CMMC Readiness Tool

CMMC Readiness Assessment

Select a certification level to begin

Domain 1 of 140%

This tool evaluates your organisation's cybersecurity readiness against the Cybersecurity Maturity Model Certification (CMMC 2.0) framework. Select a certification level below to scope the assessment to the appropriate control families and practices.

Each question presents four implementation levels. Select the response that most accurately describes your current state — not your target.

Select CMMC Certification Level

Level 1 — Foundational

FAR 52.204-21 · 6 Domains · 6 Questions · Self-Assessment

Basic safeguarding of Federal Contract Information (FCI). 17 practices across 6 control families. Annual self-assessment with affirmation — no third-party audit required.

Level 2 — Advanced

NIST SP 800-171 Rev 2 · 14 Domains · 28 Questions · C3PAO Audit

Protection of Controlled Unclassified Information (CUI). 110 security requirements across all 14 control families. Third-party assessment by a Certified Third-Party Assessment Organisation (C3PAO) required every 3 years.

Level 3 — Expert

NIST SP 800-171 + 800-172 · 14 Domains · 42 Questions · DIBCAC

Enhanced protection of CUI against Advanced Persistent Threats (APTs). 134 requirements (110 from SP 800-171 + 24 from SP 800-172). Government-led Defence Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment required every 3 years.

Organisation Name

Completed By

🔐

Family 3.1 — 22 Requirements

Access Control

NIST SP 800-171 Rev 2 §3.1.1–3.1.22

System access limitations, information flow control, least privilege, separation of duties, session management, and remote access controls.

Q 1.0 — Basic FCI access controls

How does your organisation limit information system access to authorised users, processes acting on behalf of authorised users, and devices (including other systems), and limit the types of transactions and functions that authorised users are permitted to execute?

Not ImplementedNo formal access controls for FCI systems. Users have unrestricted access with no role limitations or external system controls.

PartialBasic user accounts exist with some access restrictions. External system connections are not formally controlled. Public-facing information not consistently reviewed.

Largely ImplementedUser access limited to authorised individuals for most FCI systems. External connections controlled. Publicly accessible system content reviewed periodically.

Fully ImplementedAll FCI system access limited to authorised users with defined transaction types. External system connections verified and controlled. Public-facing content actively managed and reviewed.

Q 1.1 — System access & least privilege

How does your organisation limit system access to authorised users and enforce least-privilege principles across CUI systems?

Not ImplementedNo formal access controls. Users have broad access to systems and data with no role-based restrictions.

PartialBasic user accounts exist. Some role-based restrictions in place but not consistently enforced. Standing admin privileges common.

Largely ImplementedRBAC enforced for most CUI systems. Least privilege applied to privileged accounts. Separation of duties documented. Minor gaps remain.

Fully ImplementedComprehensive RBAC/ABAC across all CUI systems. Least privilege enforced universally. Separation of duties verified. Access reviews conducted regularly.

Q 1.2 — Remote access & session management

How are remote access sessions controlled, monitored, and encrypted for CUI systems?

Not ImplementedNo controlled remote access mechanism. Direct RDP/SSH without monitoring or encryption requirements.

PartialVPN deployed for some remote access. Session timeouts inconsistently applied. Limited monitoring of remote sessions.

Largely ImplementedEncrypted VPN/ZTNA for all remote CUI access. Session controls and timeouts enforced. Remote access logged and monitored.

Fully ImplementedAll remote access encrypted, MFA-protected, monitored in real time. Automated session termination. CUI flow controlled on publicly accessible systems.

Q 1.3 — Enhanced access controls (SP 800-172)

How does your organisation implement enhanced access controls — including dual authorisation for critical operations, automated policy enforcement, and network-based access restrictions — to protect CUI against Advanced Persistent Threats?

Not ImplementedNo dual authorisation or enhanced access mechanisms. Access controls do not address APT-level threats. No automated policy enforcement.

PartialSome critical operations require secondary approval but process is manual and inconsistent. Automated enforcement limited to basic rules.

Largely ImplementedDual authorisation enforced for most critical CUI operations. Automated access policy enforcement deployed. Network-based restrictions in place with minor gaps.

Fully ImplementedDual authorisation required for all critical operations. Automated, policy-driven access enforcement across all systems. Network-based access restrictions prevent lateral movement. Access decisions informed by real-time risk signals.

Domain 1 of 14

🎓

Family 3.2 — 3 Requirements

Awareness & Training

NIST SP 800-171 Rev 2 §3.2.1–3.2.3

Security awareness for all users, role-based training for privileged personnel, and insider threat awareness programmes.

Q 2.1 — Security awareness & role-based training

How does your organisation ensure all CUI system users receive security awareness training and role-specific cybersecurity training?

Not ImplementedNo formal security awareness programme. No role-based training for system administrators or privileged users.

