How Can We Help?

< All Topics

If your organization handles government information, at a minimum you should be ready to prove that you meet the requirements defined in FAR 52.204-21, which are also in CMMC Level 1. If you handle, or expect to handle, CUI, you should be ready to prove that your organization has:

  • created a System Security Plan (“SSP”) with the requisite information;
  • evaluated your SSP against the requirements defined in NIST SP 800-171A or CMMC 2.0 Level 2 (they are essentially the same)
  • identified any requirements that are not met (i.e., any gaps) and created Plans of Action and Milestones (“POA&Ms”) that describe how your organization will remediate the gaps.

Regardless of whether you handle CUI or FCI, our updated self-assessment worksheet will help streamline your efforts for creating a comprehensive and compliant cybersecurity program. The self-assessment worksheet now includes:

  • A full listing of all NIST SP 800-171 requirements, prioritized using the FAR and Above methodology developed by the CMMC Information Institute and our industry partners;
  • Detailed requirements definitions, including evaluating each requirement against the objectives defined in NIST SP 800-171A;
  • Automated FAR and Above scoring;
  • Automated SPRS scoring;
  • Updated listings and references to reflect CMMC 2.0 numbering scheme;
  • Listing of all potential assessment considerations for every requirement;
  • System Security Plan (“SSP”) template based on the SSP template published by NIST; and
  • Comprehensive list of CUI types from the National Archives and Records Administration (“NARA”) website.

You can download a copy of our updated tool via the link below:

For additional details about self-assessments and the tool, please visit our self-assessment page and see the introduction worksheet in the tool. If the tool is helpful to you, please consider making a donation to the CMMC Information Institute.

While our tool will help organizations take the first steps toward a compliant cybersecurity program, we also recognize that many organizations will quickly outgrow the capabilities of a spreadsheet-based tool. When that happens, and even before, we encourage our visitors and members to consider a tool like FutureFeed, a CMMC Information Institute sponsor.

Table of Contents