This guide covers everything defense contractors need to know about CMMC compliance: what each certification level requires, which controls apply to your business, and how to prepare for assessment. Whether you are starting from scratch or refining an existing security program, CMIT Solutions can guide you through every stage of the process.
Explore our CMMC compliance support to see how CMIT Solutions guides defense contractors through every stage of certification.
What is CMMC compliance, and who needs it?
CMMC, the Cybersecurity Maturity Model Certification, is a U.S. Department of Defense (DoD) framework that protects sensitive federal information across the defense contractor supply chain. If your business holds, processes, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC compliance is a contractual requirement.
At CMIT Solutions, our CMMC compliance services help defense contractors identify exactly what the framework requires and build the layered security infrastructure to meet it, so your environment is protected by design, not just by policy.
For many defense contractors, the biggest challenge is not intent but uncertainty, not knowing exactly what applies to their business, their data, or their contracts. The DoD finalized CMMC 2.0 in October 2024, replacing the original five-level model with a streamlined three-level structure.
Implementation began on November 10, 2025, when the acquisition rule (48 CFR) took effect, rolling out in four phases over three years. For small and mid-size defense contractors, the path to certification is now clearer, but the compliance work required to get there remains substantial, and the requirements are now codified in regulation (32 CFR Part 170 and the DFARS) rather than in guidance documents.
Your required CMMC level depends on which of two categories of information you handle:
- Federal Contract Information (FCI): Information provided by or generated for the government under a contract, not intended for public release. Basic handling protections apply at Level 1.
- Controlled Unclassified Information (CUI): Information the government designates as sensitive and requiring safeguarding. This triggers Level 2 or Level 3 requirements depending on the sensitivity of the program. The National Archives CUI Registry is the authoritative repository for CUI categories and subcategories.
If you are unsure whether the information on your systems qualifies as CUI, CMIT Solutions can help you work through that determination alongside your contracting officer or prime contractor before you sign.
The three CMMC levels explained
As cybersecurity requirements grow more complex, knowing which rules apply to your business is the first step to getting compliant. CMMC 2.0 organizes contractors into three certification levels based on the type of information they handle and the associated risk.
Identifying the right level for your business is where CMIT Solutions starts every CMMC engagement.
| CMMC Level | Information Type | Requirements | Assessment Type |
| Level 1 — Foundational | FCI only | 15 requirements (FAR 52.204-21) | Annual self-assessment |
| Level 2 — Advanced | CUI (most programs) | 110 requirements (NIST SP 800-171 Rev. 2) | Self-assessment or C3PAO third-party assessment, every three years |
| Level 3 — Expert | CUI (high-priority programs) | 110 plus 24 selected from NIST SP 800-172 | Government-led assessment (DCMA DIBCAC) |
Level 1 — Foundational applies to contractors who handle FCI but not CUI. The required practices are the 15 basic safeguarding requirements in FAR clause 52.204-21; the original CMMC model split the physical-access requirement into three and counted 17 practices, which is the breakdown used in the checklist below.
Businesses at this level complete an annual self-assessment and submit results to the DoD’s Supplier Performance Risk System (SPRS).
Level 2 — Advanced is where the majority of the DoD supply chain falls. It maps directly to the 110 security requirements in NIST SP 800-171.
Whether a contractor needs a third-party assessment from a DoD-authorized C3PAO (Certified Third-Party Assessment Organization) or can rely on a self-assessment depends on the sensitivity of the programs involved. Phase 1 of CMMC implementation focuses primarily on Level 1 and Level 2 self-assessments, with C3PAO requirements expanding in subsequent phases.
Level 3 — Expert targets contractors working on the most sensitive DoD programs. It incorporates all 110 NIST SP 800-171 requirements plus 24 additional requirements selected from NIST SP 800-172, it presupposes a current Level 2 C3PAO certification, and assessments are conducted directly by the Defense Contract Management Agency’s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).
💡 Additional reading: data compliance regulations
CMMC compliance checklist: Level 1 (17 practices)
Level 1 requires contractors to implement basic cyber hygiene practices that protect FCI from unauthorized access or disclosure. The 17 practices below restate the 15 basic safeguarding requirements of FAR 52.204-21 and cover foundational security behaviors most businesses should already have in place.
- Limit system access to authorized users. Only people and devices with a defined need should be able to access company systems and the federal information on them.
- Limit system access to authorized transaction types. Users should only be able to perform actions relevant to their job functions, not everything the system allows.
