Tool
CMMC Level 2 readiness quiz
Twenty questions across the NIST SP 800-171 control families that drive most CMMC Level 2 assessment outcomes. Each answer maps to a 0-to-3 maturity score. At the end you get a total, a gap list (questions you answered 0 or 1), and a recommended next step tied to where you land.
1. Access Control: Multi-factor authentication is enforced on all privileged accounts (domain admin, cloud admin, security tools).
2. Access Control: Session timeout policies are applied to systems that store or process CUI.
3. Awareness and Training: Personnel who handle CUI complete annual CUI-specific training with tracked completion records.
4. Audit and Accountability: Logs from systems that process CUI are aggregated into a central SIEM or log platform.
5. Audit and Accountability: Security-relevant logs are retained for at least 12 months and protected against tampering.
6. Configuration Management: Baseline configurations are documented for each system type and enforced through technical controls.
7. Configuration Management: A documented change management process is used for systems in the CUI environment, with approval and rollback steps.
8. Identification and Authentication: Every user has a unique account (no shared accounts for CUI system access).
9. Identification and Authentication: Phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators, PIV/CAC smart cards) is used for CUI access, not SMS or TOTP alone. NIST SP 800-171 3.5.3 requires MFA but not a phishing-resistant form; this question deliberately sets the higher bar.
10. Incident Response: A documented incident response plan exists and has been tested through a tabletop or live exercise within the past 12 months.
11. Maintenance: Remote maintenance activities on CUI systems are logged, authorized in advance, and terminated when complete.
12. Media Protection: Media sanitization procedures are documented and followed for disposal of any media that stored CUI.
13. Personnel Security: Background checks are completed before granting access to CUI, with periodic revalidation.
14. Physical Protection: Physical access to facilities that house CUI systems is controlled and logged.
15. Risk Assessment: A documented risk assessment is completed at least annually and drives the security roadmap.
16. Risk Assessment: Vulnerability scanning runs monthly or more frequently across the CUI environment.
17. Security Assessment: Security control effectiveness is assessed annually through an internal or third-party review.
18. System and Communications Protection: CUI in transit is protected using FIPS 140-2 or 140-3 validated cryptography (a validated module operating in its approved mode, not merely a FIPS-approved algorithm).
19. System and Communications Protection: Network segmentation separates CUI systems from general corporate networks and non-CUI workloads.
20. System and Information Integrity: Flaw remediation is performed on a defined cadence (within 30 days for high-severity vulnerabilities, faster for critical). NIST SP 800-171 3.14.1 only says "in a timely manner"; the 30-day bar is this quiz's.
Your answers stay in your browser. Nothing is submitted anywhere.
What CMMC Level 2 certification actually requires
CMMC Level 2 is aligned to NIST SP 800-171 Rev 2 (110 security requirements across 14 families). For most contractors handling Controlled Unclassified Information (CUI), a certified third-party assessment organization (C3PAO) must verify that all 110 requirements are implemented. The CMMC scoring methodology assigns each requirement a weight of 1, 3 or 5 points and deducts that weight from a maximum of 110 for every requirement found not met (two requirements, 3.5.3 multi-factor authentication and 3.13.11 FIPS-validated cryptography, lose 3 points instead of 5 when a lesser implementation exists). A conditional certification with open POA&M (Plan of Action and Milestones) items is possible only within narrow limits: the score must be at least 88 of 110, only 1-point requirements may be left open (3.13.11 may also be open at 3 points), a handful of 1-point requirements such as external connections (3.1.20), public information (3.1.22) and the physical access requirements (3.10.3 through 3.10.5) may never be open, and every open item must be closed and verified within 180 days or the conditional status lapses.
The contractual trigger is DFARS 252.204-7021 (the CMMC clause), which has been rolling into DoD solicitations on a phased schedule. If your next recompete or new award includes the CMMC clause and you are not certified at the required level by the award date, you will not be eligible. This is a procurement gate, not a best-practice recommendation.
How the readiness score is calculated
Each question maps to a representative control (or in some cases a small cluster of related controls). You pick one of four maturity levels: 0 (not implemented), 1 (partially implemented, no documented evidence), 2 (implemented with some documentation), 3 (fully implemented with evidence continuously generated). Your total is out of 60 points, converted to a percentage, and placed into one of four bands.
The bands are calibrated against the gap between "the control is working" and "an assessor can verify the control is working" (which is typically where programs get caught in pre-assessment). A score above 85 percent means your controls are not only in place but evidenced well enough to survive an assessment. A score in the 60 to 85 range means controls are real but evidence is incomplete. Below 60 and you are in remediation program territory (6 to 12 months of focused work).
What the quiz does not cover
This is a 20-question self-assessment against a 110-requirement standard. Every one of the 14 families gets at least one question; access control, audit and accountability, configuration management, identification and authentication, risk assessment, and system and communications protection get two each because they drive most readiness gaps. It does not evaluate your System Security Plan, your POA&M discipline, your scoping decisions around CUI boundaries, or the specific implementation of any individual control. It is not a substitute for a gap assessment and it is not a pre-assessment readiness review.
It also does not tell you what CUI you actually have or where it flows. CUI scoping is the single most expensive mistake in a CMMC program (either overscoping and making every system in-bounds, or underscoping and missing systems that process CUI through indirect channels like shared file stores, email distribution lists, or developer build pipelines). If you are not certain about your CUI inventory and data flows, start there before worrying about control implementation.
Next steps based on your score
Below 30 percent the program needs structural work first (CUI inventory, scoping, System Security Plan, and baseline configurations) before individual control hardening will move the needle. Between 30 and 60 percent, a targeted remediation program focused on the lowest-scoring families typically closes the gap in 3 to 6 months. Between 60 and 85 percent you are close enough that a formal gap assessment against all 110 controls is the right next step. Above 85 percent you are ready to engage a C3PAO on a pre-assessment basis and schedule the certified assessment.
Regardless of score, do not wait until the CMMC clause appears in a solicitation to begin the program. Lead time from "start remediation" to "certified" runs 9 to 18 months for most mid-sized contractors. If the solicitation window is tighter than that, you are not winning that award.