PartialAnnual awareness training exists but completion tracking is inconsistent. Limited role-based training for privileged users.

Largely ImplementedTracked awareness training for all users. Role-specific training for admins and privileged roles. Training records maintained.

Fully ImplementedComprehensive, tracked training programme with phishing simulations. Role-based training verified. Insider threat awareness integrated. Evidence audit-ready.

Q 2.2 — Insider threat awareness

How effectively does your organisation train personnel to recognise and report potential indicators of insider threats?

Not ImplementedNo insider threat training or awareness programme in place.

PartialGeneral mention of insider threats in awareness training. No dedicated insider threat indicators or reporting procedures.

Largely ImplementedDedicated insider threat training module. Reporting procedures defined. Most personnel have completed training.

Fully ImplementedIntegrated insider threat programme with behavioural indicators, clear reporting channels, regular refresher training, and tracking of all personnel completion.

Q 2.3 — APT-focused awareness training (SP 800-172)

How does your organisation provide enhanced, practical awareness training that covers APT tactics, techniques, and procedures (TTPs) and includes realistic exercises simulating advanced threat scenarios?

Not ImplementedNo APT-specific awareness training. Standard phishing awareness only. No practical exercises against advanced threats.

PartialSome APT awareness content included in general training. No dedicated exercises or simulations targeting advanced threat scenarios.

Largely ImplementedDedicated APT-focused training modules deployed. Practical exercises conducted periodically. Most key personnel have completed enhanced training.

Fully ImplementedComprehensive APT awareness programme with regular practical exercises aligned to current threat intelligence. All personnel in CUI roles complete advanced training. Exercises simulate real-world APT TTPs. Effectiveness measured and refined.

Domain 2 of 14

📋

Family 3.3 — 9 Requirements

Audit & Accountability

NIST SP 800-171 Rev 2 §3.3.1–3.3.9

Audit log creation, retention, correlation, protection, and individual user accountability for all CUI system activity.

Q 3.1 — Audit logging & retention

How comprehensively does your organisation create, retain, and protect audit logs for CUI system activity?

Not ImplementedMinimal or no audit logging. No centralised log aggregation. No defined retention periods.

PartialLogging enabled on some systems. Inconsistent retention. Logs stored locally without centralised collection or protection.

Largely ImplementedCentralised SIEM collecting logs from most CUI systems. Defined retention policy. Audit logs protected from tampering. Minor coverage gaps.

Fully ImplementedComprehensive audit logging across all CUI systems. SIEM with correlation rules. Immutable log storage. Retention exceeds 90 days. Individual accountability ensured.

Q 3.2 — Audit review & correlation

How does your organisation review, analyse, and correlate audit records for investigation and incident detection?

Not ImplementedNo audit review process. Logs are not analysed for anomalies or unauthorised activity.

PartialAd-hoc log review. Basic alerting on obvious events. No systematic correlation across systems.

Largely ImplementedRegular audit review process. SIEM correlation rules for key events. Alerting on suspicious activity. Investigation procedures documented.

Fully ImplementedAutomated correlation and alerting. Regular audit review cadence. Response procedures tested. Audit reduction and report generation capabilities operational.

Q 3.3 — Advanced audit analytics (SP 800-172)

How does your organisation implement advanced audit capabilities — including automated analysis, cross-system correlation, and threat-informed audit strategies — to detect sophisticated adversary activities?

Not ImplementedNo advanced audit analytics. Audit review is manual. No cross-system correlation or threat-informed audit strategies.

PartialBasic automated alerting on individual log sources. Cross-system correlation limited. Audit strategies not informed by current threat intelligence.

Largely ImplementedAutomated audit analysis with cross-system correlation operational. SIEM rules aligned to known TTPs (Tactics, Techniques, and Procedures). Threat intelligence integrated into audit strategy for most systems.

Fully ImplementedFull automated audit analysis with ML/behavioural analytics. Cross-system correlation across all CUI environments. Audit strategies continuously refined using threat intelligence. Anomaly detection identifies previously unknown attack patterns.

Domain 3 of 14

⚙️

Family 3.4 — 9 Requirements

Configuration Management

NIST SP 800-171 Rev 2 §3.4.1–3.4.9

Baseline configurations, change control, least functionality, and restriction of unauthorised software on CUI systems.

Q 4.1 — Baseline configurations & change control

How does your organisation establish, maintain, and enforce baseline configurations and change control for CUI systems?

Not ImplementedNo documented baselines. No formal change control process. Systems configured ad hoc.

PartialSome baseline configurations documented. Change control exists but is informal or inconsistently followed.

Largely ImplementedBaselines documented for most CUI systems (CIS/STIG-aligned). Formal change control process. Hardware/software inventories maintained.

Fully ImplementedComprehensive baselines enforced via automation (GPO, MDM, IaC). Change control with security impact analysis. Complete, current system inventories.

