CMMC Compliance Checklist β CMMC Level 2 Self-Assessment Guide
A comprehensive, open-source CMMC compliance checklist for defense contractors and organizations in the Defense Industrial Base (DIB) preparing for CMMC Level 2 certification. This checklist covers all 110 security requirements from NIST SP 800-171 Rev. 2, organized by control family with implementation guidance and assessment tips.
Maintained by Petronella Technology Group β A cybersecurity and compliance firm based in Raleigh, NC with 23+ years of experience helping organizations achieve and maintain compliance. For professional CMMC assessment and implementation services, visit our CMMC Compliance page.
Table of Contents
- What is CMMC?
- Who Needs CMMC Compliance?
- CMMC 2.0 Levels Overview
- How to Use This Checklist
- CMMC Level 2 Checklist by Control Family
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- CMMC Assessment Preparation Tips
- Scoring Your Self-Assessment
- Common CMMC Compliance Gaps
- CMMC Timeline and Deadlines
- Additional Resources
- About
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors implement adequate cybersecurity practices to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 2.0 streamlined the original five-level model into three levels, with Level 2 aligning directly to the 110 security requirements in NIST SP 800-171 Rev. 2.
Under the CMMC 2.0 Final Rule (32 CFR Part 170), defense contractors handling CUI must achieve CMMC Level 2 certification through either a self-assessment or a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO), depending on the sensitivity of the CUI involved.
Who Needs CMMC Compliance?
CMMC compliance is required for:
- Prime contractors holding DoD contracts involving CUI
- Subcontractors at any tier who handle, process, store, or transmit CUI
- IT service providers (MSPs/MSSPs) supporting defense contractors
- Cloud service providers hosting CUI for DIB organizations
- Manufacturers and suppliers in the defense supply chain
If your organization has a DFARS 252.204-7012 clause in any contract, you are expected to comply with NIST SP 800-171 and will eventually need CMMC certification.
CMMC 2.0 Levels Overview
| Level | Name | Requirements | Assessment Type |
|---|---|---|---|
| Level 1 | Foundational | 17 practices (FAR 52.204-21) | Annual self-assessment |
| Level 2 | Advanced | 110 requirements (NIST SP 800-171) | Self-assessment or C3PAO assessment |
| Level 3 | Expert | 110+ requirements (NIST SP 800-172) | Government-led assessment (DIBCAC) |
This checklist focuses on CMMC Level 2, which is the most common requirement for defense contractors handling CUI.
How to Use This Checklist
- Download or fork this repository
- Work through each control family systematically
- Mark each requirement as Implemented, Partially Implemented, Planned, or Not Applicable
- Document evidence for each implemented control (policies, screenshots, configurations)
- Create POA&Ms (Plans of Action and Milestones) for any gaps
- Calculate your SPRS score using the scoring methodology in NIST SP 800-171A
- Submit your score to the Supplier Performance Risk System (SPRS)
For a downloadable CSV version of this checklist, see cmmc-level2-checklist.csv.
CMMC Level 2 Checklist by Control Family
Access Control (AC)
The Access Control family contains 22 requirements focused on limiting system access to authorized users, processes, and devices.
