In this article:
Reports by Assessment Model
Based on security models and assessments, different types of reports are available. More report coverage is coming soon.
How to Access and Export
A report is part of the security model license issued to customers. For example, as part of the CMMC v2.0 license, customers can use the System Security Plan and Plan of Action & Milestones (POA&Ms) reports in .pdf format.
Customers can also generate reports for all one-dimensional assessments in PowerPoint format (.pptx).
Once a user opens an assessment, the reports are available in the avatar menu of Axio360.
Example Export Based on Different Model Types
PowerPoint Reports
Available for the following models, including all derived customer-specific models:
- CIS Control Assessment
- CIS+
- CRI Profile, all current model versions
- NIST CSF, all supported model versions and scales
- NIST IR 8374 (Ransomware)
- NIST SP 800-53 Rev. 5
- SSDF, including CMMI scale
- from the prerelease models:
- FFIEC Part 1
Images and text in exported PowerPoint reports are not editable. Users may add text boxes or graphic elements to add their own explanations. At this point, the default report format is kept at a 4:3 ratio to allow our customers to easily import images into presentations with either a 4:3 or 16:9 ratio.
Axio360 is currently in a phased rollout of redesigned product elements. Features already available based on the redesign might have model-specific nomenclature limitations until the redesign rollout is completed. The PowerPoint Report is one of those feature areas with a limitation on the correct verbiage used, for example, for NIST CSF (Function, Category) vs. CIS (Control, Activity). The report currently defaults to the NIST CSF nomenclature.
- From the Axio360 menu, select Assessments.
- From the Assessments Menu, select and open your assessment, for example, a NIST CSF v2.0.
-
Navigate to the user profile menu.
-
From the drop-down menu select PowerPoint Report.
Creating a report can take up to 30 seconds.
A progress indicator will show during the report generation and download process.
Once completed, the report is available in your browser’s download tray.
CMMC v2.0 Specific Reports
-
With the focus on a CMMC v2.0 assessment in the assessment navigation menu, navigate to the user profile menu.
- From the drop-down menu select Export POA&M Report.
-
From the modal, select the report to export.
CMMCv2 Reports
System Security Plan (SSP)
The System Security Plan (SSP) report provides an overview of the security requirements and describes the practices in place or planned for implementation.
The generated .xlxs formatted report outputs a row for each practice with at least one evidence link in one of the selected assessments. The row has columns for
- Domain,
- Practice Name,
- Control Name, and
- Evidence Links.
Where:
- Domain and Practice Name match the model file fields.
- Evidence Links contain a new line with the assessment name for each assessment and a new line for each evidence link at that practice for that assessment.
Plans of Actions and Milestones (POA&M):
Plans of Actions and Milestones (POA&Ms) are a critical component of a CMMC compliance strategy. POA&Ms document corrective action plans for tracking and resolving information security and privacy weaknesses against CMMC requirements. The plans detail the gaps and intended remediations, resources (e.g., personnel, technology, funding) required to accomplish the plan, milestones for correcting the weaknesses, key stakeholders involved in the effort, and scheduled completion dates for the milestones.
The export action writes a .xlxs file with the following data columns:
- Assessment Name
- CMMC Level
- Control Name
- Level (including only “not met” and “partially implemented” states)
- Target Date
- Action Items
C2M2 V2.1 Reports
C2M2 v2.1 Foundations MIL Report
Users can create the C2M2 v2.1 Foundations MIL report after the assessment questionnaire has been completed. The report is available for download in .pdf format.
Please note:
- The order of questions in the report differs from those in the actual assessment model.
- Completion percentages for partially implemented domains indicate zero completion. Only Largely or Fully Implemented practices account for completion percentages by domain.
- Decimals on percentage completion rates are always rounded down.
- MIL reports are not available on Full C2M2 v2.1 assessments.