Q 4.2 — Least functionality & software restrictions

How does your organisation enforce least functionality and restrict unauthorised software on CUI systems?

Not ImplementedNo restrictions on installed software. Unnecessary services and ports remain enabled. Users can install software freely.

PartialSome hardening applied. Software installation restricted for standard users but not consistently enforced. Unused services not systematically disabled.

Largely ImplementedDeny-by-default or application whitelisting for most CUI systems. Unnecessary ports and services disabled. User-installed software restricted.

Fully ImplementedApplication whitelisting enforced across all CUI systems. Only essential capabilities enabled. Automated compliance scanning validates least functionality.

Q 4.3 — Automated configuration monitoring (SP 800-172)

How does your organisation implement automated configuration management and continuous monitoring to detect unauthorised changes and ensure system integrity against sophisticated adversaries?

Not ImplementedNo automated configuration monitoring. Configuration drift not detected. No integrity verification beyond initial deployment.

PartialSome automated configuration checks but not comprehensive. Drift detection limited to select systems. Manual review predominates.

Largely ImplementedAutomated configuration monitoring across most CUI systems. Drift detection and alerting operational. Integrity verification performed regularly.

Fully ImplementedContinuous automated configuration monitoring across all CUI systems. Real-time drift detection with automated remediation. Cryptographic integrity verification. Unauthorised changes detected and reverted automatically. Change attribution maintained.

Domain 4 of 14

🪪

Family 3.5 — 11 Requirements

Identification & Authentication

NIST SP 800-171 Rev 2 §3.5.1–3.5.11

User and device identification, multi-factor authentication, authenticator management, and replay-resistant mechanisms.

Q 5.0 — Basic identification & authentication

How does your organisation identify and authenticate users, processes, and devices before granting access to FCI systems?

Not ImplementedNo formal identification or authentication mechanisms. Shared accounts common. No device identification requirements.

PartialIndividual user accounts exist for some systems. Password-based authentication in place but policies are inconsistent. Device identification not formalised.

Largely ImplementedUsers and devices identified before access on most FCI systems. Password policies defined and enforced for most accounts.

Fully ImplementedAll users, processes, and devices identified and authenticated before FCI access. Unique accounts enforced. Password complexity and lifecycle policies applied consistently.

Q 5.1 — Identity management & MFA

How does your organisation identify system users and enforce multi-factor authentication for CUI system access?

Not ImplementedShared accounts in use. No MFA deployed. Password-only authentication for all access.

PartialUnique user accounts. MFA deployed for some systems (e.g. VPN only). Privileged accounts may lack MFA.

Largely ImplementedMFA enforced for privileged and network access. Unique IDs for all users and service accounts. Most systems covered.

Fully ImplementedMFA for all local and network access (privileged and non-privileged). Phishing-resistant methods (FIDO2/passkeys). Device identity verified. Replay-resistant mechanisms in place.

Q 5.2 — Authenticator management

How are authenticators (passwords, tokens, certificates) managed, protected, and enforced across the enterprise?

Not ImplementedNo password policy. Default credentials in use. No authenticator lifecycle management.

PartialBasic password policy (length, complexity). Some default credentials changed. No formal authenticator lifecycle or revocation process.

Largely ImplementedStrong password policy enforced. Authenticator lifecycle managed. Default credentials eliminated on most systems. Certificate management operational.

Fully ImplementedComprehensive authenticator management. Encrypted storage and transmission. Automated lifecycle (issuance, rotation, revocation). Obscured feedback during authentication.

Q 5.3 — Enhanced authentication mechanisms (SP 800-172)

How does your organisation implement enhanced authentication — including hardware-bound credentials, network-authenticated access, and adaptive authentication — to resist credential theft and replay attacks by APTs?

Not ImplementedNo hardware-bound credentials. No adaptive or risk-based authentication. Standard MFA only.

PartialHardware-bound credentials deployed for some privileged accounts. No adaptive authentication. Network-based authentication not implemented.

Largely ImplementedHardware-bound credentials (FIDO2/smart cards) for most CUI access. Network-based device authentication in place. Risk-based authentication for high-value operations.

Fully ImplementedAll CUI access requires hardware-bound phishing-resistant credentials. Network-authenticated device identity verified at every access point. Adaptive authentication adjusts dynamically to risk signals. Credential theft and replay attacks effectively neutralised.

Domain 5 of 14

🚨

Family 3.6 — 3 Requirements

Incident Response

NIST SP 800-171 Rev 2 §3.6.1–3.6.3 · DFARS 252.204-7012 (72-hr reporting)

Incident handling capability, tracking and reporting (including DFARS 72-hour DC3 reporting), and testing of IR procedures.

Q 6.1 — Incident handling capability

Does your organisation have an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response?

Not ImplementedNo incident response plan or capability. No defined roles, procedures, or communication channels for security incidents.