- Verify and control external system connections. Connections to and from external systems, including employee-owned devices and partner networks, should be authorized, limited to what the business needs, and logged.
- Control the flow of FCI to external systems. Establish rules governing how FCI is shared, transferred, or made accessible outside your controlled environment.
- Use unique identifiers for all users. Shared or generic accounts are not acceptable. Each user must have their own login credentials tied to their identity.
- Authenticate the identities of users and devices. Level 1 requires authentication but not multi-factor authentication; MFA becomes mandatory at Level 2 (NIST SP 800-171 3.5.3) and is increasingly required by cyber insurers, so deploying it early is sensible.
- Sanitize or destroy media before disposal. Hard drives, USB drives, and other storage media containing FCI must be securely wiped or physically destroyed before disposal.
- Limit physical access to organizational systems. Server rooms, workstations, and other hardware containing FCI should be physically secured with controlled access.
- Escort visitors and monitor visitor activity. Visitors to areas where FCI is processed or stored should be supervised and access logged.
- Maintain audit logs of physical access. Records of who enters controlled areas and when must be maintained.
- Monitor, control, and protect organizational communications. Network traffic carrying FCI should be monitored and protected from unauthorized interception.
- Implement subnetworks for publicly accessible systems. Systems exposed to the internet should be separated from internal systems holding FCI.
- Identify, report, and correct information security flaws. Systems should be regularly scanned and patched. Vulnerabilities must not be left unaddressed for extended periods.
- Provide protection from malicious code. Anti-malware tools must be active, updated, and deployed across all systems handling FCI.
- Perform periodic scans of your systems. Regular vulnerability scans and real-time scanning of files from external sources are required.
- Update malicious code protection mechanisms. Anti-malware definitions and engines must be kept current.
- Control and manage physical access devices. Keys, badges, key cards, and lock combinations that grant entry to areas holding FCI must be inventoried, issued only to authorized people, and recovered or revoked when access ends. Security awareness training is not a Level 1 requirement; it enters at Level 2 under the Awareness and Training domain, though it is good practice at any level.
Together, these 17 controls form the foundation of a proactive security posture. CMIT Solutions can assess your current environment against each of them, identify where your security standards fall short of baseline expectations, and build a remediation plan that puts layered protection across your systems and users before your self-assessment submission.
CMMC compliance checklist: Level 2 (110 practices across 14 domains)
For most small and mid-size defense contractors, Level 2 is where the real compliance work happens, and where in-house IT resources most often struggle to keep pace. Level 2 maps to the full set of 110 security requirements in NIST SP 800-171, organized across 14 practice domains.
The CMMC rule assesses Level 2 against NIST SP 800-171 Rev. 2; the later Rev. 3 has not been adopted into CMMC, so contractors tracking Rev. 3 should keep their SSP mapped to the Rev. 2 requirements that assessors use. Below is a domain-by-domain checklist covering what each area requires.
Access control (AC) — 22 practices
Access control is the largest domain in NIST SP 800-171. It governs who can access your systems, under what conditions, and what they can do once inside.
Requirements include enforcing the principle of least privilege, separating duties between users, controlling remote access, protecting wireless access with authentication and encryption, and controlling the use of portable storage devices. Session lock requirements, such as automatic screen locks after a period of inactivity, also fall under this domain.
Awareness and training (AT) — 3 practices
Your people are part of your security posture. This domain requires training all users on cybersecurity risks and policies, ensuring personnel with elevated responsibilities receive role-based training, and keeping awareness activities current as threats evolve.
Protecting systems, networks, and data means nothing if the human layer is left exposed. Documentation proving training completion is typically required at assessment.
Audit and accountability (AU) — 9 practices
You need to know what is happening on your systems. Audit and accountability requires creating and retaining system audit logs, protecting logs from unauthorized access or modification, reviewing logs regularly, and ensuring individuals can be held accountable for their actions on systems containing CUI.
Alert mechanisms for audit failures are also required.
Configuration management (CM) — 9 practices
Systems must be configured securely and consistently. This domain covers establishing and maintaining baselines for system configurations, controlling changes to those configurations, restricting software installation to authorized applications only, and documenting the security settings applied to each system.
Running unauthorized software on systems that process CUI is a common gap found during assessments.
Identification and authentication (IA) — 11 practices
This domain goes beyond basic passwords. Contractors must enforce multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3), manage authenticators (passwords, tokens, certificates) with defined security requirements, store and transmit credentials securely, and employ replay-resistant authentication mechanisms.
