
CMMC Checklist: Audit Prep Guide for DoD Contractors

CMMC 2.0 requires independent verification of DoD contractor cybersecurity controls. Use this CMMC checklist to prepare for audit from scoping to certification.

Table of Contents
What Is CMMC (Cybersecurity Maturity Model Certification)?
Who Needs a CMMC Checklist?
How to Determine Your Required CMMC Level
Matching data type to certification level
Understanding CMMC Levels Before Using a Checklist
Pre-Assessment Readiness Checklist
CMMC Level 1 Checklist (Foundational Controls)
CMMC Level 2 Checklist (Advanced Controls)
CMMC Level 3 Checklist (Expert-Level Controls)
Documentation and Evidence Checklist
Common Mistakes in CMMC Checklist Implementation
Scoping Errors that Derail Assessments
Documentation that Describes Intent, not Reality
POA&M Mismanagement
CMMC Assessment Costs and Timeline Expectations
Typical Timeline Ranges
Cost Considerations
Best Practices for Using a CMMC Checklist
Start with CUI Discovery, not Control Implementation
Segment your Network Before Assessment
Build Evidence over Months, not Days
Prepare your People for Interviews
Enforce Subcontractor Flow-Down Requirements
Key Takeaways

Author: SentinelOne | Reviewer: Arijeet Ghatak
Updated: April 30, 2026

What Is CMMC (Cybersecurity Maturity Model Certification)?

Picture a DoD contractor that loses a major defense contract because it assumed self-attestation to NIST SP 800-171 was enough. As of November 10, 2025, it is not. The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a DoD certification framework that verifies defense contractor implementation of existing federal security requirements through independent assessment. It does not create new security requirements. It adds independent verification to controls already mandated under DFARS 252.204-7012, which has required NIST SP 800-171 implementation since the end of 2017.

The program is codified in 32 CFR 170 (CMMC Program Rule) and enforced through 48 CFR 204 (DFARS Acquisition Rule). The Cyber AB serves as the accreditation body for the CMMC ecosystem. If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the Department of Defense, CMMC applies to you.

Per 48 CFR 204.7502, contracting officers shall not award a contract that requires CMMC to an offeror without current CMMC status at the required level. During the phase-in, the requirement bites only where the solicitation carries the CMMC clause, but the phase-in is measured in months, not years. Your CMMC checklist preparation starts now, not when a solicitation lands on your desk.

Before CMMC, contractors self-scored their NIST SP 800-171 implementation and submitted results to the Supplier Performance Risk System (SPRS). Self-attestation created a trust gap across the defense industrial base (DIB), allowing contractors to claim compliance without independent validation.

CMMC closes this gap by requiring third-party or government assessments depending on the sensitivity of data you handle. Every control you claim in your System Security Plan (SSP) must survive examination, interview, and hands-on technical testing by trained assessors. Your security operations tools, audit logging, access controls, and incident response procedures all fall within CMMC's assessment scope. The framework organizes these requirements into three certification levels, each with its own assessment process.

Who Needs a CMMC Checklist?

Not every organization interacting with the DoD faces identical CMMC requirements, but the scope is broader than many contractors expect. Any company that stores, processes, or transmits FCI or CUI as part of a DoD contract must achieve the appropriate CMMC certification level before contract award.

Prime contractors holding DoD contracts that include the DFARS 252.204-7021 clause must demonstrate current CMMC status at the level specified in the solicitation. This requirement flows down through the supply chain: subcontractors that handle CUI in support of contract performance must independently meet the required CMMC level, not simply rely on the prime contractor's certification. Per an NDIA supply chain analysis, DFARS flow-down requirements apply without regard to supply chain tier position.

Organizations that should maintain a CMMC checklist include defense manufacturers and suppliers handling CUI, IT service providers and managed service providers with access to CUI environments, research institutions under DoD-funded contracts, and staffing or professional services firms whose employees access CUI systems. Small businesses are not exempt. If your contract involves CUI, CMMC Level 2 requirements apply regardless of company size or revenue.

The threshold is straightforward: if your contract currently includes or will include DFARS 252.204-7021, you need a structured compliance process. A CMMC checklist lets you track control implementation, document evidence collection, and identify gaps before a C3PAO or DIBCAC assessor does.

How to Determine Your Required CMMC Level

Your required CMMC level depends on the type of information you handle under a DoD contract. The determination starts with one question: does your contract involve CUI?

Matching data type to certification level

  • FCI only (Level 1): Your contract involves basic Federal Contract Information but no CUI. You implement the 15 basic safeguarding requirements of FAR 52.204-21(b)(1) (counted as 17 practices under the retired CMMC 1.0 model, a figure still common in older guidance) and self-assess annually.
  • CUI (Level 2): Your contract includes data marked as Controlled Unclassified Information under the CUI Registry. You implement all 110 NIST SP 800-171 Revision 2 requirements and undergo either a triennial C3PAO assessment or a triennial self-assessment, as the contract specifies.
  • High-value CUI (Level 3): Your contract involves CUI on critical programs identified by the DoD. You implement 134 requirements (110 from NIST SP 800-171 plus 24 selected from NIST SP 800-172) and undergo a government-led DIBCAC assessment. Level 3 requires a current Level 2 C3PAO certification as a prerequisite.

If your contract does not specify a CMMC level, review the DFARS clauses in your solicitation. Per 32 CFR 170, the contracting officer determines the required level based on the sensitivity of information involved. When in doubt, contact your contracting officer directly. Getting the level wrong means preparing for the wrong assessment, which wastes time and budget. Once you know your level, the table below shows exactly what that level requires.

Understanding CMMC Levels Before Using a Checklist

Before working through any CMMC checklist, you need a clear picture of what each certification level requires. The three levels differ significantly in practice count, assessment type, and the category of information they protect.

Feature | Level 1: Foundational | Level 2: Advanced | Level 3: Expert
Protects | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | High-value CUI
Requirement count | 15 basic safeguarding requirements (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 134 (110 plus 24 from NIST SP 800-172)
Assessment type | Annual self-assessment | Triennial C3PAO assessment, or triennial self-assessment where the contract allows | Triennial DIBCAC government assessment on top of a current Level 2 C3PAO certification
POA&Ms permitted? | No | Yes, 180-day close-out; SSP, two access control and three physical protection requirements excluded | Yes, 180-day close-out; critical requirements excluded
Results entered in | SPRS | SPRS (self-assessment); CMMC eMASS, which feeds SPRS (C3PAO) | CMMC eMASS, which feeds SPRS
Prerequisite | None | None | Current Level 2 C3PAO certification

Phase 1 began November 10, 2025 and centers on Level 1 and Level 2 self-assessments, although contracting officers may already require Level 2 C3PAO certification at their discretion. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification becomes the default requirement for contracts involving CUI. Phase 3 begins November 10, 2027 and adds Level 3 DIBCAC requirements. Phase 4, full implementation in all applicable solicitations and contracts, begins November 10, 2028.

All Level 2 C3PAO assessments follow the four-phase structure of the Cyber AB CMMC Assessment Process (CAP):

  1. Plan and Prepare Pre-Assessment: Define scope, provide the SSP and network diagrams, and agree on the assessment timeline.
  2. Assess Conformity to Security Requirements: Assessors examine documentation, interview personnel, and test controls directly.
  3. Complete and Report Assessment Results: The C3PAO uploads results to CMMC eMASS, which transmits your status to SPRS.
  4. Issue Certificate and Close Out POA&M: Close out any open items within 180 days of the Conditional status date or that Conditional CMMC Status lapses.

Assessors use the three assessment methods defined in NIST SP 800-171A: examine (review documentation, configurations, logs), interview (structured discussions with personnel), and test (hands-on technical validation). You cannot pass on paper alone.

CMMC currently uses NIST SP 800-171 Revision 2. Per DoD CIO FAQs, DoD has issued a class deviation to DFARS clause 252.204-7012 to maintain Rev 2 as the assessment standard until Rev 3 is incorporated through future rulemaking. With this context established, the following checklists give you a structured path through preparation.

Pre-Assessment Readiness Checklist

Pre-assessment readiness covers the foundational work that must be complete before you can accurately scope, document, or engage a C3PAO. Gaps identified here affect every item on your CMMC checklist.

Asset scoping:

  • Complete hardware and software asset inventory across all five CMMC asset categories (CUI Assets, Security Protection Assets, CRMA, Specialized Assets, Out-of-Scope)
  • Map all data flows showing where CUI enters, moves through, and exits your environment
  • Document all cloud service provider connections and whether they process CUI or FCI
  • Identify all external connections, remote workers, and vendor access points
  • Verify technical and physical separation for out-of-scope assets
  • Document CRMA risk management justification in SSP for each CRMA designation
  • Identify all Security Protection Assets and their security functions

Assessment readiness:

  • Gap analysis complete against all Level 2 requirements and their assessment objectives using the DoD CMMC Level 2 Assessment Guide
  • Internal mock assessment or Registered Practitioner Organization (RPO) readiness review conducted
  • Personnel prepared for assessor interviews (can articulate their security responsibilities)
  • Self-assessment score submitted to SPRS
  • C3PAO selected from Cyber AB marketplace and engagement agreement executed

Completing asset scoping before engaging a C3PAO is not optional. Assessors who discover undisclosed CUI assets during the assessment can expand scope, extend timelines, and convert passing controls into findings. Getting this right early has more impact on assessment outcomes than any other single step in CMMC preparation.

CMMC Level 1 Checklist (Foundational Controls)

Level 1 requires the 15 basic safeguarding requirements of FAR 52.204-21(b)(1), organized across six security domains (the CMMC 1.0 model counted them as 17 practices, and many older checklists still do). These are basic safeguarding requirements for systems that handle FCI. No POA&Ms are permitted at Level 1: all 15 must be fully implemented before you self-assess and affirm in SPRS.

Access control:

  • Limit system access to authorized users, processes, and devices
  • Restrict access to the types of transactions and functions authorized users may execute
  • Verify and control connections to external information systems
  • Control information posted or processed on publicly accessible systems

Identification and authentication:

  • Identify all users, processes acting on behalf of users, and devices
  • Authenticate the identities of users, processes, and devices before allowing system access

Media protection:

  • Sanitize or destroy information system media before disposal or reuse

Physical protection:

  • Limit physical access to systems, equipment, and operating environments to authorized individuals
  • Escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices

System and communications protection:

  • Monitor, control, and protect communications at external and key internal boundaries
  • Implement subnetworks for publicly accessible components that are separated from internal networks

System and information integrity:

  • Identify and correct information system flaws in a timely manner
  • Provide protection from malicious code at appropriate system locations
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic system scans and real-time scans of files from external sources

Level 1 compliance is achievable for most small contractors with basic IT hygiene in place. If all 15 requirements are implemented, your CMMC checklist at this level is straightforward to document and self-attest. The more significant preparation burden begins at Level 2, where 110 requirements must be assessed against documented, operational evidence.

CMMC Level 2 Checklist (Advanced Controls)

Level 2 maps to all 110 requirements in NIST SP 800-171 Revision 2 across its 14 security families. This CMMC checklist is organized by family. Not all 110 individual requirements are listed here; use the DoD CMMC Level 2 Assessment Guide for the complete list and assessment objectives.

  • Access control (AC): Implement least-privilege access, manage privileged accounts, enforce session lock after inactivity, control remote access and the use of external systems, and limit the use of portable storage devices on external systems.
  • Awareness and training (AT): Ensure managers, administrators, and users understand the security risks of their activities and their responsibilities, provide role-based security training, and train personnel to recognize and report potential insider threat indicators.
  • Audit and accountability (AU): Create and protect system audit logs, ensure user actions can be traced to individuals, review and analyze logs for unauthorized activity, retain audit records to support after-the-fact investigation, and provide the capability to audit the events defined in the SSP.
  • Configuration management (CM): Establish and maintain baseline configurations, enforce security configuration settings, track and control changes to systems, and analyze the security impact of changes prior to implementation.
  • Identification and authentication (IA): Enforce multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, manage authenticator strength and lifecycle, and employ replay-resistant authentication.
  • Incident response (IR): Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user reporting. Track and report incidents and test the incident response capability.
  • Maintenance (MA): Perform maintenance on systems, control maintenance tools, sanitize equipment removed for off-site maintenance, and require MFA for nonlocal maintenance sessions over external network connections.
  • Media protection (MP): Protect system media containing CUI, limit access to CUI on media to authorized users, sanitize media prior to disposal or reuse, control access to media containing CUI during transport, and prohibit the use of portable storage devices that have no identifiable owner.
  • Personnel security (PS): Screen individuals prior to authorizing access to systems containing CUI, and ensure CUI is protected during and after personnel actions such as terminations and transfers.
  • Physical protection (PE): Limit physical access to systems and equipment, protect and monitor the physical facility and support infrastructure, escort visitors and maintain physical access logs, control physical access devices, and enforce safeguarding measures for CUI at alternate work sites.
  • Risk assessment (RA): Periodically assess risk to operations and assets, scan for vulnerabilities in systems and applications, and remediate vulnerabilities in accordance with risk assessments.
  • Security assessment (CA): Periodically assess security controls, develop and implement plans of action, monitor security controls on an ongoing basis, and maintain a current SSP that reflects the operating environment.
  • System and communications protection (SC): Monitor, control, and protect communications at boundaries, implement architectural designs and software development techniques that promote security, encrypt CUI in transit, protect the confidentiality of CUI at rest, and use FIPS-validated cryptography wherever cryptography protects CUI.
  • System and information integrity (SI): Identify and address flaws, provide malicious code protection, monitor systems and system security alerts, and update malicious code protection when new releases are available.

Working through the CMMC Level 2 checklist requires sustained effort over months, not weeks. Organizations that have not previously implemented NIST SP 800-171 should begin gap remediation well before C3PAO engagement.

CMMC Level 3 Checklist (Expert-Level Controls)

Level 3 adds 24 requirements selected from NIST SP 800-172 on top of the full Level 2 set, for a total of 134. These enhanced requirements target organizations protecting high-value CUI on critical DoD programs. Assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO, and a current Level 2 C3PAO certification is a prerequisite.

The 24 additional requirements are spread across several NIST SP 800-172 families; grouped by emphasis, they cover:

  • Enhanced access control: Employ dynamic access control approaches that coordinate with organizational risk strategy and support real-time access decisions
  • Advanced configuration management: Establish and maintain a configuration management system capable of tracking changes with integrity verification
  • Strengthened incident response: Establish a security operations center (SOC) capability and employ automated mechanisms to support incident handling
  • Supply chain risk management: Assess the risk associated with suppliers, developers, and external providers and address the risk through contractual requirements
  • Advanced system and communications protection: Employ architectural capabilities and system configurations that leverage managed interfaces and employ boundary protection devices and mechanisms

Level 3 organizations must also demonstrate persistent monitoring, threat-hunting capability, and coordination with federal cybersecurity agencies. Because DIBCAC conducts government-led assessments, scheduling lead times are significant and early coordination with DoD program offices is essential before beginning Level 3 CMMC checklist preparation.

Documentation and Evidence Checklist

Documentation and evidence gaps are the most common reason CMMC assessments stall or fail. Your SSP is the central artifact in any CMMC checklist, but assessors require a complete evidence package spanning every domain in scope.

SSP and documentation:

  • Complete descriptions of all in-scope assets across all five categories
  • Current network diagrams showing CUI data flows and system boundaries
  • Documentation of all security controls and their implementation status
  • Roles and responsibilities for security control implementation
  • Incident response procedures and contacts
  • Every requirement that can never sit on a POA&M fully implemented (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5), together with every requirement worth more than 1 point in the DoD Assessment Methodology; the one exception is SC.L2-3.13.11, which may remain open when encryption is in place but not FIPS-validated

Evidence collection:

  • System logs demonstrating continuous monitoring (AU domain)
  • Access control configurations and current authorized user lists
  • Multi-factor authentication records across all in-scope systems
  • Security awareness training completion records with dates and content
  • Incident response plan with documented exercise records
  • Configuration baselines and change management records
  • Vulnerability assessment results and remediation tracking
  • Cryptography documentation and certificates
  • Physical access logs for CUI areas
  • Media sanitization records
  • Third-party and cloud service provider CUI handling documentation

Post-certification maintenance:

  • Annual affirmation of continued compliance entered in SPRS by the Affirming Official (the senior official accountable for the organization's CMMC compliance)
  • Level 1: self-assessment repeated annually; Level 2 and Level 3: assessment repeated every three years
  • Continuous monitoring and audit logging maintained
  • SSP updated when environment changes
  • Recertification planning initiated before expiration

Per the Cyber AB CAP, without an adequately documented SSP, an assessment cannot proceed and results in a failed assessment by default. Build your CMMC checklist evidence repository continuously throughout preparation, not in the weeks before your assessment date.

Common Mistakes in CMMC Checklist Implementation

Many contractors approach CMMC with confidence in their existing security programs, only to stall during assessment preparation. These are the most frequent failure points and how to avoid them.

Scoping Errors that Derail Assessments

Over-scoping your CUI environment inflates cost and complexity without improving security. If a system never processes, stores, or transmits CUI, proper Contractor Risk Managed Asset (CRMA) designation and technical segregation can legitimately reduce your assessment footprint. However, per the CMMC process, CRMA designations are "subject to the assessor's discretion." Every CRMA must be backed by documented justification in your SSP.

Equally dangerous: under-scoping by excluding backup systems containing CUI, cloud services processing CUI, or remote worker endpoints. If CUI can traverse a system, that system is in scope regardless of informal declarations.
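The asset-scoping items in the pre-assessment checklist and the over- and under-scoping failures just described reduce to a few mechanical rules that you can check before a C3PAO does. The script below is an added example, not code from the original article or from the Cyber AB. It loads a constructed asset inventory and CUI data-flow map, using the five asset categories from the CMMC Level 2 Scoping Guide, and flags Out-of-Scope assets that CUI traverses, flow endpoints missing from the inventory altogether, CRMA designations with no SSP justification, and backup, cloud, or remote assets that hold CUI but are not categorised as CUI or Specialized Assets. The field names (ssp_justification, tags), the "holds-cui" tag, and every hostname are assumptions.

```python
"""Scope sanity check for a CMMC Level 2 assessment boundary.

Added example; not code from the original article or from any CMMC body.
Asset categories are the five from the CMMC Level 2 Scoping Guide. The
field names (ssp_justification, tags) and every asset, flow and hostname
below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(str, Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out-of-Scope Asset"


@dataclass
class Asset:
    name: str
    category: Category
    ssp_justification: str = ""                   # assumed field: SSP text backing a CRMA call
    tags: set[str] = field(default_factory=set)   # assumed field: free-form labels


@dataclass
class Flow:
    """One hop of data between two assets."""
    src: str
    dst: str
    data: str = "CUI"                             # "CUI" or "FCI" in this example


# Categories that may legitimately store or process CUI.
CUI_BEARING = {Category.CUI, Category.SPECIALIZED}


def validate_scope(assets: list[Asset], flows: list[Flow]) -> list[str]:
    """Return scoping findings; an empty list means the boundary is consistent."""
    by_name = {a.name: a for a in assets}
    findings: list[str] = []
    touched: set[str] = set()

    # Rule 1: if CUI can traverse a system, that system is in scope, whatever the
    # inventory label says; an endpoint missing from the inventory is worse still.
    for f in flows:
        if f.data != "CUI":
            continue
        for endpoint in (f.src, f.dst):
            asset = by_name.get(endpoint)
            if asset is None:
                findings.append(f"{endpoint}: on CUI flow {f.src} -> {f.dst} but not in the inventory")
                continue
            touched.add(endpoint)
            if asset.category == Category.OUT_OF_SCOPE:
                findings.append(f"{endpoint}: marked Out-of-Scope but carries CUI ({f.src} -> {f.dst})")

    for a in assets:
        if a.category == Category.CRMA:
            # Rule 2: a CRMA needs written risk-management justification in the SSP,
            # and a CRMA that CUI actually flows through is really a CUI Asset.
            if not a.ssp_justification.strip():
                findings.append(f"{a.name}: CRMA with no SSP justification")
            if a.name in touched:
                findings.append(f"{a.name}: designated CRMA but CUI flows through it")
        # Rule 3: backups, cloud tenants and remote endpoints that hold CUI are the
        # usual under-scoping blind spots; they must be CUI or Specialized Assets.
        if "holds-cui" in a.tags and a.category not in CUI_BEARING:
            findings.append(f"{a.name}: tagged holds-cui but categorised {a.category.value}")

    return findings


# Constructed inventory and CUI data-flow map (not a real environment).
SAMPLE_ASSETS = [
    Asset("eng-fileserver", Category.CUI, tags={"holds-cui"}),
    Asset("cui-vpn-gateway", Category.SPA),
    Asset("backup-nas", Category.OUT_OF_SCOPE, tags={"backup", "holds-cui"}),
    Asset("hr-payroll", Category.CRMA),                        # no justification recorded
    Asset("cnc-mill-01", Category.SPECIALIZED, ssp_justification="OT controller; no CUI stored"),
    Asset("marketing-wiki", Category.OUT_OF_SCOPE),
    Asset("eng-laptop-07", Category.CUI, tags={"remote-endpoint", "holds-cui"}),
]
SAMPLE_FLOWS = [
    Flow("eng-laptop-07", "cui-vpn-gateway"),
    Flow("cui-vpn-gateway", "eng-fileserver"),
    Flow("eng-fileserver", "backup-nas"),                     # nightly backup of the CUI share
    Flow("marketing-wiki", "eng-fileserver", data="FCI"),     # FCI only: no finding
    Flow("eng-fileserver", "cloud-sharepoint"),               # never added to the inventory
]

if __name__ == "__main__":
    for line in validate_scope(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print("FINDING:", line)
```

Run against the sample data it reports four findings: the backup NAS is flagged twice (once because a CUI flow lands on an Out-of-Scope asset, once because it holds CUI), the cloud SharePoint tenant is missing from the inventory, and the payroll CRMA has no justification. The FCI-only wiki and the correctly categorised laptop produce nothing, which is the point: scope reduction is legitimate when the records back it.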

Documentation that Describes Intent, not Reality

Your SSP is the single most critical document in CMMC. As noted in the documentation checklist, the Cyber AB CAP treats a missing or inadequate SSP as grounds for the assessment not to proceed at all, so the document must exist, and it must reflect actual operational state, not aspirational posture.

Common evidence gaps include access control lists missing recently added personnel, policies lacking senior management endorsement, and attestations signed by employees who are not the proper owner, operator, or supervisor.

POA&M Mismanagement

Some requirements cannot be placed on a Plan of Action and Milestones (POA&M) at all: CA.L2-3.12.4 (System Security Plan), AC.L2-3.1.20 and AC.L2-3.1.22 (external and publicly accessible systems), and PE.L2-3.10.3 through PE.L2-3.10.5 (visitor escort, physical access logs, and physical access devices). Beyond that list, per 32 CFR 170.21 only requirements worth 1 point in the DoD Assessment Methodology may be left open, the assessment score must be at least 88 out of 110, and SC.L2-3.13.11 may stay open at 3 points only when encryption is deployed but not FIPS-validated. If you enter a C3PAO assessment with gaps outside these limits, there is no Conditional status to fall back on; you can face a completely new assessment.

If you receive a Conditional CMMC Status with open POA&M items, the close-out clock is absolute: the POA&M close-out assessment must be completed within 180 days of the Conditional status date. Per DoD CMMC guidance, if it is not, the Conditional status expires, and there is no documented extension option.
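The never-POA&M list in the documentation checklist and the POA&M limits described above are easiest to apply with the DoD Assessment Methodology arithmetic in front of you. The script below is an added example, not code from the original article, DoD, or the Cyber AB. It scores a constructed set of NOT MET findings (110 minus each finding's point value) and checks the 32 CFR 170.21 conditions for Conditional Level 2 status. Only the point values for the requirements it uses are embedded, and the partial-credit handling for IA.L2-3.5.3 and SC.L2-3.13.11 is this example's reading of the methodology; check both against the current DoD Assessment Methodology before relying on a computed score.

```python
"""SPRS score and Conditional Level 2 POA&M eligibility.

Added example; not code from the original article or from DoD. It applies
the DoD Assessment Methodology scoring (start at 110, subtract the point
value of each NOT MET requirement) and the 32 CFR 170.21 POA&M limits for
Conditional Level 2 status. POINT_VALUES holds only the requirements this
example uses; the full table of 110 values lives in the methodology document.
All finding sets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88          # 0.8 * 110: the floor for Conditional status
SSP = "CA.L2-3.12.4"

# Subset of DoD Assessment Methodology point values (requirement -> points).
# The SSP requirement carries no value: without an SSP there is no score at all.
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.3": 1, "AC.L2-3.1.5": 3,
    "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AU.L2-3.3.1": 5, "CM.L2-3.4.1": 5,
    "IA.L2-3.5.3": 5, "IA.L2-3.5.7": 1,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}
# Partial implementation earns a reduced deduction for exactly two requirements.
PARTIAL_DEDUCTION = {
    "IA.L2-3.5.3": 3,    # MFA in place for remote and privileged users only
    "SC.L2-3.13.11": 3,  # CUI encrypted, but not with FIPS-validated cryptography
}
# Requirements that may never be left open on a Level 2 POA&M.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22", SSP,
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One NOT MET requirement from an assessment."""
    requirement: str
    partial: bool = False   # honoured only for the PARTIAL_DEDUCTION requirements


def deduction(f: Finding) -> int:
    """Points removed from 110 for this finding."""
    if f.partial and f.requirement in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.requirement]
    return POINT_VALUES[f.requirement]


def sprs_score(findings: list[Finding]) -> Optional[int]:
    """Return the SPRS score, or None when the SSP itself is NOT MET."""
    if any(f.requirement == SSP for f in findings):
        return None
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_eligibility(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Decide whether the open findings could be carried on a POA&M."""
    score = sprs_score(findings)
    if score is None:
        return False, [f"{SSP} NOT MET: no SSP, the assessment cannot proceed"]
    reasons: list[str] = []
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} floor")
    for f in findings:
        if f.requirement in NEVER_POAM:
            reasons.append(f"{f.requirement} can never be on a POA&M")
        elif deduction(f) > 1 and not (f.requirement == "SC.L2-3.13.11" and f.partial):
            reasons.append(f"{f.requirement} is worth {deduction(f)} points; only 1-point items may stay open")
    return not reasons, reasons


# Constructed finding sets.
ELIGIBLE = [Finding("IA.L2-3.5.7"), Finding("AC.L2-3.1.3"),
            Finding("SC.L2-3.13.11", partial=True)]            # 110 - 1 - 1 - 3 = 105
BLOCKED = [Finding("IA.L2-3.5.3", partial=True), Finding("AC.L2-3.1.20"),
           Finding("AU.L2-3.3.1")]                              # 101, but three blockers
LOW_SCORE = [Finding(r) for r in ("AC.L2-3.1.1", "AU.L2-3.3.1", "CM.L2-3.4.1",
                                  "IA.L2-3.5.3", "SI.L2-3.14.1")]  # 110 - 25 = 85

if __name__ == "__main__":
    for label, findings in (("eligible", ELIGIBLE), ("blocked", BLOCKED), ("low", LOW_SCORE)):
        ok, reasons = poam_eligibility(findings)
        print(label, sprs_score(findings), ok, reasons)
```

Note what the second set shows: a score of 101 is comfortably above the floor, yet none of the three open items is POA&M-eligible (a never-POA&M requirement, a 5-point requirement, and MFA at partial credit, which is still 3 points). A high score does not buy Conditional status; the composition of the open items does.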

Across all of these failure points, the common thread is timing. Gap-to-CMMC certification timelines can be substantial, and the costs associated with missed deadlines or repeated assessments are significant. Understanding the realistic budget and timeline picture is the next step.

CMMC Assessment Costs and Timeline Expectations

Budget and timeline are two of the most common concerns for contractors beginning CMMC preparation. Both vary significantly based on your organization's size, existing security maturity, and the certification level you need.

Typical Timeline Ranges

Per DoD CIO guidance, there is no fixed preparation period, but industry experience provides useful benchmarks:

  • Level 1 self-assessment: 1-3 months for organizations with basic controls already in place.
  • Level 2 with existing NIST SP 800-171 program: 6-12 months covering gap remediation, evidence collection, and C3PAO scheduling.
  • Level 2 starting from scratch: 12-18 months or longer, accounting for control implementation, documentation, evidence maturation, and assessor availability.
  • Level 3 government assessment: Timeline depends on DIBCAC scheduling and requires current Level 2 status first.

C3PAO availability adds to these timelines. Per GAO-26-107955, assessor capacity is limited, so early engagement is important.

Cost Considerations

Assessment costs depend on your environment size and scope complexity. Key cost categories include consultant and RPO fees for gap analysis and remediation support, C3PAO assessment fees (which vary by organization size and scope), technology investments for controls you have not yet implemented, and internal staff time for documentation and evidence preparation. 

Smaller subcontractors with a narrow CUI scope will spend less than large primes managing complex, multi-site environments. Factor these costs into your program planning early to avoid surprises during solicitation response. With budget and timeline accounted for, the following operational practices help you make the most of both.

Best Practices for Using a CMMC Checklist

Passing a CMMC assessment takes more than checking boxes on a CMMC checklist. These practices help contractors build the sustained CMMC compliance posture that assessors expect.

Start with CUI Discovery, not Control Implementation

Before deploying a single security control, identify every location where CUI exists. Common locations include:

  • Email archives and collaboration platforms
  • HR files and project documentation
  • Supplier documents and meeting notes
  • Shared drives and cloud storage

Map exactly how CUI enters your environment, where it travels, where it is stored, and where it exits. This CUI map drives your SSP and directly determines your assessment scope. If external cloud service providers process CUI, they must meet DFARS 252.204-7012(b)(2)(ii)(D) requirements.

Segment your Network Before Assessment

Proper segmentation is the primary mechanism for reducing your assessment scope. Place firewalls between internal networks and the internet, use VLANs and firewall zones to separate CUI environments from general business networks, and encrypt CUI crossing the internet with FIPS-validated cryptography (SC.L2-3.13.11). Segmentation only shrinks scope if it is enforced, so expect an assessor to test whether a general-business host can actually reach a CUI share rather than take the diagram's word for it. The Singularity Platform's policy enforcement and device control capabilities can support this segmentation by controlling peripheral device access to CUI-handling systems.

Build Evidence over Months, not Days

Establish a structured evidence repository aligned to the CMMC control families. Populate it continuously, not reactively. The Level 2 assessment guide requires evidence demonstrating controls operate consistently over time, so training records, audit log samples, vulnerability scan results, and incident response exercise documentation must show sustained operation. Assessors evaluate operational maturity, not just technical presence.

Prepare your People for Interviews

Personnel who cannot explain their security responsibilities to assessors are a frequently underestimated failure point. Conduct internal interview rehearsals. Ensure every person in scope can explain what they do, why they do it, and where it is documented.

Assessors will interview personnel in several key roles:

  • Security awareness training recipients
  • Information security training administrators
  • Incident response team members
  • Audit monitoring and log review staff

Preparation across these groups builds confidence and reduces surprises during the assessment.

Enforce Subcontractor Flow-Down Requirements

Per an NDIA supply chain analysis, DFARS 252.204-7012 flow-down requirements apply "without regard to their supply chain tier position level" for any subcontractor that stores, processes, or generates CUI as part of contract performance. Identify all subcontractors who will handle CUI and include CMMC clause flow-down in subcontract agreements. Verify that each subcontractor has appropriate CMMC status at the required level. Do not flow down CMMC requirements to subcontractors who will not handle CUI.

Applying these practices consistently builds the operational maturity assessors look for. The right security tooling can further reduce the manual effort involved in maintaining that posture.

Key Takeaways

CMMC 2.0 is enforceable now, with Phase 1 active since November 10, 2025. Your CMMC checklist must cover asset scoping, SSP documentation, evidence collection, and ongoing maintenance across Level 2 practices. The most common failures are documentation that describes intent rather than operational reality, incomplete CUI discovery, and reactive evidence gathering. 

Start CMMC compliance preparation well before you need certification, account for limited C3PAO capacity, and build monitoring infrastructure that generates CMMC certification evidence by design.

FAQs

A CMMC checklist is a structured tool that helps DoD contractors track implementation and evidence collection for each required cybersecurity practice under the Cybersecurity Maturity Model Certification framework. It organizes the 17, 110, or 134 practices required at each CMMC level into actionable items, covering asset scoping, documentation, control implementation, and assessment readiness. 

Using a CMMC checklist reduces the risk of missing critical controls or arriving at a C3PAO assessment without sufficient evidence.

A complete CMMC checklist covers asset inventory and CUI scoping, System Security Plan (SSP) documentation requirements, control implementation status across all applicable NIST SP 800-171 practice families, evidence collection requirements by domain (access control, audit logs, incident response, configuration management, and others), POA&M tracking for any open items, and personnel readiness for assessor interviews. 

At Level 2, the checklist maps to 110 practices across 14 security domains. At Level 3, it expands to 134 practices incorporating NIST SP 800-172 requirements.

No regulation requires contractors to use a specific checklist format. However, the DoD assessment process requires that every in-scope practice be examined, tested, or observed by assessors. Without a systematic tracking approach, contractors routinely miss evidence gaps or underdocument control implementations. 

Per the Cyber AB CAP, an assessment cannot proceed without an adequately documented SSP, making structured preparation effectively mandatory even if the checklist format itself is not prescribed.

The core documentation package for a CMMC Level 2 assessment includes: a System Security Plan covering all in-scope assets, network diagrams showing CUI data flows and system boundaries, access control lists and authorization records, security awareness training records with completion dates, incident response plan and exercise documentation, configuration baselines and change management records, vulnerability scan results and remediation tracking, and any open POA&M items with milestone dates. 

Assessors will also conduct structured personnel interviews and perform hands-on technical testing, so documentation must reflect operational reality, not intended state.

Preparation timelines vary based on your existing controls, documentation maturity, and how much historical evidence you can already produce. Organizations with mature security programs and established SSPs typically move faster, while those building from scratch should expect a longer runway. 

All organizations should account for evidence collection periods, internal readiness reviews, and C3PAO scheduling lead times, which can add months to the overall timeline.

Your Conditional CMMC Status can expire, and you may need to undergo a completely new assessment rather than simply resuming where you left off. This resets your timeline and increases costs. 

It can also disqualify you from active contract opportunities that require current CMMC status. Plan remediation efforts carefully and allocate resources to close POA&M items well before the deadline approaches.

If a cloud service provider processes, stores, or transmits CUI on your behalf, it must meet the security requirements outlined in DFARS 252.204-7012(b)(2)(ii)(D). This typically means FedRAMP Moderate or equivalent authorization. 

Failure to document and validate your cloud provider's compliance status creates scoping problems during assessment and can result in findings against your organization, not just the provider.

DFARS 252.204-7012 establishes the underlying cybersecurity requirements that defense contractors must implement, primarily based on NIST SP 800-171. CMMC adds a verification layer by requiring independent assessment of those implementations. 

The two work together: DFARS defines what you must do, and CMMC confirms you actually did it. Before CMMC, contractors self-reported compliance without independent validation.

Subcontractors that store, process, or generate CUI as part of contract performance need the appropriate CMMC status at the level specified in the contract flow-down. 

Prime contractors are responsible for including CMMC clauses in subcontract agreements and verifying subcontractor status. Subcontractors that handle only FCI or do not interact with CUI should not receive unnecessary CMMC flow-down requirements beyond what the contract requires.

©2026 SentinelOne, All Rights Reserved.