CMMC Level 1 SPRS Submission Package Generator — Generate SSP + Annual Affirmation + POA&M in 30 minutes.
For each practice, select MET (fully implemented), NOT MET (not fully implemented), or N/A (not applicable to your system boundary). Expand the evidence hint to see what to document.
Limit information system access to authorized users, processes, and devices only.
Example: Active Directory with quarterly access reviews; VPN+MFA for remote access
Limit access to only the types of transactions and functions authorized users may execute.
Example: RBAC with Viewer/Contributor/Owner roles; formal role matrix reviewed annually
Verify and control connections to external information systems.
Example: Documented external connection inventory; firewall rules blocking unauthorized outbound traffic
Control information posted or processed on publicly accessible systems.
Example: Quarterly review of public website confirming no FCI is present
Identify information system users, processes acting on behalf of users, or devices.
Example: Asset inventory of all users, service accounts, and devices; reviewed monthly
Authenticate the identities of users, processes, or devices before allowing access.
Example: Password + MFA (Microsoft Authenticator) enforced via Conditional Access for all FCI systems
Sanitize or destroy information system media before disposal or reuse.
Example: NIST 800-88-compliant wiping (Blancco); certified shredder; destruction log retained 3+ years
Limit physical access to information systems and operating environments to authorized individuals.
Example: Badge readers on server room; quarterly physical access audits; after-hours log review
Escort visitors, monitor visitor activity, and maintain physical access audit logs.
Example: Visitor sign-in with government-issued ID; escort badge; visitor log retained 3+ years
Periodically assess risk to organizational operations, assets, and individuals.
Example: Annual risk assessment per NIST SP 800-30; findings documented in Risk Register
Monitor, control, and protect communications at external and key internal boundaries.
Example: NGFW with IDS/IPS; centralized SIEM logging; security alerts reviewed weekly
Implement subnetworks for publicly accessible components that are physically or logically separated from internal networks.
Example: Public web servers in dedicated DMZ VLAN; firewall separation from internal FCI network
Identify, report, and correct information system flaws in a timely manner.
Example: CISA KEV subscription; vulnerability scanner; critical CVEs patched within 15 days
Provide protection from malicious code at appropriate locations within information systems.
Example: Microsoft Defender for Business deployed on all endpoints; real-time protection enabled
Perform periodic system scans and real-time scans of files from external sources.
Example: Weekly full AV scans; real-time scanning for all downloads and USB insertions
Update malicious code protection mechanisms when new releases are available.
Example: Automatic AV signature updates (daily minimum); verified via management console
Establish and maintain baseline configurations and inventories throughout system development life cycles.
Example: System baseline configuration documented; formal change control with rollback plan