Weak or reused passwords are among the most frequently cited deficiencies.
Incident response (IR) — 3 practices
When something goes wrong, you need a plan. Incident response requires establishing an operational capability to address incidents involving CUI, tracking and documenting incidents, and testing your incident response plan.
This domain also ties to reporting obligations. Contractors subject to DFARS 252.204-7012 must report cyber incidents affecting covered defense information, or their ability to provide operationally critical support, to the DoD within 72 hours of discovery.
Maintenance (MA) — 6 practices
System maintenance must be controlled and documented. This includes performing maintenance on systems containing CUI in a controlled manner, sanitizing equipment before allowing it off-site for maintenance, ensuring maintenance personnel have appropriate authorization, and logging all maintenance activities.
Media protection (MP) — 9 practices
CUI must be protected whether it is on a hard drive, a USB stick, a printed document, or in transit. Media protection covers labeling CUI media, controlling access to it, sanitizing it before disposal or reuse, protecting it during transport, and restricting the use of removable media, a common vector for data exfiltration.
Personnel security (PS) — 2 practices
Insider risk is real. This domain requires screening individuals before granting access to systems containing CUI and protecting CUI during and after personnel transitions, including when employees leave the organization.
Prompt termination of access when employment ends is a core control here.
Physical protection (PE) — 6 practices
CUI environments need physical controls. Requirements include limiting and logging physical access to systems, protecting and monitoring physical facilities, escorting visitors, and maintaining physical access logs.
For businesses that rely heavily on cloud infrastructure, the physical controls for the data center are inherited from the cloud service provider and evidenced by its FedRAMP authorization, but the responsibility for confirming that those controls meet DoD requirements, and for the physical security of your own offices and endpoints, remains with the contractor. CMIT can help verify that your provider’s authorization and configuration meet the standard.
Risk assessment (RA) — 3 practices
Contractors must periodically assess the risk to operations, assets, and individuals associated with their systems. This includes scanning for vulnerabilities at regular intervals, remediating findings, and updating risk assessments when there are significant changes to systems or the threat environment.
The frequency and rigor of vulnerability scanning is a point of focus for assessors.
Security assessment (CA) — 4 practices
This domain requires periodically assessing the security controls in your environment to confirm they are effective, developing and maintaining a plan of action and milestones (POA&M) to address deficiencies, monitoring your environment on an ongoing basis, and developing a system security plan (SSP).
The SSP is a foundational document for any CMMC assessment. It describes what you have, why you have it, and how it protects CUI.
System and communications protection (SC) — 16 practices
This is a broad domain covering how your systems and the communications between them are protected. It includes network segmentation, protecting CUI in transit using encryption, controlling connections to external networks, implementing denial-of-service protections, and managing session authenticity.
Organizations that use cloud services for CUI must ensure those services meet the FedRAMP Moderate baseline or equivalent, as DFARS 252.204-7012 requires. Microsoft, for example, directs contractors with DFARS 7012 obligations to GCC High rather than commercial Microsoft 365; whichever platform you use, confirm the provider’s FedRAMP status and incident-reporting commitments in writing and record them in your SSP.
System and information integrity (SI) — 7 practices
This domain governs the ongoing health and integrity of your systems. Requirements include deploying malware protection, scanning for vulnerabilities regularly, monitoring for and alerting on security events, patching flaws in a timely manner, and identifying unauthorized use of your systems.
Continuous monitoring and threat visibility are at the core of this domain. Security information and event management (SIEM) tools are commonly used to meet the monitoring requirements here.
CMIT Solutions works through each of these 14 domains with defense contractors, applying consistent tools and standards to map your existing controls against the requirements and deliver cybersecurity-informed recommendations on what needs to change before an assessment.
💡 Additional reading: NIST compliance
Find out where your gaps are before an assessor does — explore our CMMC compliance services.
What the self-assessment vs. third-party assessment decision means for your business
Not every Level 2 contractor needs a C3PAO assessment, but without clear guidance, many businesses default to the wrong path and waste significant time and budget as a result. The DoD’s four-phase implementation plan distinguishes between contractors on critical programs, who must use a C3PAO, and those on non-critical programs, who may submit a self-assessment.
This matters because the costs, timelines, and preparation requirements differ significantly.
A self-assessment means scoring your environment with the NIST SP 800-171 DoD Assessment Methodology and submitting the result to SPRS. A perfect score is 110 points.
