CMMC Level 2 Assessment - CUI Safeguarding (NIST SP 800-171)
Assess your implementation of the 110 CMMC Level 2 security requirements (NIST SP 800-171 Rev. 2, the safeguarding requirements for Controlled Unclassified Information). An internal readiness self-assessment for DoD contractors preparing for the official Level 2 self-assessment or C3PAO certification assessment: it is not the official assessment, does not produce or submit an SPRS score, and does not confer a CMMC Status.
Use this page to decide whether this assessment belongs in your binder and which of the supported framework mappings let the generated draft include framework-specific language.
14 guided sections · 220 questions in the wizard
What this assessment covers
- 01 Access Control (AC). Assess the 22 Access Control requirements: who can reach systems that handle Controlled Unclassified Information (CUI), what they can do there, and how remote, wireless, mobile, and external access paths are controlled.
- 02 Awareness & Training (AT). Assess the three Awareness and Training requirements: general security awareness, role-based training for security duties, and insider-threat awareness.
- 03 Audit & Accountability (AU). Assess the nine Audit and Accountability requirements: creating audit records, tying actions to users, reviewing and alerting on logs, and protecting the audit trail.
- 04 Configuration Management (CM). Assess the nine Configuration Management requirements: baseline configurations, security configuration settings, change control, least functionality, and software restrictions.
- 05 Identification & Authentication (IA). Assess the 11 Identification and Authentication requirements: unique identification, authentication, multifactor authentication (MFA), replay resistance, and password handling.
- 06 Incident Response (IR). Assess the three Incident Response requirements: an operational incident-handling capability, incident tracking and reporting, and testing the response capability.
- 07 Maintenance (MA). Assess the six Maintenance requirements: performing and controlling maintenance, sanitizing equipment sent off-site, checking incoming media, and supervising maintenance access.
- 08 Media Protection (MP). Assess the nine Media Protection requirements: protecting, marking, transporting, encrypting, and sanitizing media that carry CUI, controlling removable media, and protecting backups.
- 09 Personnel Security (PS). Assess the two Personnel Security requirements: screening individuals before CUI access and protecting CUI during terminations and transfers.
- 10 Physical Protection (PE). Assess the six Physical Protection requirements: limiting physical access to systems in scope, escorting visitors, keeping physical access logs, managing access devices, and safeguarding CUI at alternate work sites.
- 11 Risk Assessment (RA). Assess the three Risk Assessment requirements: periodic risk assessments, vulnerability scanning, and remediating vulnerabilities in accordance with risk.
- 12 Security Assessment (CA). Assess the four Security Assessment requirements: periodic control assessments, remediation plans, continuous monitoring, and the system security plan (SSP).
- 13 System & Communications Protection (SC). Assess the 16 System and Communications Protection requirements: boundary defense, network segmentation, cryptography (including FIPS validation), session protections, and CUI at rest.
- 14 System & Information Integrity (SI). Assess the seven System and Information Integrity requirements: flaw remediation, malicious code protection, security alerts, and monitoring of systems, traffic, and unauthorized use.
Decisions this assessment captures
A sample of the guided questions the wizard walks through. Answers stay placeholder-safe in the hosted draft; sensitive specifics are completed in your exported copy.
- AC.L2-3.1.1: Authorized Access Control
- AT.L2-3.2.1: Role-Based Risk Awareness
- AU.L2-3.3.1: System Auditing
- CM.L2-3.4.1: System Baselining
- IA.L2-3.5.1: Identification
- IR.L2-3.6.1: Incident Handling
- MA.L2-3.7.1: Perform Maintenance
- MP.L2-3.8.1: Media Protection
- PS.L2-3.9.1: Screen Individuals
- PE.L2-3.10.1: Limit Physical Access
Supported framework mappings
When teams need it
- A customer, insurer, partner, or internal reviewer asks for the document.
- You need a clear owner, scope, review cadence, and evidence checklist.
- You want framework-aware wording without starting from a blank template.
What Security Binder generates
- A structured draft based on your business profile and answers.
- Framework-aware wording where the product supports that framework mapping.
- PDF, DOCX, Markdown, and Local Pack exports for review and local finalization.
Create this document from guided questions.
Generate a structured draft, export it, and finish sensitive proof locally.