PlainAudit

The CMMC Level 2 documentation kit for small defense contractors who want to drive their own self-assessment.

Fourteen 800-171 policies, a populated SSP sample you can read below, and a POA&M with SPRS math. Instant download. $249.

110/110 controls covered · 14 policies · 25 files · 12 mo free updates · 30 day support window

CMMC L2 Assessment Kit

$249

Secure checkout · your email is used for order delivery only.


Or take the free readiness quiz first →

30-day money-back window. Refund policy.

This is a kit, not a consultancy. If you need someone to run your CMMC program for you, we’ll point you to an RPO. If you have an IT lead who can drive the work and needs the right starting documents, this is for them.

This kit is for 20–150 employee defense contractors pursuing CMMC Level 2 self-assessment. If you’re Level 1 only, you’re a defense prime over 500 employees, or you need someone to implement the controls for you — this is the wrong kit. The detailed breakdown is below.

What’s inside the kit

25 files, organized for a CMMC Level 2 self-assessment workflow. Structure mirrors the zip you’ll download on purchase.

Top-level

  • README.pdf — 3-page executive overview
  • 01-Getting-Started.docx — from unzip to first filled artifact
  • 02-Scoping-Guide.docx — CUI vs FCI, in-scope systems, boundaries

Policies (14, one per NIST 800-171 family)

Core compliance program

  • AC: Access Control
  • AU: Audit and Accountability
  • CA: Security Assessment
  • IR: Incident Response
  • SC: System and Communications Protection
  • SI: System and Information Integrity

Identity & configuration

  • IA: Identification and Authentication
  • CM: Configuration Management
  • RA: Risk Assessment
  • AT: Awareness and Training

Operations baseline

  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical Protection
  • PS: Personnel Security

System Security Plan

  • SSP-Template.docx — covers all 110 controls with per-control sections

Trackers

  • POAM-Tracker.xlsx — seeded with 5 example rows + SPRS projection math
  • SPRS-Worksheet.xlsx — formula-driven live-calc
  • Control-Mapping-Matrix.xlsx — CMMC ↔ NIST 800-171 ↔ NIST 800-53 ↔ SOC 2 ↔ ISO 27001

Samples (Acme Defense Services — fictional 12-person contractor)

  • Populated Access Control Policy
  • Populated SSP Section (System Description + AC family)
  • POA&M Walkthrough with SPRS math

Reference

  • All 110 controls with full decomposition fields (Excel workbook)

Look at the SSP before you buy.

Every CMMC kit vendor asks you to spend hundreds or thousands of dollars on documents you cannot see. We don’t. Below are the first two pages of a populated System Security Plan for “Acme Defense Services” — a fictional twelve-person electromagnetic-design shop in Arlington, Virginia, operating in Microsoft 365 GCC High and Azure Government. The kit ships an unpopulated version of this template. You fill in your environment. This sample shows the level of specificity an assessor expects.

This is the public preview. The full populated sample continues through the Access Control family (3.1.1–3.1.22) with specific tools, named roles, and evidence pointers — included when you purchase.

FICTIONAL EXAMPLE · Acme Defense Services (Sample) · System Security Plan · Page 1 of 12 · Classification: Controlled — CUI

System Security Plan — Acme Defense Services (Sample)

Field | Value
Document Title | Acme Defense Services System Security Plan
Document ID | ACME-SSP-001
Version | 2.1
Effective Date | 2026-01-15
Next Review Date | 2027-01-15
Classification | Controlled — Handled as CUI
Approved By | Samira Patel, CEO (2026-01-12)
Document Owner | Jordan Chen, IT Director

1. System Description

1.1 System Name and Identification

  • System Name: Acme Defense Services CUI Environment (ACME-CUI-ENV)
  • System Type: Cloud-hosted SaaS and IaaS environment
  • Primary Function: Support for defense engineering services under active prime contracts DoD-1234-5678 (CTI-designated technical data for communications systems) and DoD-2345-6789 (engineering services subcontract under Lockheed prime contract, CTI and Export-Controlled data).

