npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When an organization in the Defense Industrial Base (DIB) stores, processes, or transmits Controlled Unclassified Information (CUI) under a DoD contract.
- When a contract includes DFARS 252.204-7012 (safeguarding/incident reporting), -7019/-7020 (NIST 800-171 self-assessment + SPRS), or the new -7021 (CMMC requirement).
- When preparing for a C3PAO third-party assessment or a DoD-led assessment.
- When you must compute, post, or improve an SPRS score based on the NIST SP 800-171 DoD Assessment Methodology.
- When authoring or remediating a System Security Plan (SSP) and POA&M for the 110 requirements.
- When scoping which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).
Prerequisites
- Knowledge of which contracts carry CUI and the CUI categories involved (check the contract and the DoD CUI Registry).
- An asset inventory and network diagram so you can define the CMMC assessment scope before assessing controls.
- The NIST SP 800-171 Rev 2 requirements and the DoD Assessment Methodology scoring weights.
- A documented SSP (its absence is itself a failed requirement — 3.12.4).
- Identification of any External Service Providers (ESPs) / cloud services touching CUI, and whether they meet FedRAMP Moderate (or equivalency).
Workflow
1. Determine applicability and CUI categories
Confirm the contract requires CMMC Level 2 (CUI present, not just FCI). FCI-only contracts are Level 1 (the 15 FAR 52.204-21 requirements). Identify CUI categories from the contract and the DoD CUI Registry.
2. Scope the environment
Classify every asset into one of the CMMC scoping categories:
- CUI Assets — process/store/transmit CUI (in scope, assessed against all applicable controls).
- Security Protection Assets — provide security to the CUI environment (in scope).
- Contractor Risk Managed Assets — could but are not intended to handle CUI; managed by policy.
- Specialized Assets (IoT/OT, GFE, test equipment) — documented, limited assessment.
- Out-of-Scope — physically/logically isolated from CUI.
Minimize scope deliberately — a smaller, well-segmented CUI enclave is far cheaper to certify than a flat network.
3. Implement the 110 requirements (NIST SP 800-171 Rev 2)
Work the 14 families (3.1–3.14). For each requirement, implement, then write the how in the SSP. High-leverage early wins: MFA (3.5.3), FIPS-validated cryptography (3.13.11), audit logging (3.3.x), access control + least privilege (3.1.x), and incident response (3.6.x).
4. Score with the DoD Assessment Methodology (SPRS)
Start at 110 and subtract the weighted value (1, 3, or 5 points) of each unmet requirement; partial credit applies to a small number of controls (e.g., MFA, FIPS crypto). The result is the SPRS score (maximum 110; the methodology floor is −203). Post the score, the SSP date, and the assessment scope to SPRS (or eMASS for higher assessments).
5. Build a compliant POA&M
Document every unmet requirement with owner, remediation, and milestone. Constraints under the CMMC rule: a Conditional status requires a score of at least 80% (≥ 88 of 110), only POA&M-eligible requirements may be deferred (the highest-weighted security requirements must be fully met — verify eligibility against 32 CFR Part 170), and all POA&M items must be closed within 180 days to convert Conditional → Final.
6. Assess (self or C3PAO)
- Level 1 and a subset of Level 2 = annual self-assessment with an affirmation in SPRS.
- Level 2 (most CUI contracts) = triennial C3PAO certification assessment.
- Level 3 = DoD (DIBCAC) assessment on top of Level 2, adding SP 800-172 enhanced requirements. Assessors evaluate each objective as MET / NOT MET / N/A with evidence (examine/interview/test). A senior official files the annual affirmation of continued compliance.
7. Maintain certification
Certification is valid three years with annual affirmations. Maintain the SSP, re-score on change, keep evidence current, and feed significant changes back into the assessment.
Key Concepts
| Concept | Definition |
|---|---|
| FCI | Federal Contract Information — Level 1 protects it (FAR 52.204-21). |
| CUI | Controlled Unclassified Information — Level 2 protects it (NIST 800-171). |
| 110 requirements | The SP 800-171 Rev 2 security requirements across 14 families. |
| SPRS | Supplier Performance Risk System — where the 800-171 score is posted. |
| DoD Assessment Methodology | The 1/3/5-point weighting used to compute the score from 110. |
| C3PAO | CMMC Third-Party Assessment Organization — performs Level 2 certification. |
| POA&M | Plan of Action & Milestones — limited, must close in 180 days for Final status. |
| Conditional vs Final | Conditional = open POA&M (score ≥ 80%); Final = all controls met. |
| ESP | External Service Provider — must meet FedRAMP Moderate / equivalency for CUI. |
| Scoping categories | CUI / Security Protection / Contractor Risk Managed / Specialized / Out-of-Scope. |
Tools & Systems
- NIST SP 800-171 Rev 2 — the 110 requirements (and 800-171A for assessment objectives).
