# CMMC Assessment SOP
Sub-procedure of cmmc-sop.md
## Overview
Detailed procedures for conducting CMMC (Cybersecurity Maturity Model Certification) readiness assessments, including CUI scoping, NIST SP 800-171 control evaluation, SPRS score calculation, and gap documentation. This sub-procedure covers the comprehensive assessment phase.
## Scope
- Parent SOP: CMMC Assessment
- Pillar: Protect (Security & Compliance)
- Service Area: CMMC Readiness Assessment
## Prerequisites
- Parent SOP requirements met
- DoD contract or subcontract requirements confirmed
- CUI handling requirements identified from contract
- Executive sponsorship committed
- IT and security leadership available
- Access to network diagrams and system inventory
## Procedure
### Step 1: CUI Scoping and Boundary Definition
Objective: Define the assessment boundary based on CUI handling
CUI Identification Activities:
| Activity | Purpose | Deliverable |
|---|---|---|
| Contract Review | Identify CUI marking requirements | CUI category list |
| Data Flow Mapping | Trace CUI through organization | CUI flow diagrams |
| System Inventory | Identify systems processing CUI | CUI system inventory |
| Personnel Identification | Identify personnel with CUI access | CUI access roster |
| Location Mapping | Identify physical locations with CUI | CUI location inventory |
CUI Categories:
| Category | Description | Common Examples |
|---|---|---|
| CTI | Controlled Technical Information | Engineering data, specifications |
| ITAR | International Traffic in Arms | Defense articles, technical data |
| EXPT | Export Control | Dual-use technology |
| PRVCY | Privacy | PII in DoD context |
| PROPIN | Proprietary Business Information | Contractor proprietary data |
Boundary Definition Checklist:
- All CUI categories identified from contract
- CUI flow documented (receive, store, process, transmit)
- All systems handling CUI inventoried
- All personnel with CUI access identified
- All physical locations with CUI documented
- Network segmentation documented (enclave boundaries)
- Out-of-scope systems documented with justification
- Subcontractor CUI handling identified
Enclave Architecture:
| Element | In-Scope | Out-of-Scope |
|---|---|---|
| CUI Processing Systems | Yes | N/A |
| CUI Storage Systems | Yes | N/A |
| Network Infrastructure | Boundary devices, enclave network | Non-CUI network segments |
| Endpoints | Systems accessing CUI | Personal devices (with policy) |
| Personnel | CUI-authorized personnel | Non-CUI personnel |
### Step 2: Documentation Assessment
Objective: Evaluate existing security documentation against CMMC requirements
Required Documentation Review:
| Document | CMMC Requirement | Assessment Focus |
|---|---|---|
| System Security Plan (SSP) | Required for all levels | Completeness, accuracy, currency |
| Plan of Action & Milestones (POA&M) | Required if gaps exist | Specificity, timelines, progress |
| Network Diagram | Required for boundary definition | Accuracy, CUI enclave delineation |
| Asset Inventory | Required for scoping | Completeness, CUI tagging |
| Policies and Procedures | Evidence for practice implementation | Coverage of all 14 families |
SSP Assessment Checklist:
| SSP Element | Status | Notes |
|---|---|---|
| System Identification | ☐ Complete ☐ Partial ☐ Missing | |
| System Environment | ☐ Complete ☐ Partial ☐ Missing | |
| System Interconnections | ☐ Complete ☐ Partial ☐ Missing | |
| Control Implementation | ☐ Complete ☐ Partial ☐ Missing | |
| Responsible Parties | ☐ Complete ☐ Partial ☐ Missing | |
| Approval and Dates | ☐ Complete ☐ Partial ☐ Missing | |
Policy Gap Matrix:
| Control Family | Policy Exists | Procedure Exists | Evidence Available |
|---|---|---|---|
| Access Control (AC) | ☐ | ☐ | ☐ |
| Awareness & Training (AT) | ☐ | ☐ | ☐ |
| Audit & Accountability (AU) | ☐ | ☐ | ☐ |
| Configuration Management (CM) | ☐ | ☐ | ☐ |
| Identification & Authentication (IA) | ☐ | ☐ | ☐ |
| Incident Response (IR) | ☐ | ☐ | ☐ |
| Maintenance (MA) | ☐ | ☐ | ☐ |
| Media Protection (MP) | ☐ | ☐ | ☐ |
| Personnel Security (PS) | ☐ | ☐ | ☐ |
| Physical Protection (PE) | ☐ | ☐ | ☐ |
| Risk Assessment (RA) | ☐ | ☐ | ☐ |
| Security Assessment (CA) | ☐ | ☐ | ☐ |
| System & Comms Protection (SC) | ☐ | ☐ | ☐ |
| System & Info Integrity (SI) | ☐ | ☐ | ☐ |
### Step 3: Technical Control Assessment
Objective: Validate technical control implementation
Control Assessment by Family:
Access Control (AC) - 22 Requirements:
| Requirement | Assessment Method | Common Gaps |
|---|---|---|
| AC.L2-3.1.1 - Authorized Access | User access review, policy verification | Lack of formal authorization |
| AC.L2-3.1.2 - Transaction Control | System configuration review | Missing transaction logging |
| AC.L2-3.1.3 - CUI Flow Control | Network analysis, DLP review | Inadequate data flow controls |
| AC.L2-3.1.5 - Least Privilege | Privilege audit, role review | Excessive privileges |
| AC.L2-3.1.7 - Privileged Functions | Privileged account review | No PAM solution |
| AC.L2-3.1.12 - Remote Access | VPN configuration, MFA verification | MFA not enforced |
| AC.L2-3.1.22 - Publicly Accessible | Public system inventory | CUI on public systems |
Identification & Authentication (IA) - 11 Requirements:
| Requirement | Assessment Method | Common Gaps |
|---|---|---|
| IA.L2-3.5.1 - Identification | User ID configuration | Shared accounts |
| IA.L2-3.5.2 - Authentication | Authentication testing | Weak authentication |
| IA.L2-3.5.3 - MFA | MFA configuration review | MFA not for all CUI access |
| IA.L2-3.5.4 - Replay Resistance | Protocol analysis | Weak protocols |
| IA.L2-3.5.10 - Password Reuse | Password policy review | Insufficient history |
System & Communications Protection (SC) - 16 Requirements:
| Requirement | Assessment Method | Common Gaps |
|---|---|---|
| SC.L2-3.13.1 - Boundary Protection | Firewall review, network analysis | Inadequate segmentation |
| SC.L2-3.13.8 - Data in Transit | Encryption verification | Non-FIPS encryption |
| SC.L2-3.13.11 - FIPS Encryption | Cryptographic module review | Non-validated modules |
| SC.L2-3.13.16 - Data at Rest | Storage encryption verification | Unencrypted CUI storage |
### Step 4: SPRS Score Calculation
Objective: Calculate current SPRS score based on assessment findings
Scoring Methodology:
| Element | Description |
|---|---|
| Starting Score | 110 points |
| Deductions | 1, 3, or 5 points per unmet requirement |
| Minimum for CMMC L2 | 110 (all requirements met or valid POA&M) |
Severity Deduction Values:
| Points | Severity | Criteria |
|---|---|---|
| 5 | Very High | No implementation, critical control, high risk |
| 3 | High | Partial implementation, significant gap |
| 1 | Low | Minor gap, largely implemented, low risk |
SPRS Calculation Worksheet:
| Family | Requirements | Not Met | Severity 5 | Severity 3 | Severity 1 | Family Deduction |
|---|---|---|---|---|---|---|
| AC | 22 | | x5 = | x3 = | x1 = | |
| AT | 3 | | x5 = | x3 = | x1 = | |
| AU | 9 | | x5 = | x3 = | x1 = | |
| CM | 9 | | x5 = | x3 = | x1 = | |
| IA | 11 | | x5 = | x3 = | x1 = | |
| IR | 3 | | x5 = | x3 = | x1 = | |
| MA | 6 | | x5 = | x3 = | x1 = | |
| MP | 9 | | x5 = | x3 = | x1 = | |
| PE | 6 | | x5 = | x3 = | x1 = | |
| PS | 2 | | x5 = | x3 = | x1 = | |
| RA | 3 | | x5 = | x3 = | x1 = | |
| CA | 4 | | x5 = | x3 = | x1 = | |
| SC | 16 | | x5 = | x3 = | x1 = | |
| SI | 7 | | x5 = | x3 = | x1 = | |
| Total | 110 | | | | | Total Deduction = |

SPRS Score = 110 - Total Deduction
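The worksheet above is easy to get wrong by hand (a requirement counted twice, a severity outside 1/3/5, a family with more "not met" entries than it has requirements). The following script is an added example, not part of this SOP or any DoD tooling: it takes a gap register in the Step 5 format (Gap ID, requirement reference, severity), fills the worksheet per family, and computes `110 - Total Deduction`. The family counts are the ones in the worksheet; the requirement identifiers and the six sample gaps are constructed for illustration.

```python
"""Fill the SPRS worksheet from a gap register and compute the score.

Added example for this SOP; not DoD or SPRS software. Family requirement
counts are taken from the worksheet (they sum to 110). The sample gap
register below is constructed for illustration.
"""
from dataclasses import dataclass

# Requirements per NIST SP 800-171 family, as listed in the worksheet.
FAMILY_REQUIREMENTS = {
    "AC": 22, "AT": 3, "AU": 9, "CM": 9, "IA": 11, "IR": 3, "MA": 6,
    "MP": 9, "PE": 6, "PS": 2, "RA": 3, "CA": 4, "SC": 16, "SI": 7,
}
STARTING_SCORE = 110
VALID_SEVERITIES = (5, 3, 1)  # deduction values from the severity table


@dataclass(frozen=True)
class Gap:
    gap_id: str       # e.g. "AC-001" (Step 5 template)
    requirement: str  # CMMC-style reference, e.g. "AC.L2-3.1.12"
    severity: int     # 5 (Very High), 3 (High) or 1 (Low)


def family_of(requirement: str) -> str:
    """Derive the control family from the reference prefix ("AC.L2-3.1.12" -> "AC")."""
    family = requirement.split(".", 1)[0]
    if family not in FAMILY_REQUIREMENTS:
        raise ValueError(f"unknown control family in {requirement!r}")
    return family


def build_worksheet(gaps):
    """Return (rows, total_deduction, sprs_score).

    rows maps each family to a dict with the worksheet columns:
    requirements, not_met, counts keyed 5/3/1, and deduction.
    Raises ValueError on an invalid severity, a duplicate requirement
    (each unmet requirement is deducted once) or an impossible row.
    """
    rows = {
        fam: {"requirements": n, "not_met": 0, 5: 0, 3: 0, 1: 0, "deduction": 0}
        for fam, n in FAMILY_REQUIREMENTS.items()
    }
    seen = set()
    for gap in gaps:
        if gap.severity not in VALID_SEVERITIES:
            raise ValueError(f"{gap.gap_id}: severity must be one of {VALID_SEVERITIES}")
        if gap.requirement in seen:
            raise ValueError(f"{gap.gap_id}: {gap.requirement} already in register; merge the gaps")
        seen.add(gap.requirement)
        row = rows[family_of(gap.requirement)]
        row["not_met"] += 1
        row[gap.severity] += 1
        row["deduction"] += gap.severity
    for fam, row in rows.items():
        if row["not_met"] > row["requirements"]:
            raise ValueError(f"{fam}: {row['not_met']} unmet > {row['requirements']} requirements")
    total = sum(row["deduction"] for row in rows.values())
    return rows, total, STARTING_SCORE - total


def format_worksheet(rows, total, score) -> str:
    """Render the filled worksheet in the SOP's markdown table layout."""
    lines = ["| Family | Requirements | Not Met | Severity 5 | Severity 3 | Severity 1 | Family Deduction |",
             "|---|---|---|---|---|---|---|"]
    for fam, r in rows.items():
        lines.append(f"| {fam} | {r['requirements']} | {r['not_met']} | {r[5]}x5 = {r[5]*5} "
                     f"| {r[3]}x3 = {r[3]*3} | {r[1]}x1 = {r[1]} | {r['deduction']} |")
    lines.append(f"| Total | {STARTING_SCORE} | | | | | Total Deduction = {total} |")
    lines.append(f"SPRS Score = {STARTING_SCORE} - {total} = {score}")
    return "\n".join(lines)


# Constructed sample register; gap descriptions mirror the "Common Gaps" column in Step 3.
SAMPLE_GAPS = [
    Gap("AC-001", "AC.L2-3.1.12", 5),  # remote access without MFA
    Gap("AC-002", "AC.L2-3.1.5", 3),   # excessive privileges on shared servers
    Gap("IA-001", "IA.L2-3.5.3", 5),   # MFA not required for all CUI access
    Gap("IA-002", "IA.L2-3.5.10", 1),  # password history shorter than policy
    Gap("SC-001", "SC.L2-3.13.11", 5), # non-validated cryptographic modules
    Gap("SC-002", "SC.L2-3.13.16", 3), # CUI file share not encrypted at rest
]

if __name__ == "__main__":
    print(format_worksheet(*build_worksheet(SAMPLE_GAPS)))
```

Feeding the real gap register through `build_worksheet` before the client review catches the two most common worksheet errors, double-counted requirements and per-family overcounts, and the rendered table can be pasted directly into the SPRS Score Calculation deliverable.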
### Step 5: Gap Documentation
Objective: Document all identified gaps with remediation requirements
Gap Documentation Template:
| Field | Content |
|---|---|
| Gap ID | Unique identifier (e.g., AC-001) |
| Requirement | NIST 800-171 requirement reference |
| Requirement Text | Full requirement text |
| Current State | Description of current implementation |
| Gap Description | What is missing or deficient |
| Severity | 5 (Very High), 3 (High), or 1 (Low) |
| SPRS Impact | Points deducted |
| Remediation Approach | High-level remediation strategy |
| Estimated Effort | Hours/days to remediate |
| Dependencies | Other gaps or activities required first |
| Priority | Critical, High, Medium, Low |
Gap Prioritization Matrix:
| Priority | Criteria | Remediation Timeline |
|---|---|---|
| Critical | Blocks certification, severity 5, multiple requirements | 0-30 days |
| High | Severity 3, significant SPRS impact | 30-60 days |
| Medium | Severity 1, moderate impact | 60-90 days |
| Low | Best practice, optimization | 90-180 days |
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| CUI Scope Documentation | Word/PDF | SBK Consultant |
| CUI Flow Diagrams | Visio/Draw.io | SBK + Client IT |
| Documentation Gap Matrix | Excel | Lead Assessor |
| Control Assessment Report | Excel/PDF | Lead Assessor |
| SPRS Score Calculation | Excel | Lead Assessor |
| Gap Register | Excel | Lead Assessor |
| Assessment Summary | Executive PDF | SBK Lead |
## Quality Gates
- CUI scope clearly defined and documented
- All 110 NIST 800-171 requirements assessed
- SPRS score accurately calculated
- All gaps documented with severity ratings
- Gap priorities assigned based on methodology
- Remediation approaches identified for all gaps
- Assessment findings reviewed with client
- SSP/POA&M requirements identified
## Related Documents
- Parent SOP: CMMC Assessment
- CMMC Gap Remediation SOP
- CMMC Certification Prep SOP
- Cross-Pillar SOPs
- Assessment Templates
Last Updated: February 2026
Parent SOP: cmmc-sop.md