CMMC Level 2 Checklist: 14 Domain Readiness Guide
Posted: December 31, 1969 to Compliance.
What is a CMMC Level 2 checklist and why does it matter?
A CMMC Level 2 checklist is a structured readiness tool that maps every one of the 110 NIST SP 800-171 Rev 2 controls to concrete artifacts, configurations, and policies a Department of Defense contractor must produce before a Certified Third Party Assessor Organization (C3PAO) can certify the environment. It matters because Level 2 is the threshold where Controlled Unclassified Information (CUI) enters the picture, and a failed assessment can remove a contractor from the supply chain for three years.
Petronella Technology Group has walked dozens of prime and subcontractors through this process, and the pattern is always the same. Contractors who treat the checklist as a living document, not a one-time audit exercise, pass. Contractors who pull it out the week before the C3PAO visit do not.
Overview: How the 14 domains fit together
NIST 800-171 organizes its 110 security requirements into 14 families, often called domains in CMMC shorthand. Each family targets a different slice of the protection surface. The families work together as a system. Access Control limits who can reach CUI. Identification and Authentication proves those users are who they say they are. Audit and Accountability records what they did. Incident Response reacts when something goes wrong. Miss one family and the others cannot compensate.
Before we walk through the 14 domains, review the full CMMC cost breakdown and the broader CMMC compliance program page so you understand how the assessment fits into your budget and timeline.
The 14 NIST 800-171 domains with one action item each
1. Access Control (AC)
Action item: Build a documented role matrix that maps every job title to the specific CUI systems, folders, and applications that role is authorized to access. Review it quarterly. Most failures here come from orphaned accounts and over-permissioned shared drives.
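One way to turn the role matrix into a repeatable quarterly check, as an added example that is not from the original page: reconcile the documented matrix against the HR roster and an account export to surface the two failure modes named above, orphaned accounts and access beyond the role. The dict shapes, names, roles and system labels are constructed sample data and assumptions about how a contractor exports these lists.

```python
# Constructed role matrix: job title -> CUI systems that role is authorized to reach.
ROLE_MATRIX = {
    "engineer": {"cui-fileshare", "cad-server"},
    "contracts": {"cui-fileshare", "contracts-portal"},
    "sysadmin": {"cui-fileshare", "cad-server", "contracts-portal", "siem"},
}

# Constructed HR roster of active staff: username -> job title.
HR_ROSTER = {"alice": "engineer", "bob": "contracts", "carol": "sysadmin"}

# Constructed list of approved non-human accounts, each with a named owner.
SERVICE_ACCOUNTS = {"svc-backup": "carol"}

# Constructed account export: username -> systems the account can currently reach.
ACCOUNTS = {
    "alice": {"cui-fileshare", "cad-server"},
    "bob": {"cui-fileshare", "contracts-portal", "siem"},  # siem is outside the contracts role
    "carol": {"cui-fileshare", "cad-server", "contracts-portal", "siem"},
    "dave": {"cui-fileshare"},  # no HR record: left the company, account never disabled
    "svc-backup": {"cui-fileshare"},
}


def reconcile(role_matrix, hr_roster, accounts, service_accounts):
    """Return (orphaned, over_permissioned, unmapped).

    orphaned: accounts with no active HR record and no documented service-account owner.
    over_permissioned: user -> systems reachable beyond what the role matrix allows.
    unmapped: active staff whose job title has no row in the role matrix at all.
    """
    orphaned, over, unmapped = [], {}, []
    for user, systems in sorted(accounts.items()):
        if user in service_accounts:
            continue  # documented non-human account; reviewed on its own list
        title = hr_roster.get(user)
        if title is None:
            orphaned.append(user)
            continue
        if title not in role_matrix:
            unmapped.append(user)  # matrix gap, not an access decision
            continue
        extra = systems - role_matrix[title]
        if extra:
            over[user] = sorted(extra)
    return orphaned, over, unmapped
```

Each non-empty result is a ticket: disable the orphaned account, remove the extra access, or add the missing role row before the next quarterly review.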
2. Awareness and Training (AT)
Action item: Deliver annual CUI handling training to every person with access, plus role-based training for system administrators and incident responders. Keep signed attestations on file for every attendee. Generic phishing training alone does not satisfy AT-2.
3. Audit and Accountability (AU)
Action item: Stand up a central log aggregation platform that captures authentication events, privileged actions, and CUI file access from every in-scope system. Retain logs for at least 90 days online and a year in cold storage. Prove you review them with weekly reviewer initials or a SIEM ticket trail.
4. Configuration Management (CM)
Action item: Publish an approved baseline configuration for every operating system, application, and network device in scope. Tie every change to a ticket with approver, tester, and rollback plan. Baseline drift is one of the most common findings in failed assessments.
5. Identification and Authentication (IA)
Action item: Enforce multi-factor authentication on every account that can reach CUI, including local admin, service, and break-glass accounts. Phishing-resistant MFA (FIDO2 or PIV) is strongly preferred. Legacy SMS-based codes will raise questions during the assessment.
6. Incident Response (IR)
Action item: Write an incident response plan that defines categories, severities, roles, notification thresholds, and the 72-hour DoD reporting requirement. Run at least one tabletop exercise per year with documented outcomes and corrective actions.
7. Maintenance (MA)
Action item: Log every piece of maintenance on in-scope systems, including who performed it, what they changed, and what data they could touch. Remote maintenance requires pre-approval and session recording. Vendor tickets alone are not enough.
8. Media Protection (MP)
Action item: Build a media inventory that tracks every removable drive, tape, and portable device authorized to handle CUI. Label media at the CUI level, control transport, and document destruction with certificates. Lost USB sticks cause real failures here.
9. Personnel Security (PS)
Action item: Require a background check before granting CUI access and a documented offboarding process that revokes every credential within the same business day. Map each step to HR, IT, and facilities so nothing is missed when someone leaves.
10. Physical Protection (PE)
Action item: Identify every physical space where CUI is stored, processed, or discussed, then apply layered controls: locked entry, visitor logs, badge readers, camera coverage, and clear-desk rules. Home offices and co-working spaces need the same treatment if CUI is accessed there.
11. Risk Assessment (RA)
Action item: Perform and document an annual risk assessment that identifies threats, vulnerabilities, likelihood, and impact to CUI. Feed the output into the System Security Plan and into your Plan of Action and Milestones. Vulnerability scans alone do not equal a risk assessment.
12. Security Assessment (CA)
Action item: Write a System Security Plan that covers all 110 controls and a Plan of Action and Milestones that lists every open gap with an owner, a remediation step, and a target close date. These two documents are the backbone of the assessment.
13. System and Communications Protection (SC)
Action item: Encrypt CUI in transit with FIPS-validated modules and segment CUI networks from general corporate traffic. Boundary firewalls need explicit allow rules for CUI flows, with default deny everywhere else. Document the FIPS 140-2 or 140-3 validation numbers.
14. System and Information Integrity (SI)
Action item: Deploy endpoint detection and response on every in-scope endpoint, patch critical and high vulnerabilities within the timelines defined in your policy, and monitor for indicators of compromise. Unpatched systems and missing EDR coverage account for a large share of SI findings.
What is commonly missed on a CMMC Level 2 checklist?
After years in the field, Petronella has seen the same gaps surface again and again. The top five are:
- Scoping errors. Contractors define CUI scope narrowly at first, then the assessor finds CUI in email archives, on shared drives, or in backup tapes that were never declared in scope. Every location that receives, stores, or processes CUI must be in the System Security Plan.
- External service providers without documentation. Cloud applications, managed service providers, and outsourced developers all inherit Level 2 scrutiny. If they touch CUI, they need a customer responsibility matrix and, in many cases, their own FedRAMP Moderate equivalent.
- Mobile device blind spots. Phones and tablets that can reach corporate email often also reach CUI. Without mobile device management, that traffic is a gap.
- Log retention shortfalls. Many contractors collect logs but retain them for 30 days. The assessment wants longer retention and evidence of review.
- No PoAM hygiene. Open items drag on for months with no movement. Assessors read the PoAM as an honesty signal. A stale PoAM hurts more than a short one.
The gap analysis process from start to finish
A credible gap analysis follows a predictable five-step rhythm. First, define the CUI boundary and document every system, service, and person that touches that boundary. Second, walk the 110 controls against the boundary and score each as Met, Partially Met, or Not Met, with evidence or a gap note. Third, write the System Security Plan and the Plan of Action and Milestones. Fourth, remediate the highest-risk gaps and re-score. Fifth, book a readiness review with a qualified external assessor before you book the actual C3PAO assessment.
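The scoring and PoAM steps above, as an added example that is not from the original page; it also applies the stale-PoAM point from the previous section. Control ids follow NIST 800-171's 3.x.y numbering, but the statuses, owners, dates and evidence strings are constructed sample data, and the record fields are an assumption about how a team tracks its walkthrough.

```python
from datetime import date

# Constructed walkthrough of a few of the 110 controls, scored as the page describes.
WALKTHROUGH = [
    {"id": "3.1.1", "status": "Met", "evidence": "account inventory, Q3 export"},
    {"id": "3.1.2", "status": "Met", "evidence": "role matrix v4"},
    {"id": "3.3.1", "status": "Partially Met", "owner": "it-ops",
     "remediation": "extend SIEM online retention to 90 days",
     "target": "2024-09-30", "last_update": "2024-06-01"},
    {"id": "3.5.3", "status": "Not Met", "owner": "identity",
     "remediation": "enroll break-glass and service accounts in FIDO2",
     "target": "2024-12-01", "last_update": "2024-08-20"},
    {"id": "3.13.11", "status": "Not Met"},  # gap noted but nobody owns it yet
]


def score(walkthrough):
    """Return (met, total). Anything that is not Met is a gap needing a PoAM row."""
    met = sum(1 for c in walkthrough if c["status"] == "Met")
    return met, len(walkthrough)


def build_poam(walkthrough, today, stale_days=60):
    """Build PoAM rows for every gap and flag the problems an assessor will read as
    poor hygiene: missing owner/remediation/target, an overdue target date, and no
    movement for more than stale_days. `today` is an ISO date string."""
    now = date.fromisoformat(today)
    rows = []
    for c in walkthrough:
        if c["status"] == "Met":
            continue
        row = {"id": c["id"], "status": c["status"], "issues": []}
        for field in ("owner", "remediation", "target"):
            if not c.get(field):
                row["issues"].append(f"missing {field}")
        if c.get("target") and date.fromisoformat(c["target"]) < now:
            row["issues"].append("overdue")
        last = c.get("last_update")
        if last and (now - date.fromisoformat(last)).days > stale_days:
            row["issues"].append("stale")
        rows.append(row)
    return rows
```

Re-run both functions after each remediation pass; the readiness review in step five is the point at which every row should carry an empty issues list.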
Self-scoring can work for contractors with mature internal security teams, but it rarely produces audit-grade documentation. Independent readiness reviews catch the soft spots that internal teams normalize and stop seeing. The Petronella team is led by Craig Petronella, a CMMC Registered Practitioner, and includes additional CMMC-RP analysts who run readiness reviews every week. Learn more about Craig on the Craig Petronella profile.
When do you actually need a C3PAO?
You need a C3PAO when your DoD contract vehicle specifies Level 2 with a third-party assessment requirement, or when you are part of a bid where the prime contractor is flowing that requirement down. Self-assessment is only acceptable when the Department of Defense explicitly allows it for the contract in question. Reading the solicitation language carefully is the fastest way to answer this question. If the clause references DFARS 252.204-7021, a C3PAO is coming.
Book the C3PAO only when your readiness review shows you are at or above 110 out of 110 on mandatory controls, with a clean PoAM covering the few items allowed to be open under the rule. Booking too early wastes money and burns calendar time you do not have. Booking too late puts contracts at risk.
How long does CMMC Level 2 readiness actually take?
Timelines depend on where you start. A contractor already running Microsoft 365 GCC or GCC High with modern identity hygiene, endpoint detection and response already deployed, and a working vulnerability management program can often reach readiness in three to six months. A contractor starting from a commercial Microsoft 365 tenant, flat network, and no documented policies is typically looking at nine to fifteen months. Petronella has seen both ends of this range. The single biggest driver is how much of the documentation work leadership owns early, rather than pushing it down to whoever has free cycles.
The sequence that moves fastest is: define CUI scope in week one, pick the tenant architecture in week two, sign the licensing agreement in week three, start data classification and sensitivity labeling in week four, and then run six weeks of configuration hardening in parallel with policy drafting. Contractors who front-load the scoping decision save months downstream. Contractors who chase tool purchases before defining scope end up buying the wrong tools.
Artifacts the C3PAO will ask for, by domain
Every assessor has a preferred evidence list, but the core set is remarkably consistent. Expect requests in these categories:
- Access Control: account inventory, role matrix, joiner-mover-leaver tickets, privileged account list, session-timeout configuration screenshots.
- Audit and Accountability: SIEM coverage list, log-retention policy, sample reviewer sign-offs, incident investigation tickets that trace to logs.
- Configuration Management: baseline-configuration documents, change tickets, exception list, patch-management reports.
- Identification and Authentication: MFA enrollment reports, password policy screenshots, FIDO2 or PIV deployment evidence.
- Incident Response: incident response plan, tabletop exercise after-action report, 72-hour DoD notification procedure, on-call roster.
- Risk Assessment: annual risk assessment report, risk register, vulnerability scan output, remediation tickets.
- Security Assessment: System Security Plan, Plan of Action and Milestones, self-assessment scores, readiness review reports.
- System and Communications Protection: network diagrams, firewall rules, FIPS validation numbers, encryption configuration screenshots.
- System and Information Integrity: EDR coverage report, patch compliance dashboards, alerting rules, sample incident tickets.
Organize evidence by control family in a single evidence repository. Assessors who can find what they need in minutes finish faster and ask fewer follow-ups. Assessors who have to hunt for evidence ask more probing questions, which is rarely good for the contractor.
Budget reality check
A realistic Level 2 program for a 25 to 75 seat contractor typically spends most of its budget across four buckets: licensing and tools, external readiness consulting, internal staff time, and the C3PAO assessment itself. The proportions shift based on how much work is done in-house, but the four buckets are always present. Contractors who underinvest in readiness consulting often overspend on the assessment itself because they fail once and pay to be re-assessed. Contractors who underinvest in staff time tend to produce thin evidence that the assessor pokes holes in. The CMMC cost breakdown lays out a planning model for each bucket so your finance team can defend the number to the board.
Frequently asked questions about the CMMC Level 2 checklist
Is the checklist the same as the System Security Plan?
No. The checklist is a readiness tool. The System Security Plan is the formal document that describes how your environment meets each of the 110 controls. The checklist helps you build the plan, but a passing assessment requires the plan itself, not just the checklist.
Can a small contractor pass Level 2 without a dedicated security hire?
Yes, in many cases. Contractors with fewer than 25 employees often work with an outside CMMC-RP firm for the readiness work, then keep a fractional security partner for ongoing operations. The budget trade is real: a part-time external partner plus strong internal IT often costs less per year than a full-time senior security engineer and produces comparable evidence when managed well.
Does Level 2 require a Security Operations Center?
The 110 controls do not name a SOC, but the Audit and Accountability, Incident Response, and System and Information Integrity families together describe functions that most organizations staff through a SOC or an equivalent managed service. Whether that SOC is in-house, co-managed, or fully outsourced is a business decision as long as the control outcomes are met and the evidence exists.
What happens if a control is only partially met?
Partial implementation goes onto the Plan of Action and Milestones with an owner, a remediation plan, and a target close date. A limited number of controls are allowed to be in partial state at assessment time under the final rule, but the PoAM must show active work and a credible timeline. Stale or empty PoAMs raise red flags.
Do subcontractors need their own Level 2 certification?
If the prime flows down the DFARS 252.204-7021 clause and the subcontractor receives, stores, processes, or transmits CUI, the answer is usually yes. The prime is responsible for ensuring the flow-down is honored. Subcontractors who do not actually touch CUI may be able to document their status and avoid the assessment, but the decision is contract-specific and should be reviewed with qualified counsel.
Where to go next
If you want a guided version of this checklist with evidence templates, policy starters, and a scoped budget, start with the CMMC cost breakdown to right-size your investment, then move to the CMMC compliance services page to schedule a readiness review. Contractors who start early and document everything pass. Everyone else pays for the lesson twice.