achieving-cmmc-level-2-compliance

Installation
SKILL.md

Achieving CMMC Level 2 Compliance

When to Use

  • When an organization in the Defense Industrial Base (DIB) stores, processes, or transmits Controlled Unclassified Information (CUI) under a DoD contract.
  • When a contract includes DFARS 252.204-7012 (safeguarding/incident reporting), -7019/-7020 (NIST 800-171 self-assessment + SPRS), or the new -7021 (CMMC requirement).
  • When preparing for a C3PAO third-party assessment or a DoD-led assessment.
  • When you must compute, post, or improve an SPRS score based on the NIST SP 800-171 DoD Assessment Methodology.
  • When authoring or remediating a System Security Plan (SSP) and POA&M for the 110 requirements.
  • When scoping which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).

Prerequisites

  • Knowledge of which contracts carry CUI and the CUI categories involved (check the contract and the DoD CUI Registry).
  • An asset inventory and network diagram so you can define the CMMC assessment scope before assessing controls.
  • The NIST SP 800-171 Rev 2 requirements and the DoD Assessment Methodology scoring weights.
  • A documented SSP (its absence is itself a failed requirement — 3.12.4).
  • Identification of any External Service Providers (ESPs) / cloud services touching CUI, and whether they meet FedRAMP Moderate (or equivalency).
Installs
96
GitHub Stars
24.8K
First Seen
Jun 20, 2026
achieving-cmmc-level-2-compliance — mukul975/anthropic-cybersecurity-skills