10 Top CMMC Assessment Checklist Resources

Published on Nov 16, 2021

Intro from Agile IT: This is a guest post from John Verry, CISO and Managing Partner at PivotPoint Security.

Businesses that provide products or services to the US Defense Industrial Base (DIB) need to comply with the FAR (e.g., 52.204-12) and DFARS (e.g., 252.204-7012, 7019, 7020, 7021) requirements. For those handling Controlled Unclassified Information (CUI), this also necessitates NIST 800-171 compliance (7012, 7019, 7020) or Cybersecurity Maturity Model Certification (CMMC) V2 Level 2 certification. For those handling only Federal Contract Information (FCI), this necessitates CMMC V2 Level 1 self-attestation.

While CMMC V2 is still pending updates to 32 CFR, many DIB firms are rightly concerned about the time and effort it will take to reach full compliance, especially at or above CMMC V2 Level 2. Another concern is the anticipated scramble to engage assessors and other consultants as tens of thousands of defense contractors pursue CMMC in the months ahead.

What can you do now to prepare for CMMC certification? The perfect place to start is a CMMC assessment checklist, like this one from Pivot Point Security. A comprehensive checklist and related resources will give you a place to start, help you structure a workable plan, and keep you moving forward.

But because different organizations have different cybersecurity postures and varying contract requirements, no one checklist can fully meet everyone’s needs. So, we’ve compiled this list of 10 free CMMC assessment resources that are some of the best out there.

One: Official CMMC OSD Guidance

Stay up to date on the definitive guide to all things CMMC: https://www.acq.osd.mil/doing-business.html

Two: The CMMC Accreditation Body

The marketplace provides a listing of critical resources, including Licensed Training Providers, Registered Provider Organizations, and Certified Third Party Assessors: https://cmmcab.org/

Three: Microsoft Product Placemat for CMMC

This “interactive view” (an Excel file with macros) from Microsoft provides invaluable guidance for Microsoft customers on how Microsoft cloud products and services—including GCC High—“inherit”/satisfy requirements for CMMC Level 3 practices: https://www.microsoft.com/en-us/download/details.aspx?id=102536

The interactive document even offers customer implementation guidance for each practice that Microsoft cloud offerings cover or support. Use it to augment your CMMC compliance activities with the prescriptive actions you need to take to meet CMMC audit requirements within the scope of shared responsibility for CMMC V2 Level 2 compliance between your business and Microsoft.

Four: NIST SP 800-171A Assessors' Guide

The perfect complement to your CMMC assessment checklist as you move toward your internal CMMC audit, this NIST guidance for NIST 800-171 assessors will open a window onto what you can expect your CMMC V2 Level 2 external audit to look like, so you can better plan and prepare: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf

Five: DoD Environmental Research Programs templates for DFARS and NIST 800-171

This website for DoD’s SERDP and ESTCP environmental research programs includes a Templates and Checklists page with applicability to CMMC compliance: https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists

You can find basic templates including a DFARS CUI Cyber Incident Report Form, a Security Audit Plan, a Plan of Action & Milestones (POAM) Template, and an ESTCP Information Technology Policies and Procedures template.

Six: NIST 800-171 System Security Plan Template

This NIST template outlines the requirements for a DFARS 7012-compliant System Security Plan (SSP), as is currently required for DIB orgs that handle controlled unclassified information:

Seven: NIST 800-171 Plan of Action & Milestones (POAM) Template

Similar to the NIST SSP template, this NIST template outlines the requirements for a DFARS 7012-compliant Plan of Action & Milestones (POAM), as is currently mandated for DoD contractors that handle controlled unclassified information: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx

Eight: DFARS Clauses

It is important to remember that the goal is NOT to become CMMC or 800-171 compliant; it is to become FAR and DFARS compliant. The 17 practices in CMMC Level 1 fully address the 15 security requirements in FAR 52.204-21. The 110 practices in CMMC V2 Level 2 DO NOT fully address the cumulative requirements specified in 7012/7020 or 7012/7021.

Nine: BYU CMMC Assessment Calculator Tool

Created by the Office of Research Computing at BYU, this Google Sheet is designed to help DIB orgs prepare for CMMC audits: https://rc.byu.edu/cmmctool

No need to create a DIY spreadsheet; start with this convenient calculator. It is even tunable by CMMC level.

Ten: DoD CUI Resources

Last but not least on our list is the DoD CUI Program website, with official direction on how to identify and handle controlled unclassified information: https://www.dodcui.mil

The site includes a downloadable DoD CUI registry, DoD CUI classification, protection policies, and a link to DoD CUI training content. There’s also a “desktop aids” page with the latest CUI marking tools. Identifying what CUI you have and how you store, process, and transmit CUI are critical initial steps in every CMMC compliance project, so don’t fail to investigate this content.

What’s Next?

Achieving and maintaining FAR and DFARS compliance and your CMMC certification is critical to ensuring you can retain and grow your DoD business. But finding the time and resources to make sure it happens can be a challenge. Whether you're just getting started with CMMC or think you're ready for your CMMC audit, our CMMC compliance services can give you the expertise, implementation support, and confidence you need to achieve certification.

We (Pivot Point Security) have been helping SMBs prove they're secure and compliant for 20 years. As one of the first Registered Provider Organizations (RPOs) for CMMC, we offer a proven approach tunable to your unique budget, timeline, cyber maturity, and staffing requirements. More importantly, our team has EXTENSIVE experience in the DIB, so we understand its unique language and challenges. Don't worry; we won't speak in acronyms! We'd be happy to help you navigate the complexities of these requirements and frameworks. Contact: [email protected]