PartialBasic IR plan exists but untested. Roles loosely defined. No formal evidence preservation or DC3 reporting procedures.

Largely ImplementedDocumented IR plan with defined roles. DFARS 72-hour reporting procedure established. Containment and recovery procedures in place.

Fully ImplementedComprehensive IR capability. All phases covered. DC3 reporting tested. Evidence preservation for 90 days. Integration with SIEM and SOC operations.

Q 6.2 — IR testing & lessons learned

How regularly does your organisation test its incident response capability and incorporate lessons learned?

Not ImplementedIR plan has never been tested. No tabletop exercises or simulations conducted.

PartialIR plan tested informally or only after a real incident. No regular exercise schedule. Lessons learned not systematically captured.

Largely ImplementedAnnual tabletop exercises. Lessons learned documented and fed back into IR plan updates. Key personnel participate.

Fully ImplementedRegular exercises (tabletop + simulations). Red team/purple team engagements. Systematic lessons learned cycle. IR plan updated after every exercise and incident.

Q 6.3 — Proactive threat hunting & advanced IR (SP 800-172)

How does your organisation implement proactive threat hunting, advanced incident response capabilities, and coordination with external threat intelligence sources to address APT-level threats?

Not ImplementedNo proactive threat hunting. Incident response is purely reactive. No external threat intelligence integration.

PartialAd hoc threat hunting performed occasionally. Some external threat feeds consumed but not integrated into IR workflows.

Largely ImplementedScheduled threat hunting aligned to known TTPs. Advanced IR playbooks cover APT scenarios. External threat intelligence integrated into detection and response.

Fully ImplementedContinuous proactive threat hunting with hypothesis-driven campaigns. Advanced IR capabilities include containment, eradication, and recovery from APT intrusions. Real-time threat intelligence sharing with CISA/DC3. Purple team exercises validate detection and response effectiveness.

Domain 6 of 14

🔧

Family 3.7 — 6 Requirements

Maintenance

NIST SP 800-171 Rev 2 §3.7.1–3.7.6

Controlled system maintenance, approved maintenance tools, remote maintenance oversight, and equipment sanitisation.

Q 7.1 — Maintenance controls & tools

How does your organisation control maintenance activities and approve maintenance tools for CUI systems?

Not ImplementedNo formal maintenance procedures. Maintenance performed ad hoc with no controls on tools or personnel.

PartialSome maintenance scheduled. Tools not formally approved or inspected. Maintenance records incomplete.

Largely ImplementedMaintenance scheduled and documented. Approved tool list maintained. Equipment sanitised before removal. Minor gaps in coverage.

Fully ImplementedComprehensive maintenance programme. All tools approved and inspected. Media sanitised before and after maintenance. Complete audit trail of all activities.

Q 7.2 — Remote maintenance

How is remote maintenance of CUI systems supervised, controlled, and documented?

Not ImplementedRemote maintenance uncontrolled. No supervision, logging, or session termination requirements.

PartialRemote maintenance allowed over encrypted channels but not consistently supervised or logged.

Largely ImplementedRemote maintenance supervised and logged. Sessions encrypted. Terminated when complete. Non-local maintenance tools inspected.

Fully ImplementedAll remote maintenance approved, supervised, recorded, and audited. MFA required. Sessions encrypted and terminated immediately upon completion.

Q 7.3 — Supply chain–aware maintenance (SP 800-172)

How does your organisation protect maintenance activities from supply chain threats and ensure maintenance tools, firmware, and updates are verified for integrity before deployment?

Not ImplementedNo supply chain verification for maintenance. Tools and updates not checked for integrity. No provenance tracking.

PartialSome vendor patches verified via checksums. Maintenance tools not formally inventoried or integrity-verified. Supply chain risk not assessed for maintenance activities.

Largely ImplementedMaintenance tools and updates integrity-verified for most systems. Supply chain risk assessed for critical components. Vendor provenance documented.

Fully ImplementedAll maintenance tools, firmware, and updates cryptographically verified before deployment. Supply chain risk formally assessed and mitigated. Provenance tracked end-to-end. Maintenance operations monitored for tamper indicators.

Domain 7 of 14

💾

Family 3.8 — 9 Requirements

Media Protection

NIST SP 800-171 Rev 2 §3.8.1–3.8.9

Protection, access control, sanitisation, marking, and transport of media containing CUI.

Q 8.0 — Basic FCI media sanitisation

How does your organisation sanitise or destroy information system media containing Federal Contract Information before disposal or release for reuse?

Not ImplementedNo media sanitisation process. Media discarded or reused without clearing FCI data. No disposal tracking.

PartialSome media wiped before disposal but process is informal and inconsistent. No verification of sanitisation effectiveness.

Largely ImplementedMedia sanitisation process defined for most FCI media. Destruction or clearing performed before disposal. Minor gaps in tracking.

