
CMMC Level 2 Self-Score Quiz: Where You Stand Before Your C3PAO Shows Up

A ten-question directional readiness score tied to actual NIST SP 800-171 Rev 2 controls. Answer honestly, get a 0 to 100 score, and receive a detailed PDF report that explains what your score means, which control families you are weakest in, and how long audit readiness typically takes from where you are today. Built by Petronella Technology Group, a CMMC-AB Registered Provider Organization (RPO #1449).

CMMC-AB RPO #1449 · Entire team CMMC-RP · DFE #604180 · BBB A+ since 2003

Question 1 — Planning

Does your company have a written System Security Plan (SSP) covering your CUI environment?

The SSP is the single most common document reviewed at the start of any C3PAO assessment. Tied to NIST SP 800-171 3.12.4.

Question 2 — Scoping

Have you identified where Controlled Unclassified Information (CUI) lives in your environment?

Scoping the CUI boundary is step zero. If you cannot show a data-flow diagram and a list of systems in scope, audit preparation cannot meaningfully start. Tied to 3.12.4 scoping guidance.

Question 3 — Access Control

Is multi-factor authentication enforced on all privileged admin accounts?

Tied directly to NIST SP 800-171 3.5.3. The most cited weakness in C3PAO findings is MFA exceptions for IT admins or legacy service accounts.

Question 4 — Monitoring

Do you have 24/7 security operations center monitoring, or a documented equivalent?

Tied to 3.14.6 and 3.14.7. Many SMBs outsource this to a managed detection provider. In-house is only acceptable if monitoring truly runs around the clock.

Question 5 — Awareness

How often do you run security awareness training for all employees?

Tied to 3.2.1 and 3.2.2. C3PAO assessors will ask to see attendance records plus content outlines. Role-based training is required for privileged users.

Question 6 — Encryption

Are workstations and servers encrypted at rest using FIPS-validated modules?

Tied to 3.13.11. FIPS 140-2 or 140-3 validation matters. BitLocker running without the FIPS-mode policy enabled does not count for a C3PAO.

Question 7 — Assessment

Have you had a third-party penetration test against your CUI environment?

Pen testing is not explicitly mandated at L2, but third-party validation closes findings faster. Tied to 3.11.1 risk assessment and 3.12.1 security control assessment.

Question 8 — Remediation

Do you maintain a documented Plan of Action and Milestones (POA&M)?

Required for any open findings. Tied to 3.12.2. At L2, only specific controls are POA&M-eligible and they must close within 180 days of the assessment.

Question 9 — Incident Response

Is your incident response plan tabletop-tested at least annually?

Tied to 3.6.1 through 3.6.3. A plan that has never been rehearsed is treated as weak evidence. Assessors often ask for the last tabletop report.

Question 10 — Media Protection

Are external USB drives and removable media restricted on CUI systems?

Tied to 3.8.7 and 3.8.8. Removable media is the most common data-exfiltration vector cited in DIBCAC assessments. Group Policy or MDM enforcement is the accepted control.


Your directional CMMC Level 2 readiness score

Enter your details below to unlock the full PDF report. It explains what your score means, breaks out weak control families, and lays out a realistic timeline based on the pattern your answers match.

Prefer to talk? (919) 348-4912 rings Penny, our front-desk agent. Free 15-minute CMMC readiness call on request.

How the score is calculated

Each of the ten questions maps to a specific NIST SP 800-171 Rev 2 control family and scores 0, 5, or 10 points. The total is 0 to 100, where 100 means every answer was the "audit-ready" response. The instrument is directional, not a substitute for a real C3PAO assessment.

We picked the ten questions based on the control families that show up most often in published DIBCAC findings and in our own CMMC gap-assessment engagements. The weightings are equal across questions deliberately. A zero on incident response is not less expensive to remediate than a zero on MFA, and a scored instrument that tries to weight remediation cost quickly becomes too opinionated to trust.

The goal is honest signal. A score of 62 does not mean "you are 62% ready." It means "your answers match the pattern we see in businesses that typically need six to twelve more months of structured work before a C3PAO assessment." The report explains the tier thresholds and what a realistic path forward looks like.


What the full PDF report contains

Not a score card with marketing copy. A working document you can hand to your IT lead or compliance officer and get a real conversation started.

Score breakdown by control family

Each answer mapped back to the NIST SP 800-171 family it belongs to. Shows which families pulled your score up and which dragged it down.

Tier interpretation

What a score in your tier typically means for timeline, effort, and budget. Based on patterns across CMMC gap-assessment engagements we have led.

Top three remediation priorities

The three control families most likely to move your score the furthest for the least effort. Framed as actions, not acronyms.

Realistic timeline

A narrative estimate of how long businesses at your tier typically take to reach audit-ready. No guarantees, no pass-rate claims, just honest pattern matching.

C3PAO selection checklist

When you are close to ready, how to pick a C3PAO assessor. What to ask, what to avoid, how to read the CMMC-AB marketplace without getting upsold.

Common POA&M mistakes

The five POA&M patterns we see most often that cause L2 assessments to stall. Fix these before the C3PAO shows up, not after.


Who this is for

  • Defense contractors and subcontractors that handle or expect to handle CUI.
  • Manufacturing firms on the DIB supply chain seeing CMMC language in their flow-downs.
  • Engineering, architecture, and design firms serving federal agencies.
  • MSPs and MSSPs scoping the compliance posture of a new defense client.
  • Internal compliance leads preparing for a board conversation about CMMC budget and timeline.

If you are still at CMMC Level 1 (Federal Contract Information only, not CUI), the quiz will still run, but some questions are over-scoped for your posture. Our sister page, CMMC compliance overview, covers all three levels. Petronella Technology Group consults at Level 1, Level 2, and Level 3.


Common questions

Is this a real CMMC assessment?

No. Only a Certified Third-Party Assessment Organization (C3PAO) can issue a CMMC Level 2 certification. This quiz is a directional readiness snapshot based on ten of the most commonly weighted control families. Use it to set expectations with your team, not to make audit-ready claims.

Why only ten questions if CMMC L2 has 110 controls?

A longer instrument would score higher marketing points but would not meaningfully improve directional accuracy at this stage. Our ten questions cover the control families most often cited in DIBCAC findings. The full PDF report explains which families were covered and which were not, so you know exactly where the instrument's limits are.

Who reviews the report?

The PDF is generated from your answers using our internal scoring framework. Petronella Technology Group, a CMMC-AB Registered Provider Organization, authored the framework. If you want a live walkthrough, book a free 15-minute call with Penny, our front-desk agent, at (919) 348-4912.

What do I get after I submit my email?

Instant PDF download in the browser plus a backup copy emailed to the address you provided. You also receive a short three-email follow-up series with context on CMMC budget, timeline, and common remediation traps. Every email has a one-click unsubscribe link.

What if my score is under 50? Is Petronella going to pressure me to sign a contract?

No. The report explains what a score under 50 typically means and gives a realistic timeline. If you want to talk through options, you can book a call. If you want to walk away and come back in six months, you keep the report and owe nothing. We run an assessment-first model, not a cold-close model.

Can I retake the quiz after remediation work?

Yes. The quiz is free to retake as often as you want. Several of our existing clients use it quarterly as a directional progress check between formal gap assessments.

Turn a directional score into an audit-ready roadmap

A ten-question quiz tells you where you stand. A structured gap assessment tells you exactly what it will take to close. Petronella Technology Group runs CMMC gap assessments as a Registered Provider Organization. Custom quote, not a flat list price.

Free 15-minute consultation with Penny at (919) 348-4912. Paid engagements after scoping.