CMMC 2.0 Assessment Tool

Organization Information

Organization Name *

Point of Contact (POC) Name

POC Title

POC Email

POC Phone

CAGE Code

System Description

Organization Scope & Size

Physical locations handling CUI or FCI

Total employees and contractors

Authorized to access Government Information

Account Inventory

User Accounts

Local Administrator Accounts

Application Accounts

Service Accounts

Domain Administrator Accounts

Other Accounts

Security Posture Questions

Do you allow employees to access systems from personal devices (BYOD)?

Can employees work remotely? If so, with what equipment?

Do employees periodically receive security awareness training?

Is staff trained to recognize and properly handle CUI/FCI?

Comprehensive list of sensitive information types?

Comprehensive hardware inventory?

Comprehensive software inventory?

Comprehensive cloud resources inventory?

Do you have a network diagram?

Can you show how/where CUI flows within your organization?

Employee roles defined with information category access?

Do all users have local admin privileges?

Multifactor Authentication (MFA)

Does your organization require MFA for:

Remote Administration

All User Remote Access

All Administrator Logins

All User Logins

Admin Access to Cloud Resources

User Access to Cloud Resources

Infrastructure & Incident Response

Wi-Fi deployment?

Do you have an incident response plan?

Are IR roles and responsibilities identified?

Has the IR plan been tested in the past 12 months?

Prior self-assessment against NIST SP 800-171?