CMMC Level 2

Stop guessing which controls you've met.

The complete self-assessment workbook for CMMC Level 2 — all 110 NIST SP 800-171 controls, evidence checklists, assessor insights, and a POA&M tracker. Know your SPRS score before you submit it.

$147 Instant download · .docx

Used by FSOs and IT managers at cleared DoD contractors

The CMMC problem

80,000 contractors. One deadline. Most aren't ready.

CMMC Level 2 requires implementation of all 110 NIST SP 800-171 Rev 2 security controls. Every DoD contractor handling CUI must either self-assess or pass a C3PAO assessment — and submit their SPRS score to the DoD.

Most small-to-mid contractors are staring at a 200-page NIST document and a spreadsheet someone emailed them in 2019. They don't know which controls they've implemented, which ones have gaps, or what evidence a C3PAO assessor will actually ask for.

The penalty for non-compliance isn't a finding — it's losing your contracts. Prime contractors are already flowing CMMC requirements down to subs. If you can't demonstrate compliance, you're off the bid list.

This workbook replaces the guesswork with a structured, control-by-control walkthrough that tells you exactly what to assess, what evidence to collect, and what to do about the gaps.

Inside the workbook

Every control. Every piece of evidence. Every gap, documented.

110 controls, fully documented

Every NIST SP 800-171 Rev 2 control with the full requirement text, organized by 14 control families. No hunting through government PDFs.

Evidence guidance per control

Each control lists specific evidence to collect — what the assessor will ask for, in plain English. Not just "access control policy" but "GPO exports, user privilege matrices, MFA enrollment records."

Assessor insights

Teal-bordered callout at the top of every control family with practical advice on what assessors actually look for — and where most organizations fail.

Common findings

Red-flagged list of the most cited deficiencies per family — so you can fix them before the assessor finds them.

Quick wins

A concrete, one-action item per family that addresses multiple controls at once. "Do this first" guidance that saves weeks of planning.

SPRS score calculator

Scoring summary table with all 14 families, space to tally implementations, and an SPRS worksheet. Know your score before you submit it.

Evidence collection checklist

32-item master checklist covering policies, technical evidence, and administrative records. Check them off as you gather them.

POA&M tracker

15-row Plan of Action & Milestones table for documenting gaps, remediation plans, responsible parties, and target dates. Required for any control not fully implemented.

Assessment certification page

Formal sign-off page for the assessor — name, title, organization, SPRS score, and signature block.

Notes & writing space

Lined notes section after every control family for additional observations, and expanded notes fields on every control for evidence references.

Who this is for

Built for the teams who don't have a $50K consultant budget.

How it compares

Three paths to CMMC compliance.

Feature Free NIST templates FSO Shield Workbook $147 Consultant $15K–$50K
All 110 controls documented
Evidence guidance per control
Assessor insights & common findings
Quick wins per family Sometimes
SPRS score calculator
POA&M tracker
Evidence collection checklist
Fully editable (your facility) Partially
Ready in 5 minutes
Cost Free $147 $15,000+

Questions

Frequently asked.

Is this aligned to the current CMMC 2.0 framework?
Yes. This workbook covers all 110 controls from NIST SP 800-171 Rev 2, which is the basis for CMMC Level 2 certification as of 2026.
What’s the difference between CMMC Level 1 and Level 2?
Level 1 covers 15 basic safeguarding controls from FAR 52.204-21 (self-assessment only). Level 2 covers all 110 NIST SP 800-171 controls and may require a C3PAO assessment depending on the contract.
Can I use this to prepare for a C3PAO assessment?
Yes — the workbook is structured the way assessors review controls. Use it to self-assess first, identify and close gaps, then present your completed workbook and collected evidence to the C3PAO.
What if I’m only handling CUI in email and file shares?
You still need to implement all 110 controls within your CUI boundary. This workbook helps you define that boundary and assess each control within it.
Do I need this if I already have an SSP?
Your SSP describes how controls are implemented. This workbook helps you verify they’re actually implemented correctly and identifies gaps your SSP may not cover. They’re complementary documents.
What format is the workbook?
Microsoft Word (.docx) — fully editable in Microsoft Office, Google Docs, or LibreOffice. Print-ready at US Letter size.
Do you offer refunds?
Yes — 30-day money-back guarantee.

Your SPRS score is due. Know where you stand.

Get the CMMC Workbook — $147

30-day money-back guarantee · Instant download