- DoD NIST SP 800-171 Assessment Methodology — the scoring weights.
- 32 CFR Part 170 (CMMC Program rule) and 48 CFR / DFARS 252.204-7021 (acquisition rule).
- SPRS — score posting; SAM.gov for registration.
- SP 800-172 / 800-172A — enhanced requirements for Level 3.
- GRC / compliance tooling — to manage the SSP, POA&M, and evidence (e.g., Xacta, RegScale, FutureFeed-style trackers).
Common Scenarios
- Prime flows CUI to a sub. The sub needs its own Level 2 scope, SSP, SPRS score, and (most likely) C3PAO certification.
- Score is below 88. Prioritize the highest-weighted unmet requirements (5-point, then 3-point) to clear the conditional threshold and shrink the POA&M.
- Cloud holds CUI. Confirm the service is FedRAMP Moderate authorized or meets equivalency; document the responsibility split.
- Flat network. Re-scope into a segmented CUI enclave to cut the assessment surface before spending on controls.
- Annual affirmation due. A senior official affirms continued compliance in SPRS; let it lapse and you risk contract eligibility.
Output Format
Produce a CMMC Level 2 Readiness Report using assets/template.md, containing:
- Applicability & CUI categories — why Level 2 applies.
- Scope — assets by scoping category and the CUI boundary diagram reference.
- Control status by family — met / not met / N/A across the 14 families.
- SPRS score — computed score, deductions, and the gap to 110 and to the 88 threshold.
- POA&M — unmet requirements, eligibility check, owners, 180-day milestones.
- Assessment path — self vs C3PAO, target date, affirmation owner.
- Remediation roadmap — sequenced by point value and effort.
Use scripts/process.py to compute the SPRS score from a control-status JSON, flag POA&M-eligibility concerns, and report the gap to the conditional-certification threshold.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
standards.md4.8 KB
CMMC Level 2 — Standards & Reference
Governing rules
| Rule | Citation | Status / effective date |
|---|---|---|
| CMMC Program rule | 32 CFR Part 170 | Effective December 16, 2024 |
| CMMC acquisition rule (DFARS) | 48 CFR; DFARS clause 252.204-7021 (and 204.7503) | Published Sept 10, 2025; effective November 10, 2025 |
| Safeguarding CUI / incident reporting | DFARS 252.204-7012 | In effect |
| NIST 800-171 self-assessment + SPRS posting | DFARS 252.204-7019 / -7020 | In effect |
Always confirm current status at the source — acquisition rules and phase dates have moved before. Authoritative: https://dodcio.defense.gov/CMMC/ and the eCFR for 32 CFR Part 170.
Phased rollout (per the acquisition rule)
| Phase | Begins | What applies |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 and some Level 2 self-assessment required in solicitations |
| Phase 2 | Nov 10, 2026 | Level 2 C3PAO certification required for applicable contracts |
| Phase 3 | Nov 10, 2027 | Level 2 C3PAO + Level 3 DIBCAC assessment phased in |
| Phase 4 | Nov 10, 2028 | Full implementation across applicable DoD contracts |
The three CMMC levels
| Level | Protects | Requirements | Assessment |
|---|---|---|---|
| Level 1 | FCI | 15 requirements (FAR 52.204-21) | Annual self-assessment + affirmation |
| Level 2 | CUI | 110 requirements (NIST SP 800-171 Rev 2) | Self or triennial C3PAO certification |
| Level 3 | CUI (high priority) | 110 + selected SP 800-172 enhanced | DoD (DIBCAC) assessment |
Certification validity: 3 years, with annual affirmation by a senior official in SPRS.
NIST SP 800-171 Rev 2 — the 14 families (110 requirements)
| § | Family | # reqs |
|---|---|---|
| 3.1 | Access Control | 22 |
| 3.2 | Awareness and Training | 3 |
| 3.3 | Audit and Accountability | 9 |
| 3.4 | Configuration Management | 9 |
| 3.5 | Identification and Authentication | 11 |
| 3.6 | Incident Response | 3 |
| 3.7 | Maintenance | 6 |
| 3.8 | Media Protection | 9 |
| 3.9 | Personnel Security | 2 |
| 3.10 | Physical Protection | 6 |
| 3.11 | Risk Assessment | 3 |
| 3.12 | Security Assessment | 4 |
| 3.13 | System and Communications Protection | 16 |
| 3.14 | System and Information Integrity | 7 |
| Total | 110 |
(Assessment objectives for each requirement are in NIST SP 800-171A.)
DoD Assessment Methodology — SPRS scoring
- Start at 110. Subtract the weighted value of each NOT MET requirement.