1.2 Organizational Context

Acme Defense Services is a 12-person defense engineering consultancy based in Arlington, VA. The organization was founded in 2022 and performs electromagnetic design and analysis services for DoD prime contractors and one direct DoD contract. All personnel are US persons as required by the export-controlled nature of project data.

1.3 CUI Categories Handled

Per the National Archives CUI Registry, the categories handled:

  • Controlled Technical Information (CTI): Technical data with military application. Primary source: engineering analyses, CAD models, simulation results, design documentation exchanged with DoD customers and prime contractors.
  • Export Controlled (EXPT): Information subject to ITAR controls. Applies to the design data for communications systems under contract DoD-1234-5678.

1.4 Authorization Boundary Summary

The CUI environment consists entirely of cloud services in the US government cloud regions:

  • Microsoft 365 GCC High tenant (acme-defense.onmicrosoft.us)
  • Azure Government subscription (subscriptions: Acme-Production, Acme-Engineering)
  • Company-managed endpoints (Windows 11 laptops and iPhones enrolled in Microsoft Intune)

No on-premises servers or traditional data centers are used. All CUI is stored and processed in Microsoft's FedRAMP High/DoD IL5-authorized cloud regions or on managed endpoints that connect to those services through conditional access policies.

1.5 Key Personnel

Role | Name | Authority
CEO / Senior Agency Official | Samira Patel | Accepts residual risk; approves the SSP and POA&M
IT Director / System Owner / Acting ISSO | Jordan Chen | Manages technical security program; owns this document
IT Administrator | Priya Sharma | Executes day-to-day security operations
Security Liaison (rotating Q1/Q2 2026) | Priya Sharma | Reviews audit logs and security alerts
Security Liaison (rotating Q3/Q4 2026) | Marcus Okoye | Reviews audit logs and security alerts
Engineering Manager | David Liu | Approves engineering team CUI access
Operations Manager | Aisha Johnson | Approves operations team CUI access

····· Preview ends · Pages 3–12 included in the kit ·····

Pages 3–12 cover the full Access Control family (3.1.1–3.1.22) with specific tools, named roles, and evidence pointers.

Compare this to the paraphrased-from-NIST-800-171A text you’ll find in most competitors’ samples. The difference shows up in a C3PAO review.

How it works

  1. Take the free readiness quiz (optional)

    A 15-minute self-assessment across all 14 NIST 800-171 families. You get a SPRS-style score, a list of control gaps, and a suggested remediation order. Skip this step if you already know where you stand.

  2. Download

    Purchase the kit — $249. Instant .zip download of all 25 files.

    The POA&M tracker ships seeded with five realistic example rows and working SPRS projection math, so you have a populated template to adapt to your environment rather than a blank spreadsheet.

  3. Customize and submit

    Replace the fictional Acme Defense Services context with your own environment, systems, and roles. Fill the SSP per-control sections, track remediation in the POA&M, and run the SPRS worksheet against your actual posture. Use the 30-day support window to ask questions as they come up.

Pricing

One-time purchase. 12 months of free updates included. 30-day email support window from purchase. 30-day money-back window if the kit isn’t what you expected — see the refund policy.

CMMC L2 Assessment Kit

$249
  • 14 policy templates — one for each NIST 800-171 family (AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC, SI)
  • System Security Plan template covering all 110 controls, with per-control sections
  • POA&M tracker seeded with 5 example remediation rows and SPRS projection math
  • SPRS score worksheet with live-calc formulas
  • Control-mapping matrix: CMMC ↔ NIST 800-171 ↔ NIST 800-53 ↔ SOC 2 ↔ ISO 27001
  • Getting-Started guide and Scoping guide (CUI vs FCI, in-scope systems)
  • Three fully populated sample artifacts for a fictional 12-person defense contractor
  • README.pdf executive overview (3 pages)

Instant download · 12 months of free updates · 30-day support window

This documentation kit is an educational starting point, not legal, audit, or compliance advice.

