25 yes/no questions across the 14 NIST 800-171 control families. Get your overall readiness % plus the families that need the most work.
Math runs in your browser. We do not store anything unless you ask us to.
All user accounts are created from a documented request process with explicit approval.
Multi-factor authentication is enforced for all users accessing systems containing CUI.
Remote access uses encrypted channels and is centrally logged.
All staff complete annual security awareness training that covers insider threats and CUI handling.
System audit logs are collected, centralized, and retained for at least 90 days.
Audit logs are reviewed at least weekly for suspicious activity.
Documented baseline configurations exist for every system type (server, workstation, network).
Changes to production systems go through a documented change management process.
Software installation is restricted; users cannot install arbitrary applications.
Every user has a unique account; no shared/generic credentials in production.
Password policy enforces a minimum length and complexity and prevents reuse of previous passwords.
A written incident response plan exists and was tested in the last 12 months.
Cyber incidents are reported to DoD within 72 hours of discovery, as required by DFARS 252.204-7012.
External maintenance providers are vetted and supervised when working on CUI systems.
Use of removable media (USB drives, external disks) is restricted or controlled.
CUI media is sanitized or destroyed before disposal/repurposing.
Background screening is performed before granting access to CUI.
Physical access to facilities housing CUI is controlled (badges, locks, visitor logs).
Vulnerability scans are performed at least monthly on all in-scope systems.
A current SSP (System Security Plan) describes every implemented control with evidence.
A POAM (Plan of Action & Milestones) tracks open gaps with owners and dates.
CUI in transit is encrypted with FIPS 140-validated cryptography.
CUI at rest is encrypted (full-disk or file-level) wherever it lives.
Firewall/boundary protection denies inbound traffic by default; only required services exposed.
Endpoint protection (anti-malware) is installed on all systems and updated automatically.
Readyline self-assessment heuristic. Not a substitute for a CMMC assessment performed by a C3PAO.
Readyline tracks your CMMC controls, generates your SSP + POAM from your actual data, and ages out gaps with reminders. Built for DoD subs with no full-time GRC headcount.