- Weights: 1, 3, or 5 points. The most security-significant requirements are weighted 3 or 5.
- Partial credit applies to a small number of requirements (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11) where partial implementation reduces the deduction.
- Maximum score 110; the methodology floor is −203 (more is deducted than the 110 starting points because of the weighting).
- The complete per-requirement point assignment is published in the DoD NIST SP 800-171 Assessment Methodology — use that document for the authoritative weight of each control rather than estimating.
POA&M rules under the CMMC rule (32 CFR Part 170)
- A Conditional Level 2 status is allowed only if the assessment score is at least 80% (≥ 88 of 110).
- Only POA&M-eligible requirements may be deferred. The highest-weighted security requirements generally must be fully met and cannot sit on a POA&M — verify each item's eligibility against the rule.
- All POA&M items must be closed within 180 days; a closeout assessment then converts Conditional → Final.
Scoping categories (CMMC Level 2 Scoping Guide)
| Category | Treatment |
|---|---|
| CUI Assets | Process/store/transmit CUI — assessed against applicable requirements. |
| Security Protection Assets | Provide security to the CUI environment — in scope. |
| Contractor Risk Managed Assets | Capable of handling CUI but not intended to — managed by policy/config. |
| Specialized Assets | IoT/OT, GFE, test equipment — documented, limited assessment. |
| Out-of-Scope Assets | Isolated from CUI — not assessed. |
External Service Providers / cloud
- Cloud services that store/process/transmit CUI must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency.
- Document the customer/provider responsibility split (CRM) and inherited controls in the SSP.
NIST CSF 2.0 alignment
| CSF 2.0 ID | Relevance |
|---|---|
| GV.OC-03 | Legal/regulatory (DFARS/CMMC) requirements understood. |
| GV.SC-01 | Supply-chain risk management — flowdown to subs / ESPs. |
| ID.AM-08 | Assets managed across the lifecycle (scoping). |
| ID.RA-05 | Risk informs prioritization of unmet requirements. |
| PR.AA-01 | Identity and access (3.1 / 3.5 families). |
| PR.DS-01 | Data-at-rest protection (FIPS crypto, media protection). |
Scripts 1
process.py7.6 KB
#!/usr/bin/env python3
"""
CMMC Level 2 / NIST SP 800-171 Rev 2 SPRS score calculator.
Implements the DoD Assessment Methodology arithmetic: start at 110 and subtract
the weighted value (1, 3, or 5) of each NOT MET requirement, with partial credit
for the small set of requirements that allow it. Reports the SPRS score, the gap
to a perfect 110 and to the 88-point (80%) conditional-certification threshold,
and flags higher-weighted unmet requirements whose POA&M eligibility must be
verified against 32 CFR Part 170.
NOTE: per-requirement point weights are defined by the DoD NIST SP 800-171
Assessment Methodology. Supply each requirement's official weight in the input
(this tool does not invent weights). Use status 'partial' with 'partial_deduction'
only for requirements the methodology allows partial credit on (e.g., 3.5.3 MFA,
3.13.11 FIPS crypto).
Input JSON shape:
{
"org": {"name": "Acme Defense LLC", "scope": "CUI enclave"},
"requirements": [
{"id": "3.1.1", "family": "3.1", "status": "met", "weight": 5},
{"id": "3.5.3", "family": "3.5", "status": "partial", "weight": 5, "partial_deduction": 3},
{"id": "3.3.1", "family": "3.3", "status": "not_met", "weight": 5},
{"id": "3.8.9", "family": "3.8", "status": "not_met", "weight": 1},
{"id": "3.2.1", "family": "3.2", "status": "na", "weight": 1}
]
}
status: met | not_met | partial | na
Usage:
python process.py --input controls.json [--output readiness.md]
python process.py --input controls.json --require-conditional # exit 1 if score < 88
"""
import argparse
import json
import sys
START_SCORE = 110
CONDITIONAL_THRESHOLD = 88 # 80% of 110
VALID_STATUS = {"met", "not_met", "partial", "na"}
VALID_WEIGHTS = {1, 3, 5}
def compute(data):
reqs = data.get("requirements", [])
if not reqs:
raise ValueError("requirements list is required")
deductions = 0
counts = {"met": 0, "not_met": 0, "partial": 0, "na": 0}
poam_flags = [] # higher-weight unmet -> verify POA&M eligibility
by_family = {} # family -> {met,not_met,partial,na}
detail = []
for r in reqs:
rid = r.get("id", "?")
