Back to Control Explorer



Control Acronym



Security Assessment

CMMC Level


800-171 Control #


CMMC Description

Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement.

CMMC Clarification

An organization must explicitly identify its desired end-state for cybersecurity capabilities and document a roadmap describing the planned path forward. Increasing measures along the way reduces the likelihood of a cyber-attack being successful or minimizes the impact of an attack. The roadmap should have short, medium, and long term goals for the organization. Plan for what the organization wants to accomplish in the next 6-12 months (short term). Also plan for 12-36 months (medium term), and plan for 5-10 years. All of the plans can be adjusted over time, but having the plans will allow for budgeting, priorities, and knowledge as to where to organization is going to keep the environment safe from adversaries. Example 1 The organization sees its security end-state as being comparable to similar sized companies that are considered to have good cybersecurity capabilities. An immediate shortfall has been identified related to email coming into the organization without any filtering capabilities in place. This requires the organization to thwart email attacks at the endpoint and have additional controls on the enterprise to help thwart such attacks. The security roadmap outlines a plan to have automated spam filters, sandboxing of attachments, and link analysis in place within 6 months to help reduce the likelihood of an attack coming from email. Example 2 The organization has a VPN solution that does not require multifactor authentication (MFA). The security roadmap outlines a plan to have MFA in place within the next year, which will reduce the likelihood of remote attackers gaining access to the VPN through stolen credentials.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC As organizations become more mature in their cyber security operations, it is expected that an organization will create, maintain, and leverage a security roadmap to show their planned path forward for improvements. This demonstrates a maturity level within an organization that is above the average company. The security roadmap will help a company move forward with increasing their overall security posture based on priority, cost, and implementation time. Such planning will help an organization line up vendors to discuss the planning and what solutions they may offer, receiving bids to help with the work, or get a bid on a cybersecurity appliance that will be installed on location or an “as a service” solution from a cloud provider that will be utilized remotely. This roadmap should be used to help plan based on areas of highest risk, latest TTPs, and or knowledge that a specific industry is being targeted and pushing solutions forward that will thwart malicious activities. A roadmap will require updates from time to time based on intelligence or architecture needs. A roadmap will survive people changing positions, and it will provide continuity plan for improving the cybersecurity posture of an organization.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 PL-1

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.RM-1, RS.IM-1, RS.IM-2, RC.IM-1, and RC.IM-2

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15