Based on security models and assessments, different types of reports are available. More report coverage is coming soon.
A report is part of the security model license issued to customers. For example, as part of the CMMC v2.0 license, customers can use the System Security Plan and Plan of Action & Milestones (POA&Ms) reports. These reports are available in the avatar menu of Axio360.
- With the focus on a CMMC v2.0 assessment in the assessment navigation menu, navigate to the user profile menu.
- From the drop-down menu, select Export POA&M Report.
- From the modal, select the report to export.
The System Security Plan (SSP) report provides an overview of the security requirements and describes the practices in place or planned for implementation.
The generated .xlsx report outputs a row for each practice with at least one evidence link in one of the selected assessments. Each row has columns for:
- Practice Name,
- Control Name, and
- Evidence Links.
- Domain and Practice Name match the model file fields.
- Evidence Links contain a new line with the assessment name for each assessment and a new line for each evidence link at that practice for that assessment.
Plans of Action and Milestones (POA&Ms) are a critical component of a CMMC compliance strategy. POA&Ms document corrective action plans for tracking and resolving information security and privacy weaknesses against CMMC requirements. The plans detail the gaps and intended remediations, resources (e.g., personnel, technology, funding) required to accomplish the plan, milestones for correcting the weaknesses, key stakeholders involved in the effort, and scheduled completion dates for the milestones.
The export action writes a .xlsx file with the following data columns:
- Assessment Name
- CMMC Level
- Control Name
- Level (including only “not met” and “partially implemented” states)
- Target Date
- Action Items
Users can create the C2M2 v2.1 Foundations MIL report after the assessment questionnaire has been completed. The report is available for download in .pdf format.
- The order of questions in the report differs from those in the actual assessment model.
- Completion percentages for partially implemented domains indicate zero completion. Only Largely or Fully Implemented practices account for completion percentages by domain.
- Decimals on percentage completion rates are always rounded down.
- MIL reports are not available on Full C2M2 v2.1 assessments.