Are you CMMC Level 2 ready?

Q1Multi-factor authentication is enforced on all privileged + remote accounts (including OT engineer VPN).

Q2Role-based access control is documented and reviewed at least quarterly for both IT and OT systems.

Q3Third-party vendor access to plant systems is time-boxed and logged session-by-session.

Q1A formal cyber risk assessment against NIST SP 800-171 has been completed in the last 12 months.

Q2A documented POA&M (Plan of Action & Milestones) exists with owners, dates, and residual risk.

Q3OT / ICS systems are included in the risk register (not just corporate IT).

Q1An incident response plan exists, is tested via tabletop at least annually, and covers OT scenarios.

Q2A designated incident commander and 24/7 contact tree is documented for ransomware events.

Q3Immutable, offline backups exist and have been restore-tested in the last 6 months.

Q1Centralized logging captures auth, privilege escalation, and OT protocol anomalies.

Q2Logs are retained for at least 90 days and reviewed at least weekly.

Q3Audit records are protected from unauthorized modification with tamper-evident storage.

Q1Baseline configurations exist for IT endpoints, servers, and OT devices (PLCs, HMIs, historians).

Q2Patching cadence is documented for IT (monthly) and OT (vendor-approved windows).

Q3Unauthorized software is blocked via allowlisting or equivalent controls.