Templates must be customized to your organization’s specific security environment.

Consult a qualified auditor or RPO for formal compliance readiness.


Who it’s for

Small defense contractors (20–150 employees)

You handle CUI on DoD contracts and need to stand up a defensible Level 2 posture without a six-figure consultancy engagement.

IT leads driving the CMMC program internally

You’re the de facto compliance owner. You want the templates, the mapping matrix, and the SSP scaffolding so you can do the work yourself.

Compliance officers at sub-primes

Your customer is a prime asking for SSP excerpts and POA&M visibility. You need deliverables that survive a flow-down review.

Security leads preparing for a C3PAO engagement

You’ve booked a C3PAO assessment or plan to. The kit shortens prep time and makes your documentation answer-ready so billable assessor hours go toward assessment, not cleanup.

Not for you if…

  • You’re a CMMC Level 1 contractor. The 17-control FCI-only subset is out of scope; email us within 30 days if you bought in error and we’ll resolve it.
  • You’re a defense prime with 500+ employees and complex multi-cloud infrastructure. A ComplianceForge NCP or Kieri enclave kit is a better fit.
  • You need someone to implement the controls for you. This is a documentation kit, not a consultancy — we can point you to an RPO.

Frequently asked questions

Risk & scope

Is this a substitute for a C3PAO assessment?
No. CMMC Level 2 certification requires an assessment by an authorized C3PAO. This kit prepares your documentation and workflow so your C3PAO engagement is shorter, cheaper, and more likely to pass. Before CMMC Phase 2 (November 2026), many Level 2 contracts still allow self-assessment; this kit supports self-assessment fully. After Phase 2, a C3PAO assessment becomes mandatory for most Level 2 work. Your SPRS score submission to DoD remains your responsibility in either case. The full disclaimer set is in the disclaimers section.
Does buying this kit affect my False Claims Act exposure?
Your SPRS score submission to DoD is your responsibility. Submitting an inaccurate SPRS score is a federal offense regardless of whether a third party — including us — helped you prepare the inputs. This kit’s templates are an educational starting point; the contents of the SSP, POA&M, and policies you submit are your own representations. That applies to every CMMC kit on the market, not just ours. We make this explicit because some of our competitors do not.
Is this appropriate for Level 1 contractors?
No. This kit is scoped for CMMC Level 2, which requires all 110 NIST 800-171 controls. CMMC Level 1 contractors handle Federal Contract Information (FCI) only, not Controlled Unclassified Information (CUI), and have a simpler 17-control subset drawn from FAR 52.204-21. Level 1 vs Level 2 depends on the specific contract — if you have both FCI-only and CUI-bearing contracts, you likely need Level 2 for the CUI work. If you are a Level 1 contractor and bought this kit, email us within the 30-day support window and we will resolve it.

