CMMC Compliance Checklist: Complete 110-Control Guide for 2026
Posted: March 31, 2026 to Blog.
This CMMC compliance checklist covers every requirement across all three certification levels, including all 110 CMMC Level 2 requirements mapped to NIST SP 800-171 Revision 2. Use it to assess your organization's readiness, identify gaps in your CMMC compliance requirements, and prepare for your C3PAO assessment. Every practice listed here maps directly to 32 CFR Part 170. Updated for the 2026 enforcement timeline.
The Cybersecurity Maturity Model Certification (CMMC) is no longer a future concern. The Department of Defense is actively including CMMC clauses in new solicitations, and contractors that cannot demonstrate compliance are being excluded from contract awards. Whether you are a prime contractor or a subcontractor anywhere in the defense supply chain, this checklist gives you a concrete, actionable framework for achieving and maintaining certification.
This guide is organized by CMMC level and then by control family, making it usable both as a gap assessment tool and as ongoing evidence tracking for your CMMC compliance program.
What Is CMMC: A Quick Definition
The Cybersecurity Maturity Model Certification (CMMC) is a DoD cybersecurity framework codified in 32 CFR Part 170 that requires defense contractors to verify their implementation of cybersecurity controls before they can receive contract awards involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC replaced the previous self-attestation model under DFARS 252.204-7012 with a structured, three-level certification system that includes both self-assessments and third-party audits.
CMMC has three levels:
- Level 1 (Foundational): 17 practices from FAR 52.204-21. Self-assessment. Required for contractors handling FCI only.
- Level 2 (Advanced): 110 practices from NIST SP 800-171 Rev 2. Third-party assessment by a C3PAO. Required for contractors handling CUI.
- Level 3 (Expert): 110 NIST 800-171 practices plus 24 additional requirements from NIST SP 800-172. Government-led assessment by DIBCAC. Required for the highest-priority programs.
The phased rollout began in 2025 and will cover all applicable contracts by 2028. The CMMC compliance guide provides additional background on the framework's history and structure.
CMMC Level 1 Checklist: 17 Foundational Practices
Level 1 applies to contractors that handle Federal Contract Information (FCI) but not CUI. It requires implementation of 17 basic cybersecurity practices derived from FAR 52.204-21. Level 1 is assessed through annual self-assessment with results submitted to SPRS (Supplier Performance Risk System).
These 17 practices represent the minimum cybersecurity hygiene every federal contractor must meet. Below is the complete list organized by control domain, with plain-language explanations and verification guidance.
Access Control (AC): 4 Practices
- AC.L1-3.1.1 - Limit system access to authorized users. Only people with a legitimate business need should have access to your information systems. Verify by reviewing your user account list and confirming every account belongs to a current employee, contractor, or authorized service account. Disable or remove accounts for anyone who has left the organization.
- AC.L1-3.1.2 - Limit system access to authorized transactions and functions. Users should only be able to perform the actions their job requires. Verify by checking that role-based permissions are configured and that no user has administrator access unless specifically required. Common gap: giving everyone local admin rights on their workstation.
- AC.L1-3.1.20 - Verify and control connections to external systems. Any connections between your network and external systems (cloud services, vendor VPNs, partner networks) must be identified, authorized, and monitored. Verify by maintaining a list of all external connections and reviewing firewall rules.
- AC.L1-3.1.22 - Control information posted on publicly accessible systems. Ensure that FCI and sensitive information is not posted on public websites, file shares, or other publicly accessible locations. Verify by auditing your public-facing web content and cloud storage permissions.
Identification and Authentication (IA): 2 Practices
- IA.L1-3.5.1 - Identify system users, processes, and devices. Every user, process, and device accessing your systems must have a unique identifier. No shared accounts. Verify by auditing Active Directory or your identity provider for shared or generic accounts like "frontdesk" or "lab1."
- IA.L1-3.5.2 - Authenticate users, processes, and devices. Require authentication (passwords, MFA, certificates) before granting access. Verify that no systems allow anonymous access and that password policies meet minimum complexity requirements.
Media Protection (MP): 1 Practice
- MP.L1-3.8.3 - Sanitize or destroy media before disposal or reuse. Hard drives, USB drives, and any media that contained FCI must be wiped or physically destroyed before disposal. Verify by documenting your media sanitization process and keeping destruction logs.
Physical Protection (PE): 4 Practices
- PE.L1-3.10.1 - Limit physical access to authorized individuals. Only authorized personnel should be able to physically access your servers, network equipment, and workstations. Verify by checking badge access logs, door locks, and visitor sign-in procedures.
- PE.L1-3.10.3 - Escort visitors and monitor visitor activity. Visitors must be escorted in areas where FCI is accessible. Verify by reviewing your visitor management process and ensuring sign-in logs are maintained.
- PE.L1-3.10.4 - Maintain audit logs of physical access. Keep records of who accesses secure areas and when. Verify by reviewing badge system logs or manual sign-in sheets and confirming they are retained for at least 12 months.
- PE.L1-3.10.5 - Control and manage physical access devices. Keys, badges, and access cards must be tracked and managed. Verify by maintaining an inventory of issued access devices and promptly deactivating devices when employees leave.
System and Communications Protection (SC): 2 Practices
- SC.L1-3.13.1 - Monitor, control, and protect communications at system boundaries. Firewalls and boundary protection devices must be in place between your network and external networks. Verify by reviewing firewall configurations and confirming that inbound and outbound traffic is filtered.
- SC.L1-3.13.5 - Implement subnetworks for publicly accessible system components. Public-facing systems (web servers, email gateways) must be separated from your internal network using DMZs or network segmentation. Verify by reviewing your network architecture diagram.
System and Information Integrity (SI): 4 Practices
- SI.L1-3.14.1 - Identify, report, and correct system flaws in a timely manner. Patch management is required. Apply security patches within a defined timeline (30 days for critical, 90 days for others is common). Verify by running vulnerability scans and reviewing patch compliance reports.
- SI.L1-3.14.2 - Provide protection from malicious code. Antivirus and anti-malware must be installed on all endpoints and servers. Verify by confirming that signatures are updated regularly and real-time scanning is enabled.
- SI.L1-3.14.4 - Update malicious code protection mechanisms. Antivirus definitions and engines must be kept current. Verify by checking the last update timestamp on all endpoints and confirming automatic updates are configured.
- SI.L1-3.14.5 - Perform periodic system and file scans. Regular full-system scans must run in addition to real-time protection. Verify by reviewing scan schedules and confirming weekly or daily scans are configured.
ComplianceArmor's CMMC module maps every control to your policies, evidence, and POA&M items automatically. Explore the CMMC software or contact us at 919-348-4912 for a personalized compliance assessment.
CMMC Level 2 Requirements: All 110 Controls by Family
Level 2 is where the majority of defense contractors will certify. It maps directly to the 110 security requirements in NIST SP 800-171 Revision 2, organized across 14 control families. A C3PAO (CMMC Third-Party Assessment Organization) must conduct the assessment, which evaluates both technical implementation and documentation including your System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
Below is every control family with its requirement count and key practices. Use this as your working checklist for gap analysis and assessment preparation.
1. Access Control (AC): 22 Requirements
Access Control is the largest control family and the one where assessors find the most gaps. These 22 requirements govern who can access your systems, what they can do, how remote access works, and how you control information flow.
Key requirements include:
- AC.L2-3.1.3 - Control CUI flow. You must control the flow of CUI in accordance with approved authorizations. This means implementing data loss prevention (DLP) tools, email filtering, and network segmentation to prevent CUI from moving to unauthorized systems or users. Assessors will look for documented data flow diagrams showing where CUI enters, is processed, stored, and exits your environment.
- AC.L2-3.1.5 - Employ least privilege. Beyond basic role-based access, this requires that users receive only the minimum access necessary for their job function. Verify by reviewing privilege escalation procedures and confirming that privileged accounts are separate from regular user accounts.
- AC.L2-3.1.12 - Monitor and control remote access. All remote access sessions must be monitored, encrypted, and controlled. VPN connections must terminate at authorized endpoints. Verify by reviewing VPN logs and confirming that split tunneling is disabled or controlled for CUI systems.
Other AC requirements cover session lock timeouts (AC.L2-3.1.10), wireless access restrictions (AC.L2-3.1.16), mobile device connections (AC.L2-3.1.18), and encryption of CUI on mobile devices (AC.L2-3.1.19). Every remote access mechanism in your environment must be documented and secured.
2. Awareness and Training (AT): 3 Requirements
Training requirements are straightforward but frequently handled poorly. These three controls require that all users understand their security responsibilities and that managers and system administrators receive role-specific training.
Key requirements include:
- AT.L2-3.2.1 - Security awareness for all users. Every person who accesses your systems must complete security awareness training that covers current threats, phishing, social engineering, and CUI handling procedures. Training must be documented and refreshed regularly, typically annually.
- AT.L2-3.2.2 - Role-based training. System administrators, developers, and managers need additional training specific to their security responsibilities. A generic awareness course alone does not satisfy this requirement.
- AT.L2-3.2.3 - Insider threat awareness. Users must be trained to recognize and report potential insider threats. This includes understanding indicators of insider threat behavior and knowing the reporting channels.
Petronella Technology Group offers security awareness training programs that cover all three AT requirements and include phishing simulation testing.
3. Audit and Accountability (AU): 9 Requirements
Audit requirements ensure that you are logging security-relevant events, protecting those logs from tampering, and reviewing them regularly. Without proper audit trails, you cannot detect or investigate security incidents.
Key requirements include:
- AU.L2-3.3.1 - Create and retain audit records. Log successful and failed login attempts, privilege escalation, file access to CUI, configuration changes, and other security-relevant events. Retain logs for a period consistent with your records retention policy (typically 1 to 3 years for CMMC).
- AU.L2-3.3.2 - Ensure actions can be traced to individual users. Every action in your audit log must be attributable to a specific user. This is why shared accounts are prohibited and why service accounts must be individually tracked.
- AU.L2-3.3.5 - Correlate audit review, analysis, and reporting. You need a centralized log management or SIEM solution that correlates events across multiple systems. Manual log review of individual servers does not meet this requirement at scale.
Additional AU controls cover alert generation for audit failures (AU.L2-3.3.4), audit log protection (AU.L2-3.3.8), and audit reduction and report generation (AU.L2-3.3.6).
4. Configuration Management (CM): 9 Requirements
Configuration Management controls how your systems are built, documented, and maintained. Poorly configured systems are the most common attack vector in the defense industrial base.
Key requirements include:
- CM.L2-3.4.1 - Establish and maintain baseline configurations. Every system in your CUI environment must have a documented baseline configuration that includes operating system settings, installed software, patch levels, and security configurations. Gold images and configuration management tools (Group Policy, Intune, Ansible) are the standard approach.
- CM.L2-3.4.2 - Establish and enforce security configuration settings. Apply security benchmarks such as CIS Benchmarks or DISA STIGs to all systems. Verify compliance with automated scanning tools.
- CM.L2-3.4.6 - Employ least functionality. Disable unnecessary services, ports, protocols, and software on all systems. A web server should not have database software installed unless required. Common gap: leaving default services running on Windows servers.
Other CM requirements address change management (CM.L2-3.4.3), software usage restrictions (CM.L2-3.4.8), and user-installed software policies (CM.L2-3.4.9).
5. Identification and Authentication (IA): 11 Requirements
IA requirements extend Level 1's basic authentication into multifactor authentication (MFA), password management, and cryptographic authentication mechanisms.
Key requirements include:
- IA.L2-3.5.3 - Use multifactor authentication. MFA is required for all network access to privileged accounts and for all remote network access. This is one of the most frequently cited gaps. Hardware tokens, authenticator apps, or FIDO2 keys all qualify. SMS-based MFA is allowed but not recommended.
- IA.L2-3.5.7 - Enforce minimum password complexity. Passwords must meet defined complexity requirements. NIST 800-63B recommends minimum 8 characters with no mandatory complexity rules, but many assessors still expect mixed character types. Document your policy and be consistent.
- IA.L2-3.5.8 - Prohibit password reuse for a defined number of generations. Users must not be able to reuse previous passwords. Typically enforce a history of at least 12 to 24 passwords.
Additional IA controls cover authenticator management (IA.L2-3.5.4), replay-resistant authentication (IA.L2-3.5.9), and identifier management procedures (IA.L2-3.5.5, IA.L2-3.5.6).
6. Incident Response (IR): 3 Requirements
Three requirements may seem minimal, but each one demands significant documentation and capability. You need a tested incident response plan, the ability to detect and report incidents, and a defined process for tracking and documenting them.
Key requirements include:
- IR.L2-3.6.1 - Establish incident handling capability. Document an incident response plan that covers preparation, detection, analysis, containment, eradication, and recovery. The plan must identify roles, responsibilities, and escalation procedures. It must be tested (tabletop exercises count) and updated at least annually.
- IR.L2-3.6.2 - Track, document, and report incidents. Every security incident must be documented from detection through resolution. For CMMC, you must also report cyber incidents involving CUI to the DoD within 72 hours per DFARS 252.204-7012.
- IR.L2-3.6.3 - Test incident response capability. Conduct tabletop exercises or simulations at least annually. Document the results and any lessons learned. Assessors will ask to see evidence of your most recent test.
7. Maintenance (MA): 6 Requirements
Maintenance controls govern how system maintenance is performed, who performs it, and how maintenance tools and remote maintenance sessions are managed.
Key requirements include:
- MA.L2-3.7.1 - Perform maintenance on organizational systems. Establish maintenance schedules and document all maintenance activities. This includes both routine patches and hardware repairs.
- MA.L2-3.7.5 - Require MFA for remote maintenance sessions. Any remote maintenance session must use multifactor authentication and be fully logged. Terminate the session and change credentials when maintenance is complete.
- MA.L2-3.7.2 - Provide controls on maintenance tools. Tools used for maintenance (diagnostic software, portable drives, remote access tools) must be inspected and approved before use on CUI systems.
8. Media Protection (MP): 9 Requirements
Media protection goes well beyond Level 1's sanitization requirement. Level 2 requires marking, transport protection, storage control, and access restrictions for all media containing CUI.
Key requirements include:
- MP.L2-3.8.1 - Protect system media containing CUI. Both paper and digital media containing CUI must be physically protected. Locked storage for removable media, restricted access to file servers, and controlled print areas all apply.
- MP.L2-3.8.2 - Limit access to CUI on system media. Only authorized users should be able to access media containing CUI. Implement access controls on network shares, removable media, and backup tapes.
- MP.L2-3.8.6 - Implement cryptographic mechanisms for CUI on portable media. USB drives, laptops, and any portable storage containing CUI must use FIPS 140-2 validated encryption. BitLocker with TPM, self-encrypting drives, and encrypted USB devices all qualify.
Additional MP controls cover CUI marking on media (MP.L2-3.8.4), transport protection (MP.L2-3.8.5), and media use restrictions (MP.L2-3.8.7).
ComplianceArmor's gap analysis module benchmarks your current posture against all 110 NIST 800-171 controls and generates a prioritized remediation plan. Start your gap analysis or call 919-348-4912.
9. Personnel Security (PS): 2 Requirements
Personnel Security is the smallest control family but critical. It ensures that people are screened before being given access to CUI and that access is revoked when they leave.
- PS.L2-3.9.1 - Screen individuals before authorizing access. Background checks must be completed before granting access to systems containing CUI. Define what constitutes an acceptable background check and document the process.
- PS.L2-3.9.2 - Protect CUI during personnel actions. When employees are terminated or transferred, immediately revoke system access, retrieve badges and devices, and ensure CUI is not removed from the organization. Document offboarding procedures and verify they are followed consistently.
10. Physical Protection (PE): 6 Requirements
Level 2 builds on Level 1's physical protection with additional controls for alternate work sites, equipment protection, and environmental hazards.
Key requirements include:
- PE.L2-3.10.2 - Protect and monitor physical facility. Implement surveillance cameras, alarm systems, and intrusion detection at facilities where CUI is processed or stored. Monitor these systems continuously or on a defined schedule.
- PE.L2-3.10.6 - Enforce safeguards for CUI at alternate work sites. Remote workers and teleworkers who access CUI from home offices or other locations must follow defined physical security measures. This includes locked offices, privacy screens, and secure Wi-Fi. Document your telework policy and the security requirements for alternate sites.
11. Risk Assessment (RA): 3 Requirements
Risk assessment is a foundational activity that informs all other security decisions. These three controls require periodic risk assessments, vulnerability scanning, and remediation of discovered vulnerabilities.
- RA.L2-3.11.1 - Periodically assess risk. Conduct formal risk assessments at least annually, and whenever significant changes occur in your environment. Document the methodology, findings, and risk response decisions. Your risk assessment should cover all 14 control families.
- RA.L2-3.11.2 - Scan for vulnerabilities periodically and when new vulnerabilities are identified. Run authenticated vulnerability scans at least monthly. Address critical and high vulnerabilities within 30 days. Document scan results and remediation actions.
- RA.L2-3.11.3 - Remediate vulnerabilities in accordance with assessments of risk. Prioritize vulnerability remediation based on risk. Not every vulnerability needs immediate attention, but your risk-based prioritization must be documented and defensible.
A comprehensive cybersecurity risk assessment should be the starting point for any CMMC compliance program.
12. Security Assessment (CA): 4 Requirements
Security Assessment controls require you to periodically evaluate whether your security controls are working as intended and to develop plans for addressing deficiencies.
- CA.L2-3.12.1 - Periodically assess security controls. Conduct internal assessments of your security controls at least annually. This is separate from your C3PAO assessment and serves as ongoing due diligence.
- CA.L2-3.12.2 - Develop and implement plans of action to correct deficiencies. Your POA&M must document every identified deficiency, assign responsibility, set milestones, and track remediation progress. Assessors review your POA&M to understand what gaps exist and whether you have a credible plan to close them.
- CA.L2-3.12.3 - Monitor security controls on an ongoing basis. Implement continuous monitoring through automated tools (SIEM, vulnerability scanners, configuration compliance tools) to verify that controls remain effective between assessments.
- CA.L2-3.12.4 - Develop, document, and periodically update system security plans. Your SSP is the central document for your CMMC assessment. It must describe your system boundaries, how each of the 110 controls is implemented, and the security architecture of your CUI environment. Keep it current.
13. System and Communications Protection (SC): 16 Requirements
SC is the second-largest control family and covers encryption, network architecture, and data protection in transit and at rest. These 16 requirements are technically demanding and often require infrastructure changes.
Key requirements include:
- SC.L2-3.13.8 - Implement cryptographic mechanisms to prevent unauthorized disclosure during transmission. All CUI transmitted across networks must be encrypted using FIPS 140-2 validated cryptography. This applies to email, file transfers, VPN connections, and API communications. TLS 1.2 or higher is the minimum standard.
- SC.L2-3.13.11 - Employ FIPS-validated cryptography. Cryptographic modules used for CUI protection must be FIPS 140-2 validated. This means using compliant implementations of AES, SHA, and RSA, not just any encryption library. Verify by checking the NIST Cryptographic Module Validation Program (CMVP) list.
- SC.L2-3.13.16 - Protect confidentiality of CUI at rest. CUI stored on any system must be encrypted at rest. Full disk encryption (BitLocker, FileVault with FIPS mode) and database encryption both qualify, provided the cryptographic module is FIPS 140-2 validated.
Other SC requirements address session authenticity (SC.L2-3.13.9), DNS filtering (SC.L2-3.13.6), collaborative computing devices (SC.L2-3.13.12), and mobile code restrictions (SC.L2-3.13.13).
14. System and Information Integrity (SI): 7 Requirements
SI requirements ensure that your systems are monitored for security issues, that you receive and act on security alerts, and that your systems are protected from malicious code.
Key requirements include:
- SI.L2-3.14.3 - Monitor security alerts and advisories. Subscribe to vendor security advisories, CISA alerts, and threat intelligence feeds relevant to your technology stack. Act on these alerts within your defined vulnerability management timeline.
- SI.L2-3.14.6 - Monitor systems to detect attacks and indicators of potential attacks. Deploy intrusion detection and prevention systems (IDS/IPS), endpoint detection and response (EDR), or a managed XDR solution. Passive monitoring alone is insufficient; you need active detection capabilities. Our managed XDR suite provides this capability for organizations that lack in-house SOC resources.
- SI.L2-3.14.7 - Identify unauthorized use of organizational systems. Implement monitoring to detect unauthorized access patterns, unusual login times, impossible travel scenarios, and unauthorized software installation. Correlate these with your audit logs for investigation.
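An added example (not code from the original post) of the detection logic this control calls for, run over constructed authentication log lines: it flags successful logins outside an assumed 06:00 to 20:00 UTC window and "impossible travel" between two successful logins whose implied speed exceeds an assumed 900 km/h. The IP-to-location table stands in for a GeoIP lookup and uses documentation address ranges.

```python
"""
Detection logic of the kind SI.L2-3.14.7 calls for: flag successful logins
outside an assumed business-hours window and "impossible travel", where two
successful logins by one user imply a speed no traveller could reach.
All log lines and the IP-to-location table are constructed for this example.
"""
import math
import re
from datetime import datetime, timezone

# Constructed IP-to-location table using documentation address ranges. In a
# real pipeline this is a GeoIP or VPN-egress lookup.
GEO = {
    "203.0.113.10": ("Raleigh", 35.78, -78.64),
    "198.51.100.7": ("Raleigh", 35.79, -78.66),
    "192.0.2.44": ("Kyiv", 50.45, 30.52),
    "192.0.2.45": ("Singapore", 1.35, 103.82),
}
MAX_PLAUSIBLE_KMH = 900.0     # assumed threshold, roughly airliner cruise speed
BUSINESS_HOURS_UTC = (6, 20)  # assumed policy window: 06:00 to 20:00 UTC

# Constructed log format: ISO-8601 UTC timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": match["user"], "result": match["result"], "src": match["src"]}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def detect(lines):
    """Return alerts as (kind, user, detail) tuples in timestamp order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts = []
    last_success = {}  # user -> most recent successful login event
    for ev in events:
        if ev["result"] != "success":
            continue  # failed logins matter for other rules, not these two
        if not (BUSINESS_HOURS_UTC[0] <= ev["ts"].hour < BUSINESS_HOURS_UTC[1]):
            alerts.append(("off_hours", ev["user"], ev["ts"].isoformat()))
        prev = last_success.get(ev["user"])
        here = GEO.get(ev["src"])
        there = GEO.get(prev["src"]) if prev else None
        if here and there:
            km = haversine_km(there[1], there[2], here[1], here[2])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # Two logins at the same instant from different places: infinite speed.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                detail = f"{there[0]} -> {here[0]}: {km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"
                alerts.append(("impossible_travel", ev["user"], detail))
        last_success[ev["user"]] = ev
    return alerts


# Constructed sample: jdoe logs in from Raleigh twice, then "from Kyiv" fifty
# minutes later; asmith has one failed login, a late-night success, then a
# login from Singapore 7.5 hours after the Raleigh one.
SAMPLE_LOG = """\
2026-03-30T08:02:11Z auth user=jdoe result=success src=203.0.113.10
2026-03-30T09:15:40Z auth user=jdoe result=success src=198.51.100.7
2026-03-30T10:05:02Z auth user=jdoe result=success src=192.0.2.44
2026-03-30T12:00:00Z auth user=asmith result=failure src=192.0.2.45
2026-03-30T23:30:00Z auth user=asmith result=success src=203.0.113.10
2026-03-31T07:00:00Z auth user=asmith result=success src=192.0.2.45
"""

if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:<18} {user:<8} {detail}")
```

Feed it your own exported authentication events in the same field layout and the alerts become the candidates to correlate against the audit logs the bullet above describes.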
CMMC Level 3 Additional Requirements
Level 3 applies to the most sensitive DoD programs and adds 24 requirements from NIST SP 800-172 on top of the 110 Level 2 controls. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government organization, not a private C3PAO.
The additional Level 3 requirements focus on advanced threat protection:
- Enhanced threat detection: Implement behavioral analytics, advanced threat hunting, and anomaly detection beyond standard SIEM capabilities.
- Dual authorization for critical operations: Require two-person authorization for highly sensitive administrative actions such as changing encryption keys or modifying security configurations on CUI systems.
- Penetration testing: Conduct regular adversary-driven penetration testing that simulates advanced persistent threats (APTs) using current TTPs from the MITRE ATT&CK framework.
- System resiliency: Design systems to continue operating in a degraded state during cyberattacks and to rapidly recover from incidents.
- Isolation and segmentation: Implement micro-segmentation and zero trust architecture principles to contain lateral movement from compromised systems.
- Enhanced incident response: Maintain specialized incident response capabilities including forensic analysis, malware reverse engineering, and threat intelligence integration.
Most defense contractors in the supply chain will not need Level 3. It is reserved for programs where advanced persistent threats from nation-state adversaries are a primary concern. If your contract requires Level 3, you should expect significantly higher costs and a 12 to 24 month implementation timeline.
SPRS Score and Self-Assessment
Every defense contractor handling CUI must calculate and report their SPRS (Supplier Performance Risk System) score. This score quantifies your compliance posture on a scale from -203 to +110, where 110 represents full implementation of all NIST 800-171 controls and -203 represents no implementation at all.
How to Calculate Your SPRS Score
The scoring methodology works as follows:
- Start with a score of 110 (perfect compliance).
- For each NIST 800-171 control that is not implemented, subtract the weighted value assigned to that control.
- Control weights range from 1 to 5 points, based on the security impact of the control.
- If a control is partially implemented or planned in your POA&M, you still subtract the full weight until it is completely implemented.
Critical controls carry the highest weights. For example, multifactor authentication (IA.L2-3.5.3) carries a weight of 5, meaning its absence drops your score by 5 points. Some access control and encryption requirements also carry 5-point weights.
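As an added example (not code from the original post, and not the DoD methodology document itself), the scoring rules above implemented in Python. The weight table is a constructed subset: only the 1-to-5 range and the MFA weight of 5 come from the page, so the real table has to be filled in from the DoD Assessment Methodology before the number means anything. A small helper also ranks the open gaps by weight, which is the order in which closing them moves the score most.

```python
"""
SPRS score calculator following the scoring rules described on this page:
start at 110, subtract the weight of every NIST SP 800-171 control that is
not fully implemented, and give no credit for partial or POA&M items.
"""

MAX_SCORE = 110

# Constructed, illustrative subset of control weights. Only the 1-to-5 range
# and the weight of 5 for MFA (3.5.3) come from the page; fill this table from
# the DoD Assessment Methodology for all 110 controls before relying on the
# number it produces (controls absent from the table are never deducted).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control CUI flow
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit records
    "3.3.5": 5,    # audit correlation
    "3.4.1": 3,    # baseline configurations
    "3.5.3": 5,    # multifactor authentication (weight stated on the page)
    "3.6.3": 5,    # incident response testing
    "3.11.2": 5,   # vulnerability scanning
    "3.12.4": 3,   # system security plan
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.6": 5,   # monitoring for attacks
}

IMPLEMENTED = "implemented"
PARTIAL = "partial"                 # some but not all of the objective met
PLANNED = "planned"                 # open POA&M item
NOT_IMPLEMENTED = "not_implemented"
VALID_STATUSES = {IMPLEMENTED, PARTIAL, PLANNED, NOT_IMPLEMENTED}


def control_key(control):
    """Sort key so that 3.1.2 orders before 3.1.12."""
    return tuple(int(part) for part in control.split("."))


def deduction(control, status):
    """Points lost for one control. Only full implementation earns credit;
    partial and POA&M items lose the full weight, as the page states."""
    if control not in WEIGHTS:
        raise KeyError(f"no weight recorded for control {control}")
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for control {control}")
    return 0 if status == IMPLEMENTED else WEIGHTS[control]


def sprs_score(assessment):
    """assessment maps control id -> status. Controls with no recorded
    status are treated as not implemented: no evidence, no credit."""
    score = MAX_SCORE
    for control in WEIGHTS:
        score -= deduction(control, assessment.get(control, NOT_IMPLEMENTED))
    return score


def remediation_priority(assessment):
    """Open gaps as (control, weight, status), highest weight first, so the
    controls that move the score most are worked first."""
    gaps = []
    for control, weight in WEIGHTS.items():
        status = assessment.get(control, NOT_IMPLEMENTED)
        if status != IMPLEMENTED:
            gaps.append((control, weight, status))
    gaps.sort(key=lambda gap: (-gap[1], control_key(gap[0])))
    return gaps


# Constructed sample assessment: everything implemented except four gaps.
SAMPLE_ASSESSMENT = {control: IMPLEMENTED for control in WEIGHTS}
SAMPLE_ASSESSMENT.update({
    "3.5.3": PARTIAL,            # MFA on email only: still loses all 5 points
    "3.13.11": NOT_IMPLEMENTED,  # encryption in use but not FIPS-validated
    "3.12.4": PLANNED,           # SSP rewrite sitting on the POA&M
    "3.3.5": NOT_IMPLEMENTED,    # no SIEM or log correlation
})

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))  # 110 - 5 - 5 - 3 - 5 = 92
    for control, weight, status in remediation_priority(SAMPLE_ASSESSMENT):
        print(f"  {control:<8} weight {weight}  ({status})")
```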
Reporting Requirements
Under DFARS 252.204-7019, contractors must:
- Conduct a self-assessment using the DoD Assessment Methodology.
- Submit the score to SPRS along with the date of the assessment, the scope of the assessment, and the system security plan.
- Update the score whenever your compliance posture changes materially.
- Maintain the assessment for review by the contracting officer upon request.
Use our SPRS calculator to estimate your current score and identify the highest-impact controls to implement first.
Assessment Types by CMMC Level
The type of assessment required depends on your certification level. Understanding these differences helps you plan your budget, timeline, and evidence preparation accordingly.
| Criteria | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Assessment type | Self-assessment | C3PAO (third-party) | DIBCAC (government) |
| Controls assessed | 17 (FAR 52.204-21) | 110 (NIST 800-171) | 110 + 24 (NIST 800-172) |
| Certification period | Annual self-attestation | 3 years with annual affirmation | 3 years with annual affirmation |
| Estimated cost | $5,000 to $15,000 | $50,000 to $200,000 | $200,000+ |
| Applies to | FCI only | CUI | Critical CUI programs |
| POA&M allowed | No | Yes (limited, 180 days) | Yes (limited, 180 days) |
| SPRS submission | Required | Required | Required |
| Learn more | CMMC overview | C3PAO assessment guide | NIST compliance |
CMMC Compliance Requirements: Top 10 Most-Failed Controls
Based on assessment data from C3PAOs and our own gap analysis engagements with defense contractors, these are the controls that organizations fail most frequently. Addressing these first will have the greatest impact on your SPRS score and assessment readiness.
1. Multifactor Authentication (IA.L2-3.5.3)
Failure rate: Very high. Many organizations have MFA on email but not on VPN, admin accounts, or cloud services. CMMC requires MFA for all privileged access and all remote access, without exception.
Remediation: Deploy MFA across all remote access entry points and privileged accounts. Use hardware tokens or authenticator apps. Enforce MFA through conditional access policies in Azure AD or your identity provider.
2. FIPS 140-2 Validated Encryption (SC.L2-3.13.11)
Failure rate: Very high. Organizations use encryption but cannot verify that their implementation is FIPS 140-2 validated. Standard BitLocker without FIPS mode enabled does not qualify. Most commercial VPN and email encryption tools are not FIPS-validated by default.
Remediation: Enable FIPS mode in Windows (Group Policy), verify VPN concentrators use FIPS-validated firmware, and confirm TLS implementations use FIPS-compliant cipher suites.
3. System Security Plan (CA.L2-3.12.4)
Failure rate: High. Many contractors either have no SSP, have an outdated SSP, or have an SSP that does not accurately describe their CUI environment. The SSP is the first document assessors request and the foundation of your entire assessment.
Remediation: Create or update your SSP to accurately document your CUI boundary, system architecture, data flows, and how each of the 110 controls is implemented. Review and update it quarterly.
4. Audit Log Review (AU.L2-3.3.1, AU.L2-3.3.5)
Failure rate: High. Organizations collect logs but do not review them. CMMC requires active log review and correlation, not just storage. Without SIEM or centralized logging, this requirement is nearly impossible to meet at scale.
Remediation: Deploy a SIEM solution, define alert rules for security events, and assign responsibility for daily or weekly log review. Document your review process and retain evidence of reviews performed.
5. CUI Data Flow Documentation (AC.L2-3.1.3)
Failure rate: High. Most organizations cannot clearly articulate where CUI enters their environment, how it moves through their systems, where it is stored, and how it exits. Without documented data flows, you cannot define your CUI boundary or demonstrate that you are protecting CUI consistently.
Remediation: Create data flow diagrams that show CUI ingress, processing, storage, and egress points. Map these to your network architecture and identify all systems within your CUI boundary.
6. Vulnerability Scanning and Remediation (RA.L2-3.11.2, RA.L2-3.11.3)
Failure rate: Moderate to high. Some organizations scan monthly but do not remediate findings within their defined timelines. Others scan only quarterly, which is insufficient.
Remediation: Implement authenticated vulnerability scanning on a monthly schedule. Define SLA timelines (30 days for critical, 60 for high, 90 for medium) and track remediation in your POA&M.
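An added Python example (not from this page or ComplianceArmor) of the SLA tracking the remediation step calls for: it applies the 30/60/90-day timelines stated above to a constructed scanner export and produces POA&M-style rows sorted by how overdue each finding is. The finding IDs, hosts and dates are constructed sample data; the "low" severity deliberately has no SLA so the code shows how unmapped severities are handled.

```python
"""Vulnerability remediation SLA tracking for RA.L2-3.11.2 / RA.L2-3.11.3 over a
constructed scan export. Example code added to this page; it is not the page's
own or ComplianceArmor's code."""
from datetime import date, timedelta

# SLA in days by severity, taken from the remediation guidance above.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed sample findings, normalised from a scanner export as
# (finding_id, host, severity, first_seen, closed_on or None).
SAMPLE_FINDINGS = [
    ("F-001", "fileserver01", "critical", "2026-02-15", None),
    ("F-002", "ws-0042",      "high",     "2026-01-10", "2026-03-01"),
    ("F-003", "ws-0042",      "high",     "2026-01-10", None),
    ("F-004", "dc01",         "medium",   "2026-01-05", None),
    ("F-005", "vpn-gw",       "critical", "2026-03-20", None),
    ("F-006", "ws-0017",      "low",      "2025-12-01", None),  # no SLA defined: reported, not tracked
]


def due_date(severity, first_seen):
    """Due date for a finding, or None when the severity carries no SLA."""
    days = SLA_DAYS.get(severity)
    return None if days is None else first_seen + timedelta(days=days)


def track(findings, as_of):
    """One POA&M-style row per finding that has an SLA, with its status as of `as_of`
    (a date or an ISO date string). Most overdue first."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = []
    for fid, host, sev, seen, closed in findings:
        due = due_date(sev, date.fromisoformat(seen))
        if due is None:
            continue  # severity has no SLA; report it elsewhere, do not track here
        row = {"id": fid, "host": host, "severity": sev, "first_seen": seen,
               "due": due.isoformat(), "sla_days": SLA_DAYS[sev]}
        if closed is not None:
            closed_on = date.fromisoformat(closed)
            row["status"] = "closed_on_time" if closed_on <= due else "closed_late"
            row["days_overdue"] = max(0, (closed_on - due).days)
        else:
            late = (as_of - due).days
            row["status"] = "overdue" if late > 0 else "open"
            row["days_overdue"] = max(0, late)
        rows.append(row)
    return sorted(rows, key=lambda r: (-r["days_overdue"], r["due"]))


def summary(rows):
    """Count of rows per status, the number you report to management each month."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    poam = track(SAMPLE_FINDINGS, "2026-03-31")
    for r in poam:
        print(f"{r['id']:6} {r['host']:13} {r['severity']:9} due {r['due']} "
              f"{r['status']:15} {r['days_overdue']:>3}d overdue")
    print(summary(poam))
```

Run as of 2026-03-31, two findings are past their SLA (F-003 by 20 days, F-001 by 14), two are open within SLA, and one was closed on time. Closed findings keep a "closed_late" status when they missed the SLA, because assessors look at whether you met your own timelines, not only whether the finding is gone.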
7. Incident Response Testing (IR.L2-3.6.3)
Failure rate: Moderate to high. Organizations have incident response plans but never test them. An untested plan gives false confidence and often fails during actual incidents.
Remediation: Conduct at least one tabletop exercise annually using a realistic CUI breach scenario. Document the exercise, participants, findings, and improvements made to the plan.
8. Configuration Baselines (CM.L2-3.4.1)
Failure rate: Moderate. Organizations deploy systems without documented baseline configurations, making it impossible to verify that security settings are consistent and compliant.
Remediation: Create gold images for each system role (workstation, server, domain controller) with CIS Benchmarks or DISA STIGs applied. Enforce configurations through Group Policy, Intune, or configuration management tools.
9. Media Protection and Encryption of Portable Devices (MP.L2-3.8.6)
Failure rate: Moderate. USB drives without encryption, laptops without full-disk encryption, and uncontrolled use of personal devices are common findings.
Remediation: Enforce BitLocker with FIPS mode on all laptops, block unauthorized USB devices through endpoint management policies, and implement encrypted USB drive solutions for any required portable media.
10. Least Privilege and Account Management (AC.L2-3.1.5, AC.L2-3.1.7)
Failure rate: Moderate. Users with excessive privileges, shared administrator accounts, and dormant accounts that were never deactivated are common findings across organizations of all sizes.
Remediation: Conduct quarterly access reviews. Ensure privileged accounts are separate from daily-use accounts. Implement just-in-time privileged access where possible. Disable accounts within 24 hours of personnel departure.
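The three findings listed above (excessive privilege, shared administrator accounts, dormant accounts) can be checked mechanically from a directory export. The following is an added Python example, not code from this page or ComplianceArmor, that runs those checks over a constructed account list. The 90-day dormancy threshold and the "privileged account whose owner has no standard account" heuristic for detecting admin accounts used as daily-use accounts are assumptions for the example; the 24-hour departure window is from the guidance above.

```python
"""Access review checks for AC.L2-3.1.5 / AC.L2-3.1.7 over a constructed
directory export. Example code added to this page; it is not the page's own
or ComplianceArmor's code."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)      # assumed threshold for calling an account dormant
DEPARTURE_GRACE = timedelta(hours=24)   # from the remediation guidance above

# Constructed sample accounts. `owner` ties an account to a person so that a
# privileged account can be matched against that person's daily-use account.
SAMPLE_ACCOUNTS = [
    {"name": "jdoe",       "owner": "J. Doe",    "enabled": True, "privileged": False,
     "last_logon": "2026-03-30T08:00:40", "separated": None},
    {"name": "adm-jdoe",   "owner": "J. Doe",    "enabled": True, "privileged": True,
     "last_logon": "2026-03-28T14:12:00", "separated": None},
    {"name": "bwayne",     "owner": "B. Wayne",  "enabled": True, "privileged": True,
     "last_logon": "2026-03-29T11:00:00", "separated": None},
    {"name": "tstark",     "owner": "T. Stark",  "enabled": True, "privileged": False,
     "last_logon": "2025-11-02T09:30:00", "separated": None},
    {"name": "pparker",    "owner": "P. Parker", "enabled": True, "privileged": False,
     "last_logon": "2026-03-20T10:00:00", "separated": "2026-03-27T17:00:00"},
    {"name": "svc-legacy", "owner": "IT",        "enabled": True, "privileged": False,
     "last_logon": None, "separated": None},
]


def _dt(value):
    """Parse an ISO timestamp, passing None through."""
    return None if value is None else datetime.fromisoformat(value)


def dormant_accounts(accounts, as_of):
    """Enabled accounts that never logged on or have not within DORMANT_AFTER."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and (a["last_logon"] is None
                                       or as_of - _dt(a["last_logon"]) > DORMANT_AFTER))


def departed_still_enabled(accounts, as_of):
    """Enabled accounts whose owner separated more than DEPARTURE_GRACE ago."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["separated"] is not None
                  and as_of - _dt(a["separated"]) > DEPARTURE_GRACE)


def privileged_without_standard_account(accounts):
    """Heuristic for admin accounts used as daily accounts: a privileged account
    whose owner has no enabled non-privileged account."""
    standard_owners = {a["owner"] for a in accounts if a["enabled"] and not a["privileged"]}
    return sorted(a["name"] for a in accounts
                  if a["privileged"] and a["enabled"] and a["owner"] not in standard_owners)


def access_review(accounts, as_of):
    """Run all three checks; `as_of` may be a datetime or an ISO string."""
    if isinstance(as_of, str):
        as_of = _dt(as_of)
    return {"dormant": dormant_accounts(accounts, as_of),
            "departed_still_enabled": departed_still_enabled(accounts, as_of),
            "privileged_without_standard_account": privileged_without_standard_account(accounts)}


if __name__ == "__main__":
    for check, names in access_review(SAMPLE_ACCOUNTS, "2026-03-31T09:00:00").items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the sample data the review flags tstark and svc-legacy as dormant, pparker as still enabled four days after separation, and bwayne as a privileged account with no separate standard account (adm-jdoe passes because jdoe exists). Keeping the output of each quarterly run is the evidence trail for AC.L2-3.1.5.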
ComplianceArmor generates your SSP, POA&M, policies, and procedures for all 14 control families. Automated evidence mapping across all 110 controls. Learn about ComplianceArmor or schedule a free consultation.
CMMC Rollout Timeline and Deadlines
Understanding the phased rollout schedule is critical for planning your compliance timeline. The DoD published the final CMMC rule (32 CFR Part 170) in late 2024, with enforcement beginning in 2025.
Phase 1 (2025)
CMMC Level 1 self-assessments and Level 2 self-assessments begin appearing in new solicitations. Contractors must have a current SPRS score submitted. The DoD can include CMMC requirements in any new contract or contract renewal at its discretion.
Phase 2 (2026)
Level 2 C3PAO assessments become required for contracts involving CUI where the DoD determines third-party assessment is necessary. This is the phase most contractors are preparing for now. The demand for C3PAO assessments is expected to far exceed supply, creating scheduling bottlenecks. Contractors who wait until a solicitation requires certification before starting their compliance program will likely miss bid deadlines.
Phase 3 (2027)
Level 2 C3PAO assessments are required for all contracts involving CUI. Level 3 DIBCAC assessments begin for the most sensitive programs. CMMC requirements are included in option exercises and contract modifications, not just new awards.
Phase 4 (2028)
Full enforcement. CMMC certification is required for all applicable DoD contracts. The contract clause DFARS 252.204-7021 is included in all solicitations and contracts involving FCI or CUI. No exceptions, no extensions.
Key Contract Clause: DFARS 252.204-7021
This is the contract clause that makes CMMC a binding requirement. When this clause appears in a solicitation or contract, the contractor must:
- Have a current CMMC certification at the level specified in the contract.
- Maintain certification throughout the period of performance.
- Flow down the requirement to subcontractors that will process, store, or transmit FCI or CUI.
- Provide certification status to the contracting officer upon request.
Organizations that have not begun their compliance journey should start immediately. A realistic timeline from initial gap assessment to certification-ready status is 6 to 18 months, and C3PAO scheduling delays can add another 3 to 6 months.
How ComplianceArmor Automates This Checklist
Manually tracking 110 controls, writing policies for 14 control families, maintaining your SSP, managing your POA&M, and preparing assessment evidence is a massive administrative burden. This is exactly the problem ComplianceArmor was built to solve.
ComplianceArmor automates the most time-consuming parts of CMMC compliance:
- Policy and procedure generation: Generates CMMC-aligned policies and procedures for all 14 control families. Each document maps directly to the specific NIST 800-171 requirements it satisfies, so assessors can trace every control to its supporting documentation.
- System Security Plan (SSP): Produces a complete SSP template populated with your organization's information, system boundaries, and control implementation descriptions. Updated automatically as your environment changes.
- POA&M management: Tracks every open deficiency with responsible parties, milestones, estimated completion dates, and risk ratings. Generates the POA&M in the format assessors expect.
- SPRS score calculation: Calculates your current SPRS score based on your control implementation status and updates it in real time as you close gaps.
- Evidence mapping: Maps your technical evidence (screenshots, configurations, scan results) to the specific controls they support. When your assessor asks to see evidence for AC.L2-3.1.3, you can produce it in seconds rather than searching through folders.
- Gap analysis: Compares your current posture against all 110 requirements and generates a prioritized remediation roadmap based on SPRS scoring weights and implementation difficulty.
Organizations using ComplianceArmor typically reduce their documentation preparation time by 60 to 80 percent and enter their C3PAO assessment with higher confidence because every control is mapped, documented, and evidenced before the assessor arrives.
Next Steps: From Checklist to Certification
This checklist gives you visibility into every requirement across CMMC Levels 1, 2, and 3. The path from checklist to certification follows a consistent sequence:
- Scope your CUI environment. Define exactly where CUI enters, is processed, stored, and exits your organization. Reducing your CUI boundary reduces the number of systems that must comply.
- Conduct a gap assessment. Evaluate your current posture against all applicable controls. Use the ComplianceArmor gap analysis or engage a qualified assessor.
- Calculate your SPRS score. Know where you stand today. Use the SPRS calculator to identify the highest-impact controls to implement first.
- Build your remediation plan. Prioritize controls by SPRS weight, implementation difficulty, and dependencies. Focus on the top 10 most-failed controls listed above.
- Implement controls and document everything. Every control needs both technical implementation and supporting documentation. Your SSP, policies, procedures, and evidence must be complete.
- Conduct an internal assessment. Before scheduling your C3PAO, do a full dry run. Fix everything the internal assessment finds.
- Schedule and complete your C3PAO assessment. Understand the C3PAO assessment process before your assessor arrives.
If you need help at any stage of this process, Petronella Technology Group has guided hundreds of defense contractors through CMMC compliance from initial assessment to certification. Our team provides comprehensive compliance services and holds CMMC Registered Practitioner credentials with direct experience in C3PAO assessment preparation. Organizations that pair their CMMC program with strong cybersecurity foundations achieve certification faster and maintain it more consistently.
Frequently Asked Questions About CMMC Compliance
What is a CMMC compliance checklist and why do I need one?
A CMMC compliance checklist is a structured document that maps every cybersecurity control required by the Cybersecurity Maturity Model Certification framework. You need one because CMMC assessors evaluate your implementation of each control systematically, and without a tracking mechanism, organizations consistently miss requirements during their assessment. This checklist covers all 110 NIST 800-171 controls required for Level 2 certification, organized by the 14 control families that assessors use to structure their evaluation.
How many controls are in CMMC Level 2?
CMMC Level 2 contains 110 security requirements derived directly from NIST SP 800-171 Revision 2. These 110 CMMC Level 2 requirements are organized across 14 control families: Access Control (22), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7).
How long does it take to achieve CMMC certification?
A realistic timeline from initial gap assessment to certification-ready status is 6 to 18 months, depending on your current security posture. Organizations starting with a mature security program and existing NIST 800-171 implementation can reach certification readiness in 6 to 9 months. Organizations building from scratch typically need 12 to 18 months. Add 3 to 6 months for C3PAO scheduling, as demand currently exceeds assessor supply. Starting your compliance program before a solicitation requires it is critical for meeting bid deadlines.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 requires 17 basic cybersecurity practices from FAR 52.204-21 and uses annual self-assessment. It applies to contractors handling Federal Contract Information (FCI) only. CMMC Level 2 requires all 110 NIST 800-171 controls, demands a third-party assessment by a C3PAO, and applies to contractors handling Controlled Unclassified Information (CUI). Level 2 is significantly more rigorous, requiring documented policies, a System Security Plan, Plan of Action and Milestones, and comprehensive evidence for each control.
How much does CMMC compliance cost?
CMMC compliance costs vary by level and organizational complexity. Level 1 self-assessment typically costs $5,000 to $15,000. Level 2 C3PAO assessment and preparation range from $50,000 to $200,000, including gap assessment, remediation, documentation, and the assessment itself. Level 3 costs exceed $200,000. The largest cost drivers are security tool implementation, documentation development, and remediation of identified gaps. Using compliance automation platforms like ComplianceArmor can reduce documentation costs by 60 to 80 percent.
What is an SPRS score and how is it calculated?
The Supplier Performance Risk System (SPRS) score quantifies your NIST 800-171 compliance on a scale from -203 to +110. You start at 110 and subtract weighted values for each unimplemented control. Critical controls like multifactor authentication carry 5-point weights. Your SPRS score must be submitted to the DoD under DFARS 252.204-7019 and is used by contracting officers to evaluate your cybersecurity posture during source selection.
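The scoring rule in that answer (start at 110, subtract each unimplemented control's weight, floor at -203) is easy to get wrong by hand, so here is an added Python example, not this page's or ComplianceArmor's code, that implements it over a constructed subset of controls. The 110 and -203 bounds and the 5-point weight for MFA come from the answer above; the other weights in the sample table are constructed, and the partial-credit rule (a 3-point instead of 5-point deduction for 3.5.3 MFA and 3.13.11 FIPS cryptography when partially implemented) is taken from the DoD NIST SP 800-171 Assessment Methodology rather than from this page.

```python
"""SPRS score calculation as described in the FAQ, applied to a constructed
control status list. Example code added to this page; it is not the page's own
or ComplianceArmor's code."""

MAX_SCORE = 110    # all 110 requirements implemented (from the page)
MIN_SCORE = -203   # every requirement unimplemented (from the page)

# Controls that score a reduced deduction when partially implemented, per the
# DoD assessment methodology (3.5.3 = MFA, 3.13.11 = FIPS-validated cryptography).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample: control id -> (point value, status). Status is one of
# "implemented", "partial", "not_implemented". Weights other than 3.5.3's are
# sample values for the example.
SAMPLE_CONTROLS = {
    "3.1.1":   (5, "implemented"),
    "3.1.3":   (1, "not_implemented"),
    "3.1.5":   (3, "not_implemented"),
    "3.3.1":   (5, "not_implemented"),
    "3.4.1":   (5, "implemented"),
    "3.5.3":   (5, "partial"),
    "3.6.3":   (1, "not_implemented"),
    "3.11.2":  (5, "implemented"),
    "3.13.11": (5, "partial"),
}


def deduction(control_id, weight, status):
    """Points subtracted for one control given its implementation status."""
    if status == "implemented":
        return 0
    if status == "partial" and control_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control_id]
    return weight  # "partial" on any other control scores as not implemented


def sprs_score(controls):
    """110 minus all deductions, never below the -203 floor."""
    total = sum(deduction(cid, w, s) for cid, (w, s) in controls.items())
    return max(MIN_SCORE, MAX_SCORE - total)


def remediation_priority(controls):
    """Open items as (points recovered, control id, status), most points first,
    which is the order to work them if you want the fastest SPRS improvement."""
    items = [(deduction(cid, w, s), cid, s) for cid, (w, s) in controls.items()]
    return sorted((i for i in items if i[0] > 0), key=lambda i: (-i[0], i[1]))


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    for points, cid, status in remediation_priority(SAMPLE_CONTROLS):
        print(f"  {cid:8} {status:16} recover {points} point(s)")
```

For the sample table the deductions total 16 (1 + 3 + 5 + 3 + 1 + 3), so the score is 94, and the priority list puts the 5-point audit logging control first. Note that "partial" only earns credit on the two controls the methodology names; marking anything else as partial still costs the full weight.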
Can I use a POA&M for my CMMC assessment?
Yes, but with limitations. For Level 2 assessments, you can have open POA&M items, but they must be closed within 180 days of the assessment. Not all controls are eligible for POA&M; certain critical controls must be fully implemented at the time of assessment. Your POA&M must document specific milestones, responsible parties, estimated completion dates, and resource requirements for each open item. Assessors review your POA&M to determine whether your remediation plan is credible and achievable within the 180-day window.
Do subcontractors need CMMC certification?
Yes. CMMC requirements flow down to subcontractors that will process, store, or transmit FCI or CUI. The DFARS 252.204-7021 clause requires prime contractors to ensure their subcontractors hold the appropriate CMMC certification level. Subcontractors handling only FCI need Level 1, while those handling CUI need Level 2. This flow-down requirement applies throughout the entire supply chain, not just to first-tier subcontractors. Penetration testing can help verify that subcontractor environments meet the required security standards before assessment.
From gap assessment to certification, we handle the heavy lifting. Schedule a free consultation or call 919-348-4912.