Score Your Defense Contracting Cybersecurity in 5 Minutes

CMMC 2.0 Self-Assessment Tool

The amended CMMC 2.0 framework requires self-assessment against NIST 800-171 controls for every Department of Defense subcontractor handling Controlled Unclassified Information. Most defense suppliers walk into their first DIBCAC pre-assessment 30-40 points lighter than they thought. This free interactive tool gives you an honest score across 19 representative practices, highlights the single highest-leverage control (Privileged Access Management), and exports a documented gap report you can bring to your C3PAO or your MSP.


CMMC 2.0 Readiness Self-Assessment

19 representative NIST 800-171 practices across all CMMC 2.0 domains. Mark each as Yes / Partial / No. Get a score, gap report, and recommendation. 100% browser-only — nothing is sent to LayerLogix.

Access Control

AC.L1-3.1.1 (L1)

Limit access to authorized users

AC.L1-3.1.1 — Limit information system access to authorized users, processes, and devices.

AC.L1-3.1.2 (L1)

Limit access to authorized transactions

AC.L1-3.1.2 — Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

AC.L2-3.1.5 (L2)

Least privilege enforced

AC.L2-3.1.5 — Employ the principle of least privilege, including for specific security functions and privileged accounts.

AC.L2-3.1.7 (L2)

Non-privileged accounts used for non-security functions

AC.L2-3.1.7 — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Awareness & Training

AT.L2-3.2.1 (L2)

Security awareness training program

AT.L2-3.2.1 — Ensure that managers, system administrators, and users are made aware of the security risks associated with their activities.

Audit & Accountability

AU.L2-3.3.1 (L2)

Audit logs created and retained

AU.L2-3.3.1 — Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting.

Configuration Management

CM.L2-3.4.6 (L2)

Least functionality (PAM/allowlisting)

CM.L2-3.4.6 — Employ the principle of least functionality. Application allowlisting (PAM) directly satisfies this control.

CM.L2-3.4.8 (L2)

Application execution policy enforced

CM.L2-3.4.8 — Apply deny-all/permit-by-exception (allowlisting) policy. Allowlisting via PAM is the modern approach.

Identification & Authentication

IA.L1-3.5.1 (L1)

Users uniquely identified

IA.L1-3.5.1 — Identify information system users, processes acting on behalf of users, or devices.

IA.L2-3.5.3 (L2)

MFA for privileged and remote access

IA.L2-3.5.3 — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Incident Response

IR.L2-3.6.1 (L2)

Incident response capability established

IR.L2-3.6.1 — Establish an operational incident-handling capability for organizational systems.

Media Protection

MP.L1-3.8.3 (L1)

Media containing CUI sanitized before disposal

MP.L1-3.8.3 — Sanitize or destroy information system media containing FCI before disposal or release for reuse.

Physical Protection

PE.L1-3.10.1 (L1)

Physical access to systems controlled

PE.L1-3.10.1 — Limit physical access to organizational information systems and equipment to authorized individuals.

Risk Assessment

RA.L2-3.11.1 (L2)

Risk assessments performed periodically

RA.L2-3.11.1 — Periodically assess the risk to organizational operations resulting from the operation of organizational systems.

Security Assessment

CA.L2-3.12.1 (L2)

Security controls assessed periodically

CA.L2-3.12.1 — Periodically assess the security controls in organizational systems to determine if the controls are effective.

System & Communications

SC.L1-3.13.1 (L1)

Communications monitored at boundaries

SC.L1-3.13.1 — Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems.

SC.L2-3.13.4 (L2)

Information flow control between domains

SC.L2-3.13.4 — Prevent unauthorized information transfer via shared system resources. Application ringfencing (PAM) directly satisfies this control.

System & Information Integrity

SI.L1-3.14.1 (L1)

System flaws identified and remediated

SI.L1-3.14.1 — Identify, report, and correct information and information system flaws in a timely manner.

SI.L2-3.14.3 (L2)

Security alerts and advisories monitored

SI.L2-3.14.3 — Monitor system security alerts and advisories and take action in response.

Level 1 (FCI): need 100% to pass Level 1

Level 2 (CUI): need 90% for Level 2

Quick Win

Privileged Access Management (PAM) satisfies CM.L2-3.4.6, CM.L2-3.4.8, and SC.L2-3.13.4 in a single deployment.