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 1 | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) | [ ] |
| 2 | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute | [ ] |
| 3 | 3.1.3 | Control the flow of CUI in accordance with approved authorizations | [ ] |
| 4 | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion | [ ] |
| 5 | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts | [ ] |
| 6 | 3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions | [ ] |
| 7 | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs | [ ] |
| 8 | 3.1.8 | Limit unsuccessful logon attempts | [ ] |
| 9 | 3.1.9 | Provide privacy and security notices consistent with applicable CUI rules | [ ] |
| 10 | 3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity | [ ] |
| 11 | 3.1.11 | Terminate (automatically) a user session after a defined condition | [ ] |
| 12 | 3.1.12 | Monitor and control remote access sessions | [ ] |
| 13 | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions | [ ] |
| 14 | 3.1.14 | Route remote access via managed access control points | [ ] |
| 15 | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information | [ ] |
| 16 | 3.1.16 | Authorize wireless access prior to allowing such connections | [ ] |
| 17 | 3.1.17 | Protect wireless access using authentication and encryption | [ ] |
| 18 | 3.1.18 | Control connection of mobile devices | [ ] |
| 19 | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | [ ] |
| 20 | 3.1.20 | Verify and control/limit connections to and use of external systems | [ ] |
| 21 | 3.1.21 | Limit use of portable storage devices on external systems | [ ] |
| 22 | 3.1.22 | Control CUI posted or processed on publicly accessible systems | [ ] |
Implementation Tips: - Deploy a centralized identity management solution (Active Directory, Azure AD, or equivalent) - Implement role-based access control (RBAC) across all systems in the CUI boundary - Configure account lockout policies (e.g., 3-5 failed attempts, 15-30 minute lockout) - Enable screen lock timeout at 15 minutes or less for all workstations - Use FIPS-validated encryption (AES-256) for all remote access (VPN, RDP) - Maintain an access control policy document reviewed at least annually
Awareness and Training (AT)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 23 | 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems | [ ] |
| 24 | 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities | [ ] |
| 25 | 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat | [ ] |
Implementation Tips: - Conduct security awareness training within 30 days of hire and at least annually thereafter - Include phishing simulation exercises as part of the training program - Document all training activities with dates, attendees, and topics covered - Cover topics: social engineering, phishing, password hygiene, physical security, CUI handling, incident reporting
Audit and Accountability (AU)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 26 | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | [ ] |
| 27 | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions | [ ] |
| 28 | 3.3.3 | Review and update logged events | [ ] |
| 29 | 3.3.4 | Alert in the event of an audit logging process failure | [ ] |
| 30 | 3.3.5 | Correlate audit record review, analysis, and reporting processes to support organizational processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity | [ ] |
| 31 | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting | [ ] |
| 32 | 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records | [ ] |
| 33 | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion | [ ] |
| 34 | 3.3.9 | Limit management of audit logging functionality to a subset of privileged users | [ ] |
Implementation Tips: - Deploy a SIEM solution for centralized log collection and analysis - Enable audit logging on all systems within the CUI boundary (Windows Event Logs, syslog, application logs) - Configure NTP synchronization across all systems - Retain audit logs for a minimum of 90 days online, 1 year archived - Review logs at least weekly for anomalous activity
Configuration Management (CM)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 35 | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles | [ ] |
| 36 | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems | [ ] |
| 37 | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems | [ ] |
| 38 | 3.4.4 | Analyze the security impact of changes prior to implementation | [ ] |
| 39 | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems | [ ] |
| 40 | 3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities | [ ] |
| 41 | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services | [ ] |
| 42 | 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software | [ ] |
| 43 | 3.4.9 | Control and monitor user-installed software | [ ] |
Implementation Tips: - Use CIS Benchmarks or DISA STIGs as baseline configurations - Implement a formal change management process with documented approvals - Maintain a current hardware and software inventory (updated at least quarterly) - Disable unnecessary services, ports, and protocols on all systems - Consider application whitelisting for systems processing CUI
Identification and Authentication (IA)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 44 | 3.5.1 | Identify system users, processes acting on behalf of users, and devices | [ ] |