Fully ImplementedAll FCI media sanitised or destroyed before disposal or reuse per documented procedures. Sanitisation verified and tracked. Physical destruction used where appropriate.

Q 8.1 — Media protection & access control

How does your organisation protect and control access to media (digital and physical) containing CUI?

Not ImplementedNo media protection controls. CUI stored on unencrypted removable media with no access restrictions or marking.

PartialSome media access controls. CUI marking inconsistent. Removable media use not fully restricted or tracked.

Largely ImplementedMedia containing CUI marked, access-controlled, and stored securely. Removable media restricted and encrypted. Most physical media tracked.

Fully ImplementedComprehensive media protection. All CUI media marked, encrypted, access-controlled, and inventoried. Removable media policy enforced via DLP/endpoint controls.

Q 8.2 — Media sanitisation & transport

How does your organisation sanitise media before disposal/reuse and protect CUI during transport?

Not ImplementedNo media sanitisation procedures. Equipment disposed of without data clearing. No transport protections for CUI media.

PartialBasic deletion before disposal. Sanitisation not verified. Physical transport of CUI media without encryption or accountability.

Largely ImplementedNIST 800-88 sanitisation for most media. Sanitisation records maintained. CUI media transported with encryption and custodial tracking.

Fully ImplementedVerified NIST 800-88 sanitisation for all media. Cryptographic erase or physical destruction documented. Controlled transport with chain-of-custody for all CUI media.

Q 8.3 — Enhanced media protection (SP 800-172)

How does your organisation implement enhanced media protection — including cryptographic protections, advanced access controls, and automated tracking — for media containing highly sensitive CUI?

Not ImplementedNo enhanced media protections beyond basic sanitisation. No cryptographic controls on media. No automated media tracking.

PartialSome CUI media encrypted but not all. Media tracking is manual. Advanced access controls not in place for media storage areas.

Largely ImplementedMost CUI media encrypted at rest. Automated media inventory and tracking for sensitive items. Access to media storage areas controlled and logged.

Fully ImplementedAll CUI media cryptographically protected. Automated tracking and chain-of-custody from creation through destruction. Multi-factor access controls on media vaults. Tamper-evident protections on highly sensitive media.

Domain 8 of 14

👤

Family 3.9 — 2 Requirements

Personnel Security

NIST SP 800-171 Rev 2 §3.9.1–3.9.2

Personnel screening prior to CUI access and CUI protection during personnel actions (termination, transfer).

Q 9.1 — Personnel screening

How does your organisation screen individuals prior to authorising access to CUI systems?

Not ImplementedNo screening process for personnel before granting CUI system access.

PartialBackground checks for some roles. Screening criteria not linked to CUI access authorisation. Re-screening not performed.

Largely ImplementedBackground screening required before CUI access. Screening criteria defined. Most personnel screened but re-investigation schedule incomplete.

Fully ImplementedAll personnel screened before CUI access. Screening criteria tied to risk level. Periodic re-investigation. Third-party/contractor screening equivalent to internal.

Q 9.2 — Personnel actions (termination/transfer)

How does your organisation protect CUI during and after personnel actions such as terminations and transfers?

Not ImplementedNo formal offboarding process for CUI access. Accounts remain active after departure. No media/equipment retrieval procedures.

PartialAccounts disabled upon termination but delays common. Equipment retrieval inconsistent. Transfer access changes not systematic.

Largely ImplementedTimely account termination. Equipment and media retrieved. Access adjusted on transfer. Exit interviews conducted for CUI personnel.

Fully ImplementedAutomated account deprovisioning. Same-day access revocation. All CUI media and equipment retrieved and verified. Transfer access rights reviewed and adjusted immediately.

Q 9.3 — Enhanced personnel security (SP 800-172)

How does your organisation implement enhanced personnel security measures — including continuous evaluation, advanced insider threat detection, and supply chain personnel vetting — for individuals with access to highly sensitive CUI?

Not ImplementedNo enhanced personnel security beyond initial screening. No continuous evaluation. Insider threat detection limited to basic awareness.

PartialSome positions subject to enhanced screening. Continuous evaluation not formalised. Insider threat detection relies on manual reporting.

Largely ImplementedEnhanced screening for personnel in critical CUI roles. Continuous evaluation programme in place for most privileged users. Behavioural analytics deployed for insider threat detection.

Fully ImplementedAll personnel with access to sensitive CUI subject to enhanced screening and continuous evaluation. Advanced insider threat detection with behavioural analytics and anomaly detection. Supply chain personnel vetted to equivalent standards. Real-time risk-based access adjustments.

Domain 9 of 14

🏢

Family 3.10 — 6 Requirements

Physical Protection

NIST SP 800-171 Rev 2 §3.10.1–3.10.6

Physical access authorisation, monitoring, visitor control, audit logs, and protection of CUI at alternate work sites.

