Self-Assessment Tool

Is Your Environment Too Complex
for a Fast-Track Program?

Two or more indicators below means a standardized CMMC program may leave you exposed at assessment. Select your profile, then check every box that applies.

Step 1 · Identify Your Profile

Who Are You
in the DIB?

Select the profile that best describes your organization. Most BlackWatch clients see themselves in more than one.

🏭

The Multi-Site Manufacturer

Multiple facilities, inconsistent postures across locations

⚖️

The Dual-Agency Contractor

DoD and civilian contracts running simultaneously

🔁

The Post-Failure Contractor

Been through a program — still exposed

⏱️

The Sub Under Pressure

Prime pushing requirements downstream with a deadline

🔗

The Contractor with a Supply Chain

Subs and MSPs inside your CUI boundary

🌐

The ITAR/EAR Contractor

Export control layered on top of CMMC

Step 2 · Check Your Indicators

How Complex Is
Your Environment?

Check every box that applies to your organization. Two or more checked means a standardized fast-track program carries real risk for you.

Multiple performance locations or facilities
Each site may have a different security posture that must be individually assessed and documented.
Legacy on-premise systems that cannot migrate to GCC High
On-prem environments require manual SSP coverage that automated tools routinely miss.
OT/IT boundary where manufacturing systems touch CUI
Operational technology environments create scoping complexities no template anticipates.
Uncertain or evolving CUI boundary
If you're not certain which systems, people, or processes touch CUI — your scope isn't defined yet.
Contracts under both DoD (DFARS) and civilian agencies (FAR/HSAR)
Different CUI regimes, incident-reporting clocks, and safeguarding obligations apply simultaneously.
ITAR or EAR obligations layered on top of CMMC requirements
Export control intersects with CUI classification in ways that require deliberate scoping.
Prime pushing CMMC requirements down to you as a subcontractor
You're certifying under pressure with a contract performance deadline driving the timeline.
Subcontractors or suppliers inside your CUI data flow
Third-party access to CUI creates downstream compliance obligations you are responsible for.
Managed service providers or external IT with system access
MSP access must be scoped, documented, and controlled — inherited trust is not inherited compliance.
Previously attempted a fast-track or DIY CMMC program
If you have open POA&M items or unresolved gaps from a prior program, the clock is already running.
SPRS score below 70 or self-assessment not yet submitted
A low or missing SPRS score is a contracting liability today — not just a future certification problem.
No current SSP, or SSP built from a template you can't fully defend
An SSP you can't defend under direct assessor questioning is not an SSP — it's a liability.
0
of 11 indicators checked
Check the boxes above to see your complexity assessment.