| 45 | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems | [ ] |
| 46 | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | [ ] |
| 47 | 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | [ ] |
| 48 | 3.5.5 | Prevent reuse of identifiers for a defined period | [ ] |
| 49 | 3.5.6 | Disable identifiers after a defined period of inactivity | [ ] |
| 50 | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created | [ ] |
| 51 | 3.5.8 | Prohibit password reuse for a specified number of generations | [ ] |
| 52 | 3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password | [ ] |
| 53 | 3.5.10 | Store and transmit only cryptographically-protected passwords | [ ] |
| 54 | 3.5.11 | Obscure feedback of authentication information | [ ] |
Implementation Tips: - Deploy MFA for all user accounts (hardware tokens, authenticator apps, or push notifications) - Set minimum password length to 14+ characters per current NIST guidance - Disable accounts after 90 days of inactivity - Prohibit reuse of at least the last 24 passwords - Use FIPS 140-2 validated cryptographic modules for password storage
Incident Response (IR)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 55 | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities | [ ] |
| 56 | 3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization | [ ] |
| 57 | 3.6.3 | Test the organizational incident response capability | [ ] |
Implementation Tips: - Develop a written incident response plan (see our Incident Response Plan Template) - Designate an incident response team with defined roles and responsibilities - Conduct tabletop exercises at least annually - Know your reporting obligations: DFARS requires reporting cyber incidents to DIBNet within 72 hours - Document all incidents, actions taken, and lessons learned
Maintenance (MA)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 58 | 3.7.1 | Perform maintenance on organizational systems | [ ] |
| 59 | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance | [ ] |
| 60 | 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI | [ ] |
| 61 | 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems | [ ] |
| 62 | 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete | [ ] |
| 63 | 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization | [ ] |
Media Protection (MP)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 64 | 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital | [ ] |
| 65 | 3.8.2 | Limit access to CUI on system media to authorized users | [ ] |
| 66 | 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse | [ ] |
| 67 | 3.8.4 | Mark media with necessary CUI markings and distribution limitations | [ ] |
| 68 | 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas | [ ] |
| 69 | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards | [ ] |
| 70 | 3.8.7 | Control the use of removable media on system components | [ ] |
| 71 | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner | [ ] |
| 72 | 3.8.9 | Protect the confidentiality of backup CUI at storage locations | [ ] |
Personnel Security (PS)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 73 | 3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI | [ ] |
| 74 | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | [ ] |
Physical Protection (PE)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 75 | 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals | [ ] |
| 76 | 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems | [ ] |
| 77 | 3.10.3 | Escort visitors and monitor visitor activity | [ ] |
| 78 | 3.10.4 | Maintain audit logs of physical access | [ ] |
| 79 | 3.10.5 | Control and manage physical access devices | [ ] |
| 80 | 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites | [ ] |
Risk Assessment (RA)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 81 | 3.11.1 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI | [ ] |
| 82 | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified | [ ] |
| 83 | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments | [ ] |
Implementation Tips: - Conduct vulnerability scans at least monthly (internal and external) - Perform a comprehensive risk assessment at least annually - Remediate critical and high vulnerabilities within 30 days - Maintain a risk register and track remediation progress
Security Assessment (CA)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 84 | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application | [ ] |
| 85 | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems | [ ] |
| 86 | 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls | [ ] |
| 87 | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems | [ ] |
Implementation Tips: - Develop a System Security Plan (SSP) that documents your CUI boundary and all 110 controls - Create POA&Ms for all non-compliant controls with realistic remediation timelines - Review and update the SSP at least annually or after significant changes - Conduct internal security assessments at least annually
System and Communications Protection (SC)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 88 | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems | [ ] |
| 89 | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems | [ ] |
| 90 | 3.13.3 | Separate user functionality from system management functionality | [ ] |
