
CMMC Compliance Checklist 2026

Posted to Compliance.


If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of the Department of Defense, the Cybersecurity Maturity Model Certification (CMMC) is no longer a future problem. The 32 CFR Part 170 program rule took effect on December 16, 2024, and the companion 48 CFR (DFARS) acquisition rule took effect on November 10, 2025, starting a three-year phase-in of CMMC requirements into new DoD solicitations that continues through 2026 and beyond. Every contractor and subcontractor in the defense industrial base will eventually need a certification level written into its contract, and that level will be non-negotiable.

This checklist is practical rather than academic. It covers Level 1, Level 2, and Level 3 in that order, plus the supporting artifacts the Department of Defense asks for: the System Security Plan, the Plan of Action and Milestones, and the Supplier Performance Risk System score. It ends with common failure points and an FAQ.

Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449). Our team holds the Registered Practitioner (CMMC-RP) credential. We do not issue certifications. A Certified Third Party Assessor Organization (C3PAO) does that for Level 2 and Level 3. We prepare defense contractors for a passing assessment.

What is CMMC 2.0 and who needs it

CMMC is the Department of Defense's framework for verifying that contractors and subcontractors have implemented the cybersecurity practices already required by contract. The current structure, referred to as CMMC 2.0, has three levels.

  • Level 1 (Foundational) covers the 15 basic safeguarding requirements of FAR 52.204-21 (older CMMC material counted 17 by splitting the combined physical-access requirement into three). It applies to contractors that handle Federal Contract Information (FCI) only. An annual self-assessment is allowed, with the senior official affirming the result each year in the Supplier Performance Risk System (SPRS).
  • Level 2 (Advanced) covers the 110 security requirements in NIST SP 800-171 Revision 2. It applies to contractors that handle Controlled Unclassified Information (CUI). Most Level 2 contracts require a third-party assessment by a C3PAO, refreshed every three years, with the senior official affirming continuing compliance annually.
  • Level 3 (Expert) layers 24 additional requirements drawn from NIST SP 800-172 on top of the Level 2 baseline. It applies to a smaller subset of contractors handling CUI associated with the highest-priority DoD programs. The assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The simplified rule of thumb: if your contract references DFARS 252.204-7012, you are almost certainly heading for Level 2 at minimum. If you are not sure what you handle, ask your contracting officer in writing which category of information is in scope for the contract you are bidding, and get the answer in writing before you price the work.

For the full picture on the underlying control set, our NIST 800-171 compliance guide walks through each practice family. The flagship CMMC compliance pillar covers scope decisions, cost ranges, and timeline planning.

Level 1 checklist: the 15 practices you can self-assess

Level 1 applies when the only sensitive data category in scope is Federal Contract Information. FCI is information not intended for public release that is provided by, or generated for, the Government under a contract to develop or deliver a product or service. The Level 1 practices are the 15 basic safeguarding requirements in FAR 52.204-21(b)(1), grouped into six families. The combined physical-access requirement (escort visitors, keep physical access logs, control access devices) is broken into its three parts below, so the list shows 17 checkboxes for your internal audit.

Access Control (AC), 4 practices

  • Limit system access to authorized users, processes, and devices.
  • Limit transactions and functions to the types each authorized user is permitted to execute.
  • Verify and control connections to and use of external information systems.
  • Control information posted or processed on publicly accessible systems.

Identification and Authentication (IA), 2 practices

  • Identify users, processes, or devices before allowing access.
  • Authenticate users, processes, or devices as a prerequisite to allowing access.

Media Protection (MP), 1 practice

  • Sanitize or destroy media containing FCI before disposal or release for reuse.

Physical Protection (PE), 2 requirements shown as 4 checkboxes

  • Limit physical access to systems, equipment, and operating environments to authorized individuals.
  • Escort visitors and monitor visitor activity.
  • Maintain audit logs of physical access.
  • Control and manage physical access devices such as keys, badges, and locks.

System and Communications Protection (SC), 2 practices

  • Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

System and Information Integrity (SI), 4 practices

  • Identify, report, and correct information and system flaws in a timely manner.
  • Provide protection from malicious code at appropriate locations.
  • Update malicious code protection mechanisms when new releases are available.
  • Perform periodic scans of the information system and real-time scans of files from external sources.

Level 1 is self-assessed, but do not treat the affirmation casually. The senior official who signs the SPRS affirmation is making a representation to the Government, and a false or unsupported affirmation is exposure under the False Claims Act. That risk is real, and it is the reason a serious walkthrough with documented evidence is always worth the time even at Level 1.

Level 2 checklist: 110 practices across 14 control families

Level 2 is where most defense contractors land. The 110 security requirements come directly from NIST SP 800-171 Revision 2 and are organized into 14 control families. The summary below flags the practices that drive the most findings in real assessments. The full practice text lives in the NIST publication itself, and we encourage reading it rather than relying on paraphrases.

3.1 Access Control (22 practices). Limit access to authorized users and devices, enforce least privilege, separate duties, limit unsuccessful logon attempts, lock and terminate sessions, and control remote, wireless, mobile-device, and external-system access. Watch-item: practice 3.1.20 on connections to external systems. This is where cloud services, including personal mail and file-sharing accounts, create scope creep that surprises contractors on assessment day.

3.2 Awareness and Training (3 practices). Security awareness training for all users, role-based training for those with security responsibilities, and insider threat awareness. Watch-item: training records must be current and tied to named individuals, not just a "completed by most of the team" spreadsheet.

3.3 Audit and Accountability (9 practices). Create and retain audit logs sufficient to support monitoring, analysis, investigation, and reporting. Protect logs from unauthorized access and modification. Watch-item: logging must cover privileged user actions and be retained long enough to investigate an incident discovered late. Retention of less than 90 days is a common finding.

3.4 Configuration Management (9 practices). Establish and maintain baseline configurations, track changes, enforce configuration settings, and restrict the use of unauthorized software. Watch-item: the allowlist approach to application control is the cleanest way to satisfy 3.4.8, and the absence of any application control regime is an automatic finding.

3.5 Identification and Authentication (11 practices). Identify and authenticate users, processes, and devices. Practice 3.5.3 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Watch-item: 3.5.3 is the MFA practice that drives the most failures in 2026. Scope includes local privileged accounts on workstations, servers, and network devices, not just cloud admin accounts.

3.6 Incident Response (3 practices). Establish operational incident handling capability, track and report incidents, and test the incident response capability. Watch-item: a tabletop exercise that is not documented with participant list, scenario, findings, and corrective actions does not count.

3.7 Maintenance (6 practices). Perform maintenance on systems, control the tools and media used to conduct maintenance, and supervise maintenance performed by personnel who lack the required access authorization. Watch-item: practice 3.7.5 requires multi-factor authentication for nonlocal (remote) maintenance sessions and termination of the connection when the session ends. Keep evidence of each session (who connected, when, and what was changed), because the assessor looks for the practice operating, not for a policy that describes it.

3.8 Media Protection (9 practices). Protect CUI on system media, limit access to CUI on media, sanitize or destroy media before disposal, and mark media with CUI markings. Watch-item: portable media controls, including USB restrictions, are frequently weaker than the policy documents claim.

3.9 Personnel Security (2 practices). Screen individuals prior to authorizing access and protect CUI during personnel actions such as termination and transfer. Watch-item: termination workflows must include an access-revocation checklist that is signed and retained.

3.10 Physical Protection (6 practices). Limit physical access to the system and the environment where the system operates, escort visitors, maintain logs, and control physical access devices. Watch-item: remote worker home offices inherit physical protection requirements when CUI is handled there.

3.11 Risk Assessment (3 practices). Periodically assess the risk to organizational operations, scan for vulnerabilities, and remediate in accordance with risk. Watch-item: vulnerability scan results must show remediation timelines matched to risk, not "scanned and ignored."

3.12 Security Assessment (4 practices). Periodically assess security controls, develop and implement plans of action to correct deficiencies, monitor controls on an ongoing basis, and develop, document, and periodically update system security plans. Watch-item: the System Security Plan is itself a Level 2 deliverable, and a stale SSP is an immediate finding.

3.13 System and Communications Protection (16 practices). Monitor and control communications at external and internal boundaries, employ cryptography to protect CUI, and separate user functionality from system management. Watch-item: 3.13.11 requires FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI. "FIPS-validated" means the cryptographic module holds a NIST CMVP certificate and is operated in its validated (FIPS) mode; a product that merely uses FIPS-approved algorithms, or a validated module run outside FIPS mode, does not satisfy the requirement, and the DoD scoring methodology gives only partial credit when encryption is in place but not validated. Commercial VPN products that have not been FIPS validated do not satisfy this requirement even if they advertise strong encryption.

3.14 System and Information Integrity (7 practices). Identify, report, and correct flaws; provide protection from malicious code; monitor security alerts and advisories; and detect and report unauthorized use. Watch-item: endpoint detection and response coverage gaps on seldom-used workstations are a frequent finding.

Our CMMC compliance pillar covers scope decisions and assessment cost ranges in detail.

Level 3 checklist: the 24 enhanced practices from NIST 800-172

Level 3 applies to a narrow subset of contracts handling CUI tied to the highest-priority DoD programs. The Level 3 baseline is the full Level 2 set (all 110 practices implemented without any open Plan of Action and Milestones items) plus a selected subset of 24 requirements drawn from NIST SP 800-172. These additions are designed to raise the bar against advanced persistent threats.

The 24 additional requirements cluster into themes rather than new families. Key themes include:

  • Penetration testing and red team exercises against the CUI environment on a defined cadence, with findings remediated.
  • Advanced threat hunting based on current adversary tactics, techniques, and procedures, not just signature-based detection.
  • Network segmentation that isolates CUI from the rest of the enterprise with enforceable controls, not just routing preferences.
  • Cyber threat intelligence integration into detection, response, and architecture decisions.
  • Dual authorization for high-risk actions such as mass data export and emergency access grants.
  • Automated mechanisms for monitoring and for information flow control, reducing dependence on manual review.
  • Supply chain risk management that identifies and mitigates risk from third-party software and services in the CUI environment.

The Level 3 assessment is conducted by DIBCAC directly, not by a commercial C3PAO. Organizations that qualify for Level 3 should plan for a longer remediation runway and more mature documentation. Our guide to NIST 800-53 compliance provides useful cross-reference reading, since many 800-172 practices borrow concepts from the 800-53 high baseline.

SPRS score calculation and submission

The Supplier Performance Risk System is the DoD system of record for contractor cyber compliance scores. At Level 2, you self-score your NIST 800-171 implementation and post the result to SPRS, and that score is a gate for contract award until your C3PAO assessment is on file.

The SPRS score formula is straightforward in principle. You start at 110. For each of the 110 NIST 800-171 requirements, you assess whether it is fully implemented. If a requirement is not fully implemented, you subtract its assigned weight. The weights come from the DoD Assessment Methodology and are 1, 3, or 5 depending on the requirement. Two requirements carry partial credit: 3.5.3 (MFA in place for remote and privileged users but not for general users) and 3.13.11 (encryption in place but not FIPS-validated) cost 3 points instead of 5 in that state. Requirement 3.12.4, the System Security Plan itself, carries no points because an assessment cannot be scored without one. A score of 110 means full implementation with no open items. A score below 110 means at least one requirement has a deduction, and the score goes negative once deductions exceed 110; the lowest possible score is -203.

Practical steps to produce a defensible SPRS score:

  • Map your in-scope system boundary first. The score applies to the system that processes, stores, or transmits CUI.
  • Use the NIST 800-171A assessment objectives as the standard of evidence. A practice is not "fully implemented" because a policy mentions it. It is fully implemented when evidence shows the practice operating as intended across the defined scope.
  • Document the assessment date, the assessor, the assessment scope description, and the system security plan version that the score was calculated against.
  • Submit through the SPRS web portal at sprs.csd.disa.mil. An authorized individual affiliated with the CAGE code posts the score.
  • Refresh the score on a defined cadence, and any time a material change to scope or implementation happens.

Score honestly. The DoD can and does validate self-scores: DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts Medium and High assessments of selected contractors, and a self-score that does not reconcile with the evidence becomes a finding, and in extreme cases a False Claims Act matter. When our team supports a contractor through SPRS calculation, the first deliverable is always a written scope narrative tied to the system security plan.

System Security Plan (SSP) checklist

The SSP is the single most important CMMC document. If the SSP is strong, the assessment is navigable. If the SSP is weak, every other artifact inherits the weakness. Required components at Level 2 include the following.

  • System identification. System name, unique identifier, operational status, system type (general support, major application, or minor application), and authorizing official.
  • System environment. Hardware, software, network topology, physical location, and data flows. Include diagrams that a non-specialist can read.
  • System interconnections and information sharing. Every connection in and out of the CUI boundary, the type of data, the protection mechanism, and the agreement or authorization that permits it.
  • Information types and categorization. The categories of information processed, with emphasis on CUI categories and their markings.
  • Roles and responsibilities. Named individuals or positions for system owner, information owner, information system security officer, system administrator, and authorizing official.
  • Control implementation details. For each of the 110 NIST 800-171 requirements, a description of how the requirement is met in your environment. Vague language such as "we follow best practices" fails this section. Name the tool, the configuration, the frequency, and the evidence source.
  • Rules of behavior. A document users acknowledge, tailored to the CUI environment.
  • Related plans and artifacts. References to the incident response plan, contingency plan, configuration management plan, and continuous monitoring plan.
  • Assessment and authorization history. Dates of prior assessments, findings, and authorizations.
  • Version control. A change log with dates, author, and a brief summary of each revision.

The SSP should be written so that a new assessor can walk into the environment and verify your claims against the evidence. Length is not the measure; clarity and traceability are. A 200-page SSP that does not connect each practice to evidence is worse than an 80-page SSP that does.

POA&M checklist: what is allowed at Level 2 versus Level 3

A Plan of Action and Milestones (POA&M) is a controlled registry of security requirements that are not fully implemented, with a plan and schedule to close each gap. At Level 2, 32 CFR Part 170 allows a conditional certification with open POA&M items only when the assessment score is at least 88 of 110, every open item is a 1-point requirement (3.13.11, FIPS-validated cryptography, may also remain open at the 3-point partial-credit level), and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4, or 3.10.5 is on the list. Every other 3-point and 5-point requirement must be fully implemented at assessment time. Open items must be closed, and the closure verified by a POA&M closeout assessment, within 180 days of the conditional certification, or the conditional status lapses.

POA&M hygiene checklist:

  • Every open item has an identifier, a description, an assigned owner, a target completion date, a status, and a current resource estimate.
  • Items reference the specific NIST 800-171 practice and the assessment objectives that are not yet met.
  • Target dates are realistic, and missed target dates trigger a rescheduling decision with written justification.
  • Closed items are retained in the register with a closure date and evidence of the corrective action, not deleted.
  • The register is reviewed on a defined cadence and is available to the assessor in its current state.

At Level 3, POA&M items are not permitted for certification. All applicable requirements must be fully implemented at the time of assessment. Plan accordingly.
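The score arithmetic in the SPRS section above and the Level 2 POA&M eligibility rules just described can both be checked mechanically, and they share the same data: the per-requirement weights. The Python below is an added example, not tooling from Petronella Technology Group or the DoD. It embeds the weights from Annex A of the DoD Assessment Methodology as transcribed by the editor, with a sum check against the published floor of -203, and assumes requirement identifiers are written as "3.x.y". Feed it the list of requirements that are not implemented (and the two that may be partially implemented) and it returns the score and the reasons, if any, that the open items cannot go on a Level 2 POA&M.

```python
"""SPRS score and Level 2 POA&M eligibility for NIST SP 800-171 Rev 2 (added example).

Weights are transcribed from Annex A of the DoD Assessment Methodology; 3.12.4 (the
SSP itself) carries no points, but an assessment cannot be scored without an SSP.
The POA&M rules follow 32 CFR 170.21 as summarised in the text above.
"""
from __future__ import annotations

from collections.abc import Iterable

# One row per family, in requirement order (3.1.1, 3.1.2, ...). "N" marks 3.12.4.
_WEIGHT_ROWS = {
    "3.1":  "5 5 1 1 3 1 1 1 1 1 1 5 5 1 1 5 5 5 3 1 1 1",
    "3.2":  "5 5 1",
    "3.3":  "5 3 1 1 5 1 1 1 1",
    "3.4":  "5 5 1 1 5 5 5 5 1",
    "3.5":  "5 5 5 1 1 1 1 1 1 5 1",
    "3.6":  "5 5 1",
    "3.7":  "3 5 1 3 5 1",
    "3.8":  "3 3 5 1 1 1 5 3 1",
    "3.9":  "3 5",
    "3.10": "5 5 1 1 1 1",
    "3.11": "3 5 1",
    "3.12": "5 3 5 N",
    "3.13": "5 5 1 1 5 5 1 3 1 1 5 1 1 1 5 1",
    "3.14": "5 5 5 5 3 5 3",
}
# Reduced deduction when partially met: MFA for remote and privileged users but not
# general users (3.5.3); encryption in use but not FIPS-validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Level 1-equivalent requirements that may never sit on a Level 2 POA&M.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
POAM_MIN_SCORE = 88  # 0.8 x 110, rounded up


def build_weights() -> dict[str, int | None]:
    weights: dict[str, int | None] = {}
    for family, row in _WEIGHT_ROWS.items():
        for index, token in enumerate(row.split(), start=1):
            weights[f"{family}.{index}"] = None if token == "N" else int(token)
    return weights


WEIGHTS = build_weights()
MAX_DEDUCTION = sum(w for w in WEIGHTS.values() if w)  # 313, so the floor is 110 - 313 = -203


def _req_key(req: str) -> tuple[int, ...]:
    return tuple(int(part) for part in req.split("."))


def sprs_score(not_implemented: Iterable[str], partial: Iterable[str] = ()) -> int:
    """110 minus the weight of every requirement that is not fully implemented."""
    missing, reduced = set(not_implemented), set(partial)
    unknown = (missing | reduced) - WEIGHTS.keys()
    if unknown:
        raise ValueError(f"not a NIST SP 800-171 Rev 2 requirement: {sorted(unknown)}")
    if "3.12.4" in missing:
        raise ValueError("no system security plan: the assessment cannot be scored")
    if not reduced <= PARTIAL_DEDUCTION.keys():
        raise ValueError(f"partial credit exists only for {sorted(PARTIAL_DEDUCTION)}")
    if missing & reduced:
        raise ValueError(f"both partial and not implemented: {sorted(missing & reduced)}")
    deduction = sum(WEIGHTS[r] for r in missing) + sum(PARTIAL_DEDUCTION[r] for r in reduced)
    return 110 - deduction


def poam_violations(not_implemented: Iterable[str], partial: Iterable[str] = ()) -> list[str]:
    """Reasons these open items disqualify a Level 2 conditional certification.

    An empty list means every open item is POA&M-eligible and the score clears 88."""
    missing, reduced = set(not_implemented), set(partial)
    problems: list[str] = []
    score = sprs_score(missing, reduced)
    if score < POAM_MIN_SCORE:
        problems.append(f"score {score} is below the {POAM_MIN_SCORE}-point minimum")
    for req in sorted(missing, key=_req_key):
        if req in POAM_EXCLUDED:
            problems.append(f"{req} may never be on a POA&M")
        elif WEIGHTS[req] != 1:
            problems.append(f"{req} is a {WEIGHTS[req]}-point requirement and must be fully met")
    for req in sorted(reduced, key=_req_key):
        if req != "3.13.11":  # only the FIPS requirement may stay at partial credit
            problems.append(f"{req} cannot be left at partial credit on a POA&M")
    return problems


if __name__ == "__main__":
    open_items, partial_items = ["3.1.20", "3.3.1", "3.13.11"], ["3.5.3"]
    print("SPRS score:", sprs_score(open_items, partial_items))
    for line in poam_violations(open_items, partial_items):
        print("POA&M blocker:", line)
```

The example set of open items scores 96, which clears the 88-point bar, yet it still cannot be certified conditionally: 3.1.20 is on the exclusion list, 3.3.1 is a 5-point requirement, and 3.5.3 may not be left at partial credit. That distinction, a passing score with ineligible items, is the one contractors most often miss.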

C3PAO assessment prep checklist

A Level 2 certification assessment is conducted by a C3PAO against the CMMC Assessment Process and the NIST SP 800-171A assessment objectives. Plan the engagement as a program of work, not a test date.

Six to twelve months out.

  • Confirm the CMMC level your contracts will require.
  • Define the CUI system boundary in writing, including any cloud services and subcontractor environments.
  • Complete a gap assessment against all 110 NIST 800-171 requirements using the 800-171A objectives.
  • Build a remediation plan with owners and target dates.
  • Begin evidence production in the format the assessor will request: screenshots, config exports, log samples, policy documents, and interview preparation notes.

Three to six months out.

  • Select a C3PAO from the Cyber AB Marketplace. Diligence their industry experience, scheduling availability, and pricing model.
  • Execute the assessment contract and provide the SSP, network diagrams, and asset inventory for pre-assessment review.
  • Run a dry-run assessment with an internal or external Registered Practitioner. Remediate findings before the real assessment starts.
  • Freeze major system changes during the final month to avoid introducing new findings.

During the assessment.

  • Designate a single point of contact for assessor questions. Every answer routes through this person to avoid contradictory statements.
  • Produce evidence promptly. Slow evidence delivery extends the assessment and signals weak documentation discipline.
  • Log every finding as it is issued, along with the evidence the assessor cited and the practice reference.

Common findings in 2026 assessments:

  • Partial MFA coverage. Cloud admin accounts protected, local privileged accounts and service accounts not.
  • Missing FIPS-validated cryptography for specific data flows.
  • Weak physical protections at remote worker locations.
  • Inadequate log retention, especially for privileged actions and for boundary devices.
  • Stale System Security Plans that do not reflect the current environment.
  • Flow-down requirements in subcontractor agreements that are missing, generic, or not tracked.

Defense contractors working with us typically schedule a free fifteen-minute scoping call before committing to a formal engagement. Our voice agent Penny books these calls directly at (919) 348-4912.

Common failure points in 2026

A year into CMMC 2.0 enforcement, the failure patterns are consistent across industry segments. Four deserve specific attention.

MFA coverage gaps. NIST 800-171 practice 3.5.3 requires multi-factor authentication for privileged account access and for network access. Contractors routinely satisfy the cloud admin portion and miss the local privileged accounts, the service accounts, and the network device management interfaces. The fix is an inventory of every privileged account across every system component, followed by MFA coverage mapped to that inventory.
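The inventory-then-map step is easy to describe and easy to get wrong because the evidence lives in three places: the identity provider, the endpoints, and devices that have no identity provider at all. The Python below is an added example, not the page's own tooling. It joins a constructed privileged-account inventory against constructed IdP and endpoint-MFA exports and reports every privileged account whose MFA enforcement is unproven. The CSV columns and account types are assumptions; treating service accounts as "no interactive MFA possible, so verify interactive logon is denied and the secret is vaulted" is a common practitioner approach, not a rule the page states.

```python
"""Privileged-account MFA coverage reconciliation (added example, constructed data)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample exports, not from a real environment. Column names are assumptions.
INVENTORY_CSV = """\
account,system,account_type,idp_identity
admin.jsmith,AZUREAD,cloud_admin,admin.jsmith@example.com
jsmith-da,CORP-AD,domain_admin,jsmith-da@example.com
Administrator,WS-ENG-07,local_admin,
Administrator,WS-ENG-12,local_admin,
svc_backup,CORP-AD,service,
admin,FW-EDGE-01,network_device,
"""

# IdP export: identities with a registered second factor.
IDP_MFA_CSV = """\
identity,method
admin.jsmith@example.com,fido2
jsmith-da@example.com,smartcard
"""

# Endpoint export: hosts where a local-logon MFA agent is installed, and its mode.
ENDPOINT_MFA_CSV = """\
hostname,agent_state
WS-ENG-07,enforcing
WS-ENG-12,audit
"""


@dataclass(frozen=True)
class Finding:
    account: str
    system: str
    account_type: str
    status: str  # "covered", "gap", or "review"
    note: str


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def mfa_coverage(inventory_csv: str, idp_csv: str, endpoint_csv: str) -> list[Finding]:
    """Map each privileged account to the evidence that proves MFA is enforced for it."""
    idp_enrolled = {r["identity"] for r in _rows(idp_csv)}
    # An agent in audit mode is installed but not enforcing, so it is not evidence.
    enforcing_hosts = {r["hostname"] for r in _rows(endpoint_csv) if r["agent_state"] == "enforcing"}
    findings: list[Finding] = []
    for r in _rows(inventory_csv):
        acct, system, kind, ident = r["account"], r["system"], r["account_type"], r["idp_identity"]
        if kind == "service":
            status = "review"
            note = "no interactive MFA possible: verify interactive logon is denied and the secret is vaulted"
        elif kind == "local_admin":
            covered = system in enforcing_hosts
            status = "covered" if covered else "gap"
            note = ("endpoint MFA agent enforcing local logon" if covered
                    else "no enforcing local-logon MFA on this host (3.5.3 local access to privileged account)")
        else:  # cloud_admin, domain_admin, network_device: evidence is IdP enrollment
            covered = bool(ident) and ident in idp_enrolled
            status = "covered" if covered else "gap"
            if covered:
                note = "second factor enrolled at the IdP"
            elif not ident:
                note = "not federated to the IdP: MFA must be evidenced on the device itself"
            else:
                note = "IdP identity has no enrolled second factor"
        findings.append(Finding(acct, system, kind, status, note))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"covered": 0, "gap": 0, "review": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = mfa_coverage(INVENTORY_CSV, IDP_MFA_CSV, ENDPOINT_MFA_CSV)
    for f in results:
        if f.status != "covered":
            print(f"{f.status.upper():7} {f.account}@{f.system} ({f.account_type}): {f.note}")
    print(summarize(results))
```

On the constructed data the report surfaces exactly the two patterns the paragraph describes: a workstation whose MFA agent is present but only auditing, and a firewall admin account that never touches the identity provider. The service account is neither covered nor a gap; it goes to a review queue, because the assessor will ask how it is prevented from logging on interactively.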

Media handling and sanitization. Portable media controls are weak when policy outruns implementation. Removable media should be inventoried, encrypted at rest, tracked when issued, and sanitized on return using a method appropriate to the media type. Disposing of a hard drive by dropping it in a shred bin is not enough unless the chain of custody from removal to destruction is documented.

CUI marking. CUI must be marked at creation, and the marking must follow the National Archives Controlled Unclassified Information Registry conventions. The most common failures are inconsistent marking across document types, markings that disappear when content is copied into a new document, and email subject lines that omit CUI designators.
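Two of the three failures just listed (markings lost on copy, unmarked mail) can be caught by a check that runs on outgoing documents and messages before they leave. The Python below is an added example, not a Petronella or NARA tool. It parses the banner-line format from the CUI Marking Handbook (control marking, optional category segment, optional limited-dissemination segment, separated by double slashes) and checks that a document carries the same banner at top and bottom plus a designation indicator. The set of recognised dissemination controls is a hard-coded subset, the "Controlled by:" test for the designation indicator and the rule that an email subject must begin with "CUI" are this checker's assumptions, and the sample document and email are constructed.

```python
"""CUI banner-marking checker for documents and email (added example)."""
from __future__ import annotations

import re

# Limited dissemination controls this checker recognises: a hard-coded subset of the
# CUI Registry list, plus any "REL TO ..." marking. Extend for your own usage.
KNOWN_LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
CATEGORY_RE = re.compile(r"^(SP-)?[A-Z][A-Z0-9]+$")            # e.g. CTI, SP-CTI, PRVCY
DESIGNATION_RE = re.compile(r"^Controlled by:", re.MULTILINE)  # first line of the indicator block


def _is_ldc(marking: str) -> bool:
    return marking in KNOWN_LDC or marking.startswith("REL TO ")


def parse_banner(line: str) -> dict:
    """Split 'CUI//SP-CTI//NOFORN' into control, categories and dissemination.

    The category segment is optional (mandatory for CUI Specified), so 'CUI//NOFORN'
    has no categories; segments are told apart by content, and a dissemination
    segment may not precede a category segment. Raises ValueError otherwise."""
    control, *segments = line.strip().split("//")
    if control not in ("CUI", "CONTROLLED") or len(segments) > 2:
        raise ValueError(f"not a banner marking: {line!r}")
    categories: list[str] = []
    dissemination: list[str] = []
    for segment in segments:
        items = [s.strip() for s in segment.split("/")]
        if all(_is_ldc(i) for i in items) and not dissemination:
            dissemination = items
        elif all(CATEGORY_RE.match(i) for i in items) and not categories and not dissemination:
            categories = items
        else:
            raise ValueError(f"unrecognised banner segment {segment!r} in {line!r}")
    return {"control": control, "categories": categories, "dissemination": dissemination}


def _banner_or_none(line: str) -> dict | None:
    try:
        return parse_banner(line)
    except ValueError:
        return None


def check_document(text: str, *, specified: bool = False) -> list[str]:
    """Problems with one document: banner on first and last line, identical, an SP-
    category when the content is CUI Specified, and a designation indicator."""
    lines = [l for l in text.splitlines() if l.strip()]
    top = _banner_or_none(lines[0]) if lines else None
    bottom = _banner_or_none(lines[-1]) if len(lines) > 1 else None
    problems: list[str] = []
    if top is None:
        problems.append("no banner marking on first line")
    if bottom is None:
        problems.append("no banner marking on last line")
    if top and bottom and top != bottom:
        problems.append("top and bottom banners differ")
    if specified and top and not any(c.startswith("SP-") for c in top["categories"]):
        problems.append("CUI Specified content lacks an SP- category marking")
    if not DESIGNATION_RE.search(text):
        problems.append("no designation indicator (Controlled by:)")
    return problems


def check_email(subject: str, body: str) -> list[str]:
    """Subject must begin with CUI (assumed house rule); body must open with a banner."""
    problems: list[str] = []
    if not subject.startswith("CUI"):
        problems.append("subject line does not begin with CUI")
    first = next((l for l in body.splitlines() if l.strip()), "")
    if _banner_or_none(first) is None:
        problems.append("body does not begin with a banner marking")
    return problems


# Constructed samples: a correctly marked page, and the same content pasted into a
# fresh document where every marking was lost.
GOOD_DOC = """CUI//SP-CTI//NOFORN
Bracket B-12 tolerances: +/-0.05 mm on all machined faces.
Controlled by: Contracts, Example Defense LLC
CUI Category: SP-CTI
Distribution/Dissemination Control: NOFORN
POC: J. Smith, 555-0100
CUI//SP-CTI//NOFORN
"""
PASTED_DOC = """Bracket B-12 tolerances: +/-0.05 mm on all machined faces.
See attached drawing.
"""

if __name__ == "__main__":
    print(parse_banner("CUI//SP-CTI//NOFORN"))
    print(check_document(GOOD_DOC, specified=True))
    print(check_document(PASTED_DOC))
    print(check_email("RE: bracket drawings", "Please see attached."))
```

The checker is deliberately strict about segment order, so a banner written as "CUI//NOFORN//SP-CTI" is rejected rather than silently accepted; a mail gateway or document-management hook that calls check_email or check_document on the way out is the practical place to run it.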

Flow-down requirements. Prime contractors must flow down DFARS 252.204-7012 and related CMMC requirements to subcontractors that will handle FCI or CUI. A generic boilerplate clause in a purchase order is not a flow-down; tracking which subcontractors have which certification levels is. Build a subcontractor register tied to active contracts.

Frequently asked questions

When does CMMC become mandatory on my contracts? The 32 CFR Part 170 program rule took effect December 16, 2024, and the 48 CFR (DFARS) acquisition rule that writes CMMC requirements into solicitations took effect November 10, 2025. DoD is phasing the requirement into new solicitations over three years from that date, so clause coverage expands through 2026 and is not complete until the final phase.

Can I self-assess at Level 2? Only for a narrow set of contracts that the DoD designates as self-assessment eligible. The default for Level 2 is a C3PAO assessment every three years, with annual senior-official affirmation in SPRS.

What is the difference between FCI and CUI? Federal Contract Information is information not intended for public release that is provided by, or generated for, the Government under a contract to develop or deliver a product or service. Controlled Unclassified Information is information that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled, with handling rules in 32 CFR Part 2002 and the categories defined in the CUI Registry. CUI is the more tightly controlled category, not a broader one: in a contractor's environment most CUI is also FCI, but most FCI is not CUI. Which category you hold sets your level: FCI only means Level 1, CUI means Level 2 or higher.

How long does a Level 2 certification last? Three years, with annual affirmation in SPRS by a senior official of continuing compliance.

What is the SPRS score for? It is the self-reported NIST 800-171 implementation score that the DoD uses as a procurement gate and as input to risk-based supplier selection.

Are Plans of Action and Milestones allowed at Level 3? No. Level 3 requires full implementation of all applicable requirements at assessment time.

Do subcontractors need CMMC certification? Yes, if they will handle FCI or CUI under the prime contract. The level required depends on what information they handle. Prime contractors are responsible for flow-down.

Does cloud service use change my scope? It changes how scope is drawn, not whether you are in scope. A cloud service used to process, store, or transmit CUI is part of the CUI environment. The cloud service provider must meet the FedRAMP Moderate baseline or equivalent, and the CSP responsibility boundary must be documented in the SSP.

What does a Level 2 assessment cost? Pricing is set by each C3PAO and varies with environment complexity and organization size. Published ranges from Cyber AB accredited assessors run from the low five figures for simple environments to the mid six figures for large defense primes. Get multiple quotes.

How long does preparation take? For a contractor starting from a mature NIST 800-171 implementation, six to nine months is realistic. Starting from limited documentation, twelve to eighteen months is more typical.

Can we still win DoD business without CMMC? For contracts that do not include CMMC clauses, yes. For contracts that do, no. Expect clause coverage to expand through the 2026 rollout.

What happens if we fail an assessment? The C3PAO issues findings. You remediate and can request re-assessment. Plan the assessment with enough runway to absorb a re-assessment without losing a contract award window.

Next steps

Use this checklist as the scaffolding for a program, not a one-time audit. CMMC is a continuous monitoring regime with a formal assessment checkpoint, and the contractors who treat it that way are the ones who avoid the fire drills that surround re-certification.

If you want an outside view of where your gaps are, our CMMC-RP team runs readiness assessments that produce a prioritized remediation plan tied to SPRS scoring. You can reach us through our contact form, or book a free fifteen-minute scoping call with Penny at (919) 348-4912. For a deeper dive on the underlying framework, start with our CMMC compliance pillar, the NIST 800-171 guide, and the defense contractor industry page. If your scope includes specialized hardware for CUI enclaves, our hardware catalog includes workstation and server options configured for segmented environments.

Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO #1449). We are not a C3PAO and we do not issue certifications. We prepare defense contractors for a passing assessment, and we stay through re-certification.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
