SELF-ASSESSMENT — NOT C3PAO CERTIFIED

This documentation represents an internal self-assessment prepared with AI assistance. It has not been reviewed or validated by a Certified Third-Party Assessment Organization (C3PAO), external MSSP, or any external auditor. CMMC Level 2 certification requires a formal C3PAO assessment. Control statuses reflect honest current implementation state — not aspirational targets.

CMMC Level 2 — Self-Assessment

Security Protocol Dashboard

Internal cybersecurity compliance documentation for OUTSOURCE Consulting Services, Inc. — structured against NIST SP 800-171 Rev 2 and the CMMC 2.0 Level 2 framework. This is a gap analysis and roadmap, not a certification claim.

Organization: OUTSOURCE Consulting Services, Inc.
Framework: NIST SP 800-171 Rev 2 / CMMC 2.0 Level 2
Last Updated: April 3, 2026
Prepared By: OCSI Internal (AI-Assisted)
Assessment Type: Self-Assessment — C3PAO Review Pending

Implemented (Verified): 16
Partially Implemented: 14
Not Implemented / No Evidence: 80
Open POA&M Items: 13

NIST Cybersecurity Framework Lifecycle

OCSI's security protocols are structured around the NIST Cybersecurity Framework 5-phase lifecycle. Phases 3-5 require an external partner (e.g., an MSSP), which has not yet been engaged.

1. Assessment: Gap Analysis & Vulnerability ID
2. Remediation: Risk Mitigation & Controls
3. Testing: Penetration & Control Testing
4. Monitoring: Log Review & Alerting (No SIEM)
5. Incident Response: Triage, Contain, Recover

Current Compliance Posture — Gap Analysis

OUTSOURCE Consulting Services, Inc. (OCSI) has begun implementing cybersecurity controls structured against NIST SP 800-171 Rev 2 to work toward CMMC 2.0 Level 2 readiness. This is an internal gap analysis, not a compliance certification. Of 110 required controls: 16 are technically verified in code, 14 are partially implemented, and 80 require further implementation or organizational evidence. A formal C3PAO assessment has not been conducted. Key gaps include: no MFA, client-side-only authentication, no SIEM, no encryption at rest, and shared hosting infrastructure.

Target: NIST SP 800-171 Rev 2
Target: CMMC 2.0 Level 2
C3PAO Assessment: Not Scheduled
Open POA&M Items: 13