Each requirement that is not implemented deducts 5, 3, or 1 point according to the weight the methodology assigns it, and there is no partial credit except for two narrow cases (multi-factor authentication deployed for privileged and remote access but not all users, and encryption in use but not FIPS-validated, each deducting 3 points rather than 5). The score can therefore fall as low as -203, and with no system security plan at all the assessment cannot be conducted. Before submitting, have the scoring independently reviewed and keep evidence for every point claimed; the DoD has begun scrutinizing overstated scores closely.
A third-party C3PAO assessment involves an authorized assessment organization formally evaluating your environment against all 110 requirements. Authorized C3PAOs are listed in the Cyber AB Marketplace, which the DoD CMMC program site links to.
Assessments typically take several months from initial scoping to certification issuance. Organizations should expect to provide extensive documentation, walk assessors through their systems, and demonstrate that controls are operational, not just documented on paper.
Consider this scenario: a small defense subcontractor with 30 employees has been handling CUI for years under a prime contractor. When the prime contractor’s next contract cycle requires CMMC Level 2 flow-down, the subcontractor needs to determine whether a self-assessment will satisfy the contract terms.
If the solicitation specifies a Level 2 certification assessment by a C3PAO, a self-assessment cannot be substituted, regardless of the subcontractor’s size. Starting the process 18 to 24 months before the contract award window is a reasonable planning horizon.
CMIT Solutions acts as a strategic advisor throughout this process, providing strategic technology guidance that aligns the assessment decision with your broader operational and contractual goals, so resources go toward the right remediation work from the start.
Not sure which assessment path applies to your business? Contact us and we’ll help you work it out.
How to build a system security plan (SSP) for CMMC
The System Security Plan is the backbone of any CMMC Level 2 compliance program. For businesses that rely on multiple vendors, cloud providers, or third-party tools, the SSP is also where accountability gaps become visible, as every external connection that touches your CUI environment must be documented and assessed.
Assessors use the SSP to evaluate the scope of your environment, the controls you have implemented, and the gaps you are working to close. An incomplete or inaccurate SSP is one of the fastest ways to lose points before an assessor has reviewed a single system.
A well-structured SSP covers:
- System boundary and scope: Define exactly which systems, components, users, and locations are in scope for CUI handling. Accurate scoping does not reduce the 110 requirements, but it limits the assets each requirement applies to, which is where most of the cost savings come from.
- CUI inventory: Identify where CUI lives in your environment, including servers, workstations, cloud storage, email, removable media, and data in transit between systems.
- Control implementation statements: For each of the 110 NIST SP 800-171 controls, document whether it is fully implemented, partially implemented, or not yet implemented. Partial and not-implemented controls must appear in your POA&M.
- Responsible parties: Identify who owns each control in your organization and who is responsible for maintaining it.
- Interconnections and external services: Document all external systems, cloud services, or third-party tools that touch your CUI environment. Each of these connections is within scope.
NIST provides supplemental SSP and POA&M templates through its NIST SP 800-171 publication page. Building a credible SSP from scratch typically takes six to twelve months for organizations without a prior compliance baseline.
CMIT Solutions brings security-first managed IT expertise to that process, leading from initial scoping through final documentation and delivering cybersecurity-informed guidance at every step, so the foundation we build supports your compliance posture as your business grows.
Common CMMC compliance gaps found during assessments
When CMIT Solutions evaluates contractor environments, the same deficiencies appear repeatedly. Each one represents a genuine risk, whether data loss, operational disruption, or a failed assessment that delays contract work.
A proactive approach to security means identifying and closing these gaps before an assessor or a threat actor finds them first.
- Multi-factor authentication not fully deployed. NIST SP 800-171 3.5.3 requires MFA for local and network access to privileged accounts and for network access to every other user account. Partial rollouts, where MFA is on for some users but not others, or covers email but not VPN or remote desktop, are a common finding; accounts that genuinely cannot use MFA, such as service accounts, must be documented in the SSP with the alternative measures applied.
- CUI on non-compliant cloud systems. Storing or processing CUI in cloud environments that have not achieved FedRAMP Moderate authorization (or equivalent) is a significant violation. According to the DoD’s CMMC FAQ, cloud service providers that process, store, or transmit CUI must meet FedRAMP Moderate baseline requirements.
- Inadequate vulnerability management cadence. NIST SP 800-171 requires vulnerability scanning at regular intervals. Many organizations scan infrequently or fail to remediate findings within defined timelines.
