This tool will walk you through a simple risk assessment and give you a pass or fail at the end. If you want a score and something to print out for your risk management team, then you will need to create an account to get access to premium features.
If you are going to participate in any US DoD contracts, whether directly or as part of a team, you must complete your self-assessment and upload the result to the Procurement Integrated Enterprise Environment (PIEE). You will also need two people: one to act as the administrator and one to perform the cyber assessment uploads.
Many of the security requirements call for organization-defined artifacts or documented policies and procedures. These are not optional; you must have them in place to be compliant. We cannot stress enough how important it is to have the documentation in place and to test the policies at a regular, defined interval.
Plans of action addressing unimplemented security requirements are not a substitute for a completed requirement. Security requirements not implemented, whether a plan of action is in place or not, will be assessed as 'not implemented.'
Temporary deficiencies and/or isolated enduring exceptions which occur during initial implementation, or arise after implementation, are to be expected in most complex environments. If the implementation roll-out has otherwise been completed, this 'temporary deficiency' plan of action would be considered, and the requirement scored 'as implemented.'
FIPS-validated cryptography is probably the requirement most often left unmet (NIST SP 800-171 3.13.11 requires FIPS-validated cryptography wherever cryptography protects the confidentiality of CUI). The TLS library that ships with most mail servers and operating systems does not run in a FIPS-validated mode by default. You must verify that your mail server both offers TLS for SMTP (the STARTTLS command) and performs that TLS with a FIPS 140-validated cryptographic module. Without validated cryptography you will not be authorized to handle CUI. Do not assume your mainstream operating system is FIPS-validated out of the box. How do you know whether it is? NIST's Cryptographic Module Validation Program (CMVP) issues a validation certificate for a cryptographic module, and only the module, version, and operating environment named on that certificate are covered, so check that your installed version and configuration match it. Here's an example of such a certificate for an IBM z/OS system.
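The two checks described above, written out as an added example script (this is not the assessment tool's own code). It probes a mail server with `openssl s_client -starttls smtp`, confirms a TLS 1.2 or 1.3 session was negotiated with a cipher suite on an allowlist, and checks the Linux kernel FIPS flag. The allowlist is an assumption drawn from the TLS 1.2/1.3 suites recommended in NIST SP 800-52r2; reconcile it with the security policy of your own validated module. The hostname `mail.example.com` in the usage line and the file path argument to `check_kernel_fips` are placeholders.

```shell
#!/bin/sh
# Added example: verify STARTTLS plus FIPS-acceptable TLS parameters on a mail
# server, and FIPS mode on the local host. Not part of the assessment tool.

# Assumed allowlist (SP 800-52r2 style suites); adjust to your module's policy.
FIPS_OK_CIPHERS='TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256'

# Probe the server. openssl upgrades the SMTP session with STARTTLS and, with
# -brief, prints a one-field-per-line session summary on stderr (hence 2>&1).
probe_smtp_starttls() {
  host=$1; port=${2:-25}
  openssl s_client -brief -starttls smtp -connect "$host:$port" </dev/null 2>&1
}

# Read an s_client -brief summary on stdin. Returns 0 when a TLS 1.2+ session
# was negotiated with an allowlisted cipher, 2 when no TLS session appeared
# (STARTTLS refused or not offered), 1 otherwise.
evaluate_tls_summary() {
  summary=$(cat)
  proto=$(printf '%s\n' "$summary" | sed -n 's/^Protocol version: //p')
  cipher=$(printf '%s\n' "$summary" | sed -n 's/^Ciphersuite: //p')
  [ -n "$proto" ] && [ -n "$cipher" ] || {
    echo "FAIL: no TLS session established (STARTTLS refused or not offered)"
    return 2
  }
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "FAIL: protocol $proto is below TLS 1.2"; return 1 ;;
  esac
  list=$(printf '%s' "$FIPS_OK_CIPHERS" | tr '\n' ' ')
  case " $list " in
    *" $cipher "*) echo "OK: $proto $cipher"; return 0 ;;
  esac
  echo "FAIL: cipher $cipher is not on the approved list"
  return 1
}

# Linux kernel FIPS flag: 1 means the host booted with FIPS mode enabled.
# The path argument exists so the check can be pointed at a sample file.
check_kernel_fips() {
  flag=${1:-/proc/sys/crypto/fips_enabled}
  [ -r "$flag" ] && [ "$(cat "$flag")" = 1 ]
}

main() {
  host=$1; port=${2:-25}
  echo "== local host FIPS mode"
  if check_kernel_fips; then
    echo "kernel fips_enabled=1"
  else
    echo "kernel not in FIPS mode (or not Linux)"
  fi
  # OpenSSL 3 lists loaded providers; a 'fips' provider must be present and active.
  openssl list -providers 2>/dev/null || echo "openssl list -providers unavailable (OpenSSL < 3?)"
  echo "== $host:$port STARTTLS"
  probe_smtp_starttls "$host" "$port" | evaluate_tls_summary
}

# Usage: sh fipscheck.sh mail.example.com 25
if [ $# -gt 0 ]; then main "$@"; fi
```

A passing session summary proves only that the negotiated parameters are ones an approved module could have produced; it does not prove the server's library is the validated module. Pair this check with the CMVP certificate for the exact library version and platform the mail server runs, and with a configuration review confirming the module is operating in its approved mode.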