
CMMC Compliance Checklist 2026: Complete Requirements Guide

Posted: March 6, 2026 to Compliance.

CMMC Compliance Checklist 2026: What Every Defense Contractor Must Know

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now fully enforceable, and defense contractors who fail to meet its requirements risk losing their Department of Defense contracts entirely. After spending more than two decades helping organizations navigate federal cybersecurity mandates, I can tell you that CMMC compliance is not something you can improvise. It requires methodical preparation, documented evidence, and a clear understanding of every control domain.

This checklist covers everything you need to prepare for CMMC Level 1 and Level 2 certification in 2026. Whether you are a small machine shop with a single DoD contract or a mid-size defense subcontractor handling Controlled Unclassified Information (CUI), this guide will walk you through the requirements step by step.

Understanding CMMC 2.0 Levels

CMMC 2.0 simplified the original five-level model into three tiers. Each level builds on the one below it, and the certification level you need depends on the type of information you handle.

Level 1: Foundational

Level 1 applies to contractors who handle Federal Contract Information (FCI) but not CUI. It requires compliance with 17 practices drawn from FAR 52.204-21. Self-assessment is permitted at this level, and results must be submitted to the Supplier Performance Risk System (SPRS).

Level 2: Advanced

Level 2 applies to contractors who handle CUI. It requires full implementation of all 110 security controls from NIST SP 800-171 Revision 2. Most Level 2 contractors will require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). A subset of Level 2 contractors may qualify for self-assessment depending on the sensitivity of the CUI involved.

Level 3: Expert

Level 3 is reserved for contractors working on the most sensitive DoD programs. It incorporates a subset of controls from NIST SP 800-172 and requires a government-led assessment by the Defense Contract Management Agency (DCMA).

Pre-Assessment Preparation Checklist

Before you begin implementing controls, you need to establish the foundational elements that every CMMC assessment will examine.

Define Your CUI Boundary

Identify exactly where CUI enters, resides, and exits your environment. This includes workstations, servers, file shares, email systems, cloud services, mobile devices, and any removable media. Document your CUI data flow with diagrams that show how information moves between systems, users, and external parties.

Complete Your System Security Plan (SSP)

Your SSP is the single most important document in your CMMC compliance program. It must describe your information system boundary, the security controls you have implemented, how those controls operate, and who is responsible for maintaining them. A weak or incomplete SSP is the number one reason organizations fail assessments.

At Petronella Technology Group, we use our proprietary ComplianceArmor platform to generate comprehensive SSPs that map every NIST 800-171 control to your specific environment. This eliminates the guesswork and ensures nothing falls through the cracks.

Conduct a Gap Assessment

Compare your current security posture against every applicable CMMC control. For Level 2, that means all 110 controls in NIST 800-171. Document each control as fully implemented, partially implemented, or not implemented. For any control that is not fully met, create a Plan of Action and Milestones (POA&M) with specific remediation steps, responsible parties, and target completion dates.

Calculate Your SPRS Score

Your SPRS score reflects your current compliance with NIST 800-171. A perfect score is 110. Each unmet control reduces your score by 1, 3, or 5 points depending on its weight. You must submit your current SPRS score to the DoD, and this score will be verified during your assessment. Organizations with scores below 110 must have documented POA&Ms for every gap.
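The gap-assessment and scoring steps above lend themselves to simple bookkeeping. The following is an added example (not code from the original post or from ComplianceArmor): it records each control's status, turns every control that is not fully implemented into a POA&M line, and computes an SPRS-style score by starting at 110 and subtracting the weight of each unmet control. The control IDs are the ones named in this post; the point weights are a small sample taken from the DoD NIST SP 800-171 Assessment Methodology as recalled by the author of this example, including the reduced partial-credit deductions for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). Treat the weight table as an assumption to verify against the current methodology, and note that a real score needs all 110 controls, not this subset.

```python
"""Gap-assessment bookkeeping: control status, POA&M entries and an SPRS-style score.

Added example, not code from the original post or from ComplianceArmor. The control
IDs are the ones the post names; the point weights are a sample taken from the DoD
NIST SP 800-171 Assessment Methodology as this example's author recalls them, and the
partial-credit rules for 3.5.3 and 3.13.11 follow the same source. Verify every
weight against the current methodology; a real run needs all 110 controls.
"""
from dataclasses import dataclass

IMPLEMENTED = "implemented"
PARTIAL = "partially implemented"
NOT_IMPLEMENTED = "not implemented"

# control id -> (deduction when not implemented, deduction when partially implemented).
# Most controls lose their full weight unless fully implemented; 3.5.3 (MFA) and
# 3.13.11 (FIPS-validated crypto) are the two with a reduced partial deduction.
SAMPLE_WEIGHTS = {
    "3.1.5": (3, 3),    # least privilege
    "3.1.8": (1, 1),    # limit unsuccessful logon attempts
    "3.1.10": (1, 1),   # session lock after inactivity
    "3.1.12": (5, 5),   # monitor and control remote access
    "3.1.19": (3, 3),   # encrypt CUI on mobile devices
    "3.1.21": (1, 1),   # control portable storage devices
    "3.5.3": (5, 3),    # MFA; 3 points if remote/privileged users are covered but general users are not
    "3.13.11": (5, 3),  # FIPS-validated crypto; 3 points if encryption is used but is not FIPS-validated
}


@dataclass
class ControlResult:
    control_id: str
    status: str
    evidence: str = ""        # SSP section or artifact that proves the status


@dataclass
class PoamItem:
    control_id: str
    weakness: str
    owner: str
    target_date: str          # ISO date, e.g. "2026-09-30"


def deduction(control_id, status, weights=SAMPLE_WEIGHTS):
    """Points lost for one control given its implementation status."""
    if control_id not in weights:
        raise KeyError(f"no weight for {control_id}; the full methodology table is required")
    full, partial = weights[control_id]
    if status == IMPLEMENTED:
        return 0
    if status == PARTIAL:
        return partial
    if status == NOT_IMPLEMENTED:
        return full
    raise ValueError(f"unknown status {status!r} for {control_id}")


def sprs_score(results, weights=SAMPLE_WEIGHTS):
    """Start from the perfect score of 110 and subtract every control not fully met."""
    return 110 - sum(deduction(r.control_id, r.status, weights) for r in results)


def build_poam(results, owner, target_date):
    """One POA&M line per control that is not fully implemented (required for any score below 110)."""
    return [PoamItem(r.control_id, f"{r.control_id} is {r.status}", owner, target_date)
            for r in results if r.status != IMPLEMENTED]


def sample_assessment():
    """Constructed gap-assessment results for a fictional contractor (not real data)."""
    return [
        ControlResult("3.1.5", IMPLEMENTED, "SSP 3.1.5: AD group model"),
        ControlResult("3.1.8", NOT_IMPLEMENTED),
        ControlResult("3.1.10", IMPLEMENTED, "SSP 3.1.10: GPO screen lock"),
        ControlResult("3.1.12", IMPLEMENTED, "SSP 3.1.12: VPN concentrator"),
        ControlResult("3.1.19", NOT_IMPLEMENTED),
        ControlResult("3.1.21", PARTIAL),
        ControlResult("3.5.3", PARTIAL, "MFA on VPN and admin accounts only"),
        ControlResult("3.13.11", NOT_IMPLEMENTED),
    ]


if __name__ == "__main__":
    results = sample_assessment()
    print("SPRS-style score over the sampled controls:", sprs_score(results))  # 97
    for item in build_poam(results, owner="ISSO", target_date="2026-09-30"):
        print(item)
```

The sample assessment loses 1 + 3 + 1 + 3 + 5 = 13 points for a score of 97, and produces five POA&M lines, one for each control that is not fully implemented. Note that a partially implemented control with no partial-credit rule (3.1.21 here) loses its full weight, which is why documenting "partially implemented" does not by itself improve the score.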

CMMC Level 1 Checklist: 17 Practices

Level 1 covers 17 practices spread across the six domains listed below. Here is what you must demonstrate.

Access Control (AC)

  • AC.L1-3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices including other systems
  • AC.L1-3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute
  • AC.L1-3.1.20: Verify and control connections to and use of external information systems
  • AC.L1-3.1.22: Control information posted or processed on publicly accessible information systems

Identification and Authentication (IA)

  • IA.L1-3.5.1: Identify information system users, processes acting on behalf of users, or devices
  • IA.L1-3.5.2: Authenticate or verify the identities of those users, processes, or devices as a prerequisite to allowing access

Media Protection (MP)

  • MP.L1-3.8.3: Sanitize or destroy information system media containing FCI before disposal or release for reuse

Physical Protection (PE)

  • PE.L1-3.10.1: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
  • PE.L1-3.10.3: Escort visitors and monitor visitor activity
  • PE.L1-3.10.4: Maintain audit logs of physical access
  • PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)

  • SC.L1-3.13.1: Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries
  • SC.L1-3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System and Information Integrity (SI)

  • SI.L1-3.14.1: Identify, report, and correct information and information system flaws in a timely manner
  • SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems
  • SI.L1-3.14.4: Update malicious code protection mechanisms when new releases are available
  • SI.L1-3.14.5: Perform periodic scans of the information system and real-time scans of files from external sources

CMMC Level 2 Checklist: 110 Controls by Domain

Level 2 requires full implementation of NIST SP 800-171 Rev 2. Here is a domain-by-domain checklist of the most critical controls and common failure points.

Access Control (AC) - 22 Controls

Access control is the largest domain and the one where most organizations have gaps. Key requirements include implementing least privilege (3.1.5), limiting unsuccessful login attempts (3.1.8), providing session lock after inactivity (3.1.10), and controlling remote access through managed access control points (3.1.12). You must also encrypt CUI on mobile devices (3.1.19) and restrict the use of portable storage devices (3.1.21).

Awareness and Training (AT) - 3 Controls

All users must receive security awareness training. Managers and system administrators need role-based training specific to their responsibilities. You must document and maintain training records as evidence. Generic annual security training videos alone are typically insufficient for Level 2 compliance.

Audit and Accountability (AU) - 9 Controls

You must create, protect, and retain system audit logs. Logs must capture who did what, when, and where for all CUI-relevant systems. You need to review and correlate audit records regularly, alert on audit process failures, and protect audit information from unauthorized access and modification. Most organizations need a SIEM solution to meet these requirements effectively.

Configuration Management (CM) - 9 Controls

Establish and enforce security configuration baselines. Track, review, and approve all changes to your information systems. Restrict the use of nonessential programs, and apply the principle of least functionality. Document your baseline configurations and any approved deviations.

Incident Response (IR) - 3 Controls

Establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities. Test your incident response plan regularly and report incidents to appropriate authorities. Your incident response plan must be documented, tested, and updated annually.

Maintenance (MA) - 6 Controls

Perform maintenance on organizational systems in a timely manner. Ensure maintenance tools are sanitized before use. Require multifactor authentication for remote maintenance sessions. Supervise maintenance activities of personnel without required access authorization.

Personnel Security (PS) - 2 Controls

Screen individuals before authorizing access to CUI systems. Ensure that CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Risk Assessment (RA) - 3 Controls

Conduct periodic risk assessments. Scan for vulnerabilities in organizational systems and applications on a regular basis. Remediate vulnerabilities according to risk-based prioritization. We recommend quarterly vulnerability scans as a minimum.

Security Assessment (CA) - 4 Controls

Periodically assess your security controls to determine whether they are effective. Develop and implement plans of action to correct deficiencies. Monitor security controls on an ongoing basis. System interconnections must be authorized and documented.

Recovery (RE) - 2 Controls

Regularly perform and test data backups. Establish alternate processing sites if needed. Your backup strategy must ensure that CUI can be recovered following a disruption. Backups must be encrypted and tested regularly.

Common CMMC Assessment Failures

After guiding dozens of organizations through CMMC preparation, these are the most frequent reasons assessments fail.

Incomplete Documentation

Having the technology in place is only half the battle. Assessors need to see written policies, procedures, and evidence of implementation. If you cannot produce a document that proves a control is in place, the assessor will mark it as not met. This is where ComplianceArmor delivers enormous value. It generates the complete documentation package that assessors expect, including your SSP, POA&Ms, policies, and procedures, all mapped to specific NIST 800-171 controls.

Insufficient Multi-Factor Authentication

NIST 800-171 control 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. Many organizations implement MFA for remote access but forget about local console access or service accounts. Every access path to CUI must be covered.

Weak Audit Logging

Turning on basic Windows event logging is not enough. You need centralized log collection, correlation, regular review, alerting on suspicious activity, and protection of log integrity. If your audit logs can be modified or deleted by an administrator, you fail the audit protection controls.
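One concrete way to make audit records tamper-evident, as an added example that is not from the original post: a central collector keys each record to the hash of the record before it, so a later edit or deletion of any record breaks the chain. The record layout, the collector key and the sample events are constructed for illustration (the Windows event IDs 4624, 4625 and 1102 are real, the events are made up). The design point is that the HMAC key lives only on the collector, so an administrator of the source host cannot rewrite history and recompute a valid chain.

```python
"""Tamper-evident audit log for a central collector.

Added example, not code from the original post. Each appended record carries an
HMAC over the previous record's hash plus its own content, so editing or removing
an earlier record breaks the chain. The record layout, the event values and the
collector key are all constructed for illustration; the Windows event IDs used in
the sample (4624 logon success, 4625 logon failure, 1102 audit log cleared) are
real, the events themselves are made up.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" for the first record


def _record_hash(key: bytes, prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(log: list, key: bytes, record: dict) -> dict:
    """Append one record, chaining it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _record_hash(key, prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes, expected_count=None):
    """Return None if the chain is intact, else the index of the first bad entry.

    expected_count guards against truncation: a chain with its tail cut off is
    still internally consistent, so the collector must also record how many
    entries it expects (or anchor the latest hash somewhere the source host
    cannot write).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _record_hash(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    if expected_count is not None and len(log) != expected_count:
        return len(log)
    return None


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2026-03-06T08:00:00Z", "host": "cui-fs01", "event_id": 4624, "user": "jdoe", "msg": "logon success"},
    {"time": "2026-03-06T08:05:00Z", "host": "cui-fs01", "event_id": 4625, "user": "jdoe", "msg": "logon failure"},
    {"time": "2026-03-06T08:07:00Z", "host": "cui-fs01", "event_id": 1102, "user": "svc-backup", "msg": "audit log cleared"},
]


def build_sample_log(key: bytes) -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append_record(log, key, ev)
    return log


def tamper_message(log, index, new_msg):
    """Simulate an administrator rewriting one record after the fact."""
    altered = copy.deepcopy(log)
    altered[index]["record"]["msg"] = new_msg
    return altered


def drop_entry(log, index):
    """Simulate deletion of one record from the middle of the log."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    key = b"constructed-collector-key"  # in practice: held only by the SIEM/collector
    log = build_sample_log(key)
    print("intact:", verify_chain(log, key, expected_count=3))                     # None
    print("edited:", verify_chain(tamper_message(log, 1, "logon success"), key))   # 1
    print("deleted:", verify_chain(drop_entry(log, 1), key))                       # 1
    print("truncated:", verify_chain(log[:2], key, expected_count=3))              # 2
```

Rewriting the failed-logon record or deleting it is caught at index 1. Cutting the log off after two entries is not caught by the chain alone, which is why the verifier also takes an expected record count; in a real deployment that count (or the latest chain hash) has to be stored where the host being audited cannot change it.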

Missing Encryption

CUI must be encrypted both in transit and at rest. FIPS 140-2 validated cryptographic modules are required. Self-signed certificates, expired certificates, and non-FIPS encryption implementations are all common findings.

Your CMMC Compliance Timeline

For organizations starting their CMMC journey now, here is a realistic timeline.

Months 1-2: Assessment and Planning

Complete your gap assessment, calculate your SPRS score, and develop your remediation roadmap. Engage a qualified CMMC consultant to identify blind spots. Learn more about our CMMC compliance services.

Months 3-6: Remediation

Implement technical controls, deploy security tools, and develop required documentation. This phase typically requires the most investment in both technology and staff time.

Months 7-8: Pre-Assessment

Conduct an internal assessment or engage a consultant for a mock assessment. Identify and remediate any remaining gaps. Finalize all documentation.

Months 9-10: Formal Assessment

Engage a C3PAO and schedule your assessment. Be prepared for assessor interviews, evidence review, and technical testing. Respond promptly to any Requests for Information from the assessment team.

Next Steps

CMMC compliance is a significant undertaking, but it does not have to be overwhelming. The key is to start early, document everything, and work with experienced professionals who understand both the technical and administrative requirements.

Petronella Technology Group has been helping defense contractors achieve and maintain compliance with NIST 800-171 and CMMC since the framework was introduced. Our ComplianceArmor platform automates the documentation process, and our team of certified professionals guides you through every step from gap assessment to successful certification.

Schedule a free CMMC readiness assessment to find out where you stand and what it will take to get certified.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
