1. Does your company work with sensitive (but not classified) government data?

This is called CUI — things like technical drawings, test data, or contract specs marked 'Controlled.' Learn more about CUI in our FAQ.

Yes, and we have documented CUI handling procedures Yes, but our procedures are not documented Not sure what qualifies as CUI No CUI handling

2. Do you have a written plan for how your company protects sensitive data?

In CMMC language, this is called a System Security Plan (SSP). Learn more in our FAQ.

Yes, current and comprehensive Yes, but needs updating/expansion Outdated or incomplete No SSP exists

3. Is multi-factor authentication (MFA) implemented for all users accessing company systems with sensitive data?

MFA requires a second form of verification (like a phone app or text code) beyond just a password.

Yes, for all users and systems Most users, working on 100% coverage Some users only No MFA implemented

4. Do you have a plan for what to do if you get hacked or have a data breach?

CMMC requires a documented incident response plan that covers sensitive data breaches.

Documented, tested, and regularly updated Documented but not tested Informal procedures only No incident response plan

5. Is your sensitive data encrypted (scrambled so hackers can't read it) both when stored and when sent?

CMMC requires FIPS 140-2 validated encryption for data at rest and in transit.

Yes, FIPS 140-2 for both at rest and in transit Yes, but not FIPS 140-2 validated Partial encryption (either at rest or in transit) No encryption implemented

6. Do you regularly scan your systems for security weaknesses and fix them?

This is called vulnerability management — finding and patching security holes before hackers exploit them.

Automated scanning with documented remediation processes Regular manual scanning and remediation Ad hoc vulnerability assessments No vulnerability management program

7. How many people at your company can access sensitive government data?

Fewer people with access means a smaller scope to secure — and a simpler path to certification.

Under 25 people 25–100 people 100–500 people Over 500 people

8. Do you have dedicated cybersecurity personnel or a Chief Information Security Officer (CISO)?

Dedicated cybersecurity team with CISO One dedicated cybersecurity person Part-time or shared responsibility No dedicated cybersecurity personnel

9. Have you done an official security self-assessment and reported your score to the DoD?

This is the SPRS score based on NIST 800-171 — it's required for all DoD contractors.

Yes, current assessment with high score (80+) Yes, current assessment with medium score (50–79) Outdated assessment (over 1 year old) No NIST 800-171 self-assessment completed

10. When do you need to achieve CMMC Level 2 certification?

Already required for active contracts Within 6 months Within 12 months Planning ahead, no immediate deadline

11. Do you have written rules about who can see sensitive government data — and do you enforce them?

These are called access control policies — documenting who gets access to what data and how you verify they should have it.

Yes, documented and actively enforced Basic policies documented, limited enforcement Informal access controls only No formal access control policies

12. Do you provide cybersecurity awareness training for personnel with CUI access?

Regular training with documented completion records Annual basic cybersecurity training Informal or ad hoc training No formal security awareness training

13. Do you keep records of who accessed what on your systems, and does someone review them?

These are called audit logs — digital footprints that track user activity for security monitoring.

Automated logging with regular automated analysis Logging enabled with manual review processes Basic logging, infrequent review No systematic audit logging

14. Do you have a standard, secure setup for your computers and servers — and a process to keep them that way?

This is configuration management — ensuring all systems follow secure baseline settings and stay configured properly over time.

Automated configuration management with monitoring Documented baselines with manual management Informal configuration standards No configuration management processes

Get Your Personalized CMMC Readiness Report

Enter your details to receive your detailed assessment results and personalized recommendations.

YOUR CMMC READINESS SCORE

Priority Recommendations

Ready to Close Your Compliance Gaps?

Schedule a free discovery call to discuss your specific situation and next steps.

Book a Free Discovery Call

Most contractors are assessment-ready within 90–120 days.

Is Your Company Ready for CMMC Level 2?

Get Your Personalized CMMC Readiness Report

Priority Recommendations

Ready to Close Your Compliance Gaps?

Ready to Get Compliant?