status = r.get("status")
weight = r.get("weight")
if status not in VALID_STATUS:
raise ValueError(f"{rid}: status '{status}' invalid (met|not_met|partial|na)")
if status in ("not_met", "partial", "met") and weight not in VALID_WEIGHTS:
raise ValueError(f"{rid}: weight '{weight}' invalid (must be 1, 3, or 5)")
fam = r.get("family", rid.rsplit(".", 1)[0])
fam_rec = by_family.setdefault(fam, {"met": 0, "not_met": 0, "partial": 0, "na": 0})
fam_rec[status] += 1
counts[status] += 1
ded = 0
if status == "not_met":
ded = weight
if weight > 1:
poam_flags.append((rid, weight))
elif status == "partial":
ded = r.get("partial_deduction")
if ded is None:
raise ValueError(f"{rid}: status 'partial' requires 'partial_deduction'")
if ded < 0 or ded > weight:
raise ValueError(f"{rid}: partial_deduction {ded} out of range (0..{weight})")
if ded > 1:
poam_flags.append((rid, ded))
deductions += ded
detail.append((rid, fam, status, weight, ded))
score = START_SCORE - deductions
return {
"score": score,
"deductions": deductions,
"counts": counts,
"by_family": by_family,
"poam_flags": poam_flags,
"detail": detail,
}
def render(data, res):
org = data.get("org", {})
lines = []
lines.append(f"# CMMC Level 2 Readiness - {org.get('name','Organization')}")
lines.append("")
if org.get("scope"):
lines.append(f"- **Scope:** {org['scope']}")
lines.append("")
score = res["score"]
lines.append("## SPRS Score (DoD Assessment Methodology)")
lines.append("")
lines.append(f"- **Score:** **{score}** / 110 (started at 110, deducted {res['deductions']})")
lines.append(f"- **Gap to perfect (110):** {110 - score}")
if score >= CONDITIONAL_THRESHOLD:
lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** MET "
f"(margin {score - CONDITIONAL_THRESHOLD}) - eligible for Conditional status "
"if remaining items are POA&M-eligible.")
else:
lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** NOT MET "
f"(short by {CONDITIONAL_THRESHOLD - score}) - not eligible for Conditional "
"certification until the score reaches 88.")
c = res["counts"]
lines.append(f"- **Status tally:** met {c['met']}, partial {c['partial']}, "
f"not met {c['not_met']}, N/A {c['na']}")
lines.append("")
# by family
lines.append("## Status by family")
lines.append("")
lines.append("| Family | Met | Partial | Not Met | N/A |")
lines.append("|---|---|---|---|---|")
for fam in sorted(res["by_family"]):
f = res["by_family"][fam]
lines.append(f"| {fam} | {f['met']} | {f['partial']} | {f['not_met']} | {f['na']} |")
lines.append("")
# POA&M eligibility flags
lines.append("## POA&M eligibility check")
lines.append("")
if not res["poam_flags"]:
lines.append("No unmet requirement carries more than 1 point of deduction. "
"Remaining gaps are most likely POA&M-eligible (still verify against 32 CFR Part 170).")
else:
lines.append("The following unmet/partial requirements carry **> 1 point**. The highest-weighted "
"security requirements generally **cannot** sit on a POA&M - verify each against "
"32 CFR Part 170 before relying on Conditional status:")
lines.append("")
lines.append("| Requirement | Points lost |")
lines.append("|---|---|")
for rid, w in sorted(res["poam_flags"], key=lambda x: -x[1]):
lines.append(f"| {rid} | {w} |")
lines.append("")
lines.append("> All POA&M items must be closed within **180 days** to convert Conditional -> Final.")
return "\n".join(lines)
def main():
ap = argparse.ArgumentParser(description="CMMC L2 / NIST 800-171 SPRS score calculator")
ap.add_argument("--input", "-i", required=True, help="Path to control-status JSON")
ap.add_argument("--output", "-o", help="Write Markdown readiness report to this path")
ap.add_argument("--require-conditional", action="store_true",
help="Exit non-zero if SPRS score < 88 (conditional threshold)")
args = ap.parse_args()
try:
with open(args.input) as f:
data = json.load(f)
except (OSError, json.JSONDecodeError) as e:
print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
return 2
try:
res = compute(data)
md = render(data, res)
except ValueError as e:
print(f"ERROR: {e}", file=sys.stderr)
return 2
if args.output:
with open(args.output, "w") as f:
f.write(md + "\n")
print(f"Readiness report written to {args.output}", file=sys.stderr)
else:
print(md)
print(f"SPRS score {res['score']}/110 (deductions {res['deductions']}; "
f"not met {res['counts']['not_met']}, partial {res['counts']['partial']}).",
file=sys.stderr)
if args.require_conditional and res["score"] < CONDITIONAL_THRESHOLD:
print(f"FAIL: score {res['score']} < {CONDITIONAL_THRESHOLD} conditional threshold.",
file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())