Technical Readiness Check

A 27-question self-survey on the technical controls and documents a CMMC Level 2 assessment expects.

Answer each question with your best understanding. The score and the list of gaps are produced in your browser from your answers alone; nothing is verified, sent, or stored. This is not a CMMC assessment.

What this tool does and does not do

Does: Ask you, the user, whether specific technical controls and policy documents that a CMMC Level 2 assessment expects are in place at your organization, and then summarize your self-reported answers as a score and a gap list.

Does not: Verify your answers, inspect your environment, examine your documents, evaluate whether controls are configured correctly, evaluate whether policies are adequate, or evaluate whether staff follow what is documented. The output is entirely a reflection of what you input. A passing score here does not mean a C3PAO would find your environment compliant. A C3PAO performs evidence-based testing against the assessment objectives in NIST SP 800-171A; this tool does not.

1. Cloud environment for CUI

Where CUI lives and the authorization posture of the cloud holding it.

Where does the organization host CUI today?

Does the cloud service hosting CUI hold a FedRAMP Moderate authorization or higher that covers the specific services in use? (FedRAMP authorizations are scoped to named services, so check the service list on the authorization, not just the provider name.)

Is administrative access to the CUI tenant restricted to US persons by service tier or contract?

Is CUI data residency restricted to United States data centers by the service contract?

2. Identity and access

Authentication, authorization, and privileged access mechanics for systems that touch CUI.

Is multi-factor authentication enforced for every user with access to CUI, privileged and non-privileged alike, with legacy authentication protocols that cannot present a second factor blocked rather than exempted?

Are Conditional Access policies configured to require a managed or compliant device for CUI applications?

Is Privileged Identity Management (or equivalent just-in-time elevation) configured for administrative roles in the CUI tenant?

Are local administrator accounts on CUI workstations controlled by policy, with unique, rotated passwords (e.g., LAPS or equivalent) and no standing local-admin membership for ordinary users?

Are user identifiers automatically disabled after a defined period of inactivity, per a written policy?
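The inactivity question above is one a script can answer from directory data. The example below is added here and is not part of the survey; it flags enabled accounts whose most recent sign-in is older than a policy threshold. The threshold (35 days) and the user records are constructed; the records follow the field shape of the Microsoft Graph signInActivity resource, and pulling real data from Graph is left to the caller. Accounts that have never signed in are measured from their creation date, otherwise a provisioned-but-unused account would never age out.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy value; SP 800-171 3.5.6 leaves the period to the organization.
INACTIVITY_DAYS = 35

# Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in production.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

# Constructed sample records in the shape of
# GET /users?$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T14:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-06-01T03:00:00Z"}},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "createdDateTime": "2023-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-03-01T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-03-02T09:00:00Z"}},
    {"userPrincipalName": "contractor@example.com", "accountEnabled": True,
     "createdDateTime": "2024-02-01T08:00:00Z",
     "signInActivity": None},  # provisioned, never used
    {"userPrincipalName": "old@example.com", "accountEnabled": False,
     "createdDateTime": "2022-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T09:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]


def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing Z; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent of the interactive and non-interactive sign-in times.

    Non-interactive sign-ins (token refreshes, service principals acting for
    the user) count as activity so a working automation account is not
    disabled by mistake. Falls back to creation time for never-used accounts.
    """
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get("lastSignInDateTime")),
              parse_ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s]
    if stamps:
        return max(stamps), "last sign-in"
    return parse_ts(user["createdDateTime"]), "never signed in; measured from creation"


def find_stale(users, now=NOW, threshold_days=INACTIVITY_DAYS):
    """Return enabled accounts idle longer than threshold_days, most idle first."""
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for user in users:
        if not user.get("accountEnabled"):
            continue  # already disabled; nothing to do
        when, basis = last_activity(user)
        if when < cutoff:
            stale.append({"upn": user["userPrincipalName"],
                          "idle_days": (now - when).days,
                          "basis": basis})
    return sorted(stale, key=lambda r: r["idle_days"], reverse=True)


if __name__ == "__main__":
    for row in find_stale(SAMPLE_USERS):
        print(f"{row['upn']}: idle {row['idle_days']} days ({row['basis']})")
```

Run as-is, the script reports the never-used contractor account and bob; alice is current and the already-disabled account is skipped. Whatever disables the flagged accounts should log the action, since the assessor will want the disable events, not just the script.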

3. Endpoint security

Protections configured on the devices that handle CUI.

Is full-disk encryption (e.g., BitLocker) enabled on every device that handles CUI, with recovery keys escrowed centrally (e.g., to Entra ID or Active Directory) rather than held only on the device?

Is an EDR product (e.g., Microsoft Defender for Endpoint) deployed and enrolled on every CUI-handling endpoint?

Are CUI endpoints enrolled in mobile device management (e.g., Microsoft Intune) with compliance policies applied?

Is USB and removable-media control configured on CUI endpoints (e.g., via Intune or Group Policy)?

4. Data protection

Encryption, labeling, and data loss prevention configuration for CUI content.

Are sensitivity labels (e.g., Microsoft Purview Information Protection) configured for CUI content?

Are data loss prevention (DLP) policies configured to restrict labeled CUI from leaving the tenant?

Is TLS 1.2 or higher enforced for all CUI in transit, with TLS 1.0 and 1.1 disabled rather than left enabled to accommodate legacy clients?

Is FIPS 140-validated cryptography used to protect CUI at rest on CUI endpoints? (Validation is per cryptographic module and its tested configuration, not per product; be able to point to the CMVP certificate for the module in use.)

5. Audit logging and monitoring

Audit log collection, retention, and alerting infrastructure for the CUI environment.

Are audit logs being collected from Entra ID, Exchange, SharePoint, and Defender for the CUI environment?

Are audit logs retained on a documented retention schedule that supports monitoring, analysis, investigation, and reporting?

Is a security information and event management (SIEM) platform (e.g., Microsoft Sentinel) ingesting CUI-relevant telemetry?

Are alert rules configured for high-risk events such as failed administrative logins and privileged role activations?
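As an added illustration of what the two alert rules named above amount to, the following is not part of the survey and not a Sentinel artifact; in Sentinel the same logic would be a KQL analytics rule over the SigninLogs and AuditLogs tables. The records are constructed in the field shape of Entra sign-in and audit log entries, the admin list and tuning values (3 failures in 10 minutes) are assumed, and the PIM activity name is taken from the Entra audit log as the author understands it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed; in practice derive this from the tenant's role assignments.
ADMIN_UPNS = {"admin-alice@example.com", "admin-bob@example.com"}
FAILURE_THRESHOLD = 3                  # assumed tuning values
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed records in the shape of Entra sign-in log entries (subset of fields).
# errorCode 0 is success; 50126 is an invalid-credentials failure.
SIGNINS = [
    {"createdDateTime": "2024-06-10T08:00:00Z", "userPrincipalName": "admin-alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-10T08:02:00Z", "userPrincipalName": "admin-alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-10T08:04:00Z", "userPrincipalName": "admin-alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-06-10T08:05:00Z", "userPrincipalName": "admin-alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},  # then succeeds
    {"createdDateTime": "2024-06-10T09:00:00Z", "userPrincipalName": "admin-bob@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},  # one typo, no alert
    {"createdDateTime": "2024-06-10T08:01:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},  # not an admin
]

# Constructed records in the shape of Entra audit log entries.
AUDITS = [
    {"activityDateTime": "2024-06-10T22:15:00Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "admin-bob@example.com"}},
     "targetResources": [{"displayName": "Global Administrator"}]},
    {"activityDateTime": "2024-06-10T10:00:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin-alice@example.com"}},
     "targetResources": [{"displayName": "carol@example.com"}]},
]


def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_admin_logins(signins, admins=ADMIN_UPNS,
                        threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Alert when an admin account accumulates `threshold` failures inside `window`.

    Sliding window per account; one alert per account per batch. Non-admin
    failures are ignored here and belong to a separate, broader brute-force rule.
    """
    failures = defaultdict(list)
    for entry in signins:
        upn = entry["userPrincipalName"]
        if upn in admins and entry["status"]["errorCode"] != 0:
            failures[upn].append(ts(entry["createdDateTime"]))
    alerts = []
    for upn, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed_admin_logins", "user": upn,
                               "count": end - start + 1,
                               "first": times[start].isoformat(),
                               "last": times[end].isoformat()})
                break
    return alerts


def role_activations(audits):
    """Every PIM activation is review-worthy; emit one alert per activation."""
    alerts = []
    for entry in audits:
        if entry.get("category") != "RoleManagement":
            continue
        if "PIM activation" not in entry.get("activityDisplayName", ""):
            continue
        roles = [t["displayName"] for t in entry.get("targetResources", [])
                 if "displayName" in t]
        alerts.append({"rule": "privileged_role_activation",
                       "user": entry["initiatedBy"]["user"]["userPrincipalName"],
                       "roles": roles, "time": entry["activityDateTime"]})
    return alerts


def run_rules(signins, audits):
    return failed_admin_logins(signins) + role_activations(audits)


if __name__ == "__main__":
    for alert in run_rules(SIGNINS, AUDITS):
        print(alert)
```

On the sample data the rules fire twice: three failures for admin-alice within four minutes (followed by a success, which is exactly the sequence worth a phone call), and one Global Administrator activation. The single failure for admin-bob and the non-admin failure produce nothing, which is the intended scope of this rule.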

6. Policy documents

Existence of the written documents a Level 2 assessment expects to see.

Does a current System Security Plan (SSP) exist for the CUI environment?

Does a current Plan of Action and Milestones (POA&M) exist documenting open gaps?

Does a documented Incident Response Plan exist?

Does documentation of a periodic risk assessment exist for the systems handling CUI?

Does a documented Configuration Management Plan or baseline configuration exist?

7. Incident response readiness

DFARS 252.204-7012 requires reporting a cyber incident to DoD via DIBNet within 72 hours of discovery. The 72-hour clock runs through nights, weekends, and holidays. Two further requirements of the same clause bear on readiness: reporting through DIBNet requires a DoD-approved medium assurance certificate, which must already be in hand when the clock starts, and images of affected systems and relevant monitoring or packet-capture data must be preserved for at least 90 days from submission of the report.

How is the organization positioned to detect a cyber incident and report it via DIBNet within the 72-hour DFARS 252.204-7012 window, including weekends and holidays?

Nothing is submitted to a server. Your answers and your score stay in your browser.

Use the score as a starting point, not a conclusion.

The 27 items here are a representative slice of what a Level 2 assessment expects, not a complete list, and the score reflects only what you reported. We can walk through your specific environment, contracts, and document set in a one-hour discovery call.