
CMMC Level 2 Checklist: All 110 Controls in Plain English

Every NIST 800-171 control required for CMMC Level 2, translated from government-speak into what you actually need to do. Use this as a starting point for your gap assessment.

How to Use This Checklist

CMMC Level 2 maps directly to NIST SP 800-171, which has 110 security requirements organized into 14 "families." Every one of these controls is required for certification — there are no optional ones.

As you read through the controls, assess your current state for each one: Met (you have this fully implemented and can show evidence), Partial (you've started but haven't finished, or it's inconsistently applied), or Not Met (you haven't addressed this at all).

Your honest count of Not Met and Partial items tells you the scale of your remediation project. Most small defense contractors, starting from scratch, have 20–50 controls they need to work on. That's not unusual. The goal isn't to be perfectly clean before you start — it's to understand your actual position so you can build a realistic plan.

Don't try to game this checklist. The controls that seem hardest to check are the ones an assessor will scrutinize most. An honest gap assessment is the only foundation for a credible remediation plan.


AC — Access Control (22 controls)

The largest family. Controls who can access what, under what conditions, and how access is managed.

3.1.1 Limit system access to authorized users only
Only people with an account on your system can use it. No shared logins, no "guest" accounts with real access.

3.1.2 Limit access to functions users need for their job
Least privilege. A sales coordinator doesn't need access to engineering file servers. A technician doesn't need payroll access.

3.1.3 Control flow of CUI in accordance with approved policies
You have documented rules for how CUI moves through and out of your organization — who can send it, to whom, and how.

3.1.4 Separate duties of individuals to reduce risk of malicious activity
No single person should be able to initiate AND approve sensitive transactions. No single admin controls everything.

3.1.5 Employ least privilege — including for privileged accounts
Even admins should only have admin rights where specifically needed. No universal god-mode accounts used daily.

3.1.6 Use non-privileged accounts for non-privileged activities
Your IT admin has a regular user account for daily work and a separate admin account for admin tasks. They don't browse the web as admin.

3.1.7 Prevent non-privileged users from executing privileged functions
Regular users can't install software, change system settings, or disable security controls.

3.1.8 Limit unsuccessful login attempts
Lock accounts after a certain number of failed login attempts (typically 3–10). Prevents brute-force password attacks.

3.1.9 Provide privacy and security notices when users log in
A login banner that informs users the system is monitored and that unauthorized use is prohibited. Required before login completes.

3.1.10 Use session lock after period of inactivity
Screen locks after inactivity (typically 15 minutes). Requires re-authentication to unlock.

3.1.11 Terminate sessions after defined conditions
Sessions end after a defined inactivity period or logout. Logged-off users can't resume without re-authenticating.

3.1.12 Monitor and control remote access sessions
You know who's connected remotely, when, and from where. Remote sessions are logged and can be terminated.

3.1.13 Employ cryptographic mechanisms for remote access
Remote access uses VPN or other encrypted channel. Plain HTTP or unencrypted RDP is not acceptable.

3.1.14 Route remote access via managed access control points
Remote workers connect through your VPN or approved secure gateway — not directly to internal systems from the internet.

3.1.15 Authorize remote execution of privileged commands via remote access only for operational needs
Admins don't run privileged remote commands unless operationally necessary and authorized.

3.1.16 Authorize wireless access before allowing connections
Wireless networks require authorization. Rogue APs are detected. Employees can't just plug in a personal router.

3.1.17 Protect wireless access using authentication and encryption
Wi-Fi uses WPA2 or WPA3 with strong passwords or certificates. Open or WEP networks are prohibited.

3.1.18 Control connection of mobile devices
Mobile devices that access your CUI environment are authorized, managed (MDM enrolled), and configured to policy.

3.1.19 Encrypt CUI on mobile devices and mobile computing platforms
Laptops and mobile devices with CUI access have full-disk encryption enabled. BitLocker, FileVault, or equivalent.

3.1.20 Verify and control connections to external systems
You know which external systems your users connect to and have approved them. Cloud services, contractor portals, etc.

3.1.21 Limit CUI on public systems
CUI is not processed on systems accessible to the public — no CUI on public-facing websites or unauthenticated portals.

3.1.22 Control CUI posted or processed on publicly accessible information systems
If CUI is ever on a publicly accessible system, it's protected with strong access controls. Ideally it never is.

AT — Awareness and Training (3 controls)

3.2.1 Ensure personnel are aware of security risks
All employees who use your systems understand that cyber threats are real, what they look like (phishing, social engineering), and what to do.

3.2.2 Ensure personnel are trained on security responsibilities
Training is documented and tracked. Not just a one-time orientation — periodic refreshers, especially after incidents or policy changes.

3.2.3 Provide security awareness training on recognizing and reporting threats
Specifically: insider threat awareness training. Employees know the signs of compromised coworkers and how to report concerns.

AU — Audit and Accountability (9 controls)

3.3.1 Create and retain audit logs for monitoring and investigation
System event logs are created and kept long enough to investigate incidents (typically 90 days minimum). Can't just let logs roll over.

3.3.2 Ensure individual user actions can be traced
Logs are tied to specific user accounts. "Someone logged in" is not enough — it has to be "user jsmith logged in at 2:47 PM."

3.3.3 Review and update logged events
Periodically review which events you're logging to make sure you're capturing what matters. Document the review.

3.3.4 Alert when audit logging fails
If your logging system stops working, someone gets alerted immediately. Logging failure is a serious security event.

3.3.5 Correlate audit record review and analysis
Logs from different systems are analyzed together. A SIEM (Security Information and Event Management) system handles this.

3.3.6 Provide audit reduction and report generation
You can search, filter, and report on your logs. Not just raw log files — you can ask questions and get answers.

3.3.7 Provide system clock with authoritative time source
All systems use the same time source (NTP server). Log correlation requires consistent timestamps across systems.

3.3.8 Protect audit information from unauthorized access or modification
Logs can't be deleted or modified by the people being logged. Separate log storage that only security personnel can access.

3.3.9 Limit log management to authorized users
Only designated personnel can manage the logging system. Follows least privilege — not everyone can see or manipulate audit logs.

CM — Configuration Management (9 controls)

3.4.1 Establish and maintain baseline configurations
You have a documented "standard build" for each type of system. New computers are built to the baseline. Deviations are tracked.

3.4.2 Establish a change management process
Changes to systems go through an approval process. No unauthorized software installs, no configuration changes without documentation.

3.4.3 Track, review, approve, and log changes
Every change is documented with who authorized it, what was changed, and when. This is your change log.

3.4.4 Analyze security impact of changes before implementing
Before a major system change, someone considers the security implications. Documented analysis — not just a verbal check.

3.4.5 Define, document, approve, and enforce physical access restrictions
Your baselines define physical access rules for system components. Server rooms require access control.

3.4.6 Employ principle of least functionality — only essential capabilities
Systems only have software and features they need. Disable unneeded services, ports, and protocols. Don't install software you don't use.

3.4.7 Restrict, disable, or prevent the use of nonessential programs
Application allowlisting or software restriction policies prevent unauthorized software from running.

3.4.8 Apply deny-by-default policy for unauthorized software
Default is to block unknown software. Only explicitly approved software runs. This is application control.

3.4.9 Control and monitor user-installed software
Users can't install software without approval. If they install something, it gets detected and addressed.

IA — Identification and Authentication (11 controls)

3.5.1 Identify all users, processes, and devices
Everything on your network has an identity. No unidentified devices, no anonymous processes, no unnamed service accounts.

3.5.2 Authenticate the identity of users, processes, and devices
Not just username — you verify it's really them. Passwords at minimum, MFA for CUI access.

3.5.3 Use multi-factor authentication for local and network access to CUI
MFA is required for accessing systems containing CUI. Username + password alone isn't enough. This is a critical control — no POA&M allowed.

3.5.4 Employ replay-resistant authentication mechanisms
Authentication methods that can't be defeated by capturing and replaying credentials. MFA handles this for most environments.

3.5.5 Employ identifier management — disable inactive accounts
Unused accounts are disabled after a defined inactivity period (typically 30–90 days). Terminated employees' accounts are disabled immediately.

3.5.6 Manage authenticators — change defaults, protect storage
Default passwords are changed. Passwords are stored hashed, not in plaintext. Password managers are approved and used.

3.5.7 Enforce minimum password complexity and change requirements
Passwords meet complexity requirements (length, character types). Force changes when compromised. NIST recommends 12+ characters.

3.5.8 Prohibit password reuse
Users can't recycle their last N passwords (typically 5–10). Password history is enforced by your directory system.

3.5.9 Allow temporary password use with immediate change requirement
When you issue a temporary password (new employee, reset), the user must change it on first login.

3.5.10 Store and transmit only cryptographically protected passwords
Passwords are hashed using approved algorithms (bcrypt, Argon2, PBKDF2). Never stored or sent in plaintext.

3.5.11 Obscure feedback of authentication information during login
Password fields show dots, not characters. No password-visible toggle on sensitive systems. Nothing that reveals what someone types.
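The four password controls 3.5.7 through 3.5.10 interact in one place: the credential store. The example below is added here (it is not from this guide or any directory product) and shows why they belong together: because plaintext is never kept (3.5.10), the reuse check for 3.5.8 has to re-hash the candidate under each historical salt. MIN_LENGTH, HISTORY_DEPTH, the iteration count and the user names are constructed assumptions.

```python
"""Password handling matching IA 3.5.7-3.5.10 as this page describes them:
a minimum length, no reuse of the last N passwords, temporary passwords
that must be changed at first login, and storage as salted PBKDF2 hashes
only.  Added example; MIN_LENGTH, HISTORY_DEPTH and the user names are
constructed for illustration, not values from the page's author.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12              # page: "NIST recommends 12+ characters" (3.5.7)
HISTORY_DEPTH = 5            # page: "last N passwords (typically 5-10)" (3.5.8)
PBKDF2_ITERATIONS = 210_000  # constructed; tune upward for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, one of the page's approved algorithms (3.5.10)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordStore:
    """In-memory store; each user keeps a current hash and a bounded history."""

    def __init__(self):
        self._users = {}   # user -> {"salt", "hash", "history", "must_change"}

    def _reused(self, record, candidate):
        # Plaintext is never kept, so history is checked by re-hashing the
        # candidate under each historical salt and comparing in constant time.
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in record["history"])

    def set_password(self, user, password, temporary=False):
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than %d characters" % MIN_LENGTH)
        record = self._users.get(user, {"history": [], "must_change": False})
        if self._reused(record, password):
            raise ValueError("password matches one of the last %d" % HISTORY_DEPTH)
        salt = os.urandom(16)                 # fresh random salt per password
        digest = hash_password(password, salt)
        record["salt"], record["hash"] = salt, digest
        record["history"] = (record["history"] + [(salt, digest)])[-HISTORY_DEPTH:]
        record["must_change"] = temporary     # 3.5.9: temporary => change at first login
        self._users[user] = record

    def verify(self, user, password):
        """Returns (authenticated, must_change)."""
        record = self._users.get(user)
        if record is None:
            # A production store would hash a dummy value here so timing
            # does not reveal whether the user exists.
            return (False, False)
        ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                 record["hash"])
        return (ok, ok and record["must_change"])

    def change_password(self, user, old, new):
        """User-driven change: proves the old password, then applies the new one."""
        authenticated, _ = self.verify(user, old)
        if not authenticated:
            return False
        self.set_password(user, new, temporary=False)
        return True
```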

IR — Incident Response (3 controls)

3.6.1 Establish an operational incident-handling capability
You have a written Incident Response Plan. When a breach happens, people know what to do, who to call, and in what order.

3.6.2 Track, document, and report incidents
Incidents are documented and reported to appropriate authorities. DFARS 252.204-7012 requires reporting to DoD within 72 hours of discovery.

3.6.3 Test the incident response capability
You exercise your incident response plan at least annually — tabletop exercise, red team test, or actual test scenario. Document results.

MA — Maintenance (6 controls)

3.7.1 Perform maintenance on organizational systems
Regular patching and maintenance is scheduled and performed. Systems aren't running years behind on security updates.

3.7.2 Provide controls on tools and personnel for maintenance
People doing maintenance are authorized. External maintenance technicians are supervised and their tools are checked.

3.7.3 Ensure remote maintenance is secure
Remote maintenance sessions are encrypted, authorized in advance, and logged. Vendor remote access is controlled and time-limited.

3.7.4 Check maintenance equipment for malicious code
External USB drives or laptops brought in by maintenance technicians are scanned before connecting to your systems.

3.7.5 Require MFA for remote maintenance sessions
Remote maintenance access requires multi-factor authentication — not just a username and password.

3.7.6 Supervise and review maintenance activities of non-local maintenance personnel
When outside contractors do maintenance remotely, an authorized internal person monitors what they're doing.

MP — Media Protection (9 controls)

3.8.1 Protect system media containing CUI
Physical and digital media with CUI is secured. USB drives, laptops, printed documents — all have appropriate controls.

3.8.2 Limit access to CUI on media to authorized users
Not everyone can access every USB drive or file server. CUI media access is controlled and logged.

3.8.3 Sanitize or destroy media before disposal or reuse
Before a computer is sold, recycled, or repurposed, its drive is securely wiped (DoD 7-pass or physical destruction). No CUI leaves on old drives.

3.8.4 Mark media with necessary CUI markings and distribution limitations
Media containing CUI is labeled appropriately. USB drives with CUI are marked. Printed CUI documents are marked per NARA guidelines.

3.8.5 Control access to media containing CUI during transport
CUI media being transported (shipped, carried) is protected. Encryption on laptops, double-wrapped for physical shipments.

3.8.6 Implement cryptographic mechanisms to protect CUI during transport unless protected by physical safeguards
CUI data in transit is encrypted. USB drives are encrypted. Emailed CUI is encrypted.

3.8.7 Control use of removable media on systems
USB ports are controlled — either disabled entirely or limited to approved devices. Unknown USB drives can't be plugged in.

3.8.8 Prohibit use of portable storage without identified owner
Unidentified USB drives can't be used in your environment. Every portable device has a documented owner.

3.8.9 Protect backups of CUI
Backups containing CUI are encrypted and stored securely. Access to backup systems is controlled. Backup integrity is tested.

PS — Personnel Security (2 controls)

3.9.1 Screen individuals prior to authorizing access to CUI
Background checks for employees with CUI access. The depth of screening is commensurate with the risk of the position.

3.9.2 Ensure CUI is protected during and after personnel actions such as terminations and transfers
When someone is fired or leaves, their access is immediately revoked. CUI they had access to is accounted for.

PE — Physical Protection (6 controls)

3.10.1 Limit physical access to systems to authorized individuals
Your server room, data closets, and areas where CUI systems are located have physical access controls — keys, key cards, or combination locks.

3.10.2 Protect and monitor the physical facility and support infrastructure
The building that houses your CUI environment has physical security. Cameras, alarms, or other monitoring appropriate to the risk.

3.10.3 Escort visitors and monitor visitor activity
Visitors to areas with CUI are escorted by authorized personnel. They don't wander unaccompanied through sensitive areas.

3.10.4 Maintain audit logs of physical access
Physical access is logged — key card logs, sign-in/sign-out sheets, or equivalent. Know who entered restricted areas and when.

3.10.5 Control and manage physical access devices
Keys and access cards are issued, tracked, and collected when no longer needed. Terminated employees' cards are deactivated immediately.

3.10.6 Enforce safeguarding measures for CUI at alternate work sites
People working from home or remote locations take the same CUI protection precautions they would in the office. Documented in your telework policy.

RA — Risk Assessment (3 controls)

3.11.1 Periodically assess risk to organizational operations
You conduct a formal risk assessment at least annually and whenever major changes occur. Document what you found and how you responded.

3.11.2 Scan for vulnerabilities in systems periodically and when new vulnerabilities are identified
Regular vulnerability scans of your systems. Scan results are reviewed and critical vulnerabilities are remediated promptly.

3.11.3 Remediate vulnerabilities in accordance with risk assessments
Vulnerabilities are prioritized by risk and remediated accordingly. Critical/high findings get addressed faster than low findings.

CA — Security Assessment (4 controls)

3.12.1 Periodically assess security controls to determine if they're effective
You test your security controls — not just assume they work. Annual assessments or audits of your security posture.

3.12.2 Develop and implement Plans of Action and Milestones (POA&Ms)
When you find gaps, you document them in a POA&M with remediation timelines. Then you actually fix them.

3.12.3 Monitor security controls on an ongoing basis
Continuous monitoring — not just annual. Regular review of logs, alerts, and security metrics to catch issues between assessments.

3.12.4 Develop, document, and periodically update a System Security Plan (SSP)
Your SSP describes your entire security environment — systems, controls implemented, personnel, and how everything fits together. Updated annually and after major changes.

SC — System and Communications Protection (16 controls)

3.13.1 Monitor, control, and protect communications at external boundaries
Your network perimeter is secured — firewall, intrusion detection, and monitoring of what goes in and out at the edge.

3.13.2 Employ architectural designs and configurations that promote security
Network architecture follows security principles — segmentation, defense in depth, layered controls. Not just one firewall protecting everything.

3.13.3 Separate user functionality from system management functionality
Admin interfaces are separate from user interfaces. Admins don't manage systems through the same portal users use to work.

3.13.4 Prevent unauthorized and unintended information transfer
Data doesn't leak between security domains. Your engineering server doesn't have an open path to your public website.

3.13.5 Implement subnetworks for publicly accessible system components
Public-facing systems (web servers, email) are in a DMZ, separated from internal systems that hold CUI.

3.13.6 Deny network communications traffic by default; allow by exception
Firewall default is block. Only explicitly permitted traffic gets through. Not the other way around.

3.13.7 Prevent remote devices from simultaneously using tunneled and non-tunneled connections (split tunneling)
When connected to VPN, all traffic goes through the VPN — not a split-tunnel where only some traffic is encrypted.

3.13.8 Implement cryptographic mechanisms to protect CUI during transmission
Data in transit is encrypted — TLS 1.2 or higher for web traffic, encrypted email, VPN for network connections. No cleartext transmission of CUI.

3.13.9 Terminate network connections after defined period of inactivity
Idle network sessions time out. A VPN session left open overnight gets terminated after inactivity.

3.13.10 Establish and manage cryptographic keys
Encryption keys have defined lifetimes, are stored securely, and are rotated on schedule. Key management isn't ad hoc.

3.13.11 Employ FIPS-validated cryptography
When cryptography is used, it's FIPS 140-2 (or 140-3) validated. Not just any encryption algorithm — validated implementations.

3.13.12 Prohibit remote activation of collaborative computing devices
Cameras and microphones in meeting rooms and devices can't be remotely activated without notice to the user. Physical covers on laptop cameras are acceptable.

3.13.13 Control and monitor use of mobile code
JavaScript, ActiveX, Flash, and other mobile code are controlled. Browsers are configured to block or warn about potentially malicious code.

3.13.14 Control and monitor use of Voice over Internet Protocol (VoIP)
If you use VoIP, it's authorized, monitored, and not used to transmit CUI without appropriate protections.

3.13.15 Protect the authenticity of communications sessions
Your communications sessions can't be hijacked or spoofed. TLS mutual authentication, session tokens that expire, etc.

3.13.16 Protect CUI at rest
CUI stored on your systems is encrypted. Full-disk encryption on laptops, encrypted databases, encrypted cloud storage.

SI — System and Information Integrity (7 controls)

3.14.1 Identify, report, and correct system flaws in a timely manner
Security patches are applied promptly — critical patches within days, not months. Patch management is a documented process, not ad hoc.

3.14.2 Provide protection from malicious code at appropriate locations
Endpoint Detection and Response (EDR) or antivirus on all workstations and servers. Not just endpoint — also at email gateways.

3.14.3 Monitor security alerts and take action
Someone is actually watching your security alerts. EDR alerts don't just pile up unreviewed. Alerts trigger action, not just emails to an overflowing inbox.

3.14.4 Update malicious code protection mechanisms
AV and EDR definitions are updated automatically. You're not running signatures from three months ago.

3.14.5 Perform periodic scans and real-time detection of malicious code
Both scheduled scans and real-time protection. You don't just scan monthly — you catch threats as they arrive.

3.14.6 Monitor organizational systems for attacks and indicators of compromise
Network-level monitoring for attack indicators — unusual traffic patterns, lateral movement, data exfiltration attempts. SIEM or MDR service.

3.14.7 Identify unauthorized use of organizational systems
You can detect when someone uses your systems in an unauthorized way — off-hours access, unusual data transfers, access from unexpected locations.
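Three of the controls above are really one piece of detection logic: 3.1.8 (count failed logins and lock at a threshold), 3.3.2 (every event must name a user) and 3.14.7 (off-hours logins and logins from unexpected locations). The script below is an added example, not part of this guide or any SIEM product; the log format, host and user names, addresses, business hours and thresholds are constructed for illustration.

```python
"""Detection logic run over constructed authentication log lines, covering
lock-out after repeated failures (3.1.8), events traceable to a named user
(3.3.2) and unauthorized-use indicators (3.14.7).  Added example; the log
format, hosts, users, addresses, hours and thresholds are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOCKOUT_THRESHOLD = 5                    # page: "typically 3-10" failed attempts
LOCKOUT_WINDOW = timedelta(minutes=15)   # constructed policy window
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 UTC, constructed policy
APPROVED_SOURCES = [ip_network("10.0.0.0/8"),       # office LAN (constructed)
                    ip_network("203.0.113.0/24")]   # VPN egress (constructed)

# Constructed sample: "<ISO time> host=<x> user=<y> src=<ip> result=SUCCESS|FAILURE"
SAMPLE_LOG = """\
2024-03-04T09:02:11Z host=fs01 user=jsmith src=10.0.4.21 result=SUCCESS
2024-03-04T09:05:40Z host=fs01 user=mlee src=10.0.4.30 result=FAILURE
2024-03-04T09:05:52Z host=fs01 user=mlee src=10.0.4.30 result=FAILURE
2024-03-04T09:06:03Z host=fs01 user=mlee src=10.0.4.30 result=FAILURE
2024-03-04T09:06:15Z host=fs01 user=mlee src=10.0.4.30 result=FAILURE
2024-03-04T09:06:27Z host=fs01 user=mlee src=10.0.4.30 result=FAILURE
2024-03-04T09:30:00Z host=fs01 src=10.0.4.99 result=SUCCESS
2024-03-04T23:41:09Z host=eng02 user=jsmith src=10.0.4.21 result=SUCCESS
2024-03-05T10:15:33Z host=eng02 user=jsmith src=198.51.100.77 result=SUCCESS
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a tz-aware datetime."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts_text.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyze(log_text):
    """Return (finding, user, timestamp) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(deque)        # user -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        if not user:
            # 3.3.2: an event nobody can be held to is itself a finding
            findings.append(("UNATTRIBUTED_EVENT", None, ev["ts"]))
            continue
        if ev["result"] == "FAILURE":
            window = failures[user]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > LOCKOUT_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) == LOCKOUT_THRESHOLD:           # 3.1.8: fire once
                findings.append(("LOCKOUT_THRESHOLD", user, ev["ts"]))
            continue
        failures[user].clear()           # a success resets the failure counter
        if ev["ts"].hour not in BUSINESS_HOURS:            # 3.14.7: off-hours
            findings.append(("OFF_HOURS_LOGIN", user, ev["ts"]))
        src = ip_address(ev["src"])
        if not any(src in net for net in APPROVED_SOURCES):  # 3.14.7: location
            findings.append(("UNEXPECTED_SOURCE", user, ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, ts in analyze(SAMPLE_LOG):
        print(ts.isoformat(), kind, user or "<no user>")
```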

Controls are based on NIST SP 800-171 Revision 2. CMMC 2.0 Level 2 maps directly to these 110 requirements. Consult an RPO or C3PAO for guidance specific to your environment.

Frequently Asked Questions

Are all 110 controls required for CMMC Level 2?

Yes. CMMC Level 2 maps directly to NIST SP 800-171 Revision 2, which contains 110 security requirements across 14 families. All 110 are required. There are no optional controls and no waivers in CMMC Level 2 — you either meet a control or you have a documented Plan of Action and Milestones (POA&M) with a remediation timeline.

What is the difference between a "practice," a "requirement," and a "control"?

CMMC uses the term "practice" while NIST 800-171 uses "requirement" or "control." They refer to the same things. The 110 CMMC Level 2 practices are the 110 NIST 800-171 requirements. Different documents and consultants use different terms, which causes confusion. If someone says "all 110 practices" or "all 110 controls" or "all 110 requirements," they mean the same thing.

Can you be certified with open POA&M items?

Yes, with important caveats. A C3PAO can issue a Conditional CMMC certificate if you have open POA&M items that aren't "critical" deficiencies. Critical deficiencies — things like no multi-factor authentication, no access controls, or no malware protection — cannot be POA&M'd. Non-critical gaps can be POA&M'd with a timeline of no more than 180 days after assessment.

How should this checklist be used for a gap assessment?

Use this checklist as a starting point for your gap assessment — mentally (or literally) marking each control as Met, Partial, or Not Met based on your current environment. "Met" means you have a technical or administrative control in place and can provide evidence. "Partial" means you have something but it's not fully implemented or documented. "Not Met" means you haven't addressed this control at all.

Which control family is the largest?

Access Control (AC) is the largest family with 22 controls, followed by System and Communications Protection (SC) with 16. Access Control is also typically where small contractors have the most gaps — role-based access, least privilege, session timeouts, and remote access controls are often partially or not implemented.
