
CMMC Compliance Checklist 2026: Complete Requirements Guide

Posted: March 27, 2026 to Cybersecurity.


The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now a contractual reality for defense contractors. The final rule took effect in late 2024, and the Department of Defense has begun including CMMC requirements in new contract solicitations. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of defense contracts, you need a clear, actionable path to certification, not a vague promise to "get compliant someday."

This guide breaks down exactly what is required at each CMMC level, what assessors evaluate, the typical timeline and cost to achieve certification, and how to prepare without wasting budget on unnecessary controls or falling into common assessment traps.

Understanding the Three CMMC 2.0 Levels

CMMC 2.0 simplified the original five-level model into three levels, each aligned with existing NIST standards:

Level 1 (Foundational): 17 practices based on FAR 52.204-21 basic safeguarding requirements. Applies to organizations handling FCI only (not CUI). Self-assessment is permitted, with results and an annual affirmation submitted to the Supplier Performance Risk System (SPRS). No third-party assessment required.

Level 2 (Advanced): 110 security requirements aligned with NIST SP 800-171 Rev 2. Applies to organizations handling CUI. Third-party assessment by a C3PAO (Certified Third-Party Assessor Organization) is required for contracts involving critical national security information. Self-assessment is permitted for select non-critical programs. Triennial reassessment with annual affirmation.

Level 3 (Expert): 110+ requirements from NIST SP 800-171 plus additional controls from NIST SP 800-172 (Enhanced Security Requirements). Government-led assessments conducted by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). Reserved for the most sensitive programs involving the highest-value CUI.

Level 1 Checklist: Foundational Cyber Hygiene

Level 1 covers fundamental security practices that every organization should already implement. The 17 practices span 6 domains:

Access Control (4 practices)

  • Limit information system access to authorized users, processes acting on behalf of authorized users, and devices
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  • Verify and control/limit connections to and use of external information systems
  • Control information posted or processed on publicly accessible information systems

Identification and Authentication (2 practices)

  • Identify information system users, processes acting on behalf of users, or devices
  • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access

Media Protection (1 practice)

  • Sanitize or destroy information system media containing FCI before disposal or release for reuse

Physical Protection (4 practices)

  • Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access
  • Control and manage physical access devices

System and Communications Protection (2 practices)

  • Monitor, control, and protect organizational communications at the external boundaries of the information systems and at key internal boundaries within the systems
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System and Information Integrity (4 practices)

  • Identify, report, and correct information and information system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations within organizational information systems
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans of the information system and real-time scans of files from external sources

Level 2 Checklist: The 110 Controls in Detail

Level 2 maps directly to NIST SP 800-171 Rev 2, organized across 14 control families. Here are the critical areas where most organizations fail assessments and need the most preparation:

Access Control (22 requirements)

This is the largest domain and the one with the most assessment failures. Key requirements include:

  • Multi-factor authentication (MFA) for all local and remote privileged access AND remote access to non-privileged accounts
  • Role-based access control with documented least-privilege enforcement
  • Automatic session lock after a defined period of inactivity (typically 15 minutes)
  • Encrypted sessions for all remote access (VPN, RDP, SSH)
  • Wireless access authorization, authentication, and encryption (WPA3 or WPA2-Enterprise minimum)
  • Control of mobile devices including BYOD policies and MDM solutions

Audit and Accountability (9 requirements)

  • Audit log creation for all system and user events involving CUI access, authentication, privilege use, and system changes
  • Audit log protection from unauthorized access, modification, and deletion (write-once or cryptographically signed logs)
  • Regular audit log review, analysis, and reporting (at minimum weekly, preferably daily or continuous via SIEM)
  • Time synchronization across all systems using NTP to a reliable authoritative time source
  • Audit reduction and report generation to support after-the-fact investigation
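The second bullet above asks for logs that cannot be silently modified or deleted. The following is an added example, not code from the original post or from Petronella Technology Group, showing one way to make an audit trail tamper-evident: every entry is chained to the previous entry's tag and authenticated with an HMAC, so modification, deletion or reordering of any entry breaks verification from that point on. The key, event records and hostnames are constructed for the demo; in a real deployment the signing key lives on a separate log-collection host or HSM, which is what gives the "write-once" property the checklist describes.

```python
import hashlib
import hmac
import json

# Constructed demo key. In production the key is held only by the log collector
# or an HSM, so a compromised application host cannot re-sign a modified trail.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # tag assumed for the entry before the first one


def _payload(seq, prev_tag, event):
    # Canonical JSON so verification does not depend on key order or whitespace
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return f"{seq}|{prev_tag}|{body}".encode()


def append_entry(log, event):
    """Append an event, chaining it to the previous entry's tag and signing it."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    tag = hmac.new(SIGNING_KEY, _payload(seq, prev_tag, event), hashlib.sha256).hexdigest()
    log.append({"seq": seq, "prev": prev_tag, "event": event, "tag": tag})
    return tag


def verify_log(log):
    """Return (ok, first_bad_index). Catches edits, deletions and reordering."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        # A gap or reorder shows up as a sequence/prev mismatch before any HMAC work
        if entry["seq"] != i or entry["prev"] != prev_tag:
            return False, i
        expected = hmac.new(SIGNING_KEY, _payload(i, prev_tag, entry["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def demo():
    # Constructed sample events of the kinds a Level 2 trail must capture:
    # authentication, CUI access and privilege use.
    events = [
        {"ts": "2026-03-27T09:00:01Z", "user": "jdoe", "action": "login", "mfa": True},
        {"ts": "2026-03-27T09:05:12Z", "user": "jdoe", "action": "read",
         "object": "cui/contract-42.pdf"},
        {"ts": "2026-03-27T09:07:40Z", "user": "admin", "action": "privilege_use",
         "cmd": "systemctl restart sshd"},
    ]
    log = []
    for e in events:
        append_entry(log, e)
    intact = verify_log(log)

    # Attacker rewrites who read the CUI file: HMAC on entry 1 no longer matches
    modified = json.loads(json.dumps(log))
    modified[1]["event"]["user"] = "someone_else"
    edited = verify_log(modified)

    # Attacker deletes the CUI read entirely: the chain breaks at position 1
    deleted = verify_log(log[:1] + log[2:])
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

Verification stops at the first bad index, which is the value an investigator wants: everything before it is trustworthy, everything from that point on is suspect. Periodically anchoring the latest tag to an external store (a ticket, a separate SIEM, a timestamping service) also lets you detect truncation of the tail, which a chain alone cannot see.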

Configuration Management (9 requirements)

  • Documented baseline configurations for all information system components
  • Change management process with security impact analysis for all proposed changes
  • Principle of least functionality enforced on all systems (disable unnecessary services, ports, protocols)
  • Application execution policies (application whitelisting or restrictions on software installation)
  • Tracking, review, and approval of all configuration changes
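Documented baselines are only useful if something compares running systems against them. As an added example (not the post's own tooling), the script below encodes a baseline for one constructed host role and reports drift: required services that are not running, prohibited services that are, and listeners that are not on the approved list. Role names, service names and the observed inventory are all constructed; a real implementation would feed it from the configuration management database and the host's actual process and socket inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Documented baseline for one host role (constructed for this example)."""
    role: str
    required_services: frozenset   # must be running (logging, EDR, time sync ...)
    allowed_listening: frozenset   # approved (proto, port) pairs; anything else is drift
    prohibited_services: frozenset # explicitly disallowed under least functionality


BASELINES = {
    "cui-file-server": Baseline(
        role="cui-file-server",
        required_services=frozenset({"sshd", "auditd", "edr-agent", "chronyd"}),
        allowed_listening=frozenset({("tcp", 22), ("tcp", 445)}),
        prohibited_services=frozenset({"telnetd", "vsftpd", "cups"}),
    ),
}


def check_host(hostname, role, running_services, listening):
    """Return a sorted list of (host, finding_type, detail) drift findings."""
    baseline = BASELINES[role]
    findings = []
    for svc in sorted(baseline.required_services - running_services):
        findings.append((hostname, "missing_required_service", svc))
    for svc in sorted(baseline.prohibited_services & running_services):
        findings.append((hostname, "prohibited_service_running", svc))
    for proto, port in sorted(listening - baseline.allowed_listening):
        findings.append((hostname, "unapproved_listener", f"{proto}/{port}"))
    return findings


def demo():
    # Constructed inventory: fs01 matches the baseline, fs02 has drifted
    observed = {
        "fs01": ("cui-file-server",
                 {"sshd", "auditd", "edr-agent", "chronyd"},
                 {("tcp", 22), ("tcp", 445)}),
        "fs02": ("cui-file-server",
                 {"sshd", "auditd", "vsftpd"},
                 {("tcp", 22), ("tcp", 445), ("tcp", 21), ("udp", 631)}),
    }
    report = {}
    for host, (role, services, listeners) in observed.items():
        report[host] = check_host(host, role, services, listeners)
    return report


if __name__ == "__main__":
    for host, findings in demo().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  ", f)
```

Each finding is a candidate change-management ticket: either the host is brought back to baseline, or the baseline is updated through the documented change process with a security impact analysis, which is exactly the evidence trail an assessor asks for under this family.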

Incident Response (3 requirements)

  • Documented incident response plan that is tested at least annually through tabletop exercises or simulations
  • Incident tracking, documentation, and reporting to designated authorities (including the DoD within 72 hours for cyber incidents)
  • Operational incident response capability including personnel, tools, and procedures for CUI-related incidents

System and Communications Protection (16 requirements)

  • Boundary protection between CUI networks and external networks including the internet
  • FIPS 140-2 validated encryption for CUI in transit across all network boundaries
  • FIPS 140-2 validated encryption for CUI at rest on all storage media
  • Network segmentation separating CUI processing environments from general corporate networks
  • DNS filtering and control of all outbound network traffic

Assessment Preparation Timeline

Based on experience working with defense contractors through CMMC preparation and assessment, plan for these realistic timeframes:

  1. Months 1-2: Gap assessment. Conduct a thorough assessment against all 110 NIST 800-171 requirements. Document which controls are fully implemented, partially implemented, or not implemented. Use the standard SSP (System Security Plan) and POA&M (Plan of Action and Milestones) templates from NIST.
  2. Months 2-4: Remediation planning. Prioritize gaps by risk and effort. Create a realistic POA&M with specific milestones, responsible parties, and completion dates. Budget for technology purchases, policy development, and staff training.
  3. Months 4-8: Implementation. Deploy technical controls (MFA, encryption, SIEM, EDR), develop and publish required policies and procedures, train all staff on new security requirements, and test incident response procedures.
  4. Months 8-10: Internal assessment. Conduct a mock assessment using the CMMC assessment guide. Validate that all controls are operating effectively and evidence is documented. Conduct tabletop exercises. Fix any remaining gaps.
  5. Months 10-12: Third-party assessment. Engage a C3PAO for the official Level 2 assessment. The assessment typically takes 1 to 2 weeks of on-site and remote evaluation.

The DoD CIO CMMC website maintains the current list of authorized C3PAOs, assessment timelines, and official guidance documents.

Common Assessment Failures

The most frequent reasons organizations fail their CMMC assessment, based on published C3PAO feedback and industry experience:

  • Incomplete CUI scoping: Not knowing where CUI resides, how it flows through your systems, and who has access. Without accurate CUI data flow mapping, controls are applied inconsistently and assessors find gaps. This is the number one failure cause.
  • Missing documentation: Having controls in place without written policies, standard operating procedures, and evidence of implementation is insufficient. Assessors need to see both the control and the documentation proving it is implemented, tested, and maintained.
  • POA&M misuse: Plans of Action and Milestones are intended for minor gaps with clear remediation timelines (typically under 180 days). Assessors will not accept a POA&M for fundamental missing controls like encryption, MFA, or access control. If a control is critical and missing, you fail.
  • Shared infrastructure without segmentation: If your CUI processing environment shares infrastructure with your general corporate network without proper segmentation, the entire corporate network becomes part of the CUI scope, dramatically increasing the number of systems that must meet all 110 requirements.
  • Inherited controls without validation: Using a cloud service provider or managed service provider does not automatically satisfy controls. You must validate that the CSP/MSP actually implements the control, document the shared responsibility, and ensure your configuration activates the control.
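The first and fourth failures above (incomplete scoping, and shared infrastructure pulling the whole corporate network into scope) are easiest to see on a connectivity map. The following added example, not from the post, models assets and their network links and walks outward from the CUI assets: any asset reachable over an unsegmented link joins the scope, while an enforced boundary device (a firewall or ACL-enforcing switch) is itself in scope but stops the walk. All asset names and links are constructed. The model simplifies real CMMC scoping categories to the one point the post makes: without an enforced boundary, everything connected becomes assessable.

```python
from collections import deque


def cui_scope(cui_assets, boundary_devices, links):
    """Return the set of assets pulled into CUI assessment scope.

    cui_assets: assets that store, process or transmit CUI.
    boundary_devices: devices enforcing documented segmentation rules. They are
        in scope (an assessor reviews their rule set) but the walk does not
        continue through them.
    links: (a, b) pairs of network connectivity, treated as undirected.
    """
    neighbours = {}
    for a, b in links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)

    in_scope = set(cui_assets)
    queue = deque(cui_assets)
    while queue:
        node = queue.popleft()
        for peer in neighbours.get(node, ()):
            if peer in in_scope:
                continue
            in_scope.add(peer)
            # Expansion stops at an enforced boundary; a flat network has none,
            # so every connected corporate asset is reached.
            if peer not in boundary_devices:
                queue.append(peer)
    return in_scope


def demo(segmented):
    """Constructed environment; segmented=True means the core firewall enforces rules."""
    cui_assets = {"cui-fileserver", "cui-workstation-01", "cui-workstation-02"}
    links = [
        ("cui-fileserver", "cui-switch"),
        ("cui-workstation-01", "cui-switch"),
        ("cui-workstation-02", "cui-switch"),
        ("cui-switch", "core-firewall"),
        ("core-firewall", "corp-switch"),
        ("corp-switch", "hr-database"),
        ("corp-switch", "marketing-laptop-07"),
        ("corp-switch", "guest-wifi-ap"),
    ]
    boundary = {"core-firewall"} if segmented else set()
    return cui_scope(cui_assets, boundary, links)


if __name__ == "__main__":
    print("segmented:", sorted(demo(True)))
    print("flat:     ", sorted(demo(False)))
```

Feeding this with the real asset inventory and link list is a cheap first pass at the CUI data flow mapping the post calls the number one failure cause. The caveat is in the `boundary_devices` set: a firewall only counts as a boundary if its rule set actually restricts traffic and is documented, because an assessor will read the rules rather than take the device's presence as proof.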

Cost Considerations

CMMC compliance costs vary significantly based on organizational size, current security maturity, and the scope of your CUI environment:

  • Level 1 self-assessment: $5,000 to $15,000 for gap analysis, documentation, and SPRS score submission
  • Level 2 preparation and remediation: $50,000 to $500,000+ depending on gap severity. Organizations starting from minimal security maturity will be at the higher end.
  • Level 2 C3PAO assessment: $50,000 to $150,000 for the formal assessment engagement
  • Ongoing maintenance: 10-20% of initial implementation cost annually for continuous monitoring, policy updates, training, and triennial reassessment preparation

The DoD recognizes these costs and has indicated that CMMC compliance expenses may be allowable as a reimbursable contract cost. Work with your contracting officer to understand cost recovery options specific to your contract vehicle.

For a deeper understanding of how CMMC fits into the broader defense contractor compliance landscape, review our CMMC compliance guide and CMMC final rule implementation timeline.

Frequently Asked Questions

When will CMMC be required in contracts?

CMMC requirements began appearing in select contract solicitations in 2025 and will be phased in across all DoD contracts handling CUI over a 3-year period. By 2028, all new contracts involving CUI will require CMMC Level 2 certification. Organizations should begin preparation now, as the 10 to 12 month preparation timeline means starting in 2026 is already tight for 2027 contract requirements.

Can we self-assess for CMMC Level 2?

Self-assessment is permitted only for select contracts that the DoD designates as non-critical. The majority of contracts involving CUI will require third-party assessment by a C3PAO. Self-assessed organizations must still submit their SPRS score and annual affirmation, and they may be subject to government spot-checks.

What is the SPRS score and how is it calculated?

The Supplier Performance Risk System (SPRS) score reflects your organization's self-assessed implementation of NIST 800-171 controls. A perfect score is 110 (all controls implemented). Each unimplemented control reduces the score by 1, 3, or 5 points depending on severity. The minimum acceptable score varies by contract, but scores below 50 to 70 will disqualify most organizations from competition.

Do subcontractors need CMMC certification?

Yes. Any subcontractor that handles CUI as part of a defense contract must be certified at the same CMMC level as the prime contractor for that CUI. Subcontractors handling only FCI need Level 1. This applies to all tiers of the supply chain, not just direct subcontractors.

Can we use a managed service provider to meet CMMC requirements?

Yes, but with important caveats. The MSP must meet FedRAMP Moderate or equivalent security requirements for cloud services processing CUI. You must document the shared responsibility model clearly in your SSP. The MSP's controls are subject to assessment as part of your CMMC evaluation. Simply outsourcing to an MSP does not eliminate your compliance responsibility.

Need Help with CMMC Compliance?

Petronella Technology Group provides end-to-end CMMC preparation including gap assessments, remediation, documentation, and assessment readiness. Schedule a free consultation or call 919-348-4912.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
