achieving-cmmc-level-2-compliance
Installation
SKILL.md
Achieving CMMC Level 2 Compliance
When to Use
- When an organization in the Defense Industrial Base (DIB) stores, processes, or transmits Controlled Unclassified Information (CUI) under a DoD contract.
- When a contract includes DFARS 252.204-7012 (safeguarding/incident reporting), -7019/-7020 (NIST 800-171 self-assessment + SPRS), or the new -7021 (CMMC requirement).
- When preparing for a C3PAO third-party assessment or a DoD-led assessment.
- When you must compute, post, or improve an SPRS score based on the NIST SP 800-171 DoD Assessment Methodology.
- When authoring or remediating a System Security Plan (SSP) and POA&M for the 110 requirements.
- When scoping which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).
Prerequisites
- Knowledge of which contracts carry CUI and the CUI categories involved (check the contract and the DoD CUI Registry).
- An asset inventory and network diagram so you can define the CMMC assessment scope before assessing controls.
- The NIST SP 800-171 Rev 2 requirements and the DoD Assessment Methodology scoring weights.
- A documented SSP (its absence is itself a failed requirement — 3.12.4).
- Identification of any External Service Providers (ESPs) / cloud services touching CUI, and whether they meet FedRAMP Moderate (or equivalency).