
CMMC Level 2 Assessment - CUI Safeguarding (NIST SP 800-171)

Assess your implementation of the 110 CMMC Level 2 security requirements (NIST SP 800-171 Rev. 2, the safeguarding requirements for Controlled Unclassified Information). An internal readiness self-assessment for DoD contractors preparing for the official Level 2 self-assessment or C3PAO certification assessment: it is not the official assessment, does not produce or submit an SPRS score, and does not confer a CMMC Status.

Use this page to decide whether this assessment belongs in your binder and which of the supported framework mappings can carry framework-specific wording.

14 guided sections · 220 questions in the wizard

What this assessment covers

  1. Access Control (AC)

     Assess the 22 Access Control requirements: who can reach systems that handle Controlled Unclassified Information (CUI), what they can do there, and how remote, wireless, mobile, and external access paths are controlled.

  2. Awareness & Training (AT)

     Assess the three Awareness and Training requirements: general security awareness, role-based training for security duties, and insider-threat awareness.

  3. Audit & Accountability (AU)

     Assess the nine Audit and Accountability requirements: creating audit records, tying actions to users, reviewing and alerting on logs, and protecting the audit trail.

  4. Configuration Management (CM)

     Assess the nine Configuration Management requirements: baseline configurations, security configuration settings, change control, least functionality, and software restrictions.

  5. Identification & Authentication (IA)

     Assess the 11 Identification and Authentication requirements: unique identification, authentication, multifactor authentication (MFA), replay resistance, and password handling.

  6. Incident Response (IR)

     Assess the three Incident Response requirements: an operational incident-handling capability, incident tracking and reporting, and testing the response capability.

  7. Maintenance (MA)

     Assess the six Maintenance requirements: performing and controlling maintenance, sanitizing equipment sent off-site, checking incoming media, and supervising maintenance access.

  8. Media Protection (MP)

     Assess the nine Media Protection requirements: protecting, marking, transporting, encrypting, and sanitizing media that carry CUI, controlling removable media, and protecting backups.

  9. Personnel Security (PS)

     Assess the two Personnel Security requirements: screening individuals before CUI access and protecting CUI during terminations and transfers.

  10. Physical Protection (PE)

     Assess the six Physical Protection requirements: limiting physical access to systems in scope, escorting visitors, keeping physical access logs, managing access devices, and safeguarding CUI at alternate work sites.

  11. Risk Assessment (RA)

     Assess the three Risk Assessment requirements: periodic risk assessments, vulnerability scanning, and remediating vulnerabilities in accordance with risk.

  12. Security Assessment (CA)

     Assess the four Security Assessment requirements: periodic control assessments, remediation plans, continuous monitoring, and the system security plan (SSP).

  13. System & Communications Protection (SC)

     Assess the 16 System and Communications Protection requirements: boundary defense, network segmentation, cryptography (including FIPS validation), session protections, and CUI at rest.

  14. System & Information Integrity (SI)

     Assess the seven System and Information Integrity requirements: flaw remediation, malicious code protection, security alerts, and monitoring of systems, traffic, and unauthorized use.

Decisions this assessment captures

A sample of the guided questions the wizard walks through. Answers remain placeholder-safe in the hosted draft; sensitive specifics are filled in on your exported copy.

  • AC.L2-3.1.1: Authorized Access Control
  • AT.L2-3.2.1: Role-Based Risk Awareness
  • AU.L2-3.3.1: System Auditing
  • CM.L2-3.4.1: System Baselining
  • IA.L2-3.5.1: Identification
  • IR.L2-3.6.1: Incident Handling
  • MA.L2-3.7.1: Perform Maintenance
  • MP.L2-3.8.1: Media Protection
  • PS.L2-3.9.1: Screen Individuals
  • PE.L2-3.10.1: Limit Physical Access

Supported framework mappings

When teams need it

  • A customer, insurer, partner, or internal reviewer asks for the document.
  • You need a clear owner, scope, review cadence, and evidence checklist.
  • You want framework-aware wording without starting from a blank template.

What Security Binder generates

  • A structured draft based on your business profile and answers.
  • Framework-aware wording where the product supports that framework mapping.
  • PDF, DOCX, Markdown, and Local Pack exports for review and local finalization.

Create this document from guided questions.

Generate a structured draft, export it, and finish sensitive proof locally.


Last reviewed: July 2026

Security Binder prepares documentation. It does not guarantee compliance, insurance coverage, or audit acceptance, and it does not substitute for licensed legal or audit review. Framework names are the property of their respective publishers.