| 91 | 3.13.4 | Prevent unauthorized and unintended information transfer via shared system resources | [ ] |
| 92 | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | [ ] |
| 93 | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception) | [ ] |
| 94 | 3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling) | [ ] |
| 95 | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards | [ ] |
| 96 | 3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity | [ ] |
| 97 | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | [ ] |
| 98 | 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | [ ] |
| 99 | 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | [ ] |
| 100 | 3.13.13 | Control and monitor the use of mobile code | [ ] |
| 101 | 3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies | [ ] |
| 102 | 3.13.15 | Protect the authenticity of communications sessions | [ ] |
| 103 | 3.13.16 | Protect the confidentiality of CUI at rest | [ ] |
System and Information Integrity (SI)
| # | Requirement ID | Requirement | Status |
|---|---|---|---|
| 104 | 3.14.1 | Identify, report, and correct system flaws in a timely manner | [ ] |
| 105 | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems | [ ] |
| 106 | 3.14.3 | Monitor system security alerts and advisories and take action in response | [ ] |
| 107 | 3.14.4 | Update malicious code protection mechanisms when new releases are available | [ ] |
| 108 | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed | [ ] |
| 109 | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks | [ ] |
| 110 | 3.14.7 | Identify unauthorized use of organizational systems | [ ] |
Implementation Tips: - Deploy endpoint detection and response (EDR) on all endpoints within the CUI boundary - Enable automatic updates for operating systems and applications - Subscribe to vulnerability feeds (CISA, vendor advisories) - Patch critical vulnerabilities within 14 days of release - Monitor network traffic with IDS/IPS at boundary points
CMMC Assessment Preparation Tips
Before Your Assessment
- Define your CUI boundary β Know exactly where CUI enters, is processed, stored, and exits your environment
- Complete your SSP β The System Security Plan is the single most important document for your assessment
- Prepare evidence binders β Organize evidence for each of the 110 requirements (policies, configurations, screenshots, logs)
- Conduct a mock assessment β Walk through every control as if a C3PAO assessor were asking the questions
- Train your staff β Everyone in the CUI boundary should understand their role in protecting CUI
- Update your SPRS score β Ensure your current score is accurately reported
Common Evidence Types
| Evidence Type | Examples |
|---|---|
| Policies | Access Control Policy, Incident Response Policy, System Security Plan |
| Procedures | Account provisioning procedures, change management procedures |
| Technical | Firewall rules, GPO screenshots, SIEM dashboards, MFA configuration |
| Records | Training records, audit logs, vulnerability scan reports, incident reports |
| Plans | POA&Ms, contingency plans, configuration management plans |
Scoring Your Self-Assessment
CMMC Level 2 self-assessments use the NIST SP 800-171 DoD Assessment Methodology:
- Maximum score: 110 (all requirements fully implemented)
- Each requirement starts at the value assigned in the methodology (1, 3, or 5 points)
- Deductions are taken for unimplemented or partially implemented requirements
- POA&Ms can be used for some requirements but your score reflects the current state
- Your score must be submitted to SPRS (Supplier Performance Risk System)
A score of 110 means full compliance. Most organizations initially score between 50-80 and must remediate gaps before certification.
Common CMMC Compliance Gaps
Based on industry experience, these are the most frequently observed gaps during CMMC assessments:
- Multifactor Authentication (3.5.3) β MFA not deployed for all accounts, especially non-privileged network access
- Audit Log Review (3.3.5) β Logs collected but not regularly reviewed or correlated
- FIPS-Validated Encryption (3.13.11) β Using encryption that is not FIPS 140-2 validated
- CUI Boundary Definition β Scope is too broad or too narrow, or data flows are not well documented
- System Security Plan β SSP is incomplete, outdated, or does not reflect actual implementation
- Vulnerability Management (3.11.2) β Scans not performed regularly, or remediation timelines not met
- Media Protection (3.8.3) β No documented process for sanitizing media before disposal
- Security Awareness Training (3.2.1) β Training is generic and does not cover CUI-specific handling
- Incident Response Testing (3.6.3) β No evidence of tabletop exercises or incident response drills
- Configuration Baselines (3.4.1) β No documented baseline configurations or system inventory
CMMC Timeline and Deadlines
The CMMC 2.0 Final Rule was published in October 2024, with a phased implementation:
- Phase 1 (starting 2025): CMMC Level 1 self-assessments and Level 2 self-assessments appear in contracts
- Phase 2 (starting 2026): Level 2 C3PAO assessments begin appearing in contracts
- Phase 3 (starting 2027): Level 3 requirements appear in contracts
- Phase 4 (starting 2028): Full implementation across all applicable contracts
Organizations should begin preparation now, as remediation typically takes 6-18 months depending on the current security posture.
