110 Controls Mapped

CMMC COMPLIANCE CHECKLIST

CMMC Level 2 requires your organization to implement the 110 security requirements of NIST SP 800-171 Rev 2 and, for most CUI contracts, to have that implementation verified by a C3PAO assessment. The final rule allows only a narrow Plan of Action and Milestones (POA&M): a conditional Level 2 status is possible at an assessment score of 88 or higher, and the open items, which apart from partially implemented encryption under 3.13.11 may only be 1-point requirements, must be closed within 180 days. This checklist maps every control family, explains what assessors look for, and gives you a concrete path from gap assessment to certification. Use it to audit your current posture, prioritize remediation, and track progress toward compliance.

CMMC Registered Provider Organization | Entire team CMMC-RP certified | 24+ years experience
CMMC Overview

What Is CMMC and Who Needs It?

The Cybersecurity Maturity Model Certification is the Department of Defense's mandatory cybersecurity framework for defense contractors handling Controlled Unclassified Information.

CMMC 2.0 replaced the original five-tier model with three levels. Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI) and is verified by annual self-assessment. Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2 and, for most contracts involving CUI, requires a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO); a small subset of Level 2 solicitations accept an annual self-assessment instead, and the solicitation states which applies. Level 3 adds selected requirements from NIST SP 800-172 for the most sensitive DoD programs and requires a government-led (DCMA DIBCAC) assessment on top of a Level 2 C3PAO certification.

Every company in the Defense Industrial Base (DIB) that handles CUI must hold the CMMC status named in the solicitation, Level 2 for CUI, at the time of award. Prime contractors, subcontractors, and suppliers throughout the supply chain are all subject to CMMC requirements, and primes must flow the requirement down to any subcontractor that will handle FCI or CUI. The DoD began including the CMMC clause in solicitations in late 2025 under a phased rollout, with C3PAO-assessed Level 2 requirements phasing in from the second year and all applicable solicitations covered by 2028.

The consequences of non-compliance are severe: loss of existing DoD contracts, ineligibility for new awards, and potential False Claims Act liability if you misrepresent your compliance status. Industry surveys of the DIB have repeatedly reported an average SPRS score below zero (the DoD Assessment Methodology scores from 110 down to -203), meaning most contractors have significant gaps to close before they can pass a C3PAO assessment.

110 required controls
14 control families
6-18 months typical timeline
300K+ DIB companies affected

Video Overview

Preparing for Your CMMC Assessment

Watch our overview of the CMMC assessment process, what C3PAOs evaluate, and how to prepare your organization for a successful certification.

CMMC 5-Point Assessment Overview (6:00)


Complete Checklist

CMMC Level 2 Compliance Checklist: All 14 Control Families

This checklist covers every NIST 800-171 control family required for CMMC Level 2. Use it to identify gaps, assign remediation owners, and track progress toward your C3PAO assessment.

1. Access Control (AC) — 22 Requirements

The largest control family and the one where most contractors fail. Access control governs who can reach CUI, how they authenticate, and what they can do once inside your systems.

3.1.1 — Limit system access to authorized users: Restrict information system access to authorized users, processes acting on behalf of authorized users, and devices. Implement role-based access control (RBAC) and document every user's access justification.
3.1.2 — Limit system access to permitted transactions and functions: Restrict each user to the transactions and functions their role authorizes. Review access rights quarterly and immediately upon role changes.
3.1.3 — Control CUI flow: Control the flow of CUI in accordance with approved authorizations. Implement data loss prevention (DLP) tools, network segmentation, and approved information exchange methods to prevent unauthorized CUI transfers.
3.1.5 — Employ the principle of least privilege: Authorize access only to the minimum CUI and system functions necessary for the job. Use separate admin accounts, restrict elevated privileges, and audit privileged actions.
3.1.7 — Prevent non-privileged users from executing privileged functions: Prevent non-privileged users from executing privileged functions and capture every execution of a privileged function in the audit logs; the logging half of this requirement is the part most often missed. Remove local admin rights from workstations and enforce application allowlisting.

2. Awareness and Training (AT) — 3 Requirements

Every person who touches CUI must understand the threats and their responsibilities. Assessors look for documented training programs with attendance records.

3.2.1 — Ensure managers and users are aware of security risks: Provide security awareness training to all personnel at hire and annually. Training must cover CUI handling, phishing recognition, social engineering, password policies, and incident reporting procedures.
3.2.2 — Ensure personnel are trained for security-related duties: Provide role-based training to users with significant security responsibilities: system administrators, incident responders, and security managers. Document specific training content and completion records.
3.2.3 — Provide insider threat awareness: Train all personnel on indicators of insider threat behavior, reporting mechanisms, and the organization's insider threat program. Update training annually with current threat intelligence.

3. Audit and Accountability (AU) — 9 Requirements

Logging is the foundation of accountability. C3PAO assessors will verify that you capture, protect, and regularly review audit records across all CUI-touching systems.

3.3.1 — Create and retain system audit logs: Create and retain system audit records to enable monitoring, analysis, investigation, and reporting. Logs must capture user identity, timestamps, event type, source, and outcome for all CUI system activity.
3.3.2 — Ensure individual accountability: Ensure actions can be traced to individual users. Eliminate shared accounts, enforce unique user IDs, and correlate authentication events with system activity.
3.3.5 — Correlate audit record review, analysis, and reporting: Deploy a SIEM or centralized log management solution that correlates events across systems. Define alert thresholds for suspicious patterns such as bursts of failed logins, after-hours access, and privilege escalation.
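What "correlate" means in practice for 3.3.5 is easier to see in code. Below is an added example, not PTG's code and not taken from any SIEM product, that runs three of the alert rules named above (a failed-login burst, after-hours access, and a privileged action from a non-admin account) over a handful of constructed audit records. The key=value log format, the host and user names, the 07:00-18:59 UTC business window and the "admin-" prefix used to mark the separate administrative accounts from 3.1.5 are all assumptions made for this illustration.

```python
"""Three SIEM-style correlation rules run over constructed audit records.

Added example, not PTG's code and not tied to any SIEM product. The log
format (ISO timestamp followed by key=value pairs), the host and user names,
the 07:00-18:59 UTC business window and the "admin-" prefix that marks the
separate administrative accounts required by 3.1.5 are all assumptions made
for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures from one source against one account...
FAIL_WINDOW = timedelta(minutes=10)  # ...inside this window count as a burst
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC is normal working time
ADMIN_PREFIX = "admin-"              # naming convention for privileged accounts

# Constructed sample records (assumption); in production these come from the SIEM.
SAMPLE_LOG = """\
2025-03-04T02:13:07Z host=cui-fs01 user=jdoe event=auth outcome=failure src=203.0.113.9
2025-03-04T02:13:12Z host=cui-fs01 user=jdoe event=auth outcome=failure src=203.0.113.9
2025-03-04T02:13:19Z host=cui-fs01 user=jdoe event=auth outcome=failure src=203.0.113.9
2025-03-04T02:13:25Z host=cui-fs01 user=jdoe event=auth outcome=failure src=203.0.113.9
2025-03-04T02:13:31Z host=cui-fs01 user=jdoe event=auth outcome=failure src=203.0.113.9
2025-03-04T02:13:40Z host=cui-fs01 user=jdoe event=auth outcome=success src=203.0.113.9
2025-03-04T09:02:10Z host=cui-fs01 user=asmith event=auth outcome=success src=10.0.5.23
2025-03-04T09:05:44Z host=cui-fs01 user=asmith event=priv_escalation outcome=success src=10.0.5.23 detail=added_to_group:Administrators
2025-03-04T14:20:01Z host=cui-fs01 user=admin-asmith event=priv_escalation outcome=success src=10.0.5.23 detail=sudo:/bin/bash
2025-03-04T22:47:15Z host=cui-fs01 user=bwu event=auth outcome=success src=10.0.5.77
"""


def parse(line):
    """One record per line: timestamp, then the key=value fields 3.3.1 asks for
    (who, when, what, where, outcome)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def failed_login_bursts(records):
    """Rule 1: FAIL_THRESHOLD or more failures from one source against one
    account within FAIL_WINDOW. A success right after the burst is flagged,
    because that is what a credential-stuffing hit looks like."""
    alerts, recent, fired = [], defaultdict(deque), {}
    for r in records:
        if r.get("event") != "auth":
            continue
        key = (r["src"], r["user"])
        if r["outcome"] == "failure":
            window = recent[key]
            window.append(r["ts"])
            while r["ts"] - window[0] > FAIL_WINDOW:  # drop failures that aged out
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in fired:
                fired[key] = {"rule": "failed_login_burst", "user": r["user"],
                              "src": r["src"], "failures": len(window),
                              "then_success": False}
                alerts.append(fired[key])
        elif key in fired and r["ts"] - recent[key][-1] <= FAIL_WINDOW:
            fired[key]["then_success"] = True
    return alerts


def after_hours_access(records):
    """Rule 2: successful logon outside the business window."""
    return [{"rule": "after_hours_access", "user": r["user"], "host": r["host"],
             "at": r["ts"].isoformat()}
            for r in records
            if r.get("event") == "auth" and r["outcome"] == "success"
            and r["ts"].hour not in BUSINESS_HOURS]


def privilege_escalation_by_standard_account(records):
    """Rule 3: a privileged action from an account that is not a designated
    admin account (a 3.1.5/3.1.7 violation, or a compromised user)."""
    return [{"rule": "priv_escalation_non_admin", "user": r["user"],
             "host": r["host"], "detail": r.get("detail", "")}
            for r in records
            if r.get("event") == "priv_escalation"
            and not r["user"].startswith(ADMIN_PREFIX)]


def detect(log_text):
    """Parse, order by time, and run every rule; returns the alert list."""
    records = sorted((parse(line) for line in log_text.strip().splitlines()),
                     key=lambda r: r["ts"])
    return (failed_login_bursts(records)
            + after_hours_access(records)
            + privilege_escalation_by_standard_account(records))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample above the rules raise four alerts: one burst (five failures from 203.0.113.9 against jdoe, followed by a success, which is the one to treat as a compromise rather than a lockout ticket), two after-hours logons (jdoe at 02:13 and bwu at 22:47), and one privileged action from the standard account asmith; the same action from admin-asmith is normal. The useful property for an assessor is that each alert carries the user, source and time, so the review process required by 3.3.5 can be shown end to end.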

4. Configuration Management (CM) — 9 Requirements

Baseline configurations and change control prevent unauthorized modifications that could expose CUI. Assessors check for documented baselines and active enforcement.

3.4.1 — Establish and maintain baseline configurations: Document and maintain baseline configurations for every information system component. Include hardware, software, firmware, and security settings. Update baselines when changes are approved.
3.4.2 — Establish and enforce security configuration settings: Apply and enforce security configuration settings for all IT products. Use CIS Benchmarks or DISA STIGs as your baseline, scan for deviations, and remediate drift promptly.
3.4.5 — Define and enforce access restrictions for change: Define, document, approve, and enforce the physical and logical access restrictions associated with changes to your systems. Limit who can make configuration changes (restrict admin consoles, deployment pipelines, and out-of-band management ports), separate change approval from change implementation, and keep an auditable record of each approved change. Controls on diagnostic and test equipment belong to the Maintenance family (3.7.2), not here.

5. Identification and Authentication (IA) — 11 Requirements

Under 3.5.3, multi-factor authentication is required for local and network access to privileged accounts and for network access to non-privileged accounts, which covers every admin login and every login that crosses a network. Weak authentication is one of the top reasons contractors fail their assessment.

3.5.1 — Identify system users and processes: Identify information system users, processes acting on behalf of users, and devices. Maintain a current inventory of all accounts and their associated authorization levels.
3.5.3 — Use multi-factor authentication: Require MFA for local and network access to privileged accounts and for network access to non-privileged accounts. NIST defines network access as any access over a network connection, so this is not limited to VPN or remote sessions. Prefer phishing-resistant authenticators (FIDO2/WebAuthn security keys, PIV or CAC smart cards); push notifications and one-time codes satisfy the requirement but are not phishing-resistant, and SMS codes are the weakest option.
3.5.7 — Enforce minimum password complexity: The requirement text only asks that minimum complexity and a change of characters be enforced when new passwords are created; a defensible implementation is a 14-character minimum, password history (also required by 3.5.8), lockout after repeated failures, and screening new passwords against known-compromised lists.

6. Incident Response (IR) — 3 Requirements

You need a documented and tested incident response plan specifically covering CUI-related incidents. Assessors will ask for evidence of tabletop exercises.

3.6.1 — Establish incident response capabilities: Develop an incident response plan that includes preparation, detection, analysis, containment, eradication, and recovery phases. The plan must address CUI spillage, unauthorized disclosure, and DoD reporting requirements.
3.6.2 — Track, document, and report incidents: Track and document all cybersecurity incidents from detection through resolution and report them to the designated internal officials and external authorities. For DoD work the external obligation comes from DFARS 252.204-7012: report cyber incidents affecting covered defense information within 72 hours of discovery through the DIBNet portal (which requires a DoD-approved medium assurance certificate, so obtain one before you need it) and preserve images of the affected systems for at least 90 days after reporting.
3.6.3 — Test incident response capabilities: Conduct tabletop exercises or functional tests of your incident response plan at least annually. Document lessons learned and update the plan based on test results and actual incidents.

7. Maintenance (MA) — 6 Requirements

System maintenance must be controlled, documented, and supervised when performed by external parties. Remote maintenance sessions require additional safeguards.

3.7.1 — Perform maintenance on systems: Perform maintenance on organizational systems in a timely manner. Use approved maintenance tools and document all maintenance activities including date, personnel, and components serviced.
3.7.5 — Require MFA for remote maintenance: Require multi-factor authentication to establish any nonlocal maintenance session over an external network connection, and terminate the connection when maintenance is complete. Monitor the session in real time when it is performed by an external vendor.
3.7.6 — Supervise external maintenance personnel: Supervise the maintenance activities of anyone who lacks the required access authorization. Escort external maintenance workers and keep them under observation while they have hands on CUI systems. Checking media that carries diagnostic or test programs for malicious code before use is a separate requirement, 3.7.4.

8. Media Protection (MP) — 9 Requirements

Any media that stores CUI must be protected throughout its lifecycle: storage, transport, sanitization, and disposal. This includes USBs, backup tapes, and cloud storage.

3.8.1 — Protect system media containing CUI: Restrict access to system media containing CUI to authorized individuals. Store digital media in access-controlled areas and physical media in locked cabinets with access logs.
3.8.3 — Sanitize media before disposal or reuse: Sanitize or destroy system media containing CUI before disposal or release for reuse. Follow NIST SP 800-88 for media sanitization and keep destruction certificates.
3.8.6 — Implement cryptographic mechanisms for portable media: Encrypt CUI stored on digital media during transport unless it is otherwise protected by alternative physical safeguards. Use FIPS 140-2 or 140-3 validated encryption modules and keep control of the keys; a key that travels with the drive protects nothing.

9. Personnel Security (PS) — 2 Requirements

Personnel security focuses on screening individuals before granting access to CUI and taking prompt action when employees leave or change roles.

3.9.1 — Screen individuals before authorizing access: Screen individuals prior to authorizing access to systems containing CUI. Conduct background checks appropriate to the role, verify employment history, and document the screening outcome. CUI does not require a security clearance; the depth of screening is set by your policy and by any contract-specific requirements.
3.9.2 — Protect CUI during personnel actions: Ensure CUI and CUI systems are protected during and after personnel actions such as terminations, transfers, and reassignments. Disable accounts at the time of termination (within 24 hours at the latest), recover all credentials and access devices, and adjust access on transfer so the person does not accumulate rights from previous roles.

10. Physical Protection (PE) — 6 Requirements

Physical access to facilities and systems that process CUI must be restricted, monitored, and logged. Visitor management is a common gap.

3.10.1 — Limit physical access to authorized individuals: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals. Use badge readers, biometric locks, or key-card systems with audit trails.
3.10.2 — Protect and monitor the physical facility: Protect and monitor the physical facility and its support infrastructure (power, HVAC, cabling, network closets). Deploy security cameras and conduct periodic walk-throughs. Visitor escorts and physical access logs are assessed under their own requirements, 3.10.3 and 3.10.4, so maintain both.
3.10.6 — Enforce safeguarding measures at alternate work sites: Enforce safeguarding measures for CUI at alternate work sites including home offices and remote locations. Provide VPN access, require encrypted drives, and prohibit CUI on personal devices.

11. Risk Assessment (RA) — 3 Requirements

Risk assessments are the foundation of your entire security program. Assessors expect current, documented risk assessments with prioritized findings and active remediation.

3.11.1 — Periodically assess organizational risk: Periodically assess the risk to organizational operations, assets, and individuals resulting from CUI processing, storage, and transmission. Update the risk assessment when significant changes occur or at least annually.
3.11.2 — Scan for vulnerabilities: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting them are identified. Run authenticated scans at least quarterly; an annual penetration test goes beyond what 3.11.2 requires but is good practice and useful evidence.
3.11.3 — Remediate vulnerabilities in a timely manner: Remediate vulnerabilities in accordance with your risk assessments. Establish a defined remediation timeline, for example critical within 15 days, high within 30 days, medium within 90 days, and low within 180 days, and track every exception.

12. Security Assessment (CA) — 4 Requirements

Internal assessments and continuous monitoring ensure your controls remain effective between C3PAO assessments. This is where your System Security Plan lives.

3.12.1 — Assess security controls periodically: Periodically assess the security controls in organizational systems to determine if they are effective. Conduct internal assessments at least annually using the NIST SP 800-171A assessment procedures.
3.12.2 — Develop and implement Plans of Action: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. POA&Ms must include milestones, responsible parties, estimated completion dates, and resource requirements. Remember that the CMMC rule limits what may still be open on a POA&M at assessment time.
3.12.4 — Develop and update a System Security Plan: Develop, document, and periodically update a System Security Plan (SSP) that describes the system boundary, operating environment, security requirements, how each of the 110 controls is implemented or planned, and the connections to other systems. The SSP is the single most important document for your C3PAO assessment: under the DoD Assessment Methodology an organization without an SSP cannot be assessed or scored at all.

13. System and Communications Protection (SC) — 16 Requirements

The second-largest control family covers network boundary protection, CUI encryption, session management, and cryptographic key management. This is where CUI enclaves are defined.

3.13.1 — Monitor and protect communications at system boundaries: Monitor, control, and protect communications at external and key internal boundaries. Deploy firewalls, intrusion detection/prevention systems, and web application firewalls at every CUI boundary, and keep the boundary devices themselves inside the scope of your logging and configuration management.
3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure: Encrypt CUI in transit unless it is protected by alternative physical safeguards. Use TLS 1.2 or higher with FIPS 140-2 or 140-3 validated modules for all CUI data in transit, and disable TLS 1.0/1.1 and non-approved cipher suites on the endpoints.
3.13.11 — Employ FIPS-validated cryptography: Employ FIPS-validated cryptography whenever cryptography is used to protect CUI. Validation is a property of the module, not the algorithm: "uses AES-256" or "FIPS-compliant" is not enough. Look up the module's certificate on the NIST Cryptographic Module Validation Program (CMVP) list and confirm the product is actually running in its FIPS-approved mode, since many products ship with the validated module present but not enabled. Encryption that is in use but not FIPS-validated scores as a 3-point rather than a 5-point deduction and is the one multi-point item the rule allows on a POA&M.
3.13.16 — Protect CUI at rest: Protect the confidentiality of CUI at rest. Encryption is the usual mechanism: full-disk encryption on all endpoints and database- or volume-level encryption for CUI stored in applications and file servers, using modules that satisfy 3.13.11.

14. System and Information Integrity (SI) — 7 Requirements

The final family covers flaw remediation, malware protection, security monitoring, and ensuring the integrity of your CUI processing systems.

3.14.1 — Identify and remediate flaws in a timely manner: Identify, report, and correct information system flaws in a timely manner. Establish a patch management program that applies critical security updates within 14 days and all others within 30 days.
3.14.2 — Provide malware protection: Provide protection from malicious code at appropriate locations within organizational systems. Deploy endpoint detection and response (EDR) on all systems, keep signatures current, and enable real-time scanning.
3.14.6 — Monitor systems for unauthorized access: Monitor organizational systems, including inbound and outbound traffic, to detect attacks and indicators of compromise. Deploy a managed detection and response solution or 24/7 SOC monitoring for continuous coverage.
3.14.7 — Identify unauthorized use of systems: Identify unauthorized use of organizational systems. Correlate audit records, network traffic, and user behavior analytics to detect anomalous patterns that indicate compromise or policy violations.

Assessment Timeline

CMMC Certification Timeline

Most defense contractors need 6 to 18 months to go from initial gap assessment to passing their C3PAO assessment. Here is the typical path.

1. Gap Assessment — Months 1-2

Evaluate your current posture against all 110 requirements. Score the result with the DoD Assessment Methodology (start at 110 and subtract 1, 3, or 5 points for each requirement not met) and post that SPRS score. Identify every gap and prioritize remediation by point value and by the POA&M rules: apart from partially implemented encryption under 3.13.11, a requirement worth 3 or 5 points cannot be left open at assessment time.

2. SSP and POA&M — Months 2-4

Develop your System Security Plan documenting how each control is implemented. Create Plans of Action and Milestones for open items.

3. Remediation — Months 3-12

Close gaps identified in your assessment. Deploy technical controls, update policies, train personnel, and implement monitoring systems.

4. C3PAO Assessment — Months 9-18

Engage a C3PAO for your formal assessment. Provide evidence, support interviews, and demonstrate control implementation across all 14 families.
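Step 1 asks you to calculate your SPRS score and to sort the gaps by what the rule will let you leave open. The following is an added example, not PTG's or DoD's tooling: it applies the DoD Assessment Methodology scoring rules (110 minus 1, 3 or 5 points per unmet requirement, a reduced 3-point deduction for partially implemented 3.5.3 and 3.13.11, no score at all without an SSP, and a floor of -203) and then checks the Level 2 POA&M-eligibility rules from the CMMC final rule. The point values are a constructed sample covering ten requirements, an assumption made for illustration; a real score must load the Annex A values for all 110. The list of 1-point requirements that may never sit on a POA&M is my summary of 32 CFR 170.21 and should be verified against the rule text.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does (this is the number posted to SPRS) and check whether the
open items would be allowed on a CMMC Level 2 POA&M.

Added example, not PTG's or DoD's tooling. SAMPLE_WEIGHTS is a constructed
sample (assumption) covering ten of the 110 requirements; a real score must
load the 1/3/5 point values for all 110 from Annex A of the methodology.
Any requirement missing from the weights table is treated as implemented.
"""

MAX_SCORE = 110
MIN_SCORE = -203        # floor stated by the DoD Assessment Methodology
CONDITIONAL_MIN = 88    # 0.8 x 110: minimum score for conditional Level 2 status
NOT_SCORED = "NA"       # 3.12.4 (the SSP) carries no points; with no SSP there is no score

# Methodology special cases: these two score a 3-point deduction when
# partially implemented instead of their full 5 points.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA covers privileged and remote access but not general users
    "3.13.11": 3,  # encryption is in use but the module is not FIPS-validated
}

# 1-point requirements that must still be MET at assessment time. This is my
# summary of 32 CFR 170.21 (assumption to verify): nothing worth more than
# 1 point may be on a POA&M except 3.13.11 in its partial state.
NEVER_POAM_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Constructed sample subset of Annex A (assumption); replace with all 110.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.5.3": 5, "3.12.4": NOT_SCORED, "3.13.11": 5, "3.13.16": 1, "3.14.2": 5,
}


def deduction(req_id, status, weight):
    """Points subtracted from 110 for one requirement. status is "met",
    "not_met" or "partial"; "partial" only earns reduced credit for the
    PARTIAL_CREDIT requirements and counts as not met everywhere else."""
    if status == "met":
        return 0
    if weight == NOT_SCORED:
        raise ValueError(f"{req_id}: no System Security Plan, assessment cannot be scored")
    if status == "partial" and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    return weight


def sprs_score(statuses, weights):
    """110 minus the deductions; raises if the weights table is inconsistent."""
    score = MAX_SCORE - sum(deduction(r, statuses.get(r, "met"), w)
                            for r, w in weights.items())
    if score < MIN_SCORE:  # impossible with Annex A weights, so the table is wrong
        raise ValueError(f"score {score} is below the methodology floor of {MIN_SCORE}")
    return score


def poam_eligibility(statuses, weights):
    """Return (eligible, reasons). Eligible means the open items could sit on a
    180-day POA&M under a conditional Level 2 status."""
    reasons = []
    score = sprs_score(statuses, weights)
    if score < CONDITIONAL_MIN:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN} minimum")
    for req_id, weight in weights.items():
        status = statuses.get(req_id, "met")
        if status == "met":
            continue
        if req_id == "3.13.11" and status == "partial":
            continue  # the one multi-point item the rule allows on a POA&M
        if weight != 1:
            reasons.append(f"{req_id} ({weight} points) cannot be on a POA&M")
        elif req_id in NEVER_POAM_ONE_POINTERS:
            reasons.append(f"{req_id} is a 1-point item that must nevertheless be MET")
    return (not reasons, reasons)


# Constructed sample self-assessment (assumption): everything else is met.
SAMPLE_STATUS = {
    "3.1.5": "not_met", "3.1.22": "not_met", "3.5.3": "partial",
    "3.13.11": "partial", "3.13.16": "not_met",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_STATUS, SAMPLE_WEIGHTS))  # 99
    eligible, why = poam_eligibility(SAMPLE_STATUS, SAMPLE_WEIGHTS)
    print("POA&M eligible:", eligible)  # False: 3.1.5, 3.1.22 and 3.5.3 block it
    for line in why:
        print("  -", line)
```

The sample scores 99, comfortably above 88, and is still not eligible for a conditional status: 3.1.5 is worth 3 points, 3.1.22 is a 1-point item the rule requires to be met, and partial MFA under 3.5.3 gets reduced scoring but no POA&M exception. Only the non-FIPS encryption and the unencrypted data at rest could be carried. That is the practical reason step 1 sorts gaps by point value rather than by count.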

Organizations with mature security programs and existing compliance documentation (ISO 27001, SOC 2, FedRAMP) can often complete the process in 6 to 9 months. Those starting from scratch with minimal security infrastructure should plan for 12 to 18 months. The single biggest factor affecting timeline is the size and complexity of your CUI boundary. A CMMC gap assessment provides a realistic timeline estimate based on your specific environment.


Cost of Non-Compliance

What Happens If You Fail CMMC?

The consequences of CMMC non-compliance extend far beyond a failed assessment. Defense contractors that cannot demonstrate compliance face a cascade of business impacts that threaten their viability as government contractors.

Loss of DoD contracts: Without CMMC certification at the required level, your organization cannot bid on or be awarded contracts that require CUI handling. For many defense contractors, DoD work represents 50-80% of their revenue. Losing eligibility means losing the core of your business.

Supply chain exclusion: Prime contractors are increasingly requiring CMMC compliance from their subcontractors before the DoD mandate takes full effect. Even if your specific contract does not yet require CMMC, your prime may drop you in favor of a certified competitor.

False Claims Act exposure: If you knowingly posted an inaccurate SPRS score or affirmed compliance you did not have, you can face False Claims Act liability. Failing a C3PAO assessment is not itself fraud, but it can expose an earlier self-attestation as false. Recent DOJ settlements in cybersecurity fraud cases have reached tens of millions of dollars, and the DOJ's Civil Cyber-Fraud Initiative specifically targets contractors who misrepresent their cybersecurity posture.

Competitive disadvantage: Contractors that achieve CMMC certification early gain a significant competitive advantage. They can bid on contracts that non-certified competitors cannot, and they demonstrate to primes that they take CUI protection seriously.

Incident liability: A data breach involving CUI when your organization is not compliant dramatically increases your legal exposure. Without documented controls and incident response procedures, the financial and reputational damage from a breach is amplified.


PTG CMMC Services

How Petronella Helps You Get Certified

Petronella Technology Group is a CMMC Registered Provider Organization (RPO) with an entire team of CMMC-RP certified practitioners. We guide defense contractors from initial assessment through successful C3PAO certification.

Our CMMC engagement follows a proven process: comprehensive gap assessment with validated SPRS scoring, SSP and POA&M development, hands-on remediation support, mock assessments that mirror the C3PAO methodology, and ongoing compliance monitoring using AI-powered automation. We have served 2,500+ clients since 2002, and our team includes Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) along with Blake Rea, Justin Summers, and Jonathan Wood, all CMMC-RP certified.


FAQ

CMMC Compliance Checklist FAQ

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 and applies to organizations handling only Federal Contract Information (FCI). It is verified by annual self-assessment. Level 2 maps to all 110 NIST SP 800-171 security requirements and applies to organizations handling Controlled Unclassified Information (CUI). For most CUI contracts Level 2 requires a third-party assessment by an authorized C3PAO, valid for three years with an annual affirmation; a limited set of Level 2 contracts accept an annual self-assessment instead, and the solicitation states which applies. The jump from Level 1 to Level 2 is substantial, requiring significantly more documentation, technical controls, and organizational processes. Learn more in our CMMC levels explained guide.

How much does CMMC Level 2 certification cost?

Total cost ranges from $100,000 to $500,000+ depending on organizational size, current security posture, and scope of CUI processing. A gap assessment typically costs $15,000 to $50,000. Remediation is the largest variable, ranging from $50,000 for organizations with mature security to $300,000+ for those starting from scratch. The C3PAO assessment itself costs $50,000 to $150,000. CUI enclave solutions can significantly reduce total cost by minimizing the assessment boundary. PTG's gap assessment provides a detailed cost estimate specific to your environment.

How long does it take to achieve CMMC Level 2 certification?

Most organizations need 6 to 18 months from initial gap assessment to passing the C3PAO assessment. Organizations with existing compliance programs (ISO 27001, SOC 2, or FedRAMP) and documented security policies can often complete in 6 to 9 months. Those building security programs from the ground up should plan for 12 to 18 months. The biggest factors affecting timeline are the size of your CUI boundary, current SPRS score, and available internal resources.

What is a System Security Plan (SSP) and do I need one?

A System Security Plan is the foundational document for your CMMC assessment. It describes your information system boundary, the operating environment, how you implement each of the 110 NIST SP 800-171 controls, and the connections to other systems. Every organization pursuing CMMC Level 2 must have a complete, current SSP; without one the assessment cannot be conducted or scored. It is the first document your C3PAO will request. PTG develops SSPs using the DoD-recommended format and populates each control with specific evidence of your implementation.

Can I use a CUI enclave to reduce my CMMC scope?

Yes. A CUI enclave is a segmented network environment specifically designed for processing, storing, and transmitting CUI. By isolating CUI in a dedicated enclave, you reduce the number of systems that fall within your CMMC assessment boundary. This can dramatically reduce both the cost and timeline for certification. The enclave must be properly segmented with documented data flows, and users who access the enclave must still meet all 110 requirements within that boundary. PTG deploys CUI enclaves using proven architectures that have successfully passed C3PAO assessments.

What happens if my organization fails the C3PAO assessment?

If you do not pass outright, you receive a report detailing the specific requirements that were not met. If your score is at least 88 and every open item is one the rule permits on a POA&M, the C3PAO can issue a conditional Level 2 status and you have 180 days to close the POA&M and have the closure verified; miss that window and the conditional status lapses. If the score or the open items do not qualify, you remediate and pay for a new assessment, and during the gap you cannot be awarded new contracts requiring CMMC at that level. This is why PTG recommends conducting a thorough gap assessment and mock assessment before engaging a C3PAO, so you identify and close all gaps before the formal assessment begins.

Start Your CMMC Compliance Journey

Our CMMC-RP certified team has helped defense contractors across North Carolina prepare for and pass their C3PAO assessments. Get a gap assessment and know exactly where you stand.