Page 1 of 1

Valor CMMC Readiness Snapshot™

A fast, practical snapshot to help DoD subcontractors understand their CMMC readiness and next best step.
This readiness snapshot is for planning purposes only. Valor Visions does not perform CMMC assessments or issue certifications. Official CMMC Level 2 assessments are conducted by authorized C3PAOs.

16 quick questions — under 5 minutes total

Section 1 — Scope (sets Level 1 vs Level 2 track)

1. Does your organization handle Controlled Unclassified Information (CUI)? CUI includes technical data, source selection information, or other sensitive DoD information marked "CUI" or previously marked "FOUO."

Examples: Technical drawings marked CUI, Export-controlled data (ITAR/EAR), Procurement-sensitive information, Operational or mission data
1. Does your organization handle Controlled Unclassified Information (CUI)? CUI includes technical data, source selection information, or other sensitive DoD information marked "CUI" or previously marked "FOUO."
A
B
C
If Q1 = Yes → You are likely on a CMMC Level 2 track.

2. Are you currently in the DoD supply chain?

2. Are you currently in the DoD supply chain?
A
B
C
D

3. How many employees?

3. How many employees?
A
B
C
D

4. Primary Industry?

4. Primary Industry?
A
B
C
D
E

5. Timeline urgency?

5. Timeline urgency?
A
B
C
D

Section 2 — Readiness essentials (scored)

6. Do you have a named owner responsible for CMMC / cybersecurity readiness?

6. Do you have a named owner responsible for CMMC / cybersecurity readiness?
A
B
C

7. Do you have a current System Security Plan (SSP) or equivalent documentation?

7. Do you have a current System Security Plan (SSP) or equivalent documentation?
A
B
C

8. Do you maintain a POA&M to track gaps and remediation work?

8. Do you maintain a POA&M to track gaps and remediation work?
A
B
C

9. Is MFA enforced for email, remote access, and administrative accounts?

9. Is MFA enforced for email, remote access, and administrative accounts?
A
B
C

10. Do you have an asset inventory (systems, endpoints, cloud services) with ownership defined?

10. Do you have an asset inventory (systems, endpoints, cloud services) with ownership defined?
A
B
C

11. Is there a defined process for user access provisioning and removal?

11. Is there a defined process for user access provisioning and removal?
A
B
C

12. Is compliance evidence stored in a centralized, auditable location (not scattered)?

12. Is compliance evidence stored in a centralized, auditable location (not scattered)?
A
B
C

13. Do you have an incident response process with roles and escalation defined?

13. Do you have an incident response process with roles and escalation defined?
A
B
C

14. Have you completed a security or readiness review in the last 12 months?

14. Have you completed a security or readiness review in the last 12 months?
A
B
C

15. Could you confidently explain your compliance posture to a C3PAO today?

15. Could you confidently explain your compliance posture to a C3PAO today?
A
B
C

16. When something breaks today, how does your team usually respond? This question does not affect your score. It helps surface how issues are handled in practice.

16. When something breaks today, how does your team usually respond? This question does not affect your score. It helps surface how issues are handled in practice.
A
B
C
D

Where should we send your Readiness Snapshot?
We’ll email a copy of your results so you can review and share them internally.

We don’t spam. This is used to deliver your snapshot and relevant next-step guidance.