CMMC Level 2 Self-Assessment Path

Who Needs This Program?

✓ Non-Critical CUI Contracts

Organizations handling Controlled Unclassified Information that is not designated as critical to national security

✓ Annual Self-Assessment

Contracts requiring annual self-assessment instead of third-party C3PAO evaluation

✓ SPRS Score Requirements

Need to calculate, maintain, and submit SPRS scores to demonstrate compliance

✓ Executive Certification

Senior leadership attestation of cybersecurity implementation and compliance

Program Phases

Our comprehensive 6-phase approach to CMMC Level 2 self-assessment compliance

Initial Assessment & Scoping

Comprehensive gap analysis against 110 NIST 800-171 controls
Current security posture evaluation
Define CUI boundary and scope
SPRS score baseline calculation
Remediation roadmap development
Cost and resource planning

GCC High / Azure Government Deployment

Environment validation and onboarding
Tenant setup and migration
Azure Active Directory Premium configuration
Conditional Access & Multi-Factor Authentication
Microsoft Defender suite deployment
Network boundary controls (NSGs, firewalls, Azure Policy)
FIPS 140-2 compliant encryption setup
Secure backup and disaster recovery configuration

Security Controls Implementation

All 110 NIST 800-171 controls implementation
Address 320 assessment objectives
14 security domains configuration:
- Access Control
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System & Communications Protection
- System & Information Integrity
- Awareness & Training
Continuous monitoring and automation tools
Automated evidence collection systems
Encryption implementation (data at rest and in transit)
Security Information and Event Management (SIEM) deployment

Documentation & Policies

System Security Plan (SSP) - 150+ pages
POA&M (Plans of Action & Milestones)
Complete security policy library (17+ policies)
Incident response and disaster recovery plans
Data classification and handling documentation
Access control and identity management policies
Change management documentation
Asset inventory and network diagrams
Configuration management baseline
Risk assessment documentation

Organizational Readiness

Mock assessment/pre-assessment
Compliance team preparation
Evidence provision preparation
Control demonstration rehearsal
Internal control testing and validation
Remediation of pre-assessment findings
Assessment logistics coordination

06
Self-Assessment & SubmissionSPRS score calculation and validation
Executive certification preparation
Annual self-assessment report
Compliance documentation package
SPRS score submission to DoD
Contract readiness confirmation

Program Benefits

💰

Cost-Effective

Lower cost than C3PAO certification while meeting DoD requirements for non-critical contracts

⚡

Faster Timeline

Streamlined process without external C3PAO scheduling constraints

🎯

Annual Flexibility

Annual assessment cycle allows for continuous improvement

📊

SPRS Management

Ongoing tracking and optimization of your compliance score

What You Receive

Complete Infrastructure

Fully deployed and configured GCC High or Azure Government environment with all security controls

Comprehensive Documentation

150+ page SSP, POA&M, and complete policy library ready for review

Validated SPRS Score

Calculated and documented SPRS score ready for DoD submission

Executive Certification

Prepared certification package for senior leadership attestation

Evidence Repository

Organized evidence demonstrating implementation of all 110 controls

Annual Assessment Process

Documented procedures for conducting future annual self-assessments