Q 10.0 — Basic physical access controls

How does your organisation limit physical access to FCI systems, equipment, and operating environments to authorised individuals, and how are visitors managed and physical access activity monitored?

Not ImplementedNo physical access restrictions. Visitors unescorted. Equipment and server areas accessible to all personnel. No access logs maintained.

PartialSome physical access controls in place (locked server rooms) but inconsistently applied. Visitor sign-in exists but escorts not enforced. Limited monitoring.

Largely ImplementedPhysical access limited to authorised individuals for most FCI areas. Visitors escorted in sensitive areas. Access activity logged for key locations.

Fully ImplementedPhysical access to all FCI equipment and environments controlled and limited to authorised individuals. Visitors escorted and logged. Access audit logs maintained. Equipment protected from unauthorised physical access.

Q 10.1 — Physical access controls

How does your organisation control and monitor physical access to CUI systems and the facilities housing them?

Not ImplementedNo physical access controls specific to CUI systems. Facilities unlocked or accessible without authorisation checks.

PartialBasic badge access to building. Server rooms or CUI areas may not have separate access controls. Physical access logs incomplete.

Largely ImplementedCUI areas access-controlled (badge/biometric). Physical access logs maintained. Visitor escort procedures in place. Minor gaps in monitoring.

Fully ImplementedComprehensive physical access controls. Authorisation lists maintained. Video surveillance and access logging. Visitor management with escort. Alternate work sites addressed.

Q 10.2 — Visitor management & facility monitoring

How does your organisation manage visitors and monitor physical access to facilities containing CUI?

Not ImplementedNo visitor management process. No physical access audit logs. No surveillance or monitoring of CUI areas.

PartialSign-in sheets for visitors. Escort policy exists but inconsistently enforced. Limited physical access logging.

Largely ImplementedFormal visitor management with badge issuance and escort. Physical access logs reviewed. Surveillance in key areas.

Fully ImplementedComprehensive visitor programme. All access logged and reviewed. Surveillance covering all CUI areas. Access anomalies investigated. Equipment and media protected from unauthorised physical access.

Q 10.3 — Enhanced physical security (SP 800-172)

How does your organisation implement enhanced physical security — including multi-factor physical access, advanced surveillance, and penetration testing of physical controls — for facilities housing highly sensitive CUI?

Not ImplementedNo enhanced physical security measures. Single-factor access. Standard CCTV only. No physical penetration testing.

PartialMulti-factor physical access for some high-security areas. Surveillance covers key areas but not comprehensive. No formal physical penetration testing.

Largely ImplementedMulti-factor physical access for most sensitive CUI areas. Advanced surveillance with analytics. Physical security assessments conducted periodically.

Fully ImplementedAll sensitive CUI facilities require multi-factor physical access with biometrics. AI-enhanced surveillance with anomaly detection. Regular physical penetration testing. Tamper detection on critical infrastructure. Real-time alerting and response integration.

Domain 10 of 14

⚠️

Family 3.11 — 3 Requirements

Risk Assessment

NIST SP 800-171 Rev 2 §3.11.1–3.11.3

Periodic risk assessments, vulnerability scanning, and remediation of vulnerabilities in CUI systems.

Q 11.1 — Risk assessments

How does your organisation conduct and maintain risk assessments for CUI systems?

Not ImplementedNo formal risk assessment process. CUI system risks not identified, documented, or tracked.

PartialAd-hoc risk assessments. Some risks identified but not systematically documented or updated. No regular cadence.

Largely ImplementedPeriodic risk assessments conducted. Risks documented with likelihood and impact. Risk register maintained. Annual review cycle.

Fully ImplementedComprehensive risk assessment programme. Risks quantified and prioritised. Risk register actively maintained. Assessments updated for system changes and new threats.

Q 11.2 — Vulnerability scanning & remediation

How does your organisation scan for vulnerabilities and remediate findings on CUI systems?

Not ImplementedNo vulnerability scanning programme. No awareness of vulnerability posture across CUI systems.

PartialOccasional vulnerability scans. Remediation is reactive and slow. No defined SLAs for patching critical vulnerabilities.

Largely ImplementedRegular vulnerability scanning (monthly+). Remediation SLAs defined. Critical/high findings addressed within defined timelines. Most systems covered.

Fully ImplementedContinuous vulnerability scanning across all CUI systems. Risk-based remediation with enforced SLAs. Scanning tools updated with latest signatures. Exceptions tracked and justified.

Q 11.3 — Threat intelligence–driven risk (SP 800-172)

How does your organisation integrate threat intelligence into risk assessments and maintain a comprehensive, continuously updated threat-informed risk posture?

Not ImplementedRisk assessments do not incorporate threat intelligence. Static risk register. No adversary-informed risk analysis.

PartialSome threat intelligence reviewed during annual risk assessments. Risk register updated periodically but not informed by current TTP data.

