If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and works on DoD contracts, CMMC compliance is not optional. The right checklist tells you exactly where you stand before an assessor does.
Phase 1 of the CMMC rollout went live November 10, 2025. It focuses primarily on Level 1 and Level 2 self-assessments, though DoD may require Level 2 C3PAO status for some applicable contracts. Phase 2 begins November 10, 2026, when Level 2 third-party certification requirements are expected to appear more broadly in DoD solicitations and contracts. Contractors without an active readiness plan are already losing pre-award conversations.
This guide walks through every phase of the CMMC compliance process, from scoping your environment to preparing for your C3PAO audit. Use it to identify gaps, prioritize remediation, and build the documentation package your assessment requires.
Nexeris has guided 35+ defense contractors through CMMC certification, with consultants holding CISA, CISSP, CISM, and CMMC-RP credentials. We start work within 24 hours of engagement or we credit your account $1,000.
In This Guide
- 01 What the CMMC Framework Requires
- 02 CMMC Compliance Levels Explained
- 03 CMMC Level 1 Checklist
- 04 CMMC Level 2 Checklist
- 05 Pre-Assessment Readiness Steps
- 06 Documentation Your Assessment Requires
- 07 How to Achieve CMMC Certification
- 08 Why Defense Contractors Choose Nexeris
- 09 Frequently Asked Questions
What the CMMC Framework Requires
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s framework for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Under the CMMC 2.0 final rule, contractors that process, store, or transmit this data on contractor information systems must maintain the CMMC status required by their DoD contract or subcontract before award, renewal, or option exercise when the clause applies.
The DoD CMMC program is being phased into contracts from 2025 through 2028, which means contractors in the Defense Industrial Base that handle FCI or CUI should be in motion now. Waiting until a contract requires a current CMMC status puts your bid at risk.
What Counts as CUI
CUI includes technical specifications, export-controlled data, defense procurement information, and other sensitive materials the government has designated for protection. If your company receives, generates, processes, stores, or transmits any of it on contractor information systems under a DoD contract or subcontract, evaluate the required CMMC status before assuming the work is out of scope.
Many subcontractors are surprised to learn they handle CUI without knowing it. Scoping your CUI environment is step one of every CMMC compliance checklist, and it shapes every decision that follows.
How CMMC Relates to NIST 800-171
CMMC Level 2 is built directly on the 110 security requirements for protecting CUI defined in NIST SP 800-171 Rev 2. If you have already been working toward NIST SP 800-171 compliance, your gap will be smaller, but CMMC adds verification, by a C3PAO for most CUI contracts, that those controls are implemented and working rather than merely self-reported.
The CMMC assessment process goes beyond self-reporting. A certified C3PAO assessor evaluates evidence of control performance, not just policy documentation.
CMMC Compliance Levels Explained
CMMC 2.0 has three compliance levels. Which level applies to your company depends on the type of information you handle and the contract requirements your primes or the DoD specify.
Level 1: Foundational
Level 1 covers FCI only and requires satisfying the 15 basic safeguarding requirements in FAR 52.204-21(b)(1). Government contractors at this level must self-assess annually and submit a compliance result to the Supplier Performance Risk System (SPRS), with senior-official affirmation. Some checklists show 17 Level 1 assessment rows because one FAR physical-protection requirement is split into three assessment phrases, but the official requirement count is 15.
Level 1 is the entry point for most smaller DoD contractors. It is not a reason to delay getting started, because the documentation and process habits built here feed directly into Level 2 readiness.
Level 2: Advanced
Level 2 covers CUI and requires meeting all 110 NIST SP 800-171 Rev 2 requirements, each evaluated against its assessment objectives in NIST SP 800-171A. For many contracts at this level, certification comes through a triennial assessment by a Certified Third-Party Assessor Organization (C3PAO), with annual senior-official affirmations submitted to SPRS in between. Some lower-sensitivity Level 2 contracts allow self-assessment instead.
Level 2 is where many CUI-handling defense contractors in the DIB are focused. It is also where most gaps, POA&Ms, and failed assessments occur. See our DFARS and CMMC compliance guidance for a deeper breakdown of what Level 2 requires alongside your DFARS obligations.
Level 3: Expert
Level 3 is reserved for contractors working on the most critical DoD programs. It requires Final Level 2 (C3PAO) status as a prerequisite, then adds 24 selected requirements from NIST SP 800-172 with DoD-approved parameters. Assessments at this level are conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a C3PAO.
Most commercial defense contractors will not need Level 3. If your contracting officer has not specified it, confirm whether the work requires Level 1 or Level 2 before investing further.
CMMC Level 1 Checklist
CMMC Level 1 contains 15 requirements from FAR 52.204-21(b)(1) and covers six control families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. The checklist below uses 17 assessment rows because FAR 52.204-21(b)(1)(ix) is split into three physical-protection assessment phrases. Each row must be implemented and verifiable. Self-attesting to something you cannot demonstrate evidence for is not compliance.
Access Control
- Limit information system access to authorized users, processes acting on behalf of authorized users, and devices
- Limit information system access to the types of transactions and functions authorized users are permitted to execute
- Verify and control connections to and use of external information systems
- Control information posted or processed on publicly accessible information systems
Identification and Authentication
- Identify information system users, processes acting on behalf of users, and devices
- Authenticate or verify the identities of those users, processes, or devices before allowing access to organizational systems
Media Protection
- Sanitize or destroy information system media containing FCI before disposal or release for reuse
Physical Protection
- Limit physical access to organizational systems, equipment, and operating environments to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices
System and Communications Protection
- Monitor, control, and protect organizational communications at external and key internal system boundaries
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity
- Identify, report, and correct system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Once all 15 Level 1 requirements are met across these assessment rows, complete the Level 1 self-assessment and submit the compliance result to SPRS with senior-official affirmation. Level 1 requires annual reassessment and does not permit POA&Ms. If your scope or compliance status materially changes, reassess before representing that your CMMC status remains current.
CMMC Level 2 Checklist
Level 2 compliance requires demonstrating all 110 NIST SP 800-171 Rev 2 requirements across 14 families. This section organizes the work by family so you can assess readiness by area and prioritize where gaps are highest-risk.
Access Control (AC): 22 Requirements
Scope who can reach what. Document every access policy and verify that technical controls enforce it. Review privileged user lists, remote access configurations, and least-privilege enforcement across all CUI systems.
Awareness and Training (AT): 3 Requirements
Train personnel on the security risks associated with their activities and on applicable policies and procedures. Train users to recognize and report potential indicators of insider threat. Maintain training completion records as evidence.
Audit and Accountability (AU): 9 Requirements
Create and retain audit logs sufficient to monitor, analyze, investigate, and report unlawful or unauthorized activity on systems that process or store CUI. Logs must be protected from unauthorized modification and retained for a defined period. Verify that your logging solution captures the events the assessment objectives require.
Configuration Management (CM): 9 Requirements
Maintain a documented baseline configuration for every CUI system. Control changes through a formal process and document deviations. Many contractors have informal configuration practices that will not pass the CM family under a C3PAO review.
Identification and Authentication (IA): 11 Requirements
Multifactor authentication is required for local and network access to privileged accounts and for network access to non-privileged accounts. Password management policies, authenticator lifecycle controls, and device identity are all evaluated here.
Incident Response (IR): 3 Requirements
Document your incident response plan and test it. DFARS 252.204-7012 requires rapidly reporting covered cyber incidents to DoD within 72 hours of discovery through the DoD-designated reporting process, using the credentials or certificates required by that process. Your IR plan must address that obligation explicitly. See our DFARS 7012 compliance services for full incident reporting guidance.
Maintenance (MA): 6 Requirements
All maintenance on CUI systems must be controlled and documented. Remote maintenance sessions must use secure mechanisms and be reviewed. Maintenance personnel without authorized access to CUI must be supervised.
Media Protection (MP): 9 Requirements
Mark all CUI media. Control access to it. Sanitize or destroy it before disposal. Many contractors underestimate how much CUI lives on portable media, printed documents, and decommissioned equipment.
Personnel Security (PS): 2 Requirements
Screen individuals before giving them access to CUI systems. Protect CUI during and after personnel actions including termination and role changes. These are short in count but easy to overlook in smaller organizations.
Physical Protection (PE): 6 Requirements
Physical access to systems that process CUI must be restricted to authorized personnel. Visitor access must be controlled and logged. Physical controls are often the fastest to remediate, but assessors take them seriously.
Risk Assessment (RA): 3 Requirements
Conduct periodic risk assessments of your CUI environment. Identify, evaluate, and document risks. Scan for vulnerabilities in systems and applications and remediate them in accordance with your risk assessment. The output feeds your POA&M and informs your SPRS score calculation.
Security Assessment (CA): 4 Requirements
Periodically assess your security controls and document findings. Develop a POA&M for any deficiencies. The CMMC assessment process will ask to see your CA work product. A missing or outdated assessment is a red flag for assessors.
System and Communications Protection (SC): 16 Requirements
Separate CUI from non-CUI systems architecturally where possible. Encrypt data in transit. Control network boundary traffic. This family is technically intensive and where many organizations discover the largest gaps.
System and Information Integrity (SI): 7 Requirements
Deploy and maintain malware protections. Monitor systems for security alerts and advisories. Patch known vulnerabilities within defined timeframes. SI controls are ongoing, not one-time implementations.
Pre-Assessment Readiness Steps
A CMMC self-assessment before a Level 2 C3PAO engagement is the only way to know your true readiness posture. Assessors do not coach you during the formal assessment. Gaps found during the official review become findings that affect CMMC status.
Scope Your CUI Environment
Define which systems, personnel, and locations touch CUI. This is your CMMC Assessment Scope. Everything in scope must meet all relevant requirements. Reducing scope before the assessment reduces both cost and complexity.
Calculate Your SPRS Score
For Level 2, your SPRS score is a numerical representation of your NIST SP 800-171 compliance posture, calculated under the DoD Assessment Methodology. Start with 110 points and subtract the point value (1, 3, or 5) of each requirement that is not fully implemented. Only two requirements earn partial credit: multifactor authentication (3.5.3) and FIPS-validated CUI encryption (3.13.11) each drop from a 5-point to a 3-point deduction when partially met. A missing System Security Plan (3.12.4) is not scored at all; without one, the assessment cannot be completed. Because the possible deductions add up to more than 110, the score can go negative. DFARS 252.204-7019 requires a current score, no more than three years old, to be on file in SPRS before many contracts can proceed. Learn more about how to run a CMMC self-assessment and SPRS score review before your formal engagement.
Build Your POA&M
A Plan of Action and Milestones documents eligible control gaps, the remediation steps planned, and the timeline for closing each gap. CMMC does not permit POA&Ms for Level 1. For Level 2, a POA&M supports Conditional status only when the assessment score is at least 88 out of 110 (0.8 × 110), every open item is a 1-point requirement (SC.L2-3.13.11 may remain open at 1 or 3 points when encryption is in place but not FIPS-validated), and none of AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, or PE.L2-3.10.5 is open. Level 3 POA&Ms are restricted in the same way to a score threshold and a limited set of eligible requirements. In either case, open items must be closed and verified in a POA&M closeout assessment within 180 days, or the Conditional status expires. A credible POA&M only helps when the open items are permitted under these rules.
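The scoring rule from the SPRS section above and the Level 2 POA&M eligibility conditions are easy to get wrong by hand, so here is an added example (not code from the original page or from Nexeris) that applies both to a set of self-assessment findings. The requirement identifiers are real NIST SP 800-171 numbers and the 88-point threshold and barred-requirement list come from 32 CFR 170.21, but the sample findings and the point values attached to them are constructed for illustration; take the real point value of each of the 110 requirements from Annex A of the DoD Assessment Methodology.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility check.

Added example, not code from the original page or from Nexeris. The findings
below are a constructed sample; take real point values from Annex A of the
DoD Assessment Methodology and statuses from your own self-assessment.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
# 32 CFR 170.21: Conditional Level 2 status needs a score of at least 0.8 x 110.
MINIMUM_POAM_SCORE = 88
# Requirements that may never be left open on a Level 2 POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# Without an SSP (3.12.4) the DoD Assessment Methodology says the assessment
# cannot be completed at all, so it is not scored like the other requirements.
SSP_REQUIREMENT = "3.12.4"


@dataclass(frozen=True)
class Finding:
    """One requirement that is not fully implemented.

    points is the deduction actually applied (1, 3 or 5). Two requirements
    allow partial credit under the methodology: 3.5.3 (MFA) drops from 5 to 3
    when MFA covers remote and privileged access but not general users, and
    3.13.11 drops from 5 to 3 when CUI is encrypted with cryptography that is
    not FIPS-validated.
    """
    req: str
    points: int

    def __post_init__(self):
        if self.points not in (1, 3, 5):
            raise ValueError(f"{self.req}: point value must be 1, 3 or 5")


def sprs_score(findings):
    """Start at 110 and subtract each open requirement's point value."""
    if any(f.req == SSP_REQUIREMENT for f in findings):
        raise ValueError("no System Security Plan: assessment cannot be completed")
    return TOTAL_REQUIREMENTS - sum(f.points for f in findings)


def poam_eligible(findings):
    """Return (eligible, reasons) for Conditional Level 2 status.

    All three conditions from 32 CFR 170.21 must hold: score >= 88, every open
    item worth 1 point (3.13.11 may stay open at 1 or 3), and none of the
    barred requirements open. reasons lists every violated condition.
    """
    reasons = []
    score = sprs_score(findings)
    if score < MINIMUM_POAM_SCORE:
        reasons.append(f"score {score} is below the {MINIMUM_POAM_SCORE} minimum")
    for f in findings:
        if f.req in POAM_BARRED:
            reasons.append(f"{f.req} may not be placed on a POA&M")
        elif f.req == "3.13.11":
            if f.points not in (1, 3):
                reasons.append("3.13.11 is eligible only at 1 or 3 points "
                               "(encryption in use but not FIPS-validated)")
        elif f.points > 1:
            reasons.append(f"{f.req} is a {f.points}-point requirement "
                           "and must be met before the assessment")
    return (not reasons, reasons)


# Constructed sample results (not real assessment data; point values assumed).
SAMPLE_READY = [Finding("3.1.3", 1), Finding("3.8.4", 1), Finding("3.13.11", 3)]
SAMPLE_NOT_READY = [Finding("3.1.1", 5), Finding("3.5.3", 3),
                    Finding("3.10.3", 1), Finding("3.13.11", 5)]

if __name__ == "__main__":
    for name, sample in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        ok, why = poam_eligible(sample)
        status = "possible" if ok else "not possible"
        print(f"{name}: score {sprs_score(sample)}, Conditional status {status}")
        for reason in why:
            print("  -", reason)
```

Run it as-is to see the two constructed cases: the first scores 105 and qualifies for Conditional status, the second still scores 96 (above the threshold) but is blocked on three separate grounds, which is the situation the paragraph above warns about: a passing score alone does not make a POA&M permissible.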
Identify a C3PAO
For Level 2 CUI contracts that require third-party certification, your assessment must come from a C3PAO authorized by the Cyber AB. Select your C3PAO early. Assessment slots book out, and choosing the wrong assessor wastes time and money.
Documentation Your Assessment Requires
CMMC assessments are evidence-based. Saying a control is implemented does not satisfy an assessor. The evidence does.
System Security Plan
For Level 2 and Level 3, the System Security Plan (SSP) is the foundational document of your CMMC compliance package. It describes your CUI environment, how each NIST 800-171 requirement is implemented, and who owns each requirement. A complete SSP also documents shared responsibilities with any cloud service providers in your environment. Download our free System Security Plan template to start yours today.
Policy and Procedure Documents
Each CMMC family requires documented policies that govern how your organization manages that family. Policies must be current, approved, and traceable to the controls they govern. Many organizations have policies that were written years ago and never updated to reflect operational practice.
Our free CMMC policy templates cover the core families and can be adapted to your specific environment. Do not submit boilerplate policies without tailoring them to your organization.
Evidence of Control Performance
Screenshots, configuration exports, log samples, training completion records, and vendor agreements are all forms of control evidence. Organize evidence by control before your assessment. Searching for it during the assessment window is a sign of poor readiness that assessors notice.
How to Achieve CMMC Certification
Most government contractors who struggle with CMMC do not have a knowledge problem. They have a time and bandwidth problem. The compliance process is genuine work that runs alongside the demands of operating a business.
Set against the alternative, the math is direct. A single mid-size DoD contract loss typically dwarfs the entire readiness investment, and option-year non-renewals compound that loss across multiple fiscal cycles.
The Three-Month Readiness Path
Nexeris delivers audit readiness in three months or less for most Level 2 engagements. Month one focuses on scoping and gap assessment. Month two closes technical control gaps and builds documentation. Month three runs a pre-assessment rehearsal and finalizes the evidence package. See the full process on our CMMC consulting services page.
What Happens During the C3PAO Assessment
A C3PAO assessment often runs two to four weeks, depending on scope and assessor schedule. Assessors review your SSP, interview control owners, inspect technical evidence, and conduct walkthroughs of your CUI environment. The result is a CMMC assessment record that can support Final Level 2 (C3PAO) status, Conditional Level 2 (C3PAO) status if eligible POA&M items remain, or a findings-driven remediation path if the requirements are not met. Read our detailed guide on how to pass your CMMC audit for a full walkthrough of what assessors look for.
Maintaining Compliance After Certification
Final Level 2 (C3PAO) CMMC status is current for three years when annual affirmations remain current and there are no changes that undermine compliance. The requirements behind it are continuous. Security controls must remain in place. Changes to your environment must be assessed against the CMMC framework. Annual senior-official affirmations and SPRS updates are required. A lapse in any of these post-assessment practices creates risk when renewal assessments occur.
Why Defense Contractors Choose Nexeris
Nexeris focuses exclusively on cybersecurity compliance for the U.S. defense industrial base. Our consultants have guided 35+ defense contractors through CMMC certification and hold active CISA, CISSP, CISM, and CMMC-RP credentials.
We offer four guarantees that no generalist IT firm can match. We start work within 24 hours or credit your account $1,000. If you fail your compliance audit on covered services, we credit you $5,000. You can cancel with 30 days’ notice and no fees. Unlimited consulting support for security incidents is included at no extra charge.
Most of our Level 2 engagements reach audit readiness in three months or less. We handle the SSP, the policy documents, the evidence gathering, and the pre-assessment rehearsal. You keep running your business while we manage the compliance process. Visit our CMMC compliance services page to see the full scope of what we offer.
Frequently Asked Questions
What is required for CMMC compliance?
CMMC compliance requirements depend on the CMMC status your contract requires. Level 1 requires 15 FAR 52.204-21 safeguarding requirements, annual self-assessment, a compliance result in SPRS, and senior-official affirmation. Level 2 requires all 110 NIST SP 800-171 Rev 2 requirements and either self-assessment or, for many CUI contracts, a third-party C3PAO assessment. Level 3 requires Final Level 2 (C3PAO) status first and adds 24 selected NIST SP 800-172 requirements assessed by DCMA DIBCAC.
The foundation of CMMC compliance is demonstrating that security controls are working in practice, not just documented in policy. Level 1 does not allow POA&Ms. Level 2 and Level 3 POA&Ms are limited and must be closed within 180 days if used to support Conditional CMMC Status.
How much does a CMMC assessment cost?
C3PAO assessment costs for Level 2 commonly range from $35,000 to $120,000 depending on the size of your CUI environment, number of assets in scope, and the assessor you select. Larger environments with complex networks and more personnel in scope will cost more. This is a planning estimate, not a regulatory fee schedule.
Pre-assessment consulting to get you ready for the C3PAO engagement is a separate cost. Working with a CMMC consulting firm before the formal assessment reduces the risk of findings that delay certification and drive up total cost.
Is CMMC compliance difficult?
CMMC compliance is not technically complex for most defense contractors, but it is operationally demanding. The difficulty comes from the volume of documentation required, the number of controls that must be implemented and verified simultaneously, and the ongoing maintenance required after certification.
Most organizations that struggle with CMMC do so because they are trying to manage it alongside day-to-day operations without dedicated compliance bandwidth. Working with a specialized CMMC consulting firm compresses the timeline and reduces the internal resource burden significantly.
How do you check if a company is CMMC compliant?
SPRS is the official system for CMMC Level 1 and Level 2 self-assessment results, affirmations, and CMMC status review. Prime contractors can request appropriate proof of a subcontractor’s required CMMC status as part of their supply chain compliance review. For Level 2 C3PAO assessments and Level 3 DIBCAC assessments, the assessment results are transmitted through the official CMMC reporting process and reflected for DoD review in SPRS.
If you are a prime contractor reviewing subcontractor compliance, request the CMMC status or SPRS information appropriate to the subcontract requirement, plus supporting documentation such as a current SSP when Level 2 applies. A score or status claim without supporting documentation is not sufficient for a thorough supply chain security review.
What is the difference between CMMC Level 1 and Level 2?
Level 1 covers FCI and requires 15 FAR safeguarding requirements, assessed annually through self-assessment with results submitted to SPRS. Some checklists show 17 assessment rows because one FAR physical-protection requirement is split into three assessment phrases. Level 2 covers CUI and requires all 110 NIST SP 800-171 Rev 2 security requirements. For many Level 2 contracts, a certified third-party C3PAO assessment is required rather than self-attestation.
The compliance process, documentation requirements, and resource investment are substantially higher for Level 2. Most defense contractors handling CUI will need Level 2, which is why CMMC consulting support is most commonly sought at that level.
What is a CMMC self-assessment and when is it required?
A CMMC self-assessment is a formal evaluation of your organization’s compliance against the requirements for the applicable CMMC level. Level 1 self-assessment produces a compliance result submitted to SPRS with senior-official affirmation. Level 2 self-assessment scores the 110 NIST SP 800-171 Rev 2 requirements on the 110-point SPRS scale, where deductions for unmet requirements can take the score below zero. Some Level 2 contracts allow self-assessment instead of a C3PAO assessment, depending on the sensitivity of the program.
The self-assessment should be treated as a formal audit, not an internal scoring exercise. Inflating your SPRS score is a False Claims Act risk. Run the assessment against your actual environment with documentation to back every score.
How long does CMMC compliance take?
The timeline depends on where you are starting from. Organizations with an existing NIST 800-171 program and current documentation can reach Level 2 audit readiness in three months. Organizations starting from scratch with significant gaps typically need six to twelve months before they are ready for a C3PAO assessment.
The C3PAO assessment itself takes two to four weeks from kickoff. Factor in assessor availability when planning your timeline, as slots book out months in advance for high-demand C3PAOs.
What happens if you fail a CMMC assessment?
If a CMMC assessment identifies requirements that are not met, the outcome depends on the level and the gaps. Eligible Level 2 or Level 3 gaps may support Conditional CMMC Status with a POA&M and a 180-day closeout requirement. Ineligible gaps, expired conditional status, or failure to meet the minimum score require remediation and reassessment before Final CMMC Status. Depending on contract requirements, this can affect active contract performance and future bid eligibility.
Nexeris provides a $5,000 credit if a client fails their compliance audit on covered services. We back our work because we run a comprehensive pre-assessment rehearsal before any C3PAO engagement.