Additional Resources
Official Sources
- NIST SP 800-171 Rev. 2 β The source requirements for CMMC Level 2
- NIST SP 800-171A β Assessment procedures
- CMMC Program Website β Official DoD CMMC program page
- SPRS Portal β Submit your self-assessment score
- Cyber AB (The Accreditation Body) β Find C3PAOs and registered practitioners
Related Open-Source Resources
- NIST 800-171 Controls Matrix β Detailed controls mapping with cross-references
- Incident Response Plan Template β Free IR plan template for CMMC compliance
Professional CMMC Services
For organizations that need expert guidance on their CMMC compliance journey, Petronella Technology Group provides:
- CMMC readiness assessments and gap analysis
- System Security Plan (SSP) development
- POA&M development and remediation support
- Managed security services for ongoing compliance
- CMMC assessment preparation and evidence gathering support
- CUI boundary scoping and network architecture review
Visit petronellatech.com/compliance/cmmc/ to learn more about our CMMC compliance services.
β οΈ Why Most DIY CMMC Assessments Fail
Self-assessment is a valuable starting point, but the #1 reason defense contractors lose contracts is incomplete or incorrect CMMC documentation. Common mistakes we see:
- Scoping errors β Failing to identify all systems that process CUI, leaving entire segments unassessed
- Insufficient evidence β Checking a box without artifacts that a C3PAO assessor will accept
- POA&M overuse β Treating Plan of Action & Milestones as a workaround instead of a remediation plan
- SSP gaps β System Security Plans that describe intent rather than implemented controls
- Inherited controls confusion β Assuming cloud provider controls satisfy your requirements without verifying shared responsibility
83% of organizations that attempt CMMC Level 2 without professional guidance require a second assessment attempt β costing months of delays and tens of thousands in additional fees.
π Need Help Getting CMMC Certified?
This checklist tells you what to do. We help you actually do it β correctly, the first time.
Petronella Technology Group has helped defense contractors across North Carolina and the Eastern U.S. achieve CMMC compliance since the framework's inception. As a Registered Practitioner Organization (RPO), we provide:
| Service | What You Get |
|---|---|
| Free Gap Assessment | 60-minute call to identify your biggest compliance gaps |
| CMMC Readiness Package | SSP, POA&M, CUI boundary scoping, evidence collection |
| Managed Compliance | Ongoing monitoring, annual reviews, assessment prep |
| CUI Enclave Deployment | Isolated infrastructure purpose-built for CUI handling |
β Schedule a Free CMMC Gap Assessment | Call (919) 422-8500
"We went from zero documentation to assessment-ready in 90 days. Petronella's team knew exactly what the C3PAO would look for." β Defense contractor, Fayetteville NC
About
This CMMC compliance checklist is maintained by Petronella Technology Group, a cybersecurity and IT compliance firm headquartered in Raleigh, North Carolina. Founded in 2002, Petronella Technology Group has over 23 years of experience helping organizations in the Defense Industrial Base achieve and maintain compliance with CMMC, NIST, HIPAA, and other regulatory frameworks.
Other Compliance Resources
- HIPAA Security Risk Assessment Template
- NIST 800-171 Controls Matrix
- Incident Response Plan Template
- Cybersecurity Awareness Training Materials
This checklist is provided for informational purposes and should not be considered legal or compliance advice. Organizations should consult with qualified CMMC compliance professionals and legal counsel for their specific situation. This checklist is based on NIST SP 800-171 Rev. 2 and CMMC 2.0 requirements as of 2026.
Licensed under CC-BY-SA-4.0. Contributions welcome β see CONTRIBUTING.md.