• Contact Information

• Company Name
• Name*
  First NameLast Name
• Email*
  example@example.com
• Phone
  Please enter a valid phone number.Format: (000) 000-0000.
• Back

  Next

• Company, contracts, and scope

• Who are your main U.S. Government customers and primes, and which contracts involve CUI or export-controlled data (ITAR/EAR)?
• Where in your business do you create, receive, or store that controlled data (functions and sites: HQ, plant, R&D, remote workers)?
• Do you have any subcontractors or vendors who handle this controlled data on your behalf?
• Back

  Next

• Compliance status & documentation

• Do you have a current System Security Plan (SSP) and POA&M?
  YesNoIn progress
• When were they last updated?
• Have you completed a NIST 800-171 / CMMC self-assessment and submitted a score to SPRS? If yes, when and what score?
  YesNo
• Have you had any third-party or customer/primes’ security audits in the last 2–3 years?
  YesNo
• Are there any open findings you’re still working on?
  YesNo
• Back

  Next

• Data, systems, and network

• What types of sensitive information do you handle (e.g., drawings, CAD, test data, specs, etc.)?
• How does this data enter your environment, and where is it mainly stored (email, file servers, cloud, engineering workstations, ERP/MES, etc.)?
• Do you have an up-to-date network diagram, and are engineering/CUI systems segmented from regular office/guest networks?
  YesNoIn progress
• Do production machines (CNC, PLCs, testers, etc.) connect to the corporate network or internet?
  YesNo
• If so, how are they protected?
• How is remote access handled (VPN, remote desktop, vendor access), and how is it secured?
• Back

  Next

• Identity, accounts, and access control

• How do you create, change, and remove user accounts when people are hired, change roles, or leave?
• Are all users on unique accounts (no shared logins)?
  YesNo
• Where is Multi-Factor Authentication (MFA) enforced today (email, VPN, admin accounts, cloud apps)?
• Do you use role-based access so people only see what they need, and how is access to CUI repositories (folders/systems) reviewed?
  YesNo
• Back

  Next

• Assets, security tools, and patching

• Do you maintain a current inventory of key hardware (laptops, desktops, servers, plant PCs, network gear) and critical software?
  YesNo
• Do you have standard builds or configuration baselines for Windows endpoints/servers, and how are configuration changes tracked?
  YesNo
• What do you use for endpoint protection (AV/EDR), and how are Windows updates and security patches managed?
• Do you have centralized logging/monitoring, and how do you handle alerts or suspicious activity?
  YesNo
• Back

  Next

• Backup and recovery

• What is your backup strategy (what’s backed up, how often, and where: on-site, off-site, cloud), and are backups encrypted/segregated from production?
• When was the last time you tested restoring critical systems from backup, and roughly how long did it take?
• Do you have a written disaster recovery / business continuity plan for events like ransomware or major outages?
  YesNo
• Back

  Next

• Policies, training, and incidents

• Which written security policies and procedures do you currently have (e.g., acceptable use, access control, incident response, handling CUI, vendor access)?
• How often do employees receive security/awareness training, and do you run any phishing or similar tests?
• Do you have a written incident response plan?
  YesNoIn progress
• Have you had any notable security incidents in the last 3–5 years, and are there customer/prime reporting requirements?
  YesNo
• Back

  Next

• Physical security, third parties, cloud, and priorities

• How do you control physical access to buildings, production areas, and server/network rooms?
• How are visitors handled, and how is sensitive hardware/media disposed of?
• Who provides your IT support today (internal team, MSP, or both), and what level of admin access do external providers have?
• Do you have contracts or security clauses with your MSP/key vendors that address CUI and compliance requirements?
• Which cloud services do you use (e.g., Microsoft 365, Google, ERP, file sharing), and do you know which environment/region they’re in (e.g., Commercial vs GCC/GCC High, US vs non-US)?
• What are your biggest worries around cybersecurity/CMMC right now, and what 2–3 areas would you most like to improve in the next 6–12 months?
• Submit
• Should be Empty: