framework compliance self-assessment. One HTML file. No server. No accounts. Rate your organization's maturity across cybersecurity, privacy, federal-defense, AI-governance, and incident-response standards; track progress over time; export evidence for auditors.
.pumapack here, open it in PumaRisk (risk-worthy findings → risk register), PumaTracker (task-worthy findings → workspace), PumaBoard, or any sibling app. Each consumer applies its own filter; foreign apps surface a friendly toast pointing you at where to open the file..pumapack (full backup, universal interop); CSV (controls + scores, spreadsheet round-trip); JSON (raw); RTF executive summary; Full report Markdown + RTF (every control with evidence, plans, cross-map references); cross-map matrix CSV; Print / Save as PDF.See the Keyboard tab for shortcuts.
A maturity self-assessment gives you an honest baseline and a roadmap — not a grade. The point isn't the number; it's seeing the gap between where you are and where the risk says you need to be, then closing it deliberately.
Maturity you can't evidence is maturity you're imagining. A score with no proof behind it won't survive an audit, and it quietly misleads you in the meantime.
Rate what's actually true and repeatable today — not what's in a draft policy or what you intend to do next quarter. An honest 2 is more useful than an aspirational 4; you can only plan from the truth.
Not every control needs to be a 5. Decide the level each domain warrants given its risk, and stop there. Chasing uniform top scores burns effort where it doesn't move the needle.
A gap analysis only helps if each gap turns into an owned, prioritized action. The score tells you where you fall short; the remediation plan and priority tell you what to do about it.
Frameworks overlap enormously. Answer a control well once, and cross-framework mapping lets that evidence satisfy the equivalent control elsewhere — so the second and third frameworks are far less work than the first.
The maturity ladder traces back to CMMI. The frameworks set the bar: NIST CSF 2.0 (tiers + functions), SOC-CMM for security operations, and David Bianco's Hunting Maturity Model — all bundled here. Route risk-worthy findings into PumaRisk and task-worthy ones into PumaTracker via .pumapack.
Every assessment, score, evidence note, and history snapshot is held in this browser's sessionStorage under the pumagrc2.* key prefix. Nothing is sent over the network. Closing the tab keeps your data; opening the file in a different browser, profile, or device shows no assessments.
Heads up. Clearing site data, using private/incognito mode, or losing the device erases everything. The browser is the database — back up regularly.
Use the Export button (cloud icon, topbar) for a full .pumapack backup — every workspace, every score, every history snapshot. Open the same pack in any sibling PumaWorx app for cross-app interop. From the gear menu you can also export:
This deletes every assessment, score, history snapshot, and preference under pumagrc2.* in this browser. It does not touch any .pumapack file you've exported.
Type DELETE EVERYTHING to confirm.
.pumapack.pumapack filePumaGRC2 is a lightweight, portable, offline GRC maturity assessment tool that runs entirely in your browser. It ships eighteen complete control catalogs with gap analysis, cross-framework mapping, and history snapshots.
This tool is provided as-is, with no warranties or guarantees. It is not professional advice. By using it you accept full responsibility for any outcomes that result from your use.
PumaWorx is a suite of offline, single-HTML productivity apps that run entirely in your local browser. The entire suite is a personal, open source vibecoding project.
Choose which frameworks appear in the sidebar and cross-map. Assessment data is preserved when a framework is hidden.
Name your workspace and pick the frameworks you want to score. You can add or remove frameworks later via the gear menu.
Capture the current assessment state for trend tracking.
This is an offline single-HTML app. No data goes to or from the internet. There is no server, no account, no sync, and no telemetry.
Your assessments live in your web browser's sessionStorage — on this device, in this browser, and nowhere else.
Your data is YOUR responsibility.
If you clear site data, use a private/incognito window, switch browsers, or lose this device, your assessments are gone. Back up regularly via the Export button in the topbar — produces .pumapack, CSV, or RTF.
Press ? any time for help and keyboard shortcuts.