Below is the report for Meridian Machining LLC, a fictional 28-person defense machine shop, produced by the same engine, question bank, and document builders your report uses. Nothing is mocked up.
Meridian Machining LLC (fictional) · CMMC Level 2 (NIST SP 800-171 Rev 2)
Fictional organization · every number below computed by the DoD Assessment Methodology engine
| Metric | Value |
|---|---|
| Estimated SPRS score (self-reported) | −48 / 110 (DoD scale −203 to 110) |
| Requirements met (incl. justified N/A) | 50 of 110 |
| Assessment-ready (met with documented evidence) | 21 of 110 |
| Must-fix gaps / POA&M-eligible gaps | 30 / 30 |

| Control family | Requirements met · points |
|---|---|
| AC — Access Control | 13/22 met · −15 pts |
| AT — Awareness & Training | 1/3 met · −10 pts |
| AU — Audit & Accountability | 2/9 met · −17 pts |
| CM — Configuration Management | 2/9 met · −27 pts |
| IA — Identification & Authentication | 6/11 met · −7 pts |
| IR — Incident Response | 1/3 met · −10 pts |
| MA — Maintenance | 3/6 met · −7 pts |
| MP — Media Protection | 4/9 met · −9 pts |
| PE — Physical Protection | 5/6 met · −1 pts |
| PS — Personnel Security | 2/2 met |
| RA — Risk Assessment | 1/3 met · −6 pts |
| CA — Security Assessment | 3/4 met · −5 pts |
| SC — System & Communications Protection | 4/16 met · −28 pts |
| SI — System & Information Integrity | 3/7 met · −16 pts |

| Requirement | Points | POA&M eligible? | Planned milestones | Target |
|---|---|---|---|---|
| AC.L2-3.1.12 · Control Remote Access | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement control remote access (AC.L2-3.1.12); 3) collect assessor-ready evidence (e.g., remote access policy (who may connect remotely, how, from what devices)); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
| AT.L2-3.2.1 · Role-Based Risk Awareness | −5 | No — must fix | Enroll all staff in annual security awareness training (KnowBe4 or similar) | 2026-07 |
| AT.L2-3.2.2 · Role-Based Training | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement role-based training (AT.L2-3.2.2); 3) collect assessor-ready evidence (e.g., role-specific training records (e.g., admin security training, incident responder training)); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
| AU.L2-3.3.1 · System Auditing | −5 | No — must fix | Turn on Microsoft 365 unified audit logging and ship firewall logs to a low-cost SIEM our MSP manages | 2026-08 |
| AU.L2-3.3.5 · Audit Correlation | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement audit correlation (AU.L2-3.3.5); 3) collect assessor-ready evidence (e.g., SIEM or log-aggregation configuration correlating events across systems); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
| CM.L2-3.4.1 · System Baselining | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement system baselining (CM.L2-3.4.1); 3) collect assessor-ready evidence (e.g., hardware/software inventory of in-scope systems (kept current)); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
| CM.L2-3.4.2 · Security Configuration Enforcement | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement security configuration enforcement (CM.L2-3.4.2); 3) collect assessor-ready evidence (e.g., hardening standard applied (e.g., CIS Benchmarks, DISA STIGs, vendor baseline)); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
| CM.L2-3.4.5 · Access Restrictions for Change | −5 | No — must fix | Draft plan: 1) assign an owner; 2) implement access restrictions for change (CM.L2-3.4.5); 3) collect assessor-ready evidence (e.g., documented list of who may make physical/logical changes to systems); 4) verify and close out. | Before C3PAO assessment — cannot ride a POA&M |
AC.L2-3.1.1 · Authorized Access Control · Implemented
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Meridian Machining LLC limits system access to authorized users through individually assigned Microsoft 365 accounts; no shared logins are permitted. Accounts are created on hire through the onboarding checklist and disabled at termination per the offboarding checklist maintained by HR, and access is limited to company-managed endpoints. Evidence is maintained in the Microsoft 365 admin center user list and the HR onboarding/offboarding checklist.
AC.L2-3.1.16 · Wireless Access Authorization · Not applicable
Authorize wireless access prior to allowing such connections.
Not applicable: no wireless networking exists in the assessed environment; the shop network is fully wired.
AU.L2-3.3.1 · System Auditing · Not implemented
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
This requirement is not yet implemented; remediation is tracked on the accompanying POA&M. Planned approach: turn on Microsoft 365 unified audit logging and ship firewall logs to a low-cost SIEM managed by the company’s MSP (target 2026-08).
IA.L2-3.5.3 · Multifactor Authentication · Partially implemented
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Implementation is partial. Multifactor authentication is enforced for administrator accounts and for VPN remote access through Entra ID conditional access policies. MFA for network access by the remaining (non-privileged) users is not yet implemented; the planned rollout extends the existing conditional access policy to office staff and then shop-floor shared workstations (target 2026-09) and is tracked on the accompanying POA&M.
Sample for a fictional organization. Your report covers all 110 requirements with your answers, your evidence, your plans — drafts reviewed by a CMMC Registered Practitioner before delivery.
Our guarantee: If your readout call doesn’t give you a clear, prioritized path to an 88+ SPRS estimate, we refund the full $3,500.