CMMC Compliance Checklist: Your Essential Guide to CMMC 2.0 Compliance
A step-by-step CMMC 2.0 compliance checklist covering all 110 controls, certification levels, and evidence requirements for Level 2 certification.
TL;DR: A CMMC compliance checklist for 2026 must account for more than the 110 controls in NIST SP 800-171. With Phase 2 enforcement mandatory from November 10, 2026, organizations across the Defense Industrial Base need a clear picture of their certification level, domain requirements, and evidence obligations before a C3PAO assessment arrives.
When organizations do business with the federal government, they often create or handle sensitive data. To keep this data secure, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is mandatory for companies in the Defense Industrial Base (DIB) and those seeking a DoD contract.
CMMC was updated to version 2.0 in 2021, codified in 32 CFR Part 170, which took effect on December 16, 2024. The acquisition rule that operationalizes it through DFARS became effective November 10, 2025.
CMMC 2.0 compliance is a condition of DoD contract eligibility, not a voluntary standard. Organizations subject to DFARS 252.204-7021 must meet their required certification level before contract award.
This CMMC compliance checklist covers the key requirements for version 2.0 and can help your organization get started on the path to certification.
What Is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the DoD's framework for verifying that defense contractors have implemented the cybersecurity controls required to protect Controlled Unclassified Information (CUI). Operationalized through DFARS 252.204-7021 (effective November 10, 2025), it is a condition of contract award, not a voluntary standard.
Two terms govern scope across the entire CMMC framework. The distinction between them determines which certification level applies to your organization.
- CUI (Controlled Unclassified Information): This is information that the government creates or possesses, or that an entity creates or possesses on behalf of the government, that a government law, regulation, or policy requires or permits an agency to handle using protective or disclosure controls.
- FCI (Federal Contract Information): This is information, not intended for public release, that is provided or generated for the government under a contract to develop or deliver a product or service to the government, but does not include information provided by the government to the public.
The distinction between the two data types matters because it determines where your organization sits within the three-level certification structure.
Who needs CMMC certification?
CMMC applies primarily to organizations within the DIB, which includes over 300,000 businesses and universities involved in the production of equipment and capabilities for the U.S. Armed Forces.
- Prime contractors: Must comply with CMMC requirements and ensure their supply chain meets applicable certification levels before contract award.
- Subcontractors: Must independently achieve their own certification. Certification cannot be inherited through a prime.
- Engineering and technical staff: Subject to CMMC requirements if they handle FCI or CUI under a DoD contract.
- Supply chain and R&D entities: Must achieve the appropriate certification level if they participate in DoD programs and handle regulated data.
The required CMMC level is specified by the DoD in each Request for Information (RFI) and Request for Proposals (RFP).
What are the objectives of CMMC compliance?
CMMC compliance exists to ensure that DIB contractors handle CUI securely, including data that flows to subcontractors throughout the supply chain.
The framework is not simply a checklist to complete before a contract award. It establishes a continuous standard for how organizations manage, protect, and account for sensitive government information.
- Protect sensitive information through appropriate cybersecurity practices, often employing a "trust but verify" model aligned with the CMMC controls list
- Continuously strengthen existing cybersecurity practices to keep pace with the evolving threat landscape
- Ensure accountability throughout the organization so that errors can be identified and resolved
- Facilitate compliance with DoD requirements
- Foster a collaborative culture that prioritizes cybersecurity and cyber resilience
- Maintain public trust through the highest standards of professionalism, ethics, and transparency
The CMMC aligns with NIST SP 800-171 and NIST SP 800-172, so organizations seeking certification should familiarize themselves with those standards and carefully review the full controls list before beginning their compliance program.
CMMC compliance levels
Your CMMC certification level determines which DoD contracts your organization is eligible to bid on and hold. CMMC 2.0 defines three levels, each with distinct requirements.
Level 1, Foundational
Applies to organizations that handle FCI but not CUI, where that data is not critical to national security. Certification requires adherence to 17 cybersecurity practices derived from FAR 52.204-21, demonstrated through an annual self-assessment. Any DIB organization that possesses FCI must achieve Level 1 at minimum.
Level 2, Advanced
Applies to organizations that handle CUI. Certification requires implementing all 110 security practices specified in NIST SP 800-171 Rev 2 and undergoing triennial assessment by a C3PAO. Some Level 2 organizations may qualify for triennial self-assessment depending on program sensitivity. Level 2 is where the majority of DIB organizations operate.
Level 3, Expert
Applies to organizations engaged in high-priority DoD programs where CUI faces risk from advanced persistent threats (APTs). Certification requires implementing all 110 NIST SP 800-171 practices plus additional enhanced practices from NIST SP 800-172 and undergoing triennial assessment conducted by the government directly, not by a C3PAO. Level 2 certification is a prerequisite for Level 3.
See how Netwrix Auditor maps to CMMC Level 2 control requirements across the AC and AU domains.
CMMC Domains and Practices
CMMC 2.0 organizes all cybersecurity requirements across 14 domains derived from NIST SP 800-171. Every one of the 110 controls required at Level 2 falls within one of these domains. The practices required within each domain scale with certification level.
The 14 domains and their control counts at Level 2 are as follows.
- Access Control (AC): 22 controls
- Awareness and Training (AT): 3 controls
- Audit and Accountability (AU): 9 controls
- Configuration Management (CM): 9 controls
- Identification and Authentication (IA): 11 controls
- Incident Response (IR): 3 controls
- Maintenance (MA): 6 controls
- Media Protection (MP): 9 controls
- Personnel Security (PS): 2 controls
- Physical Protection (PE): 6 controls
- Risk Assessment (RA): 3 controls
- Security Assessment (CA): 4 controls
- System and Communications Protection (SC): 16 controls
- System and Information Integrity (SI): 7 controls
Access Control carries the highest number of controls at Level 2 and receives the most scrutiny during C3PAO assessments.
System and Communications Protection is the domain most commonly associated with Conditional certification status, primarily due to FIPS-validated encryption requirements.
Organizations building a remediation plan should prioritize these two domains alongside Audit and Accountability, which governs individual user traceability across all CUI systems.
How to prepare for and complete CMMC Level 2 certification
The seven steps below reflect how real compliance programs run: from scoping through internal readiness and the C3PAO assessment itself. Each step builds on the previous one.
Organizations that skip ahead, starting with control implementation before scoping is confirmed, routinely discover that their evidence does not map to the correct assessment boundary.
Step 1: Scope Your CUI Environment
Every subsequent step depends on the accuracy of the scoping phase. Begin by mapping actual CUI data flows: where CUI enters your environment, how it moves internally, and where it exits.
The DoD CMMC Scoping Guide Level 2 defines five asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Scoping errors are among the most frequently cited causes of assessment failure.
The decision between scoping your entire enterprise or defining a CUI enclave has the largest impact on both certification cost and implementation complexity.
Enclave scoping limits the assessment boundary to systems that directly handle CUI, which can reduce cost and effort significantly, but requires strict controls on how data flows between the enclave and the broader environment.
Step 2: Run Your Gap Assessment and Establish Your SPRS Baseline
With scope confirmed, assess your implementation of all 110 NIST SP 800-171 security requirements against the full set of assessment objectives in the DoD CMMC Assessment Guide Level 2.
This generates your NIST SP 800-171 assessment score, which must be submitted to the Supplier Performance Risk System (SPRS). The score must accurately reflect actual posture. An inflated score carries greater legal exposure than a low but accurate one.
Key evidence artifacts required at this stage include a current policy library, network architecture diagrams, an asset inventory, your gap assessment report, and SPRS submission confirmation.
Step 3: Build Your SSP and POA&M
The System Security Plan (SSP) is the primary document a C3PAO uses as its assessment roadmap. An absent or out-of-date SSP can cause an assessment to be terminated before it begins.
The SSP must cover all mandatory sections including scope, assessment boundary, the operating environment, non-applicable requirements, implementation methods, external connections, and update frequency.
Assign a named control owner to each of the 110 controls, and designate the Affirming Official before the SSP is finalized.
The POA&M documents controls that are not yet fully implemented. Two constraints govern it: the assessment score must be at least 80% to qualify for Conditional certification status, and the closeout deadline is 180 days with no extensions available.
Step 4: Implement the 110 Controls, Starting Where Assessors Focus Most
Four domains carry the highest assessment scrutiny and the most commonly failed evidence requirements.
- Access Control (AC): Key requirements include role-based access control with documented periodic access reviews, least privilege enforcement with separate non-privileged accounts, multi-factor authentication for all remote access through managed control points, and CUI encryption on mobile devices.
- Audit and Accountability (AU): Key requirements include centralized audit log management from all CUI systems, individual user traceability for every action taken, time synchronization with an authoritative source, and protection of audit data from unauthorized modification.
- Configuration Management (CM): Produces the most commonly missing C3PAO artifact, the documented baseline configuration. Key requirements include baselines enforced against recognized benchmarks, formal change control with security impact analysis, and deny-all/permit-by-exception policies for software execution.
- Incident Response (IR): Key requirements of incident response include a documented IR plan covering the full incident lifecycle, tested IR capability through tabletop exercises, and secure, tested backups with verified restoration capability.
The remaining ten domains carry lower individual scrutiny but contribute cumulative point weight. A borderline score can fall below the 80% POA&M threshold through unaddressed gaps in lower-scrutiny domains such as Personnel Security, Physical Protection, or Maintenance.
Step 5: Map Every Control to Assessment-Ready Evidence
C3PAO assessments rely on verifiable evidence, not verbal explanations or documentation of intent. Evidence must span four layers across all domains: policy, configuration, monitoring, and operational records.
All artifacts should be retained for the full record-retention period defined by DoD, currently interpreted as at least six years from the CMMC Status Date.
Three Access Control domain examples illustrate the evidence standard.
- 3.1.1 (Limit system access to authorized users): Implementation is role-based access control with named groups and automated deprovisioning. Required artifacts are access review reports and group membership change logs.
- 3.1.5 (Enforce least privilege): Implementation is just-in-time privilege elevation with no persistent administrative accounts. Required artifacts are privileged access request logs and session recordings.
- 3.1.12 (Monitor remote access sessions): Implementation is VPN with MFA and full session logging. Required artifacts are VPN logs and MFA event records.
Apply this four-layer evidence pattern across all 14 domains before your C3PAO assessment begins.
Step 6: Internal Pre-Assessment Before Engaging a C3PAO
Run an internal readiness assessment mirroring C3PAO methods against all assessment objectives. Validate that every SSP control statement has traceable, dated evidence. Confirm that control owners can walk assessors through the full evidence chain without preparation.
Compile an evidence index mapping all 110 controls to artifacts, file locations, and stored records, then update the SSP, POA&M, and SPRS score to reflect current posture.
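A readiness check over the evidence index described in Steps 5 and 6, gated by the 80% Conditional threshold and 180-day POA&M closeout from Step 3. This is an added example, not the page's or Netwrix's own code; the index contents, file paths, dates, the choice of the status date as the start of the 180 days, and the unweighted scoring are constructed assumptions.

```python
from datetime import date, timedelta

LAYERS = ("policy", "configuration", "monitoring", "operational")  # four layers from Step 5
CONDITIONAL_THRESHOLD = 0.80  # minimum score for Conditional status (Step 3)
POAM_CLOSEOUT_DAYS = 180      # POA&M closeout window, no extensions (Step 3)

# Constructed sample evidence index; statuses, paths and dates are hypothetical.
EVIDENCE_INDEX = {
    "3.1.1": {"status": "Met", "artifacts": [
        {"layer": "policy", "path": "policies/access-control.pdf", "dated": "2025-09-01"},
        {"layer": "configuration", "path": "exports/ad-group-membership.csv", "dated": "2025-12-03"},
        {"layer": "monitoring", "path": "logs/group-change-log.txt", "dated": "2026-01-10"},
        {"layer": "operational", "path": "reviews/q4-access-review.xlsx", "dated": "2025-12-20"},
    ]},
    "3.1.5": {"status": "Met", "artifacts": [  # claimed Met, but the evidence chain is incomplete
        {"layer": "policy", "path": "policies/least-privilege.pdf", "dated": "2025-09-01"},
        {"layer": "monitoring", "path": "logs/privileged-access-requests.log", "dated": ""},
    ]},
    "3.1.12": {"status": "Not Met", "artifacts": []},
    "3.10.6": {"status": "Not Applicable", "artifacts": []},
}

def missing_layers(entry):
    """Evidence layers with no dated artifact for one control (undated artifacts do not count)."""
    present = {a["layer"] for a in entry["artifacts"] if a["dated"]}
    return [layer for layer in LAYERS if layer not in present]

def assessment_score(index):
    """Unweighted Met / applicable ratio. Assumption: the DoD scoring methodology
    weights controls differently; the page gives only the 80% threshold."""
    applicable = [e for e in index.values() if e["status"] != "Not Applicable"]
    met = sum(1 for e in applicable if e["status"] == "Met")
    return met / len(applicable) if applicable else 0.0

def readiness_report(index, status_date_iso):
    """Flag Met controls with evidence gaps; date POA&M items (assumption: 180 days from status_date_iso)."""
    status_date = date.fromisoformat(status_date_iso)
    findings = {}
    for control_id, entry in index.items():
        if entry["status"] == "Not Applicable":
            continue
        gaps = missing_layers(entry)
        if entry["status"] == "Met" and gaps:
            findings[control_id] = "Met without evidence for: " + ", ".join(gaps)
        elif entry["status"] == "Not Met":
            closeout = status_date + timedelta(days=POAM_CLOSEOUT_DAYS)
            findings[control_id] = "POA&M item, close out by " + closeout.isoformat()
    score = assessment_score(index)
    return {"score": round(score, 3), "conditional_eligible": score >= CONDITIONAL_THRESHOLD,
            "findings": findings}
```

A control marked Met in the SSP but lacking a dated artifact in any layer is reported as a finding, since that is exactly what an assessor would challenge.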
Step 7: Engage your C3PAO and complete the assessment
Select an authorized C3PAO from the Cyber AB Marketplace and schedule your assessment. Share your SSP and evidence index before the engagement begins — assessors use both as their roadmap.
The assessment typically spans three to five days. Assessors examine documentation, interview control owners, and test configurations against the 110 assessment objectives. Controls are evaluated as Met, Not Met, or Not Applicable.
If your score is at or above 80%, the C3PAO issues a CMMC certificate and submits it to the DoD. Update your SPRS score and submit annual affirmations each year between triennial reassessments.
How Netwrix Supports CMMC Compliance
CMMC Level 2 certification is fundamentally an evidence generation and retention problem. What most organizations lack is a reliable mechanism for producing dated, attributed, audit-ready artifacts across the Access Control and Audit and Accountability domains on a continuous basis.
Netwrix Auditor addresses the two most evidence-intensive domains in any Level 2 assessment. It generates AD group membership change logs, privileged activity trails, and remote access monitoring evidence, with pre-built compliance mappings to CMMC. It deploys in under 30 minutes.
Netwrix Privilege Secure provides just-in-time privileged access with full session recording, directly addressing the least privilege controls in the AC domain most commonly challenged during assessment.
Netwrix 1Secure supports the scoping phase through automated sensitive data discovery and classification across file servers, SharePoint Online, and Microsoft 365, giving the scoping team a verifiable CUI inventory from the outset.
Request a demo to see how Netwrix maps to CMMC Level 2 control requirements across your environment.