FrameworkMapper

CMMC Level 2 Assessment

Comprehensive assessment covering 110 practices required to protect Controlled Unclassified Information (CUI) in DoD contracts.

What is CMMC Level 2?

CMMC Level 2 is the advanced tier required for organizations handling Controlled Unclassified Information (CUI). It encompasses all 110 security requirements from NIST SP 800-171 and requires third-party certification for most contracts.

110 Practices

Comprehensive security controls covering all aspects of protecting sensitive government information in contractor systems.

Third-Party Certification

Most CUI contracts require assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years.

NIST 800-171 Aligned

Directly maps to NIST Special Publication 800-171, the federal standard for protecting CUI in non-federal systems.

14 Security Domains

CMMC Level 2 practices are organized into 14 security domains based on the NIST 800-171 security requirement families.

  • AC Access Control: 22 practices
  • AT Awareness & Training: 3 practices
  • AU Audit & Accountability: 9 practices
  • CM Configuration Mgmt: 9 practices
  • IA Identification & Auth: 11 practices
  • IR Incident Response: 3 practices
  • MA Maintenance: 6 practices
  • MP Media Protection: 9 practices
  • PE Physical Protection: 6 practices
  • PS Personnel Security: 2 practices
  • RA Risk Assessment: 3 practices
  • CA Security Assessment: 4 practices
  • SC System & Comms Protection: 16 practices
  • SI System & Info Integrity: 7 practices

Who Needs CMMC Level 2?

CUI Handlers

Organizations that receive, process, store, or transmit Controlled Unclassified Information.

Defense Industrial Base

Prime contractors and subcontractors in the defense supply chain handling sensitive technical data.

DFARS 252.204-7012 Compliance

Organizations already subject to DFARS cybersecurity requirements transitioning to CMMC.

C3PAO Assessment Prep

Organizations preparing for formal third-party CMMC assessment and certification.

SPRS Score Calculation

Our assessment automatically calculates your Supplier Performance Risk System (SPRS) score based on the DoD Assessment Methodology. Scores range from -203 to 110.

  • -203 (Minimum Score): All practices not implemented
  • 0 (Baseline): Typical starting point with major gaps
  • 110 (Perfect Score): All 110 practices fully implemented

How SPRS Scoring Works

  • Each practice has a weighted point value based on its security impact (1, 3, or 5 points)
  • Start at 110 points and deduct points for each practice not fully implemented
  • Score must be entered into SPRS and is visible to DoD contracting officers
  • POA&M (Plan of Action & Milestones) can document remediation plans for gaps

How the Assessment Works

Our assessment tool guides you through all 110 practices with clear explanations, automatically calculating your SPRS score as you progress.

1. Select a Domain

Navigate through the 14 security domains, reviewing practices in each area.

2. Evaluate Each Practice

For each practice, assess your current implementation: Met, Partially Met, Mostly Met, or Not Met.

3. Document Evidence & POA&M

Add implementation notes and create remediation plans for any gaps identified.

4. Review SPRS Score & Reports

Track your calculated SPRS score and generate comprehensive reports for C3PAO preparation.

Time Estimate

A complete Level 2 assessment typically takes 4-8 hours depending on organizational complexity and existing documentation.

What to Have Ready

  • System Security Plan (SSP)
  • Network diagrams & system inventory
  • Security policies & procedures
  • Access to IT/security personnel

What You'll Receive

Generate comprehensive reports to document your CMMC Level 2 compliance status, support your SPRS submission, and prepare for C3PAO assessment.

Assessment Report

Complete assessment results with SPRS score, domain summaries, and detailed practice-by-practice compliance status.

  • SPRS score calculation
  • All 110 practices detailed
  • 14 domain summaries

POA&M Documentation

Plan of Action & Milestones report documenting gaps and remediation timelines required for SPRS submission.

  • Gap identification
  • Remediation tracking
  • Milestone dates

Encrypted Backup

A password-protected JSON file containing all your assessment data. Use it to restore your assessment or transfer between devices.

  • AES-256 encryption
  • Complete data export
  • Easy restore process
Generated from your data

Level 1 vs Level 2: Which Do You Need?

The right CMMC level depends on the type of information you handle in your DoD contracts.

Level 1

Federal Contract Information (FCI)

  • 17 practices across 6 domains
  • Annual self-assessment
  • No third-party certification required
  • Basic cyber hygiene

Level 2

Controlled Unclassified Information (CUI)

  • 110 practices across 14 domains
  • Triennial third-party assessment (C3PAO)
  • Aligned with NIST SP 800-171
  • Advanced cyber hygiene

Ready to Assess Your CMMC Level 2 Readiness?

Try our CMMC Level 2 assessment tool with a free trial. Calculate your SPRS score, identify gaps, and prepare for C3PAO certification.