compliance governance

Achieving CMMC Level 2 Compliance

Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14 families, compute the SPRS score with the DoD Assessment Methodology, manage a compliant POA&M, and ready the organization for a C3PAO assessment. Use when an organization handles Controlled Unclassified Information (CUI) under a DoD contract, when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for or responding to a CMMC assessment, when computing or improving an SPRS score, when building a System Security Plan or POA&M for 800-171, or when scoping which systems are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2, CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.

c3paocmmccompliancecuidefense-industrial-basedfarsgovernancenist-800-171
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When an organization in the Defense Industrial Base (DIB) stores, processes, or transmits Controlled Unclassified Information (CUI) under a DoD contract.
  • When a contract includes DFARS 252.204-7012 (safeguarding/incident reporting), -7019/-7020 (NIST 800-171 self-assessment + SPRS), or the new -7021 (CMMC requirement).
  • When preparing for a C3PAO third-party assessment or a DoD-led assessment.
  • When you must compute, post, or improve an SPRS score based on the NIST SP 800-171 DoD Assessment Methodology.
  • When authoring or remediating a System Security Plan (SSP) and POA&M for the 110 requirements.
  • When scoping which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).

Prerequisites

  • Knowledge of which contracts carry CUI and the CUI categories involved (check the contract and the DoD CUI Registry).
  • An asset inventory and network diagram so you can define the CMMC assessment scope before assessing controls.
  • The NIST SP 800-171 Rev 2 requirements and the DoD Assessment Methodology scoring weights.
  • A documented SSP (its absence is itself a failed requirement — 3.12.4).
  • Identification of any External Service Providers (ESPs) / cloud services touching CUI, and whether they meet FedRAMP Moderate (or equivalency).

Workflow

1. Determine applicability and CUI categories

Confirm the contract requires CMMC Level 2 (CUI present, not just FCI). FCI-only contracts are Level 1 (the 15 FAR 52.204-21 requirements). Identify CUI categories from the contract and the DoD CUI Registry.

2. Scope the environment

Classify every asset into one of the CMMC scoping categories:

  • CUI Assets — process/store/transmit CUI (in scope, assessed against all applicable controls).
  • Security Protection Assets — provide security to the CUI environment (in scope).
  • Contractor Risk Managed Assets — could but are not intended to handle CUI; managed by policy.
  • Specialized Assets (IoT/OT, GFE, test equipment) — documented, limited assessment.
  • Out-of-Scope — physically/logically isolated from CUI.

Minimize scope deliberately — a smaller, well-segmented CUI enclave is far cheaper to certify than a flat network.

3. Implement the 110 requirements (NIST SP 800-171 Rev 2)

Work the 14 families (3.1–3.14). For each requirement, implement, then write the how in the SSP. High-leverage early wins: MFA (3.5.3), FIPS-validated cryptography (3.13.11), audit logging (3.3.x), access control + least privilege (3.1.x), and incident response (3.6.x).

4. Score with the DoD Assessment Methodology (SPRS)

Start at 110 and subtract the weighted value (1, 3, or 5 points) of each unmet requirement; partial credit applies to a small number of controls (e.g., MFA, FIPS crypto). The result is the SPRS score (maximum 110; the methodology floor is −203). Post the score, the SSP date, and the assessment scope to SPRS (or eMASS for higher assessments).

5. Build a compliant POA&M

Document every unmet requirement with owner, remediation, and milestone. Constraints under the CMMC rule: a Conditional status requires a score of at least 80% (≥ 88 of 110), only POA&M-eligible requirements may be deferred (the highest-weighted security requirements must be fully met — verify eligibility against 32 CFR Part 170), and all POA&M items must be closed within 180 days to convert Conditional → Final.

6. Assess (self or C3PAO)

  • Level 1 and a subset of Level 2 = annual self-assessment with an affirmation in SPRS.
  • Level 2 (most CUI contracts) = triennial C3PAO certification assessment.
  • Level 3 = DoD (DIBCAC) assessment on top of Level 2, adding SP 800-172 enhanced requirements. Assessors evaluate each objective as MET / NOT MET / N/A with evidence (examine/interview/test). A senior official files the annual affirmation of continued compliance.

7. Maintain certification

Certification is valid three years with annual affirmations. Maintain the SSP, re-score on change, keep evidence current, and feed significant changes back into the assessment.

Key Concepts

Concept Definition
FCI Federal Contract Information — Level 1 protects it (FAR 52.204-21).
CUI Controlled Unclassified Information — Level 2 protects it (NIST 800-171).
110 requirements The SP 800-171 Rev 2 security requirements across 14 families.
SPRS Supplier Performance Risk System — where the 800-171 score is posted.
DoD Assessment Methodology The 1/3/5-point weighting used to compute the score from 110.
C3PAO CMMC Third-Party Assessment Organization — performs Level 2 certification.
POA&M Plan of Action & Milestones — limited, must close in 180 days for Final status.
Conditional vs Final Conditional = open POA&M (score ≥ 80%); Final = all controls met.
ESP External Service Provider — must meet FedRAMP Moderate / equivalency for CUI.
Scoping categories CUI / Security Protection / Contractor Risk Managed / Specialized / Out-of-Scope.