Largely ImplementedThreat intelligence integrated into risk assessment process. Risk register updated when new threats identified. Adversary TTPs mapped to organisational attack surface.

Fully ImplementedContinuous threat intelligence–driven risk assessment. Risk posture dynamically updated based on real-time intelligence feeds. Adversary capability modelling informs control prioritisation. Red team findings directly update risk register. Threat-informed risk metrics reported to leadership.

Domain 11 of 14

📊

Family 3.12 — 4 Requirements

Security Assessment

NIST SP 800-171 Rev 2 §3.12.1–3.12.4

Periodic security control assessments, SSP development and maintenance, POA&M management, and continuous monitoring.

Q 12.1 — Security control assessments

How does your organisation assess the effectiveness of its security controls for CUI systems?

Not ImplementedNo security control assessments performed. No understanding of which controls are effective or deficient.

PartialInformal self-assessment of some controls. No use of SP 800-171A assessment objectives. Results not documented systematically.

Largely ImplementedPeriodic self-assessments against SP 800-171A. Deficiencies documented. Corrective actions tracked. Continuous monitoring programme in development.

Fully ImplementedRegular assessments against all 320 SP 800-171A objectives. Continuous monitoring operational. Automated compliance checking where feasible. Assessment-ready evidence maintained.

Q 12.2 — SSP & POA&M management

How mature are your System Security Plan (SSP) and Plan of Action & Milestones (POA&M)?

Not ImplementedNo SSP or POA&M. System boundaries and control implementation not documented.

PartialSSP drafted but incomplete or not reflective of actual implementation. POA&M exists but not actively managed. SPRS score not current.

Largely ImplementedSSP documents most control implementations accurately. POA&M actively tracks gaps with remediation timelines. SPRS score submitted and current.

Fully ImplementedSSP fully reflects operational reality for all 110 controls. POA&M actively managed with milestones within 180 days. SPRS score accurate and current. Documents assessment-ready.

Q 12.3 — Advanced assessments & red teaming (SP 800-172)

How does your organisation conduct advanced security assessments — including red team exercises, penetration testing modelled on APT TTPs, and independent evaluation of security architecture?

Not ImplementedNo red team exercises or APT-modelled penetration testing. Assessments limited to checklist-based reviews.

PartialOccasional penetration testing performed but not APT-modelled. No formal red team programme. Security architecture not independently evaluated.

Largely ImplementedRegular penetration testing with some APT-modelled scenarios. Red team exercises conducted periodically. Security architecture reviewed by qualified assessors.

Fully ImplementedComprehensive red team programme modelling current APT TTPs. Penetration testing covers all CUI environments. Independent security architecture evaluation. Purple team exercises integrate offensive and defensive teams. Findings drive continuous improvement.

Domain 12 of 14

🛡️

Family 3.13 — 16 Requirements

System & Communications Protection

NIST SP 800-171 Rev 2 §3.13.1–3.13.16

Boundary protection, architectural design, CUI flow enforcement, cryptographic protections, session authenticity, and DNS/DNSSEC.

Q 13.0 — Basic boundary protection & subnetworks

How does your organisation monitor, control, and protect communications at the external boundaries and key internal boundaries of information systems, and implement architectural designs with subnetworks for publicly accessible components?

Not ImplementedNo boundary monitoring. No separation between public-facing and internal systems. External communications uncontrolled.

PartialFirewall deployed at perimeter but internal boundaries not monitored. Public-facing systems on same network segments as internal systems. Limited traffic control.

Largely ImplementedBoundary protection at external edges and some internal points. Public-facing components separated from internal networks. Communications monitored at key boundaries.

Fully ImplementedAll external and key internal communications monitored and controlled. Public-facing components isolated in dedicated subnetworks. Architectural design enforces boundary separation and traffic inspection.

Q 13.1 — Boundary protection & segmentation

How does your organisation protect system boundaries and segment CUI environments from general-purpose networks?

Not ImplementedFlat network. No boundary protection or segmentation between CUI and non-CUI systems. No DMZ or subnet isolation.

PartialPerimeter firewall in place. CUI systems on same network segments as general IT. Some subnet separation but not consistently enforced.

Largely ImplementedCUI enclave segmented. Boundary protection at internal and external interfaces. Managed interfaces for all external connections. Architectural design limits attack surface.

Fully ImplementedFull CUI enclave isolation. Defence-in-depth with boundary protection at every tier. Subnetworks for publicly accessible components. All network communications monitored at boundaries.

Q 13.2 — Cryptographic protections

How does your organisation implement cryptographic mechanisms to protect CUI confidentiality in transit and at rest?

Not ImplementedNo encryption for CUI in transit or at rest. Cleartext protocols in use (HTTP, FTP, Telnet). No FIPS-validated cryptography.

PartialTLS enabled on some services. Encryption at rest for some storage. FIPS-validated modules not consistently used. Some cleartext protocols remain.

