CMMC Level 2 System Assessment Report (SAR)

🎓 Student Instructions

Click ✏️ Edit Mode to unlock all narrative text blocks — click again to lock them. All inline fields (tables, findings) are always editable.
Work through each of the 8 sections to build a complete SAR for your assigned case study company.
In Section 4, click "+ Add Finding" for each control you assessed. Set its status (MET / NOT MET / CONDITIONAL) and complete all fields.
Tables in Sections 3, 5, 6 have + Add Row buttons — click to expand them.
Use 💾 Save (Ctrl+S) to preserve work in your browser, or 📤 Export JSON to download a file.
Click any section header bar to expand or collapse that section.
Use 🖨️ Print / PDF to generate your final submission — all tool controls will be hidden.

1Executive Summary

▼

Assessment Overview

Organization Information

Organization:

Location:

Employees:

Business Type:

Assessment Level:

Assessment Date(s):

Overall Score

Controls Met

Total Controls

Score %

[Enter scores above]

Certification status will appear here

Key Findings Summary

2Assessment Methodology & Scope

▼

Assessment Approach

Assessment Scope

Assessment Limitations

3Assessment Team Credentials

▼

C3PAO Information

Assessment Organization:

C3PAO Authorization Number:

ISO 17020 Certification:

Assessment Team Members

Name	Role	Certification #	Experience	Actions
No team members added — click "Add Team Member" below.

4Detailed Security Control Findings

▼

Control Assessment Results

Add one finding card per control assessed. Set its status, then complete all fields. Use the control family prefix format: AC.L2-3.1.1, AU.L2-3.3.1, etc.

No findings added yet — click the button below to add your first control finding.

5Risk Assessment & Impact Analysis

▼

Risk Summary

Risk Category	Risk Level	Count	Potential Impact	Actions
No risk categories added — click "Add Risk Category" below.

Overall Risk Determination

Risk Mitigation Recommendations

6Plan of Action & Milestones (POA&M)

▼

Required Remediation Items

Control ID	Control Name	Priority	Target Date	Responsible Party	Actions
No POA&M items — click "Add POA&M Item" below.

POA&M Closeout Requirements

7Recommendations for Improvement

▼

Strategic Recommendations

Technical Improvements

Process Improvements

8Certification Decision

▼

Assessment Conclusion

Certification Determination

Certification Details

Certificate Number:

Issue Date:

Expiration Date:

Annual Reaffirmation Required:

Re-assessment Required:

Conditions for Final Certification

Assessor Signature

Lead Certified CMMC Assessor:

Date:

C3PAO Organization: