CMMC Self-Assessment Worksheet

Fillable worksheet covering all 15 Level 1 practices plus a Level 2 family-by-family scoring template, with evidence prompts for each control. Free, no obligation.

What's Inside

15 Level 1 practices, 14 Level 2 family scoring tables, evidence prompts.

Each Level 1 practice has a yes/no/partial column, a notes column for evidence references, and the underlying FAR 52.204-21 citation. Treat the "partial" column as a working note only: at Level 1 every practice must be assessed as MET, and the CMMC rule (32 CFR Part 170) does not allow a Level 1 shortfall to be carried on a POA&M. The Level 2 section gives one row per NIST SP 800-171 Rev. 2 control family (14 families) with a scoring template aligned to the DoD NIST SP 800-171 Assessment Methodology, the score reported to SPRS. That score starts at 110 and loses 1, 3 or 5 points for each requirement not implemented, so the range is 110 down to -203 rather than 0 to 110, and an open POA&M item is scored as not implemented.
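To make the Level 2 scoring rule concrete, here is an added Python example. It is not code from the worksheet or its publisher; it scores an assessment the way the DoD Assessment Methodology does (110 minus weighted deductions, reduced deduction for partial MFA and partial FIPS cryptography, POA&M items counted as not implemented, no score without an SSP). The requirement subset and the weights in it are constructed for illustration; the real per-requirement weights come from Annex A of the methodology.

```python
"""Added example (not the worksheet's own logic): scoring a NIST SP 800-171
assessment the way the DoD Assessment Methodology behind SPRS does.

Rules implemented, taken from the methodology:
  * start at 110 and subtract each unimplemented requirement's weight (1, 3 or 5);
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) lose only 3 points when
    partially implemented; a partial anywhere else is a full deduction;
  * an open POA&M item counts as not implemented;
  * 3.12.4 (the SSP) carries no points, but without it nothing can be assessed.
The requirement subset and weights below are constructed for illustration;
take the real per-requirement weights from Annex A of the methodology.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

MAX_SCORE = 110
MIN_SCORE = -203               # every scored requirement unimplemented
SSP_REQUIREMENT = "3.12.4"
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
UNMET = {"not implemented", "poam", "partial"}


@dataclass(frozen=True)
class Requirement:
    control_id: str
    family: str
    weight: int                # points deducted when not implemented


def deduction(req: Requirement, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    status = status.strip().lower()
    if status == "implemented":
        return 0
    if status == "partial" and req.control_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.control_id]
    if status in UNMET:
        return req.weight
    raise ValueError(f"unknown status {status!r} for {req.control_id}")


def sprs_score(requirements: Iterable[Requirement], statuses: Dict[str, str]) -> int:
    """Basic score as entered in SPRS. A blank worksheet row (missing key) is
    scored as not implemented, the conservative reading."""
    if statuses.get(SSP_REQUIREMENT, "").strip().lower() != "implemented":
        raise ValueError("no System Security Plan (3.12.4): assessment cannot be scored")
    lost = 0
    for req in requirements:
        if req.control_id == SSP_REQUIREMENT:
            continue           # the SSP itself carries no points
        lost += deduction(req, statuses.get(req.control_id, "not implemented"))
    score = MAX_SCORE - lost
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def family_summary(requirements: Iterable[Requirement],
                   statuses: Dict[str, str]) -> Dict[str, Tuple[int, int, int]]:
    """One worksheet row per control family: (implemented, total, points deducted)."""
    rows: Dict[str, Tuple[int, int, int]] = {}
    for req in requirements:
        if req.control_id == SSP_REQUIREMENT:
            continue
        lost = deduction(req, statuses.get(req.control_id, "not implemented"))
        met, total, deducted = rows.get(req.family, (0, 0, 0))
        rows[req.family] = (met + (1 if lost == 0 else 0), total + 1, deducted + lost)
    return rows


# Constructed subset of requirements; weights are illustrative, not Annex A values.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", "AC", 5),
    Requirement("3.1.2", "AC", 5),
    Requirement("3.1.20", "AC", 1),
    Requirement("3.3.1", "AU", 5),
    Requirement("3.5.3", "IA", 5),
    Requirement("3.12.4", "CA", 0),
    Requirement("3.13.11", "SC", 5),
    Requirement("3.14.1", "SI", 5),
]

# Constructed worksheet answers for a shop part-way through remediation.
SAMPLE_STATUSES = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.20": "poam",          # on the POA&M: scored as not implemented
    "3.3.1": "not implemented",
    "3.5.3": "partial",        # MFA for admins only: reduced deduction of 3
    "3.12.4": "implemented",
    "3.13.11": "partial",      # encryption in use but not FIPS-validated: 3
    "3.14.1": "implemented",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES))
    for fam, (met, total, lost) in sorted(family_summary(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES).items()):
        print(f"{fam}: {met}/{total} implemented, {lost} points deducted")
```

With the constructed answers the sample scores 98: one point for the POA&M'd 3.1.20, five for the unimplemented audit control, and three each for the two partial-credit requirements. Swap the "partial" on 3.3.1 and it costs the full five, which is the trap most first-time self-assessors fall into.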

The 15 Level 1 Practices

These track the fifteen basic safeguarding requirements in FAR 52.204-21(b)(1)(i) through (xv) one-to-one; the CMMC rule numbers them AC.L1-b.1.i through SI.L1-b.1.xv.

  1. Limit information system access to authorised users, processes acting on behalf of authorised users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorised users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organisational information systems.
  7. Sanitise or destroy information system media containing FCI before disposal or release for reuse.
  8. Limit physical access to organisational information systems, equipment, and the respective operating environments to authorised individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organisational communications (information transmitted or received by organisational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organisational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Free download — drop your work email

We'll unlock the template immediately and add you to our dealership-security list (unsubscribe any time).

By submitting, you agree to our Privacy Policy. We don't sell or share your information.

The worksheet is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters

The DoD enforces. Your prime checks. Your IT shop can't draft this for you.

The annual affirmation is a legal attestation.

Misrepresenting your posture is a False Claims Act exposure. Recent settlements have hit $9M. A real self-assessment is the prerequisite to a defensible affirmation.

Your prime checks before they place a PO.

Primes are already filtering subcontractors on CMMC readiness before contract award. A documented self-assessment makes you visible to that filter.

Most shops can't produce the documentation.

The controls might be in place, but without a written self-assessment, a written SSP, and a written POA&M you fail any meaningful review. This worksheet starts the documentation.

Want the controls behind the worksheet?

The worksheet is the documentation. The actual controls still need to be built and operated: MFA, EDR, logging, awareness training, and an SSP that holds up to a Level 1 self-assessment and, at Level 2, to a C3PAO.

See CMMC Solutions