|CMMC Level 3 Policy and Procedures||The CMMC Level 3 requires the client to generate and maintain a comprehensive written IT Security Compliance Policies and Procedures manual. I must list all of the IT Security policies that the company has in place to protect its network environment and data, along with specific descriptions of how each policy is implemented and measured. For organizations that don’t have a set of data protection policies – or at least one that conforms to CMMC requirements, this report provides an “out of the box” version of policies and procedures that they can use or start with.|
|External Vulnerability Scan Detail||Detailed report showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.|
|CMMC Risk Treatment Plan Update||
Based on the findings in the CMMC Risk Update Assessment, the organization must create a CMMC Risk Treatment Plan with tasks required to minimize, avoid, or respond to identified risks to IT security.
The CMMC Risk Treatment Plan Update contains a list of tasks that can be executed to mitigate identified IT Security risks.
|CMMC Change Summary Report||
Every time you use Compliance Manager for CMMC to run a CMMC Risk Update Assessment on a given network, Compliance Manager for CMMC generates the CMMC Change Summary report.
This report compares the results the last Full CMMC Assessment with the Risk Update Assessment’s network scan, local computer scan(s), and external vulnerability scan results performed during the Risk Update Assessment process.
This report details changes in the network’s User Accounts, Local Computer Accounts, Active Directory (A/D) Computers, Non-A/D Computers, Non-A/D Devices, External Vulnerabilities, along with a Windows computer Patch Summary.
|CMMC Risk Analysis Update||
The CMMC Risk Analysis Update report lists IT Security risks identified during a Risk Update Assessment that impact the state of IT network security. The CMMC Risk Analysis Update identifies what protections are in place and where there is a need for more.
The CMMC Risk Analysis Update report presents results in a list of items that must be remediated to ensure the security and confidentiality of sensitive or confidential information at rest and/or during its transmission
|External Vulnerability Scan Detail by Issue||Detailed report showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.|
|CMMC Windows Patch Assurance Report||The CMMC Windows Patch Assurance Report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which patches are missing on the network.|
|CMMC Login History Report||This report presents user login history by computer to enable workforce members responsible for IT Security to audit access to computers connected to a company’s network. Quite useful, in particular, for looking at a commonly accessed machines (file server, domain controller, etc.) – or a particularly sensitive “CUI” computers that are used to collect, process, transmit, or store CUI for failed login attempts.|
|CMMC Full Detail Excel Export||The CMMC Full Detail Excel Export includes every detail uncovered during the CMMC assessment’s network and computer endpoint scanning process. Details are presented in line-item fashion in an editable Excel workbook document. The report is organized by titled worksheets to help you locate the specific findings of interest, and problem areas are conveniently highlighted in red, making it easy to spot individual problems to be rectified.|
|CMMC Evidence of Compliance||Compiles compliance information from automated scans, augmented data, and questionnaires. Gathers evidence into one document to back up the CMMC Assessor Checklist with real data.|
|CMMC Risk Analysis||CMMC Risk Analysis is the foundation for the entire CMMC compliance and IT security program. The CMMC Risk Analysis identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of sensitive data at rest and/or during its transmission.|
|CMMC Risk Treatment Plan||Based on the findings in the CMMC Compliance Assessment, the organization must create a Risk Treatment Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, CMMC Manager provides a risk scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources and ensure that issues identified are issues solved. The Risk Treatment plan defines the strategies and tactics the organization will use to address its risks.|
|CMMC Assessor Checklist||The CMMC Assessor Checklist gives you a high-level overview of how well the organization complies with the CMMC (Cybersecurity Maturity Model Certification) requirements. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be re-mediated in order to achieve compliance.|
|NIST 800-171 Scoring Supplement Worksheet||This is a temporary worksheet that “bridges the gap” of 800-171 controls that are not already covered by the CMMC Level 2 certification requirements. First complete the Level 2 CMMC assessment built into Compliance Manager, and then complete this supplemental scoring worksheet. The documents will be automatically combined, analyzed and used to create the final self-assessment scorecard.|
|Plan of Action & Milestones (POA&M)||The POA&M is a requirement of the Interim Rule and includes information about security control implementation weaknesses and gaps found during the assessment, lists the any mitigating steps the contractor intends to make in order to fully implement, along with a specific deadline for completion. This document is provided in Excel format, and follows the DoD’s best practices template.|
|System Security Plan (SSP)||The System Security Plan (SSP) is the most important document in the event of an audit. IT sums up the system description, system boundary, architecture, and security controls in one document. The SSP document generated by Compliance Manager follows the exact format as prescribed in best practice templates supplied by the DoD.|
|NIST 800-171 DoD Assessment Score Report||This report is a line-item scorecard showing the results of the implementation review of each of the 110 controls included in NIST (SP) 800-171, and the total score based on the Department of Defense’s official scoring rubri, with a starting maximum score of 110, and specified deductions made for non-implementation of a given control. A summary score is provided for each of the 14 main control families, and then for each individual control, it lists in tabular fashion: The NIST control ID number, security requirement description, control implementation status, amount deducted (if not implemented), and comments (if applicable).|