Files
Anthropic-Cybersecurity-Skills/skills/achieving-cmmc-level-2-compliance/assets/template.md
T
andrewibrah e8832748d3 Add 5 skills: GRC (800-30, RMF, CMMC, HIPAA, TPRM)
- conducting-cyber-risk-assessment-with-nist-800-30
- executing-nist-rmf-authorization-to-operate
- achieving-cmmc-level-2-compliance
- implementing-hipaa-security-rule-safeguards
- managing-third-party-vendor-risk

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 09:57:31 -04:00

3.7 KiB

CMMC Level 2 Readiness Report — Worked Example

Filled example for a small DIB manufacturer handling CUI on a segmented enclave. Replace bracketed content for your own organization.

1. Applicability & CUI Categories

  • Contract drivers: Prime subcontract with DFARS 252.204-7012 and -7021; CUI present → CMMC Level 2 required.
  • CUI categories (from contract + DoD CUI Registry): Controlled Technical Information (CTI), Export Controlled (EAR).
  • Target assessment path: Triennial C3PAO certification (Phase 2 applies from Nov 10, 2026).

2. Scope (CMMC Level 2 Scoping Guide)

Category Examples in this environment
CUI Assets Engineering workstations, CUI file share, the segmented "Enclave-1" VLAN
Security Protection Assets EDR console, SIEM, firewall, IdP/MFA, jump host
Contractor Risk Managed General corporate laptops (policy-blocked from CUI)
Specialized Assets CNC machine controllers (documented, isolated)
Out-of-Scope Guest Wi-Fi, marketing SaaS

Boundary note: CUI is confined to Enclave-1 behind segmentation and MFA. Deliberately minimized to shrink the assessment surface. See network diagram CUI-boundary-v3.

3. Control Status by Family (NIST SP 800-171 Rev 2)

(summary; full per-requirement status lives in the SSP)

Family Met Partial Not Met N/A
3.1 Access Control 22 0 0 0
3.3 Audit & Accountability 8 0 1 0
3.5 Identification & Auth 10 1 0 0
3.8 Media Protection 8 0 1 0
3.13 System & Comms Protection 15 0 1 0
3.14 System & Info Integrity 6 0 1 0
(others) all met

4. SPRS Score

(computed by scripts/process.py from the control-status JSON)

  • Score: 97 / 110 (started at 110; deducted 13).
  • Gap to perfect: 13 points across 4 not-met + 1 partial requirement.
  • Conditional threshold (≥ 88): MET (margin 9) — eligible for Conditional status if the remaining items are POA&M-eligible.
  • Posted to SPRS: score, SSP date, and assessment scope.

5. POA&M (eligibility-checked)

ID Requirement Points Eligibility Remediation Owner Milestone (≤180d)
3.3.1 Audit log generation/coverage 5 Verify — high weight; confirm against 32 CFR 170 Enable full audit policy + ship to SIEM SecOps 2026-07-30
3.13.11 FIPS-validated cryptography 3 Verify eligibility Replace non-validated module with FIPS 140-validated Infra 2026-08-15
3.5.3 MFA (partial) 3 Partial-credit control Extend MFA to remaining admin paths IAM 2026-07-20
3.8.9 Backup CUI protection 1 Eligible Encrypt + access-control backup store Infra 2026-08-31
3.14.1 Flaw remediation 1 Eligible Formalize patch SLA + tracking IT 2026-08-31

The two 3-point and one 5-point items must clear eligibility review; the highest-weighted security requirements generally cannot remain on a POA&M. All items close within 180 days to convert Conditional → Final.

6. Assessment Path

  • Type: C3PAO certification assessment.
  • Target window: Q4 2026, after POA&M closure of the high-weight items.
  • Affirmation owner: [senior official] files the annual affirmation in SPRS.

7. Remediation Roadmap (sequenced by point value, then effort)

  1. 3.3.1 audit logging (5 pts) — biggest score lever and likely POA&M-ineligible → do first.
  2. 3.13.11 FIPS crypto (3 pts) and 3.5.3 MFA gap (3 pts) — close to remove eligibility risk.
  3. 3.8.9, 3.14.1 (1 pt each) — low-effort cleanups before the C3PAO date.
  4. Re-run the SPRS calculator after each closure; goal is 110 before assessment.