Tools & Systems

  • NIST SP 800-171 Rev 2 — the 110 requirements (and 800-171A for assessment objectives).
  • DoD NIST SP 800-171 Assessment Methodology — the scoring weights.
  • 32 CFR Part 170 (CMMC Program rule) and 48 CFR / DFARS 252.204-7021 (acquisition rule).
  • SPRS — score posting; SAM.gov for registration.
  • SP 800-172 / 800-172A — enhanced requirements for Level 3.
  • GRC / compliance tooling — to manage the SSP, POA&M, and evidence (e.g., Xacta, RegScale, FutureFeed-style trackers).

Common Scenarios

  • Prime flows CUI to a sub. The sub needs its own Level 2 scope, SSP, SPRS score, and (most likely) C3PAO certification.
  • Score is below 88. Prioritize the highest-weighted unmet requirements (5-point, then 3-point) to clear the conditional threshold and shrink the POA&M.
  • Cloud holds CUI. Confirm the service is FedRAMP Moderate authorized or meets equivalency; document the responsibility split.
  • Flat network. Re-scope into a segmented CUI enclave to cut the assessment surface before spending on controls.
  • Annual affirmation due. A senior official affirms continued compliance in SPRS; let it lapse and you risk contract eligibility.

Output Format

Produce a CMMC Level 2 Readiness Report using assets/template.md, containing:

  1. Applicability & CUI categories — why Level 2 applies.
  2. Scope — assets by scoping category and the CUI boundary diagram reference.
  3. Control status by family — met / not met / N/A across the 14 families.
  4. SPRS score — computed score, deductions, and the gap to 110 and to the 88 threshold.
  5. POA&M — unmet requirements, eligibility check, owners, 180-day milestones.
  6. Assessment path — self vs C3PAO, target date, affirmation owner.
  7. Remediation roadmap — sequenced by point value and effort.

Use scripts/process.py to compute the SPRS score from a control-status JSON, flag POA&M-eligibility concerns, and report the gap to the conditional-certification threshold.

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

standards.md4.8 KB

CMMC Level 2 — Standards & Reference

Governing rules

Rule Citation Status / effective date
CMMC Program rule 32 CFR Part 170 Effective December 16, 2024
CMMC acquisition rule (DFARS) 48 CFR; DFARS clause 252.204-7021 (and 204.7503) Published Sept 10, 2025; effective November 10, 2025
Safeguarding CUI / incident reporting DFARS 252.204-7012 In effect
NIST 800-171 self-assessment + SPRS posting DFARS 252.204-7019 / -7020 In effect

Always confirm current status at the source — acquisition rules and phase dates have moved before. Authoritative: https://dodcio.defense.gov/CMMC/ and the eCFR for 32 CFR Part 170.

Phased rollout (per the acquisition rule)

Phase Begins What applies
Phase 1 Nov 10, 2025 Level 1 and some Level 2 self-assessment required in solicitations
Phase 2 Nov 10, 2026 Level 2 C3PAO certification required for applicable contracts
Phase 3 Nov 10, 2027 Level 2 C3PAO + Level 3 DIBCAC assessment phased in
Phase 4 Nov 10, 2028 Full implementation across applicable DoD contracts

The three CMMC levels

Level Protects Requirements Assessment
Level 1 FCI 15 requirements (FAR 52.204-21) Annual self-assessment + affirmation
Level 2 CUI 110 requirements (NIST SP 800-171 Rev 2) Self or triennial C3PAO certification
Level 3 CUI (high priority) 110 + selected SP 800-172 enhanced DoD (DIBCAC) assessment

Certification validity: 3 years, with annual affirmation by a senior official in SPRS.

NIST SP 800-171 Rev 2 — the 14 families (110 requirements)

§ Family # reqs
3.1 Access Control 22
3.2 Awareness and Training 3
3.3 Audit and Accountability 9
3.4 Configuration Management 9
3.5 Identification and Authentication 11
3.6 Incident Response 3
3.7 Maintenance 6
3.8 Media Protection 9
3.9 Personnel Security 2
3.10 Physical Protection 6
3.11 Risk Assessment 3
3.12 Security Assessment 4
3.13 System and Communications Protection 16
3.14 System and Information Integrity 7
Total 110

(Assessment objectives for each requirement are in NIST SP 800-171A.)

