CMMC Self-Assessment

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for protecting sensitive information. Use this free tool to evaluate your organization's compliance posture and get plain-English guidance on each control.

Select your assessment level below to begin.

Level 1

Basic Cyber Hygiene

Foundational cybersecurity practices for protecting Federal Contract Information (FCI). Focuses on basic access control, authentication, media protection, physical security, and boundary protection.

7 Controls

Level 2

Intermediate Cyber Hygiene

Advanced practices for protecting Controlled Unclassified Information (CUI). Adds documentation requirements, CUI flow control, encryption policies, and external system connection management.

8 Controls

Frequently Asked Questions

What is CMMC?

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for ensuring that defense contractors adequately protect sensitive information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It establishes required cybersecurity practices across multiple maturity levels.

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers basic cyber hygiene with 17 practices focused on protecting Federal Contract Information (FCI). Level 2 requires intermediate cyber hygiene with 110 practices aligned with NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), including documentation requirements and regular reviews.

Who needs CMMC certification?

Any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a Department of Defense contract needs CMMC certification. This includes prime contractors, subcontractors, and suppliers in the defense industrial base.

Can I self-assess for CMMC compliance?

CMMC Level 1 allows annual self-assessment. Level 2 may require either self-assessment or third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization), depending on the type of information handled. Level 3 requires government-led assessments. A self-assessment tool like ours helps you understand your current posture before an official assessment.

How long does it take to become CMMC compliant?

The timeline varies based on your current security posture. Organizations with existing cybersecurity practices may need a few months to document and formalize processes. Organizations starting from scratch may need 6-18 months to implement all required controls, develop policies, and build the necessary documentation for Level 2 compliance.

This tool is for self-assessment purposes only and does not constitute an official CMMC certification. Official CMMC certification requires assessment by a CMMC Third-Party Assessment Organization (C3PAO). Contact us for guidance on your certification journey.
