Identity and Access Management is the #1 CMMC assessment failure domain. Shared accounts on the shop floor. MFA deployed for VPN but missing everywhere else. Privileged accounts nobody reviews. Audit logs that exist but nobody reads.
This workbook gives you a structured, step-by-step process to audit all 21 IAM-related NIST SP 800-171 Rev 2 controls, identify every gap, and produce the evidence documentation that C3PAO assessors expect to see.
Complete it in a single afternoon. No compliance experience required.
What’s Inside
10-Tab Interactive Excel Workbook – Shared Account Audit — Inventory every account, flag shared/generic accounts with CUI access, identify remediation targets – MFA Deployment Matrix — Map MFA coverage across all access types, track exceptions, check the GSA showstopper requirement – Privilege Review — Inventory privileged accounts, document separation of duties, schedule reviews – Audit Log Attribution — Verify log coverage by event type, test individual attribution, assess log protection – Auto-Scored Dashboard — See your readiness score by domain, view critical findings, know exactly where you stand – Remediation Tracker — Turn findings into action items with risk levels, owners, and target dates – Evidence Index — Catalog every piece of evidence, mapped to controls, ready for your assessor
Plus: – 8-page Companion Guide with domain deep dives and evidence collection tips – Example excerpt showing realistic completed tabs from a fictional 50-person contractor – Quick-start README
Who This Is For
- IT directors at small defense contractors preparing for CMMC Level 2
- Compliance officers building or validating IAM programs
- System administrators responsible for Active Directory, MFA, and audit logging
- Consultants running IAM assessments for multiple clients
What You’ll Need
- Microsoft Excel 2016 or later (no macros required)
- Access to your Active Directory or identity provider
- MFA admin console access
- Audit log configuration access
- 2-4 hours of focused time
Controls Covered
21 in-scope controls from NIST SP 800-171 Rev 2: – 14 Access Control (3.1) — account management, least privilege, separation of duties, session controls, remote access – 7 Audit & Accountability (3.3) — audit logging, individual attribution, log review, log protection – 4 cross-referenced Identification & Authentication (3.5) — MFA requirements, authenticator management
Reviews
There are no reviews yet.