Assess a control

Pick one of the six CMMC Level 2 controls in this build. Each is walked the way an assessor works it: the security requirement → the 800-171A assessment objectives (a control is MET only if EVERY objective is MET) → what it means / the org process → the Examine / Interview / Test methods. Requirement and objective text is verbatim from 800-171A.

32 CFR 170 requires NIST 800-171 R2 assessed by 800-171A objectives the org's SSP interpretation the check.
Why R2, not R3? NIST withdrew 800-171 R2 in May 2024 in favor of R3 — but CMMC is anchored to R2 by its own rule, 32 CFR 170.14(c)(3). DoD has not adopted R3 for CMMC, so a CMMC Level 2 assessment is still conducted against R2. Assessing R3 today would be wrong for CMMC — exactly the version trap a tool like this exists to catch.

Model checker — deprovisioning liveness

CMMC PS.L2-3.9.2, objective [b] ("system access and credentials are terminated consistent with personnel actions such as termination or transfer"). The obligation: a terminated user's CUI access is eventually revoked. Pick how robust the revocation worker is and watch TLC decide. A SAT/snapshot check cannot do this — it checks one state; this checks the process over every possible run.

The model, in TLA+ (real excerpt)

\* obligation: terminated user is eventually revoked
Liveness == terminated ~> revoked

\* worker revokes, but only while it is up
WorkerRevoke == queued /\ workerUp /\ ~revoked
                /\ revoked' = TRUE

\* it can crash before it acts -- what starves it
Crash   == workerUp /\ ~revoked /\ workerUp' = FALSE
Restart == ~workerUp /\ workerUp' = TRUE

\* fairness is the knob you turn -->
Spec == Init /\ [][Next]_vars /\ Fairness

Fairness on the revocation worker

▲ Every verdict and trace is genuine TLC output (Deprovision.tla, tla2tools, run 2026-07-13) — not a mock. TLC is deterministic, so the three fairness runs are faithfully precomputed.

Ask the auditor

Grounded on the NIST/CMMC corpus (800-171 R2, 800-171A, 32 CFR 170, CMMC L2 Assessment Guide, DoD Assessment Methodology). It cites the exact clause, and it says so when it doesn't know rather than guessing.

Grounded on the NIST 800-171 + CMMC corpus, answered by the on-prem model. Cites the clause; says so when it doesn't know.
Ask a CMMC / NIST 800-171 question. I answer only from the authoritative corpus and cite the source clause. If it's not in the corpus, I'll say so rather than guess. Try: "what deadline does 3.9.2 set for deprovisioning?" or "is PS.L2-3.9.2 POA&M-eligible?"

Documents — the authority chain

Where every determination in this tool comes from. The chain runs from the regulation that makes 800-171 binding, down to the specific check. authoritative = the government source of record. explainer = a good plain-language restatement, not the source. org = the OSC's own document.

32 CFR Part 170 — the CMMC final rule authoritative
Legally incorporates NIST 800-171 Revision 2 by reference (170.1(c)); Level 2 = the 110 R2 requirements (170.14(c)(3)); POA&M rules (170.21); SPRS scoring (170.24).  eCFR ↗  · Federal Register final rule (PDF) ↗
NIST SP 800-171 R2 — the security requirements authoritative
The 110 requirements themselves (14 families). The control statement you must quote.  nvlpubs.nist.gov (PDF) ↗
NIST SP 800-171A — the assessment objectives + methods authoritative
Each requirement decomposed into lettered objectives ([a],[b],[c]…) and the Examine/Interview/Test method sets. This is what an assessor actually works from.  nvlpubs.nist.gov (PDF) ↗
DoD Assessment Methodology + 32 CFR 170.24 — scoring authoritative
Score starts at 110; each unmet requirement subtracts 5 / 3 / 1 (may go negative). Defines which controls are POA&M-eligible.  DoDAM v1.2.1 (PDF) ↗  · 170.24 ↗  · 170.21 (POA&M) ↗
The OSC's System Security Plan (SSP) org
Where the organization writes its own interpretation and any org-defined parameters (e.g. the deprovisioning window — NIST sets none). The SSP is a gate: no up-to-date SSP ⇒ the assessment cannot be completed (170.24(c)(2)(i)(B)(5)).
The check org
Evidence snapshot for point-in-time objectives; TLA+/TLC model-checking for process-over-time objectives (e.g. 3.9.2[c] liveness). The AI proposes a checkable rule from the prose; the model checker disposes.
Explainers (useful, but NOT the source of record)
Community restatements such as csf.tools 3.1.1 are helpful for orientation. Do not cite them in a finding — cite the 800-171A / 32 CFR section id. Every quote in this tool is traceable to the .gov text in corpus/.
Source manifest (what was downloaded, all public .gov)
DocumentSourceUse
NIST.SP.800-171r2.pdfnvlpubs.nist.govRequirement statements (the 110)
NIST.SP.800-171A.pdfnvlpubs.nist.govObjectives [a]… + Examine/Interview/Test
32 CFR 170 (eCFR current)ecfr.govRev 2 incorporation, POA&M (170.21), scoring (170.24)
CMMC final rule (89 FR, Oct 15 2024)govinfo.govFull preamble + regulatory text
DoD Assessment Methodology v1.2.1acq.osd.milSPRS point weights (−5/−3/−1)