What We Offer

Comprehensive solutions tailored for Houston-area businesses

19 Representative Practices

Covers Access Control, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Media Protection, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.

Live Score Across Levels

Real-time scoring against both CMMC Level 1 (FCI) and Level 2 (CUI) thresholds. Level 1 requires 100% to pass; Level 2 requires 90%+.

PAM Highlighted as Quick Win

Privileged Access Management (PAM) — application allowlisting and ringfencing — satisfies CM.L2-3.4.6, CM.L2-3.4.8, and SC.L2-3.13.4 in a single deployment. The tool flags this for any user not yet on PAM.

Gap Report Export

Download a text report of your practice-by-practice status, score, and recommended next steps. Bring it to your DIBCAC pre-assessment or CMMC C3PAO conversation.

100% Browser-Only

Nothing is sent to LayerLogix servers, logged, or stored. Your assessment stays on your device.

Built by Real CMMC Practitioners

Built by the team that delivers CMMC-aligned managed services for Texas defense suppliers across Fort Worth, Arlington, Bay Area Houston, Austin, and San Antonio.

Why Choose LayerLogix?

Serving businesses throughout the Greater Houston area including Fort Worth, Arlington, Clear Lake, Houston, Austin, San Antonio, College Station, Dallas.

Get Honest About Your Gaps

Most defense subcontractors over-estimate their CMMC posture by 30-40 points. The tool forces you to confront each practice honestly with Yes / Partial / No answers.

See PAM Leverage in Real Time

PAM is the single highest-leverage CMMC control. The tool shows you the 3 practices it satisfies in one deployment.

Save Consulting Hours

Walking into a DIBCAC pre-assessment with a documented self-assessment saves the assessor hours of discovery — often $2K-$5K of consulting fees.

Defensible Documentation

Export a dated report you can attach to your System Security Plan (SSP) work or include in your CMMC readiness package.

Free Forever

No email gate, no signup, no upsell on the tool itself. We earn the conversation by giving away the tool.

Our Process

1. Open the tool — no signup, no email required, nothing tracked
2. Mark each of the 19 NIST 800-171 practices as In Place / Partial / No based on your honest current state
3. Watch your Level 1 (FCI) and Level 2 (CUI) scores update in real time
4. Review the PAM Quick Win callout — application allowlisting satisfies 3 controls in one deployment
5. Export your text report with practice-by-practice status, score, and recommended next steps
6. Bring the report to your CMMC consultant, MSP, or directly to a C3PAO conversation
7. When you are ready for managed services that take you from Level 1 to Level 2, contact LayerLogix for a real pre-assessment

Frequently Asked Questions

Is this an official CMMC assessment?

No. This is a self-assessment tool that scores your responses against 19 representative NIST 800-171 practices. An official CMMC certification is performed by an accredited C3PAO (CMMC Third-Party Assessor Organization) for Level 2 and above. This tool is for honest internal scoring and gap identification before you spend money on a formal assessment.

How does the score map to CMMC 2.0 levels?

CMMC Level 1 (Federal Contract Information / FCI) requires 100% of Level 1 practices in place. CMMC Level 2 (Controlled Unclassified Information / CUI) requires 90% or above of Level 2 practices in place. The tool calculates and displays both thresholds in real time.

Why does the tool flag PAM as a quick win?

Privileged Access Management (PAM) — application allowlisting and ringfencing — directly satisfies multiple NIST 800-171 controls in a single deployment: CM.L2-3.4.6 (least functionality), CM.L2-3.4.8 (application execution policy), and SC.L2-3.13.4 (information flow control). For most defense suppliers, PAM is the single highest-leverage technical investment they can make toward CMMC readiness.

Is my data sent anywhere?

No. The tool runs entirely in your browser. Nothing is sent to LayerLogix servers, logged, or stored. Your assessment stays on your device. The export report is generated client-side and downloaded directly.

What do I do after exporting my report?

If your scores are below threshold, you have a documented gap report. Bring it to your CMMC consultant, your MSP, or a C3PAO for a formal pre-assessment conversation. If you want managed services that take you from your current state to Level 2 readiness — including PAM deployment, MFA, encryption, and SSP authoring — contact LayerLogix for a CMMC-aligned managed services proposal.

Ready to Get Started?

Contact LayerLogix today for a free consultation. We serve businesses throughout Fort Worth, Arlington, Clear Lake, and the surrounding Greater Houston area.