DoD Assessment Methodology — SPRS scoring

  • Start at 110. Subtract the weighted value of each NOT MET requirement.
  • Weights: 1, 3, or 5 points. The most security-significant requirements are weighted 3 or 5.
  • Partial credit applies to a small number of requirements (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11) where partial implementation reduces the deduction.
  • Maximum score 110; the methodology floor is −203 (more is deducted than the 110 starting points because of the weighting).
  • The complete per-requirement point assignment is published in the DoD NIST SP 800-171 Assessment Methodology — use that document for the authoritative weight of each control rather than estimating.

POA&M rules under the CMMC rule (32 CFR Part 170)

  • A Conditional Level 2 status is allowed only if the assessment score is at least 80% (≥ 88 of 110).
  • Only POA&M-eligible requirements may be deferred. The highest-weighted security requirements generally must be fully met and cannot sit on a POA&M — verify each item's eligibility against the rule.
  • All POA&M items must be closed within 180 days; a closeout assessment then converts Conditional → Final.

Scoping categories (CMMC Level 2 Scoping Guide)

Category Treatment
CUI Assets Process/store/transmit CUI — assessed against applicable requirements.
Security Protection Assets Provide security to the CUI environment — in scope.
Contractor Risk Managed Assets Capable of handling CUI but not intended to — managed by policy/config.
Specialized Assets IoT/OT, GFE, test equipment — documented, limited assessment.
Out-of-Scope Assets Isolated from CUI — not assessed.

External Service Providers / cloud

  • Cloud services that store/process/transmit CUI must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency.
  • Document the customer/provider responsibility split (CRM) and inherited controls in the SSP.

NIST CSF 2.0 alignment

CSF 2.0 ID Relevance
GV.OC-03 Legal/regulatory (DFARS/CMMC) requirements understood.
GV.SC-01 Supply-chain risk management — flowdown to subs / ESPs.
ID.AM-08 Assets managed across the lifecycle (scoping).
ID.RA-05 Risk informs prioritization of unmet requirements.
PR.AA-01 Identity and access (3.1 / 3.5 families).
PR.DS-01 Data-at-rest protection (FIPS crypto, media protection).

Scripts 1

process.py7.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
CMMC Level 2 / NIST SP 800-171 Rev 2 SPRS score calculator.

Implements the DoD Assessment Methodology arithmetic: start at 110 and subtract
the weighted value (1, 3, or 5) of each NOT MET requirement, with partial credit
for the small set of requirements that allow it. Reports the SPRS score, the gap
to a perfect 110 and to the 88-point (80%) conditional-certification threshold,
and flags higher-weighted unmet requirements whose POA&M eligibility must be
verified against 32 CFR Part 170.

NOTE: per-requirement point weights are defined by the DoD NIST SP 800-171
Assessment Methodology. Supply each requirement's official weight in the input
(this tool does not invent weights). Use status 'partial' with 'partial_deduction'
only for requirements the methodology allows partial credit on (e.g., 3.5.3 MFA,
3.13.11 FIPS crypto).

Input JSON shape:
{
  "org": {"name": "Acme Defense LLC", "scope": "CUI enclave"},
  "requirements": [
    {"id": "3.1.1",  "family": "3.1", "status": "met",      "weight": 5},
    {"id": "3.5.3",  "family": "3.5", "status": "partial",  "weight": 5, "partial_deduction": 3},
    {"id": "3.3.1",  "family": "3.3", "status": "not_met",  "weight": 5},
    {"id": "3.8.9",  "family": "3.8", "status": "not_met",  "weight": 1},
    {"id": "3.2.1",  "family": "3.2", "status": "na",       "weight": 1}
  ]
}

status: met | not_met | partial | na

Usage:
  python process.py --input controls.json [--output readiness.md]
  python process.py --input controls.json --require-conditional   # exit 1 if score < 88
"""

import argparse
import json
import sys

START_SCORE = 110
CONDITIONAL_THRESHOLD = 88   # 80% of 110
VALID_STATUS = {"met", "not_met", "partial", "na"}
VALID_WEIGHTS = {1, 3, 5}


def compute(data):
    reqs = data.get("requirements", [])
    if not reqs:
        raise ValueError("requirements list is required")

    deductions = 0
    counts = {"met": 0, "not_met": 0, "partial": 0, "na": 0}
    poam_flags = []   # higher-weight unmet -> verify POA&M eligibility
    by_family = {}    # family -> {met,not_met,partial,na}
    detail = []

    for r in reqs:
        rid = r.get("id", "?")
        status = r.get("status")
        weight = r.get("weight")
        if status not in VALID_STATUS:
            raise ValueError(f"{rid}: status '{status}' invalid (met|not_met|partial|na)")
        if status in ("not_met", "partial", "met") and weight not in VALID_WEIGHTS:
            raise ValueError(f"{rid}: weight '{weight}' invalid (must be 1, 3, or 5)")

