CMMC 2.0 Level 1-2 Gap Assessment Tool with Automated FAR and Above and SPRS Scores, SSP Template, and More

If your organization handles government information, at a minimum you should be ready to prove that you meet the requirements defined in FAR 52.204-21, which are also in CMMC Level 1. If you handle, or expect to handle, CUI, you should be ready to prove that your organization has:

• created a System Security Plan (“SSP”) with the requisite information;
• evaluated your SSP against the requirements defined in NIST SP 800-171A or CMMC 2.0 Level 2 (they are essentially the same)
• identified any requirements that are not met (i.e., any gaps) and created Plans of Action and Milestones (“POA&Ms”) that describe how your organization will remediate the gaps.

Regardless of whether you handle CUI or FCI, our updated self-assessment worksheet will help streamline your efforts for creating a comprehensive and compliant cybersecurity program. The self-assessment worksheet now includes:

• A full listing of all NIST SP 800-171 requirements, prioritized using the FAR and Above methodology developed by the CMMC Information Institute and our industry partners;
• Detailed requirements definitions, including evaluating each requirement against the objectives defined in NIST SP 800-171A;
• Automated FAR and Above scoring;
• Automated SPRS scoring;
• Updated listings and references to reflect CMMC 2.0 numbering scheme;
• Listing of all potential assessment considerations for every requirement;
• System Security Plan (“SSP”) template based on the SSP template published by NIST; and
• Comprehensive list of CUI types from the National Archives and Records Administration (“NARA”) website.

You can download a copy of our updated tool via the link below:

• OLD – v2022.08d – Comprehensive FAR and Above and NIST SP 800-171 Self-Assessment and DoD SPRS Scoring Tool

For additional details about self-assessments and the tool, please visit our self-assessment page and see the introduction worksheet in the tool. If the tool is helpful to you, please consider making a donation to the CMMC Information Institute.

While our tool will help organizations take the first steps toward a compliant cybersecurity program, we also recognize that many organizations will quickly outgrow the capabilities of a spreadsheet-based tool. When that happens, and even before, we encourage our visitors and members to consider a tool like FutureFeed, a CMMC Information Institute sponsor.