CMMC Readiness Assessment
Free CMMC Readiness Assessment: Where Do You Stand?
9 questions. 5 minutes. You'll get your readiness signal, likely CMMC level, and a clear next step — from a navigator with no software to sell you.
Step 1 — Does this apply to you?
Let's confirm CMMC applies to you.
Does your company hold or pursue contracts with the U.S. Department of Defense?
Do you handle Controlled Unclassified Information (CUI)?
Things like technical drawings, engineering specs, or data your prime sends you.
CMMC may not apply to you.
CMMC requirements flow through DoD contracts. If your company doesn't hold DoD contracts, you're likely outside the scope — but it's worth a quick check.
How to verify:
- Check if any of your customers are DoD prime contractors (you may be a sub without knowing it)
- Review your contracts for DFARS clauses (look in Section I for 252.204-7012 or 252.204-7021)
- Ask your customers if they flow down cybersecurity or CMMC requirements
This assessment provides indicative guidance only and does not constitute a formal compliance determination. A scoping conversation is recommended to confirm your requirements.
Know Your Gaps Before You Start
Starting a CMMC compliance program without knowing your current state is like renovating a building without an inspection report. You need to know what's broken before you can fix it — and a readiness assessment is how you find out.
A CMMC readiness assessment identifies gaps between your current cybersecurity practices and the requirements for your target level. For Level 1, that means 17 practices. For Level 2, it's 110 NIST SP 800-171 controls. Most companies have partial compliance — they've implemented some controls naturally through good IT hygiene — but the gaps are where risk and cost live.
This free assessment covers 9 key control domains most commonly deficient in small to mid-sized defense contractors: access control, incident response, media protection, configuration management, audit and accountability, identification and authentication, risk assessment, system and communications protection, and system and information integrity.
In under 5 minutes, you'll get a readiness signal across these domains plus a prioritized list of areas needing attention before a formal assessment. This is designed as a first-look tool — not a replacement for a formal gap analysis, but a strong indicator of where to focus first.
Frequently Asked Questions: CMMC Readiness Assessment
What is a CMMC readiness assessment?
A CMMC readiness assessment evaluates your current cybersecurity practices against the requirements for your target CMMC level. It identifies gaps — controls you haven't implemented — so you can prioritize remediation before a formal C3PAO assessment.
How is this different from the official CMMC assessment?
This is a self-assessment tool for internal planning. An official CMMC Level 2 assessment is conducted by an authorized C3PAO and produces results submitted to the DoD's SPRS system. This tool helps you prepare for that process by identifying your current state.
What is SPRS and why does it matter?
SPRS (Supplier Performance Risk System) is the DoD portal where contractors submit their NIST SP 800-171 self-assessment scores. A score must be on file before you can be awarded certain DoD contracts. Scores range from -203 to 110, with 110 being full compliance.
What are the most common CMMC compliance gaps?
The most frequently deficient control areas are: access control (especially multi-factor authentication), incident response planning, configuration management, audit log review, and system and communications protection. These domains often require dedicated tooling and documented processes that small businesses haven't formalized.
How long does it take to become CMMC compliant after an assessment?
Timeline depends on your gap score. Companies with strong IT hygiene may need 3–6 months to close gaps. Companies starting from scratch typically need 12–18 months. Budget, internal resources, and whether you use an MSP/MSSP all affect the timeline significantly.
Do I need to hire a consultant for a readiness assessment?
Not for a preliminary check. This free tool gives you a directional readiness signal at no cost. For a formal gap analysis tied to a remediation roadmap, a Registered Practitioner Organization (RPO) can provide a more detailed evaluation — typically costing $3,000–$15,000.
Next Step
Know your gaps? See what it will cost to close them.
Use the cost estimator to understand the investment required to reach your target CMMC level.