CMMC/NIST Self-Assessment Scorecard

The CMMC is a new Department of Defense (DoD) mandate that affects all federal DoD contractors. The self-attestation of NIST 800-171, NIST 800-52 and DFARS 252.204-7012 is not only complicated, but it has NOT been working so the DoD is unifying all the guidelines via CMMC and auditing contractors in this new "trust but verify" approach.

This new guideline now requires a CMMC 3rd Party Assessor Organization (C3PAO) to audit your cybersecurity policies, procedures and security controls. There are five Maturity Levels (ML) a contractor can achieve, and they build on top of each other – You can’t reach ML5 unless you also have ML3 practices and processes in place.

The CMMC/NIST Self-Assessment Scorecard is based on the 110 NIST SP 800-171 Security Controls that need to be in place NOW, along with all the DoD-required Objective Evidence and Plan of Action and Milestones (POAMs) for any Security Controls not yet implemented.  If you do not have this information, you are at risk for an audit, as well as penalties and fees under the False Claims Act (FCA).  

Use this scorecard to gauge your score before officially submitting your score into the SPRS (DoD) system, to identify vulnerabilities that can be remediated immediately.

Not only will this make your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) more secure, but it will also give you a better understanding of where you are in your CMMC journey.  This assessment is a MUST-HAVE for any business that is now,or wishes to be, a Subcontractor or Prime Contractor with the DoD.

At Compliance Armor, we’ve spent over 20 years staying on the cutting edge of industry, and keeping up with developments. We are experts in this stuff, so that you don’t have to be.