If your organization handles government information, at a minimum you should be ready to prove that you meet the requirements defined in FAR 52.204-21, which are also in CMMC Level 1. If you handle, or expect to handle, CUI, you should be ready to prove that your organization has:
- created a System Security Plan (“SSP”) with the requisite information;
- evaluated your SSP against the requirements defined in NIST SP 800-171A or CMMC 2.0 Level 2 (they are essentially the same); and
- identified any requirements that are not met (i.e., any gaps) and created Plans of Action and Milestones (“POA&Ms”) that describe how your organization will remediate the gaps.
Regardless of whether you handle CUI or FCI, our updated self-assessment worksheet will help streamline your efforts to create a comprehensive and compliant cybersecurity program. The self-assessment worksheet now includes:
- A full listing of all NIST SP 800-171 requirements, prioritized using the FAR and Above methodology developed by the CMMC Information Institute and our industry partners;
- Detailed requirements definitions, including evaluating each requirement against the objectives defined in NIST SP 800-171A;
- Automated FAR and Above scoring;
- Automated SPRS scoring;
- Updated listings and references to reflect the CMMC 2.0 numbering scheme;
- Listing of all potential assessment considerations for every requirement;
- System Security Plan (“SSP”) template based on the SSP template published by NIST; and
- Comprehensive list of CUI types from the National Archives and Records Administration (“NARA”) website.
You can download a copy of our updated tool via the link below:
- OLD – v2022.08d – Comprehensive FAR and Above and NIST SP 800-171 Self-Assessment and DoD SPRS Scoring Tool
For additional details about self-assessments and the tool, please visit our self-assessment page and see the introduction worksheet in the tool. If the tool is helpful to you, please consider making a donation to the CMMC Information Institute.
While our tool will help organizations take the first steps toward a compliant cybersecurity program, we also recognize that many organizations will quickly outgrow the capabilities of a spreadsheet-based tool. When that happens, and even before, we encourage our visitors and members to consider a tool like FutureFeed, a CMMC Information Institute sponsor.