Largely ImplementedCUI encrypted in transit (TLS 1.2+) and at rest on most systems. FIPS 140-2 validated modules used. Session authenticity protected. Minor gaps in full coverage.

Fully ImplementedFIPS-validated encryption for all CUI in transit and at rest. TLS 1.2+ universal. Collaborative computing protection. DNS filtering (DNSSEC where applicable). Full cryptographic lifecycle management.

Q 13.3 — Enhanced boundary & crypto protections (SP 800-172)

How does your organisation implement enhanced boundary protections — including microsegmentation, encrypted information flow control, and advanced network monitoring — to defend CUI systems against APT lateral movement?

Not ImplementedNo microsegmentation. No encrypted internal flows beyond perimeter VPN. Network monitoring limited to boundary firewalls.

PartialSome network segmentation beyond basic VLANs. Encrypted flows for select internal traffic. Monitoring does not cover lateral movement patterns.

Largely ImplementedMicrosegmentation deployed across most CUI environments. Internal traffic encrypted between segments. Network monitoring covers lateral movement indicators for critical systems.

Fully ImplementedFull microsegmentation with zero-trust network policies. All inter-segment CUI traffic encrypted and inspected. Advanced network monitoring with ML-based lateral movement detection. Encrypted DNS and secure routing. Cryptographic lifecycle management automated.

Domain 13 of 14

🔍

Family 3.14 — 7 Requirements

System & Information Integrity

NIST SP 800-171 Rev 2 §3.14.1–3.14.7

Flaw remediation, malicious code protection, security alerting, system monitoring, and inbound/outbound communications analysis.

Q 14.0 — Basic flaw remediation & malware protection

How does your organisation identify, report, and correct information system flaws in a timely manner, and provide protection from malicious code at appropriate locations?

Not ImplementedNo patch management. No antivirus or malware protection deployed. System flaws not tracked or remediated.

PartialAntivirus installed on some systems but not consistently updated. Patching is reactive and ad hoc. Malware scans not performed regularly.

Largely ImplementedAntivirus/antimalware deployed and updated on most systems. Patches applied for critical flaws. Periodic scanning performed. Minor coverage gaps.

Fully ImplementedSystem flaws identified, reported, and corrected promptly. Malicious code protection deployed at all endpoints and network boundaries. Signatures and definitions kept current. Real-time and periodic scanning operational.

Q 14.1 — Flaw remediation & malicious code protection

How does your organisation identify, report, and correct system flaws and protect against malicious code?

Not ImplementedNo patch management process. No antivirus/EDR deployed. Systems not monitored for malicious code.

PartialAntivirus installed but updates inconsistent. Patching reactive and ad hoc. No defined SLAs for critical flaws.

Largely ImplementedPatch management with SLAs. EDR/antimalware deployed and updated. Malicious code scanning at network entry/exit points. Most systems covered.

Fully ImplementedAutomated patching with enforced SLAs. EDR across all endpoints. Real-time malicious code protection at endpoints and network boundaries. Security advisories monitored and acted upon.

Q 14.2 — System monitoring & alerting

How does your organisation monitor CUI systems for security-relevant events and generate alerts for anomalies?

Not ImplementedNo security monitoring. No alerting on attacks, indicators of compromise, or unauthorised activity on CUI systems.

PartialBasic monitoring on some systems. Alerting limited. Inbound/outbound traffic not systematically analysed. No centralised monitoring.

Largely ImplementedCentralised security monitoring. Alerts configured for key attack indicators. Inbound/outbound communications analysed. Unauthorised use detection in place.

Fully ImplementedComprehensive monitoring with SOC capabilities. Real-time alerting and correlation. Inbound/outbound communications analysis. Unauthorised connections detected and blocked automatically.

Q 14.3 — Advanced integrity & threat detection (SP 800-172)

How does your organisation implement advanced integrity verification, continuous monitoring, and automated threat detection to counter sophisticated adversaries targeting CUI systems?

Not ImplementedNo advanced integrity verification. Monitoring is signature-based only. No behavioural or anomaly-based detection.

PartialSome integrity checks on critical binaries. Basic anomaly detection deployed but limited. Threat detection relies primarily on known signatures.

Largely ImplementedIntegrity verification for critical system components. Behavioural analytics and anomaly detection deployed across most CUI systems. Threat detection covers known and some unknown attack patterns.

Fully ImplementedContinuous integrity verification across all system components using cryptographic hashing. Advanced behavioural analytics with ML-driven anomaly detection. Automated threat detection identifies zero-day and fileless attacks. Sandboxing and detonation analysis for unknown files. SOC integration with automated response playbooks.

Domain 14 of 14

CMMC Readiness

0.0

/ 4.0

Control Family Readiness Radar

Estimated Compliance Timeline

Plan of Action & Milestones (POA&M)

✓ All controls are fully implemented. No outstanding tasks.