
CMMC 2.0 Compliance Checklist

CMMC 2.0 compliance means your defense contractor organization has implemented the NIST SP 800-171 Rev 2 security requirements in its CUI environment and has been assessed against them in the way the contract specifies: a self-assessment for Level 1 and for some Level 2 awards, a C3PAO certification assessment for most Level 2 awards, and a government (DCMA DIBCAC) assessment for Level 3. This checklist maps the 110 Level 2 requirements across 14 domains, explains which CMMC level applies to your contract scope, shows how to scope the CUI environment correctly, outlines the three assessment types, and details what happens when assessors find gaps.

By Nick Shevelyov 16 min read

What CMMC 2.0 is

Defense contractors routinely underestimate CMMC 2.0 implementation timelines by a factor of two or three. Organizations that assume they can run a gap assessment in month one, implement controls in months two and three, and be C3PAO-ready in month four consistently discover that access control remediation alone (enforcing MFA across all CUI-accessible systems, cleaning up orphaned accounts, implementing periodic access reviews with documented evidence) takes three to four months. The 110 requirements in NIST SP 800-171 are not individually difficult. Implementing them with the operational rigor assessors require, and generating the evidence that proves they ran continuously, is a different challenge.

CMMC 2.0 is the Cybersecurity Maturity Model Certification program published by the Department of Defense (32 CFR Part 170). It verifies that a contractor has implemented the safeguarding requirements its contracts already impose: FAR 52.204-21 for Federal Contract Information (FCI) and NIST SP 800-171 Rev 2 for CUI under DFARS 252.204-7012. Unlike CMMC 1.0, which had five levels plus practices of its own, CMMC 2.0 has three levels built from existing requirements with nothing added: Foundational (the 15 FAR basic safeguarding requirements, counted as 17 practices in older CMMC material), Advanced (the full 110 NIST SP 800-171 requirements), and Expert (800-171 plus 24 selected requirements from NIST SP 800-172). The required level and assessment type are stated in each solicitation; any DoD contract involving FCI or CUI carries a CMMC requirement once the clause is included.

CMMC 2.0 was announced in November 2021. The program rule (32 CFR Part 170) took effect on December 16, 2024, and the acquisition rule that places CMMC requirements in contracts (DFARS 252.204-7021) began a three-year phased rollout on November 10, 2025, with the level and assessment type set solicitation by solicitation. Organizations should not wait for contractual notification: the underlying NIST SP 800-171 obligation under DFARS 252.204-7012 already applies, and a contractor without the required CMMC status when a solicitation demands one is simply ineligible for award.

The stakes are contractual. A contractor without the required CMMC status posted in SPRS cannot be awarded a contract that requires it. A contractor whose status lapses during performance, including by missing the annual affirmation, is out of compliance with the clause. A Level 2 certification is valid for three years; a senior official must affirm continued compliance annually, and the reassessment must be complete before the three years expire, so plan for continuous compliance rather than a triennial scramble.

CMMC 2.0 levels and who needs which

The three CMMC levels map to existing federal requirements, not to organizational maturity tiers. Most contracts involving CUI require Level 2; Level 3 is reserved for the highest-priority programs designated by DoD.

Level | Name | Framework mapping | Requirements | Who needs it
1 | Foundational | FAR 52.204-21 basic safeguarding (FCI only) | 15 (17 practices in older CMMC material) | Contractors and subcontractors that receive FCI but no CUI; annual self-assessment
2 | Advanced | NIST SP 800-171 Rev 2, in full | 110 | Most DoD contracts involving CUI; self-assessment or C3PAO certification as the solicitation specifies
3 | Expert | NIST SP 800-171 Rev 2 plus 24 selected NIST SP 800-172 requirements | 110 + 24 | Highest-priority programs designated by DoD; assessed by DCMA DIBCAC after a Level 2 certification

Level 1: Foundational

Foundational (Level 1) covers the 15 basic safeguarding requirements of FAR 52.204-21, which apply to any contractor information system that handles Federal Contract Information: limiting access to authorized users and functions, identifying and authenticating users, sanitizing media, controlling and logging physical access, escorting visitors, boundary protection, patching, and malware protection. Level 1 applies when the contract involves FCI but no CUI; the moment CUI is in scope, Level 2 applies, however little CUI there is. Level 1 is met by an annual self-assessment entered in SPRS with an affirmation by a senior official; no third party is involved and no POA&M is permitted.

Foundational is basic, but it is not a paper exercise: each of the 15 requirements has to be implemented on every in-scope system, and the annual affirmation is a signed statement to the government that they are. What Level 1 does not require is a System Security Plan or the documented, evidenced processes that Level 2 assessors look for.

Level 2: Advanced

Advanced (Level 2) maps one-for-one to the 110 security requirements in NIST SP 800-171 Rev 2 (the CMMC rule pins Rev 2 even though NIST has since published Rev 3), assessed with the procedures in NIST SP 800-171A. Each requirement is scored MET or NOT MET; there is no maturity scale. The solicitation specifies whether a Level 2 self-assessment or a Level 2 C3PAO certification assessment is required, and DoD's own estimate is that most Level 2 awards will require the C3PAO certification, so that is what most contractors should plan for.

The shift from Level 1 to Level 2 is 95 additional requirements plus proof of process: the 15 Level 1 requirements are a subset of the 110, so Level 2 adds both breadth (audit logging, configuration management, incident response, risk assessment, and the rest) and evidence. Access reviews must be documented and acted upon. Changes to systems must be tracked, reviewed, approved, and logged (3.4.3). Incident response capability must be tested (3.6.3). External service providers inside your boundary must be covered by current evidence.

Level 3: Expert

Expert (Level 3) requires a Final Level 2 certification first and adds 24 selected requirements from NIST SP 800-172, the enhanced requirements for protecting CUI against advanced persistent threats (threat-informed risk assessment, penetration testing, threat hunting, and similar). Level 3 is assessed by the government's DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO, and is required only where DoD designates a program as highest priority. Classified information is outside CMMC altogether; it is governed by the NISPOM. Unless your solicitation explicitly calls for Level 3, Level 2 is the target.

Scoping CUI and the CUI environment

Scoping defines which systems, data, and processes fall within CMMC assessment. Incorrect scoping is the costliest error in CMMC programs. Scope too broadly and you are securing systems that do not handle CUI, inflating cost and complexity. Scope too narrowly and you leave CUI environments outside the assessed scope, creating contract violation risk.

CUI environment is the term for all systems, networks, and data flows that process, store, or transmit CUI. The CMMC Level 2 scoping guide sorts every asset into one of five categories, and the category determines how it is assessed: CUI Assets (handle CUI; fully assessed), Security Protection Assets (provide security for the CUI environment, such as firewalls, identity providers, SIEMs, and backup systems; assessed for the requirements they support), Contractor Risk Managed Assets (could handle CUI but are kept from doing so by policy; documented and reviewed, not technically tested unless the documentation does not hold up), Specialized Assets (OT, IoT, government-furnished equipment, test equipment; documented but not technically assessed), and Out-of-Scope Assets (physically or logically separated; not assessed). The assessment boundary therefore includes not only the production systems handling CUI but also the infrastructure that protects them: network perimeter, identity providers, logging systems, backup systems, and administrative access paths.

Scoping checklist

Identify all systems that store, process, or transmit CUI (including backup and archival systems)
Document all network boundaries: production networks, development networks, testing networks, administrative access paths
Identify supporting infrastructure: firewalls, routers, DNS, logging servers, identity providers, endpoint protection systems
Map data flows: where CUI comes in, where it moves, where it is stored, where it is deleted or retained
Document all users and roles that access CUI: employees, contractors, service providers
Identify third-party systems with access to CUI: cloud services, hosted services, SaaS applications, managed service providers. A cloud service that stores, processes, or transmits CUI must meet FedRAMP Moderate or DoD's equivalency criteria (DFARS 252.204-7012), and the services any external provider delivers inside your boundary are assessed as part of your assessment
Assign every asset to one of the five scoping categories and verify that the separation claimed for out-of-scope assets actually holds (a flat network with CUI on it makes every host a CUI Asset); scope is set by you using the scoping guide, not by the contracting officer, but your prime will want to see the rationale
Document the rationale for scope boundaries in writing — this becomes part of the System Security Plan

CMMC 2.0 assessment types

CMMC 2.0 defines three assessment types, and the solicitation, not the contractor, decides which one applies: self-assessment (Level 1, and Level 2 where the solicitation allows it), C3PAO certification assessment (Level 2), and government assessment by DCMA DIBCAC (Level 3). The result of each is entered in SPRS and affirmed annually by a senior official.

Self-assessment

Self-assessment is the organization's own evaluation of its implementation, conducted with the NIST SP 800-171A assessment procedures and entered in SPRS with an affirmation by a senior official. At Level 1 it is the only assessment type. At Level 2 it is a valid CMMC status (Level 2 Self) only where the solicitation accepts it; it does not substitute for a C3PAO certification where one is required. Even when a certification is required, a rigorous self-assessment is the readiness check that tells you what the C3PAO will find.

Two self-assessment artifacts exist in parallel and are easy to confuse. The DFARS 252.204-7019/7020 NIST SP 800-171 self-assessment score (maximum 110, valid for three years) has been required in SPRS since 2020. The CMMC self-assessment result is a separate SPRS entry: a Level 1 self-assessment is redone annually, a Level 2 self-assessment is valid for three years, and both require an annual affirmation. Self-assessments vary in rigor; some organizations treat them as genuine gap analysis, others as a checkbox. The affirmation is signed by a named senior official and is a certification to the government, so the checkbox approach is the expensive one. The more rigorous your self-assessment, the fewer surprises the C3PAO will find.

C3PAO (third-party) assessment

Certified Third Party Assessment Organizations (C3PAOs) are accredited by the Cyber AB and conduct Level 2 certification assessments. The assessment team evaluates each of the 110 requirements using the NIST SP 800-171A examine, interview, and test methods, on site or remotely as agreed, records the result in CMMC eMASS, and the resulting status is reflected in SPRS.

A C3PAO assessment is required for any contractor claiming a Level 2 (C3PAO) status. Expect the on-site portion to take roughly 3 to 5 days for a single, well-scoped environment; larger or distributed environments take longer. The C3PAO will request evidence for each requirement (policies, configuration screenshots, logs, audit records, process artifacts) and will check that the evidence reflects what is actually running, not what the System Security Plan says should be.

Enterprise assessment

"Enterprise assessment" is not a CMMC assessment type; the rule defines only the three above. What large contractors do instead is define a shared enterprise CUI environment (common identity, logging, network, and endpoint infrastructure), have that environment assessed once by the C3PAO so that every business unit and contract inheriting from it is covered by the one certification, and run an internal continuous-monitoring and annual self-assessment function between certifications. The trade-off is blast radius: any in-scope change to the shared environment is a change to every inheriting system.

Most organizations under 500 employees with a single CUI environment simply engage a C3PAO for that environment. The shared-environment approach pays off at scale.

CMMC control domains and high-leverage practices

CMMC 2.0 Level 2 maps to 110 controls across 14 domains derived from NIST SP 800-171. Most organizations have limited resources for implementation. The following checklist highlights the highest-leverage controls within each domain—areas where gaps most frequently surface during assessment.

Access Control (AC)

Access control is the control domain with the highest failure rate. Organizations often have MFA or access restrictions on paper, but enforcement is inconsistent.

Operator note: The access control finding that trips up the most contractors is not missing MFA — it is access reviews. The requirement is not just that access is reviewed. It is that the review is documented, that the documentation shows who reviewed what and when, and that findings from the review were acted upon and that action is also documented. A spreadsheet with no timestamps, no reviewer attribution, and no record of what changed as a result will not satisfy the C3PAO. Implement the review process and build the evidence artifact at the same time — they are the same deliverable.

Multi-factor authentication is enforced for local and network access to privileged accounts and for network access to all other accounts (3.5.3), including cloud consoles and the identity provider itself
Least privilege is implemented and documented: each user has only the permissions required for their role (3.1.5), and privileged functions are limited to privileged accounts (3.1.7)
Privileged accounts (administrative, root, service accounts) are separately identified, restricted, logged, and monitored
Access reviews are conducted on a defined schedule (annually at minimum; quarterly for privileged accounts is common practice) for all CUI-access accounts, with documented evidence of who reviewed what, when, and what changed as a result
Onboarding provisions access based on documented role with an approval chain
Offboarding revokes access promptly, with documented verification (the 24-hour target many contractors adopt is good practice, not a number CMMC specifies)
Shared and group accounts are prohibited except where business necessity is documented, an owner is assigned, and use is monitored

Audit and Accountability (AU)

Audit logging failures are the second-most common CMMC finding. Organizations log events but do not retain or review the logs, or cannot show that logging covers every system in scope.

Centralized logging is configured for all CUI systems, supporting infrastructure, and security-relevant events (3.3.1)
Log retention is set in policy and enforced: NIST SP 800-171 Rev 2 does not fix a number, it requires records to be retained long enough to monitor, analyze, investigate, and report unauthorized activity; document the period you chose and why (one year is a common choice, and DFARS 252.204-7012 separately requires preserving images and monitoring data for at least 90 days after a cyber incident report)
Logs are protected from tampering and unauthorized access (3.3.8): stored in an immutable or write-once system, or in a separate location with restricted access
Audit records capture authentication attempts (successful and failed), privileged actions, configuration changes, and CUI access, and the list of logged events is periodically reviewed and updated (3.3.3)
Log review occurs on a defined schedule with documented investigation of suspicious events (3.3.5)
Clock synchronization across all CUI systems is configured against an authoritative time source and monitored (3.3.7)

Configuration Management (CM)

Configuration management gaps (systems deployed without documented baselines, or configuration changes not tracked) are among the most frequent findings in assessments.

Documented baselines exist for all CUI systems: operating systems, applications, infrastructure configurations
All changes to CUI systems follow a documented change management process requiring approval and testing
Emergency changes are documented and reviewed post-implementation
Configuration changes are tracked and auditable — from request through deployment
Separation of duties is enforced: the person requesting change is not the approver, and the approver is not the deployer
Software inventory is maintained for all systems in the CUI environment

Identification and Authentication (IA)

IA failures mostly involve inadequate credential management and missing MFA on critical systems.

User accounts are provisioned with unique identifiers (3.5.1); no shared accounts except where documented necessity exists
MFA is enforced as 3.5.3 requires: local and network access to privileged accounts, and network access (including remote access) to non-privileged accounts
Password policy enforces what Rev 2 actually requires: minimum complexity and a change of characters when new passwords are created (3.5.7), no reuse for a specified number of generations (3.5.8), and passwords stored and transmitted only in cryptographically protected form (3.5.10). Specific length and rotation values are organization-defined: set them in policy and be able to show the enforced configuration; Rev 2 does not mandate a 90-day rotation
Service accounts and API keys are inventoried with documented owners and rotation schedules
Privilege escalation (sudo, run-as-admin) is logged and monitored (3.1.7)
Session lock after a defined period of inactivity (3.1.10) and session termination on defined conditions (3.1.11) are configured; the periods are organization-defined, so document the values you chose and show they are enforced

Incident Response (IR)

Incident response is often documented on paper but never tested. The requirement (3.6.3) is that the incident response capability be tested, so the plan has to be operationalized, not just written.

An incident response plan exists, is approved by management, and has been communicated to all relevant personnel
The incident response plan includes roles, responsibilities, escalation procedures, and communication protocols
The plan has been tested through at least one tabletop exercise within the past 12 months, with documented results
Incident detection and response processes are defined with SLAs for different severity levels
All incidents are documented in a ticketing system with sufficient detail: what happened, when, who was involved, what actions were taken
Post-incident reviews are conducted for confirmed incidents, with lessons documented and fed back into plan improvements

Risk Assessment (RA)

Risk assessment findings center on incomplete asset inventories or risk assessments that are outdated. 3.11.1 requires periodic assessment; the period is organization-defined, so document it and keep to it.

A formal risk assessment covering the entire CUI environment has been conducted within the past 12 months
The risk assessment covers all systems, applications, data, and third-party relationships in scope
Identified risks are documented in a risk register with owners, severity ratings, and treatment decisions
Risk treatment decisions (mitigate, transfer, accept, avoid) are documented with rationale and sign-off
The assessment is updated at least annually or triggered by significant environment or threat changes
An asset inventory covers all hardware, software, and data in the CUI environment, with each asset's scoping category and lifecycle status

System and Communications Protection (SC)

SC controls address encryption, network segmentation, and secure communications. Common gaps include unencrypted data at rest or in transit, and encryption that is present but not FIPS-validated.

Cryptography used to protect the confidentiality of CUI is FIPS 140-validated (3.13.11): the requirement is validation, not "AES-256 or equivalent", and it is one of the highest-weighted items in the assessment; an unvalidated module protecting CUI counts as partial implementation at best
Transport encryption uses TLS 1.2 or higher with validated cipher suites (3.13.8), and encryption at rest covers every system storing CUI, including backups, mobile devices (3.1.19), and media in transport (3.8.6)
Encryption key management is documented (3.13.10) with key storage, rotation, and destruction procedures
Network segmentation isolates the CUI environment from non-CUI networks and external networks, with the boundary monitored and controlled (3.13.1)
Firewalls and access control lists enforce deny-by-default, allow-by-exception network communications (3.13.6)
Wireless access, if used for CUI, is authorized, encrypted, and authenticated (3.1.16, 3.1.17); WPA3 is the current choice

Remaining control domains (abbreviated)

The 14 CMMC domains also include:

  • Awareness and Training (AT): Security awareness training, role-based training, insider threat awareness
  • Media Protection (MP): Marking, secure handling, encryption in transport, and sanitization or destruction of media containing CUI
  • Personnel Security (PS): Screening before CUI access; protection of CUI on termination or transfer
  • Physical Protection (PE): Physical access controls, visitor escort and access logs, protection of equipment and of CUI at alternate work sites
  • System and Information Integrity (SI): Flaw remediation, malware protection, monitoring of security alerts and system communications
  • Maintenance (MA): Controlled maintenance, sanitizing equipment before off-site repair, supervision of maintenance personnel without access authorization
  • Security Assessment (CA): Periodic assessment of the requirements, the POA&M, continuous monitoring, and the System Security Plan

Each domain has specific control requirements. The System Security Plan documents how your organization addresses each.

POA&M (Plan of Action and Milestones) rules

A POA&M documents the requirements assessed NOT MET, with the plan to close each one. Under CMMC 2.0 a Level 2 assessment may end in a Conditional certification with a POA&M, but only within the limits set in 32 CFR 170.21: the score must be at least 80 percent (88 of 110 points under the DoD Assessment Methodology, in which each NOT MET requirement deducts 5, 3, or 1 points); every POA&M item must be a 1-point requirement, with the single exception that 3.13.11 (FIPS-validated cryptography) may be on the POA&M when it is partially implemented at its 3-point value; and five specific requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) may never be on a POA&M. All POA&M items must be verified closed by a closeout assessment within 180 days, or the Conditional status expires. Level 1 permits no POA&M at all.

POA&M requirements

Each open item includes the requirement reference, the assessed status, and a root cause analysis
Planned remediation steps are documented with a responsible owner and a target date inside the 180-day window
Dates are realistic: the C3PAO conducting the closeout assessment has your original commitments in front of it
Resource allocation is documented: budget, personnel, tools, or external support required
Progress is tracked on a defined cadence (monthly at minimum) with evidence that items are advancing
Each remediated item is verified with the same evidence the closeout assessment will demand before it is marked closed and the closeout is scheduled
The POA&M is approved by management with authority to commit resources and enforce timelines

Closeout is not optional: if any POA&M item remains open when the 180 days run out, the Conditional certification expires and the contractor no longer holds a valid Level 2 status. Treat POA&M commitments as binding, and schedule the C3PAO closeout assessment early enough that the assessor's own calendar cannot push you past the deadline.

Operator note: The most common POA&M failure pattern is aggressive initial timelines written under pressure to demonstrate progress. The C3PAO sees a POA&M where 15 findings are committed for remediation within 30 days. Two months later, none are closed. The assessor now has documentation that the contractor wrote down unrealistic commitments and did not meet them. A POA&M with honest timelines and slow but verified progress is far better than one with ambitious timelines and no evidence of forward movement.
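The scoring arithmetic and the POA&M limits above are mechanical enough to check before the C3PAO does. The following Python script is an added example (editor's code, not from the original page or vCSO.ai) that computes the Level 2 score from a set of per-requirement results and decides whether the outcome is Final, Conditional, or not certifiable, then computes the 180-day closeout deadline. The requirement weights in SAMPLE are constructed inputs, not a copy of the published DoD Assessment Methodology table; substitute the real weights when using this against an actual assessment.

```python
"""Level 2 score and Conditional-certification eligibility check.

Added example; not code from the original page. It implements the arithmetic
of the NIST SP 800-171 DoD Assessment Methodology (start at 110 and deduct the
weight of every NOT MET requirement) and the POA&M limits in 32 CFR 170.21 for
a Level 2 assessment. The per-requirement weights in SAMPLE are sample inputs,
not a copy of the published weight table.
"""
from datetime import date, timedelta

MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88       # 0.8 * 110: the floor for a Conditional certification
POAM_CLOSEOUT_DAYS = 180         # closeout assessment must be complete within 180 days
# Requirements that may never sit on a Level 2 POA&M regardless of weight.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The two requirements with a defined partial-implementation deduction of 3.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id, weight, status):
    """Points lost for one requirement."""
    if status in ("MET", "NA"):
        return 0
    if status == "PARTIAL" and req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req_id]
    return weight        # NOT_MET, or PARTIAL where no partial credit exists


def poam_eligible(req_id, points_lost):
    """Can this open item be placed on a POA&M?"""
    if req_id in POAM_EXCLUDED:
        return False
    if points_lost <= 1:
        return True
    # The single exception: 3.13.11 at its 3-point partial value.
    return req_id == "3.13.11" and points_lost == 3


def assess(results):
    """results: {req_id: {"weight": int, "status": "MET"|"NOT_MET"|"PARTIAL"|"NA"}}.
    Requirements absent from the dict are treated as MET."""
    score = MAX_SCORE
    poam, blockers = [], []
    for req_id, r in results.items():
        lost = deduction(req_id, r["weight"], r["status"])
        score -= lost
        if lost == 0:
            continue
        poam.append(req_id)
        if not poam_eligible(req_id, lost):
            blockers.append(f"{req_id}: {lost}-point open item may not be on a POA&M")
    if not poam:
        status = "FINAL"
    elif score >= MIN_CONDITIONAL_SCORE and not blockers:
        status = "CONDITIONAL"
    else:
        status = "NOT_ELIGIBLE"
        if score < MIN_CONDITIONAL_SCORE:
            blockers.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} floor")
    return {"score": score, "status": status, "poam": poam, "blockers": blockers}


def closeout_deadline(conditional_date_iso):
    """Last day for the POA&M closeout assessment, as an ISO date string."""
    start = date.fromisoformat(conditional_date_iso)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


# Constructed sample: a handful of the 110 requirements; everything else assumed MET.
SAMPLE = {
    "3.1.1": {"weight": 5, "status": "MET"},         # limit system access
    "3.3.3": {"weight": 1, "status": "NOT_MET"},     # review and update logged events
    "3.6.3": {"weight": 1, "status": "NOT_MET"},     # test incident response capability
    "3.13.11": {"weight": 5, "status": "PARTIAL"},   # CUI encrypted, module not FIPS-validated
}

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(closeout_deadline("2025-01-01"))
```

Run as-is, the sample scores 105 and is eligible for a Conditional certification; add a NOT MET 3.5.3 (MFA) and the same organization scores 100 but is not certifiable at all, because a 5-point item cannot go on a POA&M. That asymmetry is the practical point: the score floor is rarely the problem, the weight of what is still open is.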

Common CMMC failure points

These are the control areas where contractors most frequently fall short during C3PAO assessment.

Access control and MFA enforcement

The most common finding. MFA is documented in policy but not consistently enforced on all systems, or enforcement exists on some systems but not others. Inconsistent enforcement across the environment is treated as non-compliance. Remediation: audit all CUI-accessible systems and enforce MFA universally, not selectively.

Incomplete or outdated asset inventory

You cannot protect systems you have not documented. Asset inventories are frequently incomplete (shadow IT, cloud services, third-party systems) or outdated (systems decommissioned years ago still in the inventory, current systems missing). Remediation: conduct a network discovery scan and reconcile against HR records and procurement logs.

Access review documentation

Access reviews happen quarterly or annually on schedule, but evidence is not documented or the reviews do not capture what was actually reviewed or what changes resulted. Assessors expect to see a dated artifact showing who reviewed what, whether issues were found, and what actions were taken. Remediation: implement an access review process that produces evidence—a spreadsheet, a ticketing record, an access review tool—that documents the review date, reviewer, systems covered, findings, and remediation.
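The Operator note in the Access Control checklist and this section both ask for the same deliverable: a review that produces its own evidence. The following Python script is an added example (editor's code, not from the original page or vCSO.ai) that reconciles a constructed identity-provider export against a constructed HR roster, raises the findings an assessor looks for (terminated users still enabled, accounts with no HR record or documented owner, privileged accounts without MFA, stale accounts), and writes a dated, attributed record with a SHA-256 digest so the artifact can later be shown to be unaltered. The export field names and the 90-day staleness threshold are assumptions.

```python
"""Access review with an attributable, tamper-evident evidence record.

Added example, not from the original page. The IdP export and HR roster below
are constructed sample data; field names are assumptions, not any vendor's
export format.
"""
import hashlib
import json
from datetime import date

HR_ROSTER = {
    "asmith": {"status": "active", "role": "engineer"},
    "bjones": {"status": "terminated", "term_date": "2024-03-01"},
    "cwu": {"status": "active", "role": "sysadmin"},
}
# Non-human accounts must have a documented owner (shared/service account rule).
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "cwu"}
IDP_EXPORT = [
    {"user": "asmith", "enabled": True, "privileged": False, "mfa": True, "last_login": "2024-03-10"},
    {"user": "bjones", "enabled": True, "privileged": False, "mfa": True, "last_login": "2024-02-20"},
    {"user": "cwu", "enabled": True, "privileged": True, "mfa": False, "last_login": "2024-03-11"},
    {"user": "svc-backup", "enabled": True, "privileged": True, "mfa": False, "last_login": "2023-06-01"},
    {"user": "tmp-contractor", "enabled": True, "privileged": False, "mfa": True, "last_login": "2024-01-05"},
]


def review_access(idp_export, hr_roster, reviewer, systems, as_of, stale_days=90):
    """Return an evidence record: who reviewed what, when, the findings, the actions."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for acct in idp_export:
        uid = acct["user"]
        hr = hr_roster.get(uid)
        is_service = uid in SERVICE_ACCOUNT_OWNERS
        if hr is None and not is_service:
            # No HR record and no documented owner: orphaned account.
            findings.append({"user": uid, "type": "orphaned",
                             "action": "disable; identify owner or delete"})
        elif hr is not None and hr["status"] == "terminated" and acct["enabled"]:
            # The offboarding control did not run; record it as a control failure.
            findings.append({"user": uid, "type": "terminated_still_enabled",
                             "action": "disable now; open offboarding control failure"})
        if acct["privileged"] and not acct["mfa"] and not is_service:
            # 3.5.3: MFA for local and network access to privileged accounts.
            findings.append({"user": uid, "type": "privileged_without_mfa",
                             "action": "enforce MFA before next privileged use"})
        idle_days = (as_of_date - date.fromisoformat(acct["last_login"])).days
        if acct["enabled"] and idle_days > stale_days:
            findings.append({"user": uid, "type": "stale", "idle_days": idle_days,
                             "action": "confirm need; disable or rotate credential"})
    record = {
        "review_date": as_of,
        "reviewer": reviewer,
        "systems": list(systems),
        "accounts_reviewed": len(idp_export),
        "findings": findings,
    }
    record["sha256"] = _digest(record)
    return record


def _digest(record):
    """SHA-256 over a canonical JSON encoding of everything except the digest itself."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_record(record):
    """True if the record's content still matches the digest written at review time."""
    return _digest(record) == record.get("sha256")


if __name__ == "__main__":
    rec = review_access(IDP_EXPORT, HR_ROSTER, "jdoe", ["IdP: corp-sso"], "2024-03-12")
    print(json.dumps(rec, indent=2))
```

Store the JSON record and its digest in your ticketing system or evidence repository at the time of the review; the digest is what lets you answer "was this edited after the fact" when the C3PAO asks. Service accounts are deliberately exempt from the MFA check and instead held to the documented-owner rule, because the assessor will ask who owns svc-backup, not why it has no authenticator app.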

Incident response plan not tested

The plan exists and is well-written, but it has never been exercised. CMMC requires that the plan be tested through tabletop exercises, drills, or full simulations. Remediation: schedule an annual incident response tabletop exercise, document the exercise, capture lessons, and update the plan accordingly.

Configuration management not enforced for infrastructure

Code changes go through change management, but infrastructure changes (firewall rules, cloud IAM policies, network configurations) are deployed ad hoc. 3.4.3 covers changes to organizational systems, which includes infrastructure configuration as much as application code: every change to a CUI system must follow the same tracked, reviewed, approved, and logged process. Remediation: extend your change management process to infrastructure, or manage infrastructure as code so that every change is a reviewed commit with an approver distinct from the author, and periodically compare running configuration against the documented baseline (3.4.1) to catch changes that bypassed the process.
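The Configuration Management checklist above and this section reduce to one check: does the running configuration match the documented baseline, and is every difference explained by an approved change. The following Python script is an added example (editor's code, not from the original page or vCSO.ai) that compares a constructed sshd_config capture and firewall rule list against a baseline and labels each deviation as tracked (matched by an approved change record) or untracked (an ad hoc change that becomes a finding). The baseline keys, rule syntax, and change-record fields are assumptions.

```python
"""Configuration baseline drift check with change-ticket reconciliation.

Added example, not from the original page. All inputs below are constructed:
the baseline, the observed sshd_config capture, the firewall rule list, and
the approved change record.
"""

BASELINE = {
    "sshd": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "MaxAuthTries": "4",
        "X11Forwarding": "no",
        "Ciphers": "aes256-gcm@openssh.com,aes128-gcm@openssh.com",
    },
    # Rule list compared by membership; rule-order drift is not checked here.
    "firewall": [
        "allow tcp 22 from 10.0.0.0/8",
        "allow tcp 443 from any",
        "deny all",
    ],
}

OBSERVED_SSHD_CONFIG = """\
# constructed sshd_config capture from host cui-app-01
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 6
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
"""

OBSERVED_FIREWALL = [
    "allow tcp 22 from 10.0.0.0/8",
    "allow tcp 443 from any",
    "allow tcp 3389 from any",
    "deny all",
]

# What the change-management process says may legitimately differ from baseline.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "component": "sshd", "key": "MaxAuthTries",
     "value": "6", "approved_by": "cwu", "deployed_by": "asmith"},
]


def parse_sshd_config(text):
    """Parse 'Key value' lines; comments and blanks are skipped, last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def diff_settings(component, expected, observed):
    """Missing or changed key/value settings relative to the baseline."""
    drift = []
    for key, want in expected.items():
        if key not in observed:
            drift.append({"component": component, "key": key, "kind": "missing",
                          "expected": want, "observed": None})
        elif observed[key] != want:
            drift.append({"component": component, "key": key, "kind": "changed",
                          "expected": want, "observed": observed[key]})
    return drift


def diff_rules(component, expected, observed):
    """Extra rules not in the baseline, and baseline rules that have disappeared."""
    drift = []
    for rule in observed:
        if rule not in expected:
            drift.append({"component": component, "key": rule, "kind": "extra",
                          "expected": None, "observed": rule})
    for rule in expected:
        if rule not in observed:
            drift.append({"component": component, "key": rule, "kind": "missing",
                          "expected": rule, "observed": None})
    return drift


def drift_report(baseline, observed_sshd_text, observed_firewall, approved_changes):
    """Every drift item gets status 'tracked' (approved ticket found) or 'untracked'."""
    items = diff_settings("sshd", baseline["sshd"], parse_sshd_config(observed_sshd_text))
    items += diff_rules("firewall", baseline["firewall"], observed_firewall)
    approved = {(c["component"], c["key"], c["value"]): c["ticket"] for c in approved_changes}
    for item in items:
        ticket = approved.get((item["component"], item["key"], item["observed"]))
        item["status"] = "tracked" if ticket else "untracked"
        item["ticket"] = ticket
    return items


def untracked(items):
    """The subset that has no approved change behind it: these are the findings."""
    return [i for i in items if i["status"] == "untracked"]


if __name__ == "__main__":
    for item in drift_report(BASELINE, OBSERVED_SSHD_CONFIG, OBSERVED_FIREWALL, APPROVED_CHANGES):
        print(item["status"], item["component"], item["key"], item["kind"],
              item["expected"], "->", item["observed"], item["ticket"] or "")
```

On the sample data the MaxAuthTries change is tracked to CHG-1042, while the password-authentication flip, the missing X11Forwarding line, and the RDP firewall rule are untracked. Note that a change matches a ticket only when the observed value equals the approved value: a ticket for MaxAuthTries 6 does not excuse MaxAuthTries 10.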

Logging insufficient or logs not retained

Logs are collected but retention is shorter than the period your own policy promised, or critical events are not logged (configuration changes, administrative access, privilege escalation). NIST SP 800-171 Rev 2 does not set a retention number; it requires records to be retained to the extent needed to monitor, analyze, investigate, and report unauthorized activity (3.3.1), and the assessor will test that the period you documented is the period actually configured. Remediation: choose a retention period (12 months is common), write it into policy, configure it, audit logging rules to ensure all required events are captured, and verify that every in-scope host is still shipping logs; a host that silently stopped logging three months ago is a finding at assessment time.
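The Audit and Accountability checklist above and this section come down to two questions: are the right events being looked at, and are logs still arriving from every host. The following Python script is an added example (editor's code, not from the original page or vCSO.ai) that answers both over a constructed syslog-style sample: it flags a burst of failed logins and a success that follows it, surfaces every elevation to root for reviewer attention, and detects a host that stopped sending logs. The line format is modelled on OpenSSH and sudo syslog output and is an assumption, as are the thresholds.

```python
"""Audit log review over constructed syslog-style lines.

Added example, not from the original page. The sample log is constructed; the
parsing regexes assume an ISO timestamp, host, program[pid] and message, in the
style of OpenSSH and sudo output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

SAMPLE_LOG = """\
2024-03-12T09:00:00Z host1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-12T09:00:00Z host2 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-12T09:01:00Z host1 sshd[201]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-12T09:01:10Z host1 sshd[202]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-12T09:01:20Z host1 sshd[203]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
2024-03-12T09:01:30Z host1 sshd[204]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-03-12T09:01:40Z host1 sshd[205]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-12T09:01:50Z host1 sshd[206]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
2024-03-12T09:02:00Z host1 sudo[300]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-03-12T10:00:00Z host2 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
"""


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(text):
    """Return (ts, host, prog, msg) tuples in timestamp order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((_ts(m["ts"]), m["host"], m["prog"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def review_logs(text, burst_threshold=5, burst_window_s=60, max_gap_min=30, end_iso=None):
    """Return alert dicts for the reviewer to investigate and document."""
    alerts = []
    fails = defaultdict(list)        # source IP -> timestamps of recent failures
    burst_sources = set()
    last_seen = {}                   # host -> timestamp of its most recent event
    window = timedelta(seconds=burst_window_s)
    max_gap = timedelta(minutes=max_gap_min)
    for ts, host, prog, msg in parse(text):
        # Continuity: a silent host is a logging failure, not a quiet host.
        if host in last_seen and ts - last_seen[host] > max_gap:
            alerts.append({"type": "log_gap", "host": host, "ts": ts.isoformat(),
                           "gap_minutes": int((ts - last_seen[host]).total_seconds() // 60)})
        last_seen[host] = ts
        if prog == "sshd":
            if (m := FAILED_RE.search(msg)):
                src = m["src"]
                fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
                if len(fails[src]) >= burst_threshold and src not in burst_sources:
                    burst_sources.add(src)
                    alerts.append({"type": "auth_burst", "host": host, "src": src,
                                   "ts": ts.isoformat(), "count": len(fails[src])})
            elif (m := ACCEPTED_RE.search(msg)):
                src = m["src"]
                if src in burst_sources and fails[src] and ts - fails[src][-1] <= window:
                    alerts.append({"type": "success_after_burst", "host": host, "src": src,
                                   "user": m["user"], "ts": ts.isoformat()})
        elif prog == "sudo" and (m := SUDO_RE.match(msg)) and m["target"] == "root":
            # Every elevation to root is reviewed; 3.1.7 wants privileged functions logged.
            alerts.append({"type": "privilege_elevation", "host": host, "user": m["user"],
                           "cmd": m["cmd"], "ts": ts.isoformat()})
    if end_iso:
        # Hosts that went quiet before the end of the review period.
        end = _ts(end_iso)
        for host, ts in last_seen.items():
            if end - ts > max_gap:
                alerts.append({"type": "log_gap", "host": host, "ts": end.isoformat(),
                               "gap_minutes": int((end - ts).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in review_logs(SAMPLE_LOG):
        print(a)
```

The sample produces four alerts: the five-failure burst from 203.0.113.5, the successful login that immediately follows it (the pattern to treat as a likely compromise rather than a user typo), the cat of /etc/shadow via sudo, and a 60-minute silence from host2. Pass end_iso with the review cutoff to also catch hosts that simply stopped reporting before the period ended.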

Assessment readiness timeline

Most contractors should budget 6 to 12 months from scoping to C3PAO assessment:

Months 1-2: Scoping and self-assessment

  • Define CUI environment and assessment boundaries
  • Conduct self-assessment against NIST 800-171 using SP 800-171A procedures
  • Document gaps and prioritize remediation

Months 2-6: Gap remediation

  • Implement high-priority controls (access control, audit logging, change management)
  • Update or create policies and procedures
  • Build and test evidence collection processes
  • Engage C3PAO to schedule assessment (typically 2-3 months out)

Months 6-9: Documentation and evidence collection

  • Complete System Security Plan documenting all 110 controls
  • Collect and organize evidence artifacts
  • Prepare documentation for C3PAO review
  • Conduct internal assessment to validate readiness

Months 9-12: C3PAO assessment and certification

  • Host C3PAO assessment team
  • Respond to C3PAO requests for additional evidence
  • Receive assessment report and certification

Organizations with significant control gaps or limited internal resources may need to extend this timeline. Engaging external support (a fractional CISO or compliance consultant) compresses the timeline by bringing pattern recognition and structured methodology to the implementation phase.

Maintaining CMMC certification

CMMC 2.0 certification is valid for three years. Maintaining compliance requires continuous monitoring and remediation of new gaps.

Maintenance checklist

Assign ownership of each control to a specific person or team with accountability for continued compliance
Monitor control effectiveness continuously — quarterly reviews at minimum, monthly reviews recommended
Document all control changes in the System Security Plan
Submit the annual affirmation in SPRS on time, and back it with an internal self-assessment that identifies emerging gaps before the C3PAO reassessment
Update the risk assessment annually or triggered by significant environment changes
Re-conduct the incident response tabletop exercise annually
Engage the C3PAO for reassessment approximately 90 days before certification expiration
Track any POA&M items from the initial assessment through the 180-day closeout assessment, with documented evidence of remediation

The greatest risk to maintaining CMMC certification is treating it as a one-time project rather than an operational discipline. Organizations that embed controls into daily workflows—code review before merge, access provisioning through HR systems, change approval as a required workflow, logging as a configuration standard—sustain compliance with less friction than those managing compliance as a separate function.


Building your CMMC 2.0 program?

vCSO.ai helps defense contractors and their supply chain partners scope CUI environments, implement NIST SP 800-171 requirements, prepare System Security Plans, and achieve Level 2 certification through C3PAO assessment. Nick Shevelyov, former Chief Security Officer at Silicon Valley Bank, brings the same compliance discipline used at enterprise scale to defense contracting environments.

Request a consultation to scope your CMMC readiness, or explore our Strategic Oversight service for ongoing NIST 800-171 compliance management aligned with your contracting calendar.

See NIST Compliance: A Complete Guide for deeper context on NIST SP 800-171 control requirements. For contractors managing both CMMC and supply chain security obligations, Cyber War…and Peace covers the governance and risk assessment frameworks that scale across your entire contractor network.

Questions & answers

What is CMMC 2.0?

CMMC 2.0 is the Department of Defense's program for verifying that contractors protect Federal Contract Information and Controlled Unclassified Information (CUI) as their contracts already require. Compared with CMMC 1.0, it cuts five levels to three (Foundational, Advanced, and Expert), drops the CMMC-unique practices and maturity processes so that Level 2 is exactly NIST SP 800-171 Rev 2, allows self-assessment for Level 1 and for some Level 2 contracts, and permits a limited, time-boxed POA&M. The program rule took effect in December 2024 and the contract clause is being phased in from November 2025. Level 2 (Advanced) is the most common requirement and maps directly to the 110 requirements in NIST SP 800-171 Rev 2.

Do I need CMMC 2.0 certification?

If your organization holds or bids on a Department of Defense contract that involves Federal Contract Information (Level 1) or CUI (Level 2 or 3), or your prime flows the requirement down to you as a subcontractor, then yes. The level and assessment type are stated in the solicitation. You must have the required CMMC status posted in SPRS to be awarded the contract, and you must maintain it, with an annual affirmation, throughout the period of performance.

What is the difference between Foundational, Advanced, and Expert CMMC levels?

Foundational (Level 1) is the 15 basic safeguarding requirements of FAR 52.204-21 and applies to contracts involving Federal Contract Information but no CUI; it is met by annual self-assessment. Advanced (Level 2) is the full 110 requirements of NIST SP 800-171 Rev 2, assessed either by self-assessment or by a C3PAO as the solicitation specifies. Expert (Level 3) adds 24 selected requirements from NIST SP 800-172, requires a Final Level 2 certification first, and is assessed by the government (DCMA DIBCAC). Most defense contracts involving CUI require Level 2; Level 3 is required only for programs DoD designates as highest priority. Classified information is outside CMMC entirely.

How long does a CMMC assessment take?

A Level 2 C3PAO assessment typically requires 3 to 5 days of on-site assessment work, but the total timeline from scoping through result upload is 4 to 8 weeks. A self-assessment runs on your own schedule; a Level 3 DIBCAC assessment is scheduled by the government after your Level 2 certification. Before the assessment, budget 6 to 12 months for implementing the requirements and building supporting documentation.

What happens if we fail the CMMC assessment?

Each of the 110 requirements is assessed MET, NOT MET, or not applicable; there is no maturity scale, and apart from the two requirements with a defined partial value (3.5.3 MFA and 3.13.11 FIPS-validated cryptography), a partially implemented requirement is NOT MET. The C3PAO records the results, and the outcome depends on what is open. If everything is MET, you receive a Final Level 2 certification. If the score is at least 88 of 110 and every open item is eligible for a POA&M (1-point requirements only, plus 3.13.11 at its 3-point partial value, and none of the five excluded requirements), you receive a Conditional certification and have 180 days to close the POA&M and pass a closeout assessment. Otherwise no certification is issued; you remediate and undergo a new assessment.

Ready to turn this into a working plan?

Nick's team helps growth-stage companies, PE/VC sponsors, and cybersecurity product teams translate security questions into board-ready decisions. First call is strategy, not vendor pitch.

Talk to us Tell us your needs →