CMMC Level 2 System Assessment Report

Training Tool - ACME Technology Services Corporation

1 Executive Summary

Assessment Overview

This System Assessment Report (SAR) documents the independent evaluation of ACME Technology Services Corporation's implementation of the security requirements for CMMC Level 2. The assessment was conducted by Certified CMMC Assessors (CCAs) from an authorized C3PAO against the 110 security requirements of NIST SP 800-171 Rev 2, as adopted by the CMMC 2.0 program.

Organization Information

  • Organization: ACME Technology Services Corporation
  • Location: El Paso, Texas
  • Employees: 64
  • Business Type: Defense contractor providing uniform and textile logistics services to the U.S. Army
  • Assessment Level: CMMC Level 2
  • Assessment Period: June 10-14, 2025
  • Report Date: June 15, 2025

Overall Score: 92 of 110 practices MET (84%)

Conditional Certification Achieved

Key Findings

ACME Technology Services Corporation has demonstrated a strong cybersecurity posture, with 92 of the 110 NIST SP 800-171 Rev 2 practices assessed as MET (84%), above the 80% minimum required for a conditional Level 2 certification. The remaining 18 practices must be remediated and verified through a C3PAO POA&M closeout assessment within 180 days of the assessment (by December 12, 2025).

2 Assessment Methodology & Scope

Assessment Approach

The assessment followed the CMMC Assessment Process (CAP) version 2.0 methodology, employing multiple evaluation methods:

  • Document Review: System Security Plan (SSP), policies, procedures, and technical documentation
  • Interviews: Key personnel responsible for security control implementation
  • System Testing: Technical validation of security controls and configurations
  • Physical Inspection: On-site evaluation of physical security measures

Assessment Scope

The assessment scope included all systems and assets that process, store, or transmit Controlled Unclassified Information (CUI):

In-Scope CUI Assets

  • Primary Data Server (CUI-001)
  • Azure Cloud Backup Repository (CUI-002)
  • Contract Coordinator Workstations (CUI-003 to CUI-005)
  • CISO Management Workstation (CUI-006)
  • Secure File Server (CUI-007)

Security Protection Assets

  • Enterprise Firewall (SPA-001)
  • VPN Gateway (SPA-002)
  • Endpoint Protection System (SPA-004)
  • SIEM Platform (SPA-005)
  • Badge Access Control System (SPA-006)

3 Assessment Team Credentials

C3PAO Information

Assessment Organization: SecureAssess C3PAO LLC

C3PAO Authorization Number: C3PAO-2025-001

ISO 17020 Certification: Valid through December 2026

Assessment Team Members

Name            | Role                               | Certification | Experience
Sarah Mitchell  | Lead Certified CMMC Assessor (CCA) | CCA-2024-156  | 8 years cybersecurity, 3 years CMMC
James Rodriguez | Certified CMMC Professional (CCP)  | CCP-2024-342  | 12 years IT security, 2 years CMMC
Dr. Emily Chen  | Quality Control Lead               | CCA-2023-089  | 15 years security assessments

4 Detailed Security Control Findings

Control Assessment Results

AC.1.001 (NIST SP 800-171 3.1.1) - Authorized Access Control: MET

Control Description: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Implementation Status: ACME has implemented Active Directory-based account management with proper user lifecycle management processes.

Evidence Reviewed: Account creation procedures, termination checklists, regular access reviews

Assessment Method: Document review, system inspection, staff interviews

AC.1.002 (NIST SP 800-171 3.1.2) - Transaction and Function Control: MET

Control Description: Limit information system access to the types of transactions and functions authorized users are permitted to execute.

Implementation Status: Role-based access controls properly implemented through Active Directory groups and application-level permissions.

Evidence Reviewed: Role matrices, permission configurations, access testing results

AU.2.041 (NIST SP 800-171 3.3.5) - Audit Record Correlation: NOT MET

Control Description: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, or unusual activity.

Implementation Status: The SIEM platform (SPA-005) is deployed and ingests audit records, but the correlation rules that would link events across sources for investigative purposes are incomplete.

Gap Identified: No formal, documented correlation procedures, and too few automated alerting rules to turn correlated events into investigation and response actions.

Remediation Required: Document the correlation procedures (which sources are correlated, on what fields, and who acts on the results) and implement the corresponding SIEM rules and alerts within 180 days.
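The kind of correlation logic this finding asks for, shown as an added example written for this report rather than ACME's actual SIEM content. The log format, the source names ("vpn" for the VPN Gateway and "dc" for a domain controller), the event vocabulary, the thresholds and the sample lines are all assumed; a real deployment would express the same rule in the SIEM's own query language and feed it from the audit records of the in-scope assets.

```python
"""Audit-record correlation across two log sources (added illustrative example).

Rule 1: FAIL_THRESHOLD or more logon failures from one source IP within
        FAIL_WINDOW, followed by a successful logon from that IP.
Rule 2: a privileged group change within PRIV_WINDOW of a Rule 1 hit.
Assumed log format: '<ISO timestamp> <source> <action> user=<u> ip=<ip>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # assumed: "vpn" (VPN Gateway) or "dc" (domain controller)
    action: str   # assumed vocabulary: logon_fail, logon_ok, group_add
    user: str
    src_ip: str


def parse(line: str) -> Event:
    """Parse one normalized log line into an Event (format is an assumption)."""
    ts, source, action, user, ip = line.split()
    return Event(datetime.fromisoformat(ts), source, action,
                 user.split("=", 1)[1], ip.split("=", 1)[1])


# Constructed sample data: a failure burst followed by a success and a
# privileged group change, plus a benign single failure that must not alert.
SAMPLE_LOG = """\
2025-06-12T09:00:01 vpn logon_fail user=jdoe ip=203.0.113.7
2025-06-12T09:00:09 vpn logon_fail user=jdoe ip=203.0.113.7
2025-06-12T09:00:15 vpn logon_fail user=jdoe ip=203.0.113.7
2025-06-12T09:00:40 vpn logon_ok user=jdoe ip=203.0.113.7
2025-06-12T09:03:12 dc group_add user=jdoe ip=203.0.113.7
2025-06-12T10:15:00 vpn logon_fail user=asmith ip=198.51.100.4
2025-06-12T10:30:00 vpn logon_ok user=asmith ip=198.51.100.4
"""

FAIL_THRESHOLD = 3                   # failures from one IP ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window, then a success
PRIV_WINDOW = timedelta(minutes=15)  # privileged change this soon after escalates


def correlate(events):
    """Return alerts as (rule, user, src_ip, timestamp) tuples in time order."""
    alerts = []
    fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    flagged = {}                # src_ip -> (ts, user) of a success after a burst
    for e in sorted(events, key=lambda ev: ev.ts):
        recent = [t for t in fails[e.src_ip] if e.ts - t <= FAIL_WINDOW]
        if e.action == "logon_fail":
            fails[e.src_ip] = recent + [e.ts]
        elif e.action == "logon_ok":
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_then_success", e.user, e.src_ip, e.ts))
                flagged[e.src_ip] = (e.ts, e.user)
            fails[e.src_ip] = []          # a success ends the current burst
        elif e.action == "group_add":
            hit = flagged.get(e.src_ip)
            if hit is not None and e.ts - hit[0] <= PRIV_WINDOW:
                alerts.append(("priv_change_after_flagged_logon", e.user, e.src_ip, e.ts))
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return correlate(parse(line) for line in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, ip, ts in run_sample():
        print(f"{ts.isoformat()} {rule} user={user} ip={ip}")
```

On the sample data the rules fire twice for 203.0.113.7 (the burst-then-success, then the group change three minutes later) and not at all for 198.51.100.4, whose single failure falls outside the window. The point for the finding is that each rule is a documented pairing of sources, join fields and time windows, which is exactly what the assessors could not find in ACME's SIEM.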

SC.1.175 (NIST SP 800-171 3.13.12) - Collaborative Computing Device Control: NOT MET (POA&M)

Control Description: Prohibit remote activation of collaborative computing devices and provide indication of devices in use.

Implementation Status: Partially implemented. Policy prevents remote activation of webcams, but the equivalent controls for microphones are not yet configured. A partially implemented practice is assessed as NOT MET and is tracked on the POA&M.

POA&M Item: Complete microphone access controls configuration by September 15, 2025.

5 Risk Assessment & Impact Analysis

Risk Summary

Risk Category            | Risk Level | Count | Impact
Access Control Gaps      | Medium     | 3     | Potential unauthorized access to CUI systems
Audit & Monitoring       | Medium     | 5     | Reduced incident detection capability
Configuration Management | Low        | 4     | Minor compliance documentation gaps
Incident Response        | Medium     | 2     | Delayed response to security incidents

Overall Risk Determination

The residual risk to ACME Technology Services Corporation is assessed as MODERATE. While the organization has implemented a strong cybersecurity foundation, the identified gaps primarily relate to monitoring and audit capabilities that could impact incident detection and response times.

Risk Mitigation Recommendations

  • Prioritize completion of audit correlation procedures and SIEM tuning
  • Enhance monitoring coverage for CUI processing systems
  • Implement automated alerting for critical security events
  • Conduct tabletop exercises to validate incident response procedures

6 Plan of Action & Milestones (POA&M)

Required Remediation Items

All 18 open security controls must be remediated within 180 days to achieve final CMMC Level 2 certification. The items below are the representative entries included in this training report (4 of the 18):

Control ID | Control Name             | Priority | Target Date        | Responsible Party
AU.2.041   | Audit Record Correlation | High     | August 15, 2025    | Raymond Lawrence, CISO
IR.2.092   | Incident Handling        | High     | September 1, 2025  | IT Security Team
SC.1.175   | Collaborative Computing  | Medium   | September 15, 2025 | IT Operations
SI.1.210   | Flaw Remediation         | Medium   | October 1, 2025    | Application Development

POA&M Closeout Requirements

  • All items must be completed within 180 days (by December 12, 2025)
  • C3PAO closeout assessment required for certification finalization
  • Evidence packages must be submitted for each remediated control
  • Final assessment report will be generated upon successful closeout

7 Recommendations for Improvement

Strategic Recommendations

  1. Enhance Security Monitoring: Implement 24/7 SOC capabilities or engage managed security services to improve incident detection and response times.
  2. Automate Compliance Monitoring: Deploy automated compliance monitoring tools to continuously assess control effectiveness and identify drift.
  3. Strengthen Incident Response: Conduct regular tabletop exercises and update incident response procedures based on current threat landscape.
  4. Employee Training: Implement comprehensive cybersecurity awareness training program with regular phishing simulations.
  5. Supply Chain Security: Extend CMMC requirements to subcontractors and implement supply chain risk management procedures.

Technical Improvements

  • Implement privileged access management (PAM) solution for administrative accounts
  • Deploy network segmentation monitoring tools to detect lateral movement
  • Enhance endpoint detection and response (EDR) capabilities
  • Implement automated patch management for critical security updates
  • Deploy data loss prevention (DLP) solutions for CUI protection

Process Improvements

  • Establish formal change management procedures for security configurations
  • Implement regular vulnerability assessment and penetration testing schedule
  • Create security metrics dashboard for executive reporting
  • Develop business continuity and disaster recovery testing program

8 Certification Decision

Assessment Conclusion

Based on the comprehensive assessment conducted from June 10-14, 2025, ACME Technology Services Corporation has demonstrated substantial compliance with CMMC Level 2 requirements.

CONDITIONAL LEVEL 2 CERTIFICATE ISSUED

Valid subject to POA&M closeout by December 12, 2025

Certification Details

  • Certificate Number: CMMC-L2-2025-ACME-001
  • Issue Date: June 16, 2025
  • Expiration Date: June 16, 2028 (3 years)
  • Annual Affirmation Required: June 16, 2026 and June 16, 2027
  • Re-assessment Required: June 16, 2028

Conditions for Final Certification

To convert this conditional certification to final status, ACME Technology Services Corporation must:

  1. Complete all 18 POA&M items within 180 days
  2. Engage a C3PAO for POA&M closeout assessment
  3. Demonstrate full implementation of all 110 NIST SP 800-171 controls
  4. Submit evidence packages for all remediated controls

Assessor Signature

Lead Certified CMMC Assessor: Sarah Mitchell, CCA-2024-156

Date: June 16, 2025

C3PAO: SecureAssess C3PAO LLC