CMMC Level 2 Assessment Guide

The CMMC Level 2 Assessment Guide provides detailed instructions for conducting assessments against the 110 security requirements outlined in NIST SP 800-171, which are mandatory for protecting Controlled Unclassified Information (CUI).

This guide is used by both organizations performing self-assessments and Certified Third-Party Assessment Organizations (C3PAOs) conducting formal evaluations. It includes:

Assessment objectives for each requirement based on NIST SP 800-171A.

Methods for evaluating implementation, such as interviews, examinations, and testing.

Guidance on scoring and findings, including classifications like MET, NOT MET, or NOT APPLICABLE.

Documentation requirements, particularly for System Security Plans (SSPs), policies, and procedures.

Clarifications for specialized or risk-managed assets, in line with the Level 2 Scoping Guidance.

The guide ensures consistency, accuracy, and transparency in evaluating whether an organization adequately protects CUI in accordance with DoD requirements.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
