CMMC Readiness Assessment Questionnaire | By Petronella Technology Group
Complete this questionnaire to determine your organization's readiness for a CMMC assessment. Answer honestly -- the goal is to identify areas needing attention before your formal assessment.
Organization Profile
| Field | Details |
|---|---|
| Organization | |
| Industry | |
| Number of Employees | |
| Target CMMC Level | Level 1 / Level 2 |
| Assessment Type | Self / C3PAO |
| Target Assessment Date | |
| Completed By | |
| Date | |
Section 1: Scoping and Preparation
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 1.1 | Have you identified all contracts that require CMMC certification? | ||||
| 1.2 | Have you identified the type of data you handle (FCI only vs. CUI)? | ||||
| 1.3 | Have you defined your CMMC assessment scope (CUI boundary)? | ||||
| 1.4 | Have you categorized all assets (CUI Assets, Security Protection Assets, Contractor Risk Managed, Specialized, Out-of-Scope)? | ||||
| 1.5 | Have you created a complete asset inventory (hardware, software, cloud services)? | ||||
| 1.6 | Have you created network architecture and data flow diagrams? | ||||
| 1.7 | Have you identified all business associates/subcontractors who handle CUI? | ||||
| 1.8 | Have your subcontractors achieved, or are they pursuing, their own CMMC certification? | | | | |
Section Score: _____ / 8
Section 2: Documentation
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 2.1 | Do you have a System Security Plan (SSP) that documents all 110 controls? | ||||
| 2.2 | Is the SSP specific to your environment (not generic template language)? | ||||
| 2.3 | Do you have documented security policies covering all 14 CMMC domains? | ||||
| 2.4 | Do you have documented security procedures for implementing each policy? | ||||
| 2.5 | Do you have a current risk assessment (within the last 12 months)? | ||||
| 2.6 | Do you have a documented incident response plan? | ||||
| 2.7 | Do you have a Plan of Action and Milestones (POA&M) for open gaps? | ||||
| 2.8 | Are all policies and procedures reviewed and updated at least annually? | ||||
| 2.9 | Can you produce evidence (artifacts) for every control marked as MET? | | | | |
Section Score: _____ / 9
Section 3: Technical Controls
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 3.1 | Is multi-factor authentication (MFA) enforced for all users? | ||||
| 3.2 | Is FIPS-validated encryption used for CUI at rest? | ||||
| 3.3 | Is FIPS-validated encryption used for CUI in transit? | ||||
| 3.4 | Do you have centralized audit logging (SIEM or equivalent)? | ||||
| 3.5 | Are audit logs reviewed regularly for suspicious activity? | ||||
| 3.6 | Do you perform periodic vulnerability scanning? | ||||
| 3.7 | Is there a formal patch management process with documented timelines? | ||||
| 3.8 | Is endpoint protection deployed on all systems with centralized management? | ||||
| 3.9 | Are system baselines documented and enforced (CIS Benchmarks, GPO)? | ||||
| 3.10 | Is network segmentation implemented to isolate CUI systems? | ||||
| 3.11 | Is split tunneling prevented on VPN connections? | ||||
| 3.12 | Are removable media (USB) controlled via policy and technology? | ||||
| 3.13 | Are mobile devices managed (MDM) with encryption enforced? | ||||
| 3.14 | Is DNS filtering / web content filtering deployed? | ||||
| 3.15 | Are email security controls in place (SPF, DKIM, DMARC, anti-phishing)? | | | | |
Section Score: _____ / 15
Section 4: Administrative Controls
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 4.1 | Is there a designated security official (ISSO or equivalent)? | ||||
| 4.2 | Is security awareness training conducted at least annually for all users? | ||||
| 4.3 | Does training include insider threat awareness? | ||||
| 4.4 | Are background checks performed before granting access to CUI? | ||||
| 4.5 | Is there a formal account provisioning/deprovisioning process? | ||||
| 4.6 | Are access reviews conducted periodically (at least quarterly)? | ||||
| 4.7 | Is there a formal change management process? | ||||
| 4.8 | Has the incident response plan been tested (tabletop exercise) in the last 12 months? | ||||
| 4.9 | Are backup and recovery procedures tested regularly? | ||||
| 4.10 | Is there a supply chain risk management process for CUI-related vendors? | | | | |
Section Score: _____ / 10
Section 5: Physical Controls
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 5.1 | Is physical access to CUI processing areas controlled (badges, locks)? | ||||
| 5.2 | Are visitors escorted in areas with CUI systems? | ||||
| 5.3 | Are physical access logs maintained and reviewed? | ||||
| 5.4 | Are media sanitization/destruction procedures followed with documentation? | ||||
| 5.5 | Are safeguards in place for remote work / alternate work sites? | | | | |
Section Score: _____ / 5
Section 6: Cloud and External Services
| # | Question | Yes | No | Partial | Notes |
|---|---|---|---|---|---|
| 6.1 | Are the cloud services used for CUI FedRAMP Moderate authorized (or equivalent)? | | | | |
| 6.2 | Is the cloud shared responsibility model documented and understood? | ||||
| 6.3 | Are cloud configurations reviewed against security benchmarks? | ||||
| 6.4 | Are external service provider agreements (SLAs) in place with security requirements? | ||||
| 6.5 | Is CUI data residency understood and documented (no unauthorized offshore storage)? | | | | |
Section Score: _____ / 5
Overall Readiness Score
| Section | Score | Max | Percentage |
|---|---|---|---|
| 1. Scoping and Preparation | | 8 | |
| 2. Documentation | | 9 | |
| 3. Technical Controls | | 15 | |
| 4. Administrative Controls | | 10 | |
| 5. Physical Controls | | 5 | |
| 6. Cloud and External Services | | 5 | |
| Total | | 52 | |
Readiness Interpretation
| Score Range | Readiness Level | Recommendation |
|---|---|---|
| 90-100% | Assessment Ready | Schedule your assessment |
| 70-89% | Nearly Ready | Address remaining gaps (1-3 months) |
| 50-69% | Significant Work Needed | Develop remediation plan (3-6 months) |
| Below 50% | Major Gaps | Engage compliance partner (6-12 months) |
Top Action Items
Based on this assessment, the top priorities for remediation are:
| Priority | Gap Area | Action Required | Target Date |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
Need help getting assessment-ready? Contact Petronella Technology Group -- CMMC Registered Practitioner on staff, 2,500+ companies protected.