🔐 NIST SP 800-171 r2 + CMMC Workbook

NIST SP 800-171 r2 + CMMC 2.0 Level 2 Readiness Self-Assessment
Working copy – not an official NIST form

Use this page to capture assessment notes and status against a practical subset aligned to NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 readiness. Progress can be saved locally, exported to JSON, or printed.
Important: Unofficial tool + local-only storage
Read before use
  • Unofficial resource: Not an official NIST workbook and not endorsed by NIST.
  • No sensitive data: Do not enter secrets or regulated/sensitive data into this workbook.
  • Storage: “Save Session” uses your browser’s localStorage on this device. It is not encrypted. Don’t use on shared/public computers.
  • Authority: Your governing policies, auditors, and legal counsel are the authoritative sources for requirements and interpretations.
  • Official references: NIST SP 800-171 Rev. 2 · CMMC 2.0 Overview · SP 800-171A Assessment Procedures
Control Family 1–13 Coverage
Cities/Counties friendly
Leadership + IT collaboration
Overall Status: Not started
1. Organization & Scope
Context & identifiers
Organization Name *
Org/Dept Identifier
State/Region (optional)
Assessment Date
Assessor
Contact Email
Scope Notes
Helpful for documenting what is (and is not) in scope: critical services, systems, cloud apps, and key vendors.
Assessment Type
Adjust language in notes to match purpose (formal vs. informal).
2. Governance & Key Contacts
Control Family 1, 2, 11, 12
IT/Security Lead (or Designee)
IT/Security Contact
Security Officer / Point of Contact
Security POC Contact
IT / ISO Lead
IT / ISO Contact
Leadership & Cyber Contacts
Evidence of assigned roles/responsibilities and points of contact.
Core Cyber Policies (plain language)
3. Control Families — Assessment Items
Control Family 1–13
Use the controls below to track status by control family. The main goal is to capture practical implementation status for the organization: how each control is implemented, any gaps, and follow-up actions.

Control Family Summary

Assessment Snapshot & Notes

Quick metrics, risk overview, and planning notes for follow-up.

Overall Progress & Risk
Not started
Controls with any status 0 / 0
Controls flagged Non-Compliant 0
1 Identify & scope
2 Gather evidence
3 Rate controls
4 Plan remediation
Environment Summary
Optional – for context
Approximate Users
Key Systems / Apps in Scope
High-Level Environment Notes
Key Risks & Immediate Actions
For quick triage
Immediate Risk Items (0–90 days)
Short-Term Projects (3–12 months)
Longer-Term Improvements
Assessor Notes
Assessment details