TeknaByte Consulting
// Compliance

Your NIST 800-171 Self-Assessment: A Practical Starting Checklist

January 21, 2026 / 6 min read / TeknaByte

Every CMMC Level 2 journey starts with the same step, and most companies skip it: an honest NIST SP 800-171 self-assessment. Not a vendor’s marketing quiz, but the DoD Assessment Methodology that produces the score primes can see in the Supplier Performance Risk System (SPRS). Done right, it turns a vague sense of “we should probably do something about compliance” into a ranked list of work. Here is how to run one.

The 110 controls, 14 families

NIST SP 800-171 organizes 110 security requirements into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

You do not need to memorize them. You need to know that every one of the 110 is either fully implemented or it is not. With two exceptions noted below (multifactor authentication and FIPS-validated cryptography), there is no partial credit on a single control: a requirement that is 90 percent done is scored as not done.

How the score actually works

The DoD Assessment Methodology starts you at 110 and subtracts points for each requirement you have not fully implemented. The catch that surprises people: the deductions are weighted. Most requirements are worth 1 point, but a set of high-impact requirements are worth 5 points each, and a smaller set are worth 3. Miss the wrong five controls and you are at 85, not 105. Two requirements are the exception to all-or-nothing scoring: 3.5.3 (multifactor authentication) deducts 3 points instead of 5 when MFA covers privileged and remote users but not general users, and 3.13.11 (FIPS-validated cryptography) deducts 3 instead of 5 when CUI is encrypted but the modules are not FIPS-validated. One requirement, 3.12.4 (the System Security Plan), is not scored at all, because without an SSP the assessment cannot be performed.

That weighting is the whole strategy. The five-point requirements are the ones to fix first, because they move your score the most and because the methodology assigns 5 points for a reason: these are the requirements whose absence could lead to significant exploitation of the network or exfiltration of CUI.

The high-weight items cluster around a few themes:

  • Multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3).
  • FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI (3.13.11).
  • Monitoring and controlling remote access sessions (3.1.12).
  • Controlling the flow of CUI between systems, and out to the internet, in accordance with approved authorizations (3.1.3).
  • Separating user functionality from system management functionality (3.13.3).

If you do nothing else this quarter, close those.

Running the assessment without fooling yourself

The failure mode is generosity. It is tempting to mark a control “met” because you have something in the neighborhood. Assessors do not grade on neighborhoods. Use this test for each requirement: could you hand an assessor evidence today? A policy document, a screenshot of the configuration, a log sample, a ticket showing the process ran. If the honest answer is “we would have to go build that first,” the requirement is not met, and it is scored at its full weight.

Three artifacts make the difference between a self-assessment and a guess:

  1. A System Security Plan (SSP) describing how each requirement is implemented. Write it as you assess. It is required anyway: 800-171 itself calls for it (3.12.4), the DoD methodology will not score a system that has none, and a CMMC assessor will ask for it first.
  2. A Plan of Action and Milestones (POA&M) listing every unmet requirement with an owner and a date. A POA&M entry does not earn the points back; the requirement stays unmet in the score until it is fully implemented. What the POA&M does is make your projected date to reach 110 credible.
  3. Evidence, collected as you go and referenced from the SSP. The assessment is only as real as what you can show.
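To make the scoring rules and the evidence test concrete, here is a small scorer written as an added example for this article (it is not TeknaByte's code and not a DoD tool). It starts at 110, deducts each unmet requirement's weight, honors the two partial-credit cases (3.5.3 and 3.13.11), refuses to count a “met” that has no evidence behind it, and returns the gaps ordered by points recovered, which is the fix-by-weight list the POA&M should follow. The weight table is a constructed subset of ten requirements, so the score it produces treats the other 100 as met; a real SPRS score needs the full table from the DoD Assessment Methodology. The findings are constructed sample data.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at 110, deduct each unmet requirement's weight,
then rank the gaps by weight so the 5-point items are worked first.

Added example, not TeknaByte's code. WEIGHTS is a constructed subset of
the real weight table; the full 110-row table in the DoD Assessment
Methodology must be used for a real SPRS score. SAMPLE is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_SCORE = 110  # every assessment starts at 110

# Constructed subset of the methodology's weight table.
# Most requirements are 1 point; the high-impact set is 5; a few are 3.
WEIGHTS = {
    "3.1.3": 5,    # control the flow of CUI
    "3.1.4": 1,    # separation of duties
    "3.1.5": 3,    # least privilege
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.1.22": 1,   # control CUI on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.3": 5,   # separate user and system management functionality
    "3.13.8": 3,   # cryptography for CUI in transit
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.13.16": 1,  # protect CUI at rest
}

# The only two requirements the methodology scores with partial credit:
# they deduct 3 instead of 5 when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = ("met", "not_met", "partial")


@dataclass(frozen=True)
class Finding:
    control: str
    status: str         # "met", "not_met" or "partial"
    evidence: str = ""  # where the artifact lives (path, ticket, log)


def audit(findings: list[Finding]) -> list[str]:
    """Reasons a finding list cannot be scored as-is. Empty list means clean."""
    problems = []
    for f in findings:
        if f.control not in WEIGHTS:
            problems.append(f"{f.control}: not in the weight table")
        elif f.status not in VALID_STATUSES:
            problems.append(f"{f.control}: unknown status {f.status!r}")
        elif f.status == "met" and not f.evidence:
            # The honesty test: "met" with nothing to hand an assessor is a guess.
            problems.append(f"{f.control}: marked met with no evidence, which is a guess")
        elif f.status == "partial" and f.control not in PARTIAL_CREDIT:
            problems.append(f"{f.control}: partial credit exists only for 3.5.3 and 3.13.11")
    return problems


def deduction(f: Finding) -> int:
    """Points subtracted for one requirement (0 when fully met)."""
    if f.status == "met":
        return 0
    if f.status == "partial":
        return PARTIAL_CREDIT[f.control]
    return WEIGHTS[f.control]  # not_met: full weight comes off


def score(findings: list[Finding]) -> int:
    """Summary score in the SPRS sense: 110 minus all deductions. Can go negative."""
    problems = audit(findings)
    if problems:
        raise ValueError("; ".join(problems))
    return MAX_SCORE - sum(deduction(f) for f in findings)


def _control_key(control: str) -> tuple[int, ...]:
    """Sort 3.13.11 after 3.5.3 numerically, not as strings."""
    return tuple(int(part) for part in control.split("."))


def ranked_gaps(findings: list[Finding]) -> list[tuple[str, int]]:
    """Unmet requirements ordered by points recovered, highest first:
    the order the POA&M should be worked."""
    gaps = [(f.control, deduction(f)) for f in findings if deduction(f) > 0]
    return sorted(gaps, key=lambda g: (-g[1], _control_key(g[0])))


# Constructed sample assessment of the subset above.
SAMPLE = [
    Finding("3.1.3", "not_met"),
    Finding("3.1.4", "met", "policies/separation-of-duties.pdf"),
    Finding("3.1.5", "not_met"),
    Finding("3.1.12", "met", "vpn-session-log-2026-01.csv"),
    Finding("3.1.22", "met", "web-publish-approval-ticket-4417"),
    Finding("3.5.3", "partial"),    # MFA on admins and VPN, not on general users
    Finding("3.13.3", "not_met"),
    Finding("3.13.8", "met", "tls-config-screenshot.png"),
    Finding("3.13.11", "partial"),  # encryption in use, but not FIPS-validated modules
    Finding("3.13.16", "not_met"),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))  # 110 - (5 + 3 + 3 + 5 + 3 + 1) = 90
    for control, points in ranked_gaps(SAMPLE):
        print(f"  fix {control} (+{points})")
```

Two design choices matter here. First, `audit` runs before any arithmetic, so a “met” without an evidence reference stops the run rather than silently inflating the score; that is the self-assessment equivalent of an assessor asking to see it. Second, `ranked_gaps` is the POA&M in priority order: in the sample, the two open 5-point items (3.1.3 and 3.13.3) come first, then the three 3-point deductions, and the 1-point item last.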

Posting the score

Under DFARS 252.204-7019 and 252.204-7020, you post your assessment in the Supplier Performance Risk System: the name of the SSP that defines the assessed system, the CAGE codes it covers, the assessment date, the summary score, and the date by which you expect to reach 110. The assessment must be no more than three years old. A negative score is uncomfortable to post, but a missing score is worse: it tells a prime you have not even started. An honest negative score with a credible improvement date tells them you are a real partner who knows where they stand.

What to do with the results

A finished self-assessment hands you three things: a number, a ranked list of gaps, and a head start on the documents your eventual assessor will demand. Work the five-point requirements first, then the three-point, then the rest, and close each POA&M item with the evidence that proves it. Re-score quarterly, update your SPRS entry as the number climbs toward 110, and keep the SSP in step with what you changed.

This is the exact sequence we run with clients heading toward CMMC: score honestly, fix by weight, document as you go, and rehearse the assessment before it counts. If you want a second set of eyes on your score before a prime sees it, request a free assessment and we will validate where you actually stand against the 110.

Want this applied to your environment?

Start with a free assessment - we'll map what you just read to where you actually stand.