        fam = r.get("family", rid.rsplit(".", 1)[0])
        fam_rec = by_family.setdefault(fam, {"met": 0, "not_met": 0, "partial": 0, "na": 0})
        fam_rec[status] += 1
        counts[status] += 1

        ded = 0
        if status == "not_met":
            ded = weight
            if weight > 1:
                poam_flags.append((rid, weight))
        elif status == "partial":
            ded = r.get("partial_deduction")
            if ded is None:
                raise ValueError(f"{rid}: status 'partial' requires 'partial_deduction'")
            if ded < 0 or ded > weight:
                raise ValueError(f"{rid}: partial_deduction {ded} out of range (0..{weight})")
            if ded > 1:
                poam_flags.append((rid, ded))
        deductions += ded
        detail.append((rid, fam, status, weight, ded))

    score = START_SCORE - deductions
    return {
        "score": score,
        "deductions": deductions,
        "counts": counts,
        "by_family": by_family,
        "poam_flags": poam_flags,
        "detail": detail,
    }


def render(data, res):
    org = data.get("org", {})
    lines = []
    lines.append(f"# CMMC Level 2 Readiness - {org.get('name','Organization')}")
    lines.append("")
    if org.get("scope"):
        lines.append(f"- **Scope:** {org['scope']}")
    lines.append("")

    score = res["score"]
    lines.append("## SPRS Score (DoD Assessment Methodology)")
    lines.append("")
    lines.append(f"- **Score:** **{score}** / 110  (started at 110, deducted {res['deductions']})")
    lines.append(f"- **Gap to perfect (110):** {110 - score}")
    if score >= CONDITIONAL_THRESHOLD:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** MET "
                     f"(margin {score - CONDITIONAL_THRESHOLD}) - eligible for Conditional status "
                     "if remaining items are POA&M-eligible.")
    else:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** NOT MET "
                     f"(short by {CONDITIONAL_THRESHOLD - score}) - not eligible for Conditional "
                     "certification until the score reaches 88.")
    c = res["counts"]
    lines.append(f"- **Status tally:** met {c['met']}, partial {c['partial']}, "
                 f"not met {c['not_met']}, N/A {c['na']}")
    lines.append("")

    # by family
    lines.append("## Status by family")
    lines.append("")
    lines.append("| Family | Met | Partial | Not Met | N/A |")
    lines.append("|---|---|---|---|---|")
    for fam in sorted(res["by_family"]):
        f = res["by_family"][fam]
        lines.append(f"| {fam} | {f['met']} | {f['partial']} | {f['not_met']} | {f['na']} |")
    lines.append("")

    # POA&M eligibility flags
    lines.append("## POA&M eligibility check")
    lines.append("")
    if not res["poam_flags"]:
        lines.append("No unmet requirement carries more than 1 point of deduction. "
                     "Remaining gaps are most likely POA&M-eligible (still verify against 32 CFR Part 170).")
    else:
        lines.append("The following unmet/partial requirements carry **> 1 point**. The highest-weighted "
                     "security requirements generally **cannot** sit on a POA&M - verify each against "
                     "32 CFR Part 170 before relying on Conditional status:")
        lines.append("")
        lines.append("| Requirement | Points lost |")
        lines.append("|---|---|")
        for rid, w in sorted(res["poam_flags"], key=lambda x: -x[1]):
            lines.append(f"| {rid} | {w} |")
    lines.append("")
    lines.append("> All POA&M items must be closed within **180 days** to convert Conditional -> Final.")

    return "\n".join(lines)


def main():
    ap = argparse.ArgumentParser(description="CMMC L2 / NIST 800-171 SPRS score calculator")
    ap.add_argument("--input", "-i", required=True, help="Path to control-status JSON")
    ap.add_argument("--output", "-o", help="Write Markdown readiness report to this path")
    ap.add_argument("--require-conditional", action="store_true",
                    help="Exit non-zero if SPRS score < 88 (conditional threshold)")
    args = ap.parse_args()

    try:
        with open(args.input) as f:
            data = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
        return 2

    try:
        res = compute(data)
        md = render(data, res)
    except ValueError as e:
        print(f"ERROR: {e}", file=sys.stderr)
        return 2

    if args.output:
        with open(args.output, "w") as f:
            f.write(md + "\n")
        print(f"Readiness report written to {args.output}", file=sys.stderr)
    else:
        print(md)

    print(f"SPRS score {res['score']}/110 (deductions {res['deductions']}; "
          f"not met {res['counts']['not_met']}, partial {res['counts']['partial']}).",
          file=sys.stderr)

    if args.require_conditional and res["score"] < CONDITIONAL_THRESHOLD:
        print(f"FAIL: score {res['score']} < {CONDITIONAL_THRESHOLD} conditional threshold.",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())

Assets 1

template.mdtext/markdown · 3.7 KB
Keep exploring