Will you fail? Probably not. But which three families come closest?
Twelve signal questions, drawn from the failure patterns we have read inside dozens of C3PAO assessments. Each maps to one or two NIST 800-171 families. The result is a ranked view of which families are most likely to put your engagement at risk, and which are already in good shape.
12 questions
- Q01 (IA · AC): Privileged accounts use phishing-resistant MFA (FIDO2 or hardware tokens).
  Software OTP is no longer sufficient for the privileged tier.
- Q02 (AU): Audit logs from CUI systems are retained 12+ months online.
  Retention shorter than one year fails the AU family on first pass.
- Q03 (CA · SC): An authorization boundary diagram exists, signed within the last 12 months.
  An unsigned, stale, or absent boundary diagram halts the assessment.
- Q04 (IR): Our incident response plan has been tabletop-exercised in the last 12 months.
  A plan without exercise records is treated as not implemented.
- Q05 (CA): Our SSP is hand-authored, not auto-generated by a readiness tool.
  Tool-exported SSPs routinely fail because they cannot answer follow-up questions.
- Q06 (SC): FIPS-validated cryptography protects CUI at rest and in transit, by data class.
  Bring-your-own-encryption and non-validated modules do not qualify.
- Q07 (SI · RA): Vulnerability scans are run monthly with a documented closure SLA.
  Ad-hoc scanning and undocumented closure timelines fail SI and weaken RA.
- Q08 (MP · AT): CUI marking is consistent on documents, emails, and removable media.
  Inconsistent marking is the most common MP family failure.
- Q09 (PS): Personnel security records cross-walk to system access provisioning.
  HR clearance evidence not linked to access grants fails PS on sample test.
- Q10 (MA): Internal and vendor maintenance access is logged, reviewed, and tied to a ticket.
  Vendor access without a ticket reference is the recurring MA family finding.
- Q11 (PE): Visitor and after-hours physical access is logged and retained 90+ days.
  Cleaning staff and visitor entries are routinely missed.
- Q12 (CM): Configuration baselines exist per system class and are version-controlled.
  Baselines that live in a Word document fail the CM family.
How the ranking is built
The twelve questions are not random. Each one targets a posture area that has driven an assessment finding for a contractor whose assessment we have read. The question wording is precise because the assessor's question is precise.
Each question contributes weighted risk to one or two NIST 800-171 families. A No answer applies the full weight; Partial applies half; Yes applies none. The fourteen families are then ranked by accumulated risk, and the top three are surfaced. A family scoring above 2.5 weighted points is labeled high risk.
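As an added illustration, not the page's own scoring code, the ranking described above in Python: the family mapping is taken from the question list, while the per-question weights and the treatment of unanswered questions are assumptions, since the page does not publish them.

```python
from dataclasses import dataclass

# The fourteen NIST SP 800-171 families that the page ranks.
FAMILIES = ("AC", "AT", "AU", "CA", "CM", "IA", "IR", "MA", "MP", "PE", "PS", "RA", "SC", "SI")
# Multiplier on a question's weight, as the page states: No = full, Partial = half, Yes = none.
ANSWER_FACTOR = {"no": 1.0, "partial": 0.5, "yes": 0.0}
HIGH_RISK_THRESHOLD = 2.5  # from the page: above 2.5 weighted points is high risk

@dataclass(frozen=True)
class Question:
    qid: str
    families: tuple   # one or two families the question maps to (from the page)
    weight: float     # ASSUMED placeholder; the page does not publish its weights

# Family mapping copied from the question list; the weights are assumptions.
QUESTIONS = (
    Question("Q01", ("IA", "AC"), 3.0),  # phishing-resistant MFA for privileged accounts
    Question("Q02", ("AU",), 2.0),       # 12+ months of online audit log retention
    Question("Q03", ("CA", "SC"), 3.0),  # signed authorization boundary diagram
    Question("Q04", ("IR",), 2.0),       # tabletop-exercised IR plan
    Question("Q05", ("CA",), 2.0),       # hand-authored SSP
    Question("Q06", ("SC",), 3.0),       # FIPS-validated cryptography by data class
    Question("Q07", ("SI", "RA"), 2.0),  # monthly scans with a closure SLA
    Question("Q08", ("MP", "AT"), 1.5),  # consistent CUI marking
    Question("Q09", ("PS",), 1.5),       # personnel records cross-walked to provisioning
    Question("Q10", ("MA",), 1.5),       # maintenance access logged and ticketed
    Question("Q11", ("PE",), 1.5),       # visitor / after-hours physical access logs
    Question("Q12", ("CM",), 2.0),       # version-controlled configuration baselines
)

def score_families(answers):
    """Accumulate weighted risk per family from {qid: "yes" | "partial" | "no"}.
    Unanswered questions count as "no" (a conservative assumption, not from the page)."""
    risk = {fam: 0.0 for fam in FAMILIES}
    for q in QUESTIONS:
        answer = answers.get(q.qid, "no").strip().lower()
        if answer not in ANSWER_FACTOR:
            raise ValueError(f"{q.qid}: expected yes/partial/no, got {answer!r}")
        for fam in q.families:
            risk[fam] += q.weight * ANSWER_FACTOR[answer]
    return risk

def rank_families(answers, top_n=3):
    """Top-N families as (family, risk, high_risk), highest risk first;
    ties break alphabetically so the output is stable."""
    ordered = sorted(score_families(answers).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(fam, pts, pts > HIGH_RISK_THRESHOLD) for fam, pts in ordered[:top_n]]
```

With the assumed weights, two "No" answers in families that share a question (CA or SC) are enough to cross the 2.5-point line, while a single "No" on a 2.0-weight question is not.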
The ranking is directional, not deterministic. The audit-grade answer is the artifact posture inside each family; we produce it in our two-week Gap Assessment engagement.