Coverage

How is this different from the $5,200 ComplianceForge NCP or the $5,200 Kieri kit?
Scope and price. ComplianceForge ships 28 policy domains plus a multi-framework matrix; we ship 14 (one per 800-171 family) plus the same matrix. Kieri ships Azure/GCC High enclave architecture guides authored by a C3PAO; we do not ship enclave guides in v1. Both ship over email in 1-2 business days; we ship instant download. Both hide public pricing; we publish $249 above the fold. We are a better fit for a 12-to-150-person contractor who wants to drive the work internally. We are not a better fit for a 500-person prime with complex multi-cloud infrastructure. Full pricing section below.
My SPRS score is -42. Does this kit help me get to a passing score?
The kit includes a POA&M tracker seeded with realistic remediation rows and SPRS projection math. You can model outcomes like "complete items 1-8, SPRS moves from -42 to -18; complete items 1-15, SPRS moves to +26" inside the workbook. That math is there. The actual remediation work — implementing controls, collecting evidence, updating systems — is yours to do. The kit gives you the plan and the measurement; it does not do the remediation.
How is my SSP going to differ from the populated Acme sample?
The Acme Defense Services sample shows the level of specificity a C3PAO expects — named roles, specific tools, evidence pointers, boundary descriptions. Your SSP will replace Acme’s 12-person Arlington VA electromagnetic-design context with your organization’s context. The template gives you the section structure and the per-control scaffolding; you write your actual environment. The sample is a reference example, not a fill-in-the-blanks form. See the sample preview above.
Can I use this for NIST SP 800-171 Rev 3?
Not yet. This kit is built against NIST SP 800-171 Revision 2 (January 2021 update) because Revision 3 (November 2024) has not yet been authorized for CMMC. DoD CMMC rulemaking references Rev 2. When Rev 3 becomes the CMMC baseline — expected 2027 or later — our 12-month update commitment applies and we will ship a Rev-3-aligned version to customers within that window.
What does the kit cover?
A .zip file with 25 organized documents: a README executive overview (PDF), Getting-Started and Scoping guides (DOCX), 14 policy templates (one per NIST 800-171 family), a System Security Plan template covering all 110 controls, a POA&M tracker seeded with example remediation rows and SPRS projection math, an SPRS worksheet, a cross-framework control-mapping matrix (CMMC, NIST 800-171, NIST 800-53, SOC 2, ISO 27001), three fully populated samples for a fictional twelve-person defense contractor, and a 110-control reference workbook. Full breakdown above.

Commercial terms

What file formats do I get?
Policies, SSP, guides, and samples are delivered as .docx (Microsoft Word). POA&M, SPRS worksheet, control-mapping matrix, and the 110-control reference workbook are .xlsx (Microsoft Excel). README is .pdf. Full file list above.
Are updates included?
12 months of free updates. If NIST SP 800-171 or CMMC rules change in that window — for example, DoD final-rule amendments or NIST SP 800-171 Rev 3 authorization for CMMC — we will email you within 14 days with a summary of the change, the scope of impact on the kit, and a re-download link for the updated bundle. After the 12-month window, continuing updates are offered at a discount.
What support is included?
A 30-day support window by email from purchase. Questions about how to use the templates, interpretation of NIST 800-171 controls, or clarification on POA&M scoring are in scope. We are not a consultancy; we do not implement the controls for you or write your SSP for you. If you need hands-on help, we can point you to an RPO who does implementation work.
What if CMMC rules change?
For 12 months from purchase, any DoD final-rule amendment or NIST SP 800-171 revision that materially changes the kit will trigger a free update emailed to you with a re-download link. We will describe the scope of the change so you know what to re-customize. Rules are changing — this is one of the highest-friction parts of CMMC — and your purchase includes the update cadence for that window.
Can I get a refund?
Yes — within 30 days of purchase, email support@plainaudit.com with your order and we will refund via the payment processor. After 30 days, refunds are handled case-by-case. If the kit turns out to be wrong-scoped for your situation (Level 1 instead of Level 2, for example), we would rather refund than have an unhappy buyer. Full terms in the refund policy.

Ready to start?

Get the full CMMC L2 Assessment Kit and start your self-assessment today. Or take the free quiz first to see where your gaps are.


Not ready to buy? Take the free readiness quiz — no signup, results in 15 minutes.

Disclaimers

This documentation kit is an educational starting point, not legal, audit, or compliance advice. Templates must be customized to your organization’s specific security environment.

CMMC Level 2 certification requires an assessment by an authorized C3PAO. This kit supports your preparation and, before CMMC Phase 2 (November 2026), many Level 2 contracts still allow self-assessment using kit templates.

Your SPRS score submission to DoD is your responsibility. Submitting an inaccurate SPRS score is a federal offense regardless of whether a third party helped prepare the inputs.

The kit is built against NIST SP 800-171 Revision 2. If NIST SP 800-171 Rev 3 is authorized for CMMC during your 12-month free-updates window, an updated bundle will be emailed to you.

PlainAudit is not an RPO and does not issue CMMC certifications. Consult a qualified auditor, RPO, or C3PAO for formal compliance readiness.