- Weak or missing incident response documentation. Having a written incident response plan is required, but it must also be tested. An untested plan does not satisfy the standard.
- Uncontrolled removable media use. USB drives and other portable media that are not authorized, encrypted, or logged represent a recurring gap in media protection controls.
- Employee training gaps. Security awareness training must cover threats specific to handling CUI, not just general cybersecurity hygiene. Documentation of completion is required.
- Inaccurate or outdated system security plans. SSPs that describe controls as implemented when they are only partially implemented, or that exclude systems actually in scope, create significant assessment risk.
Many businesses assume their cyber insurance will cover them after an attack, but insurers increasingly require specific security controls, including several that appear on this list, before issuing or renewing coverage.
Use our insurance readiness assessment to see whether your current security environment aligns with modern insurer expectations.
CMMC timeline: what to expect from start to certification
CMMC compliance is not a short runway, and for businesses that treat security as a maintenance task rather than a strategic priority, the timeline can become a serious operational problem. Organizations that begin preparation only when a contract requirement appears are already behind.
Below is a realistic sequence for a small to mid-size contractor pursuing Level 2 certification.
| Phase | Activity | Typical Duration |
| Scoping | Define system boundary, CUI data flows, asset inventory | 4–8 weeks |
| Gap assessment | Assess current controls against all 110 NIST SP 800-171 requirements | 4–8 weeks |
| Remediation | Implement missing or deficient controls, configure systems, deploy tools | 3–12 months |
| Documentation | Build or finalize SSP, POA&M, policies, and procedures | Concurrent with remediation |
| Pre-assessment readiness review | Internal or third-party readiness check before formal assessment | 4–6 weeks |
| C3PAO assessment (if required) | Formal assessment by an authorized organization | 4–12 weeks |
| Certification issuance | Results submitted, certificate issued | 2–6 weeks post-assessment |
The total path from gap assessment to certification can range from 9 months to over two years, depending on your starting compliance posture. Security gaps left open during that period carry real operational and financial risk.
CMIT Solutions helps contractors plan realistically against this timeline, prioritizing the remediation activities that build the strongest security foundation first. And once certification is achieved, our continuous monitoring and threat response capabilities keep your environment defended as requirements and threats evolve.
Use our IT downtime calculator to estimate what unplanned disruption could cost your business. Results are illustrative and will vary based on your specific environment and operations.
How CMIT Solutions supports CMMC readiness for defense contractors
For small and mid-size defense contractors, CMMC compliance can feel like a full-time job layered on top of running a business. Navigating 110 security controls, building an SSP from scratch, scoping a CUI environment, and preparing for a C3PAO assessment requires technical expertise that most SMBs don’t have in-house.
CMIT Solutions steps in as a trusted technology advisor, bringing both the technical depth and the strategic perspective that CMMC compliance demands, so your team gains stronger cybersecurity protection without losing focus on growth.
With more than 30 years of experience helping businesses align their IT with operational and regulatory goals, CMIT’s nationwide network of technology and cybersecurity experts delivers enterprise-level capabilities through locally trusted relationships, with on-site support available whenever in-person assistance is needed. We work directly with defense contractors to assess their current environment, identify gaps against the CMMC model, and translate those findings into a practical remediation roadmap grounded in security-first managed IT practices.
The result is an IT environment that exceeds baseline security standards, supports long-term resilience, and positions your business to pursue and retain defense contracts with confidence.
To see what that looks like in practice, take a look at our Optyx case study. CMIT Solutions helped Optyx, a multi-location optical retailer, unify its IT infrastructure across locations, delivering consistent, secure systems that scaled with its business growth.
Call us at (800) 399-2648 or reach out via our contact page to get started with a CMMC readiness evaluation and see how CMIT Solutions can protect your business while keeping your IT aligned with your goals.
FAQs
What are the legal risks of submitting an inaccurate CMMC self-assessment score to SPRS?
Submitting an inflated CMMC score to the Supplier Performance Risk System is not a paperwork error. An inaccurate score can constitute a false claim under the False Claims Act, exposing the company to civil penalties and treble damages, and knowingly false statements to the government can carry criminal liability.
The Department of Justice’s Civil Cyber-Fraud Initiative has already produced settlements over misrepresented cybersecurity compliance on federal contracts. Have the scoring methodology independently reviewed before submission and retain evidence for every point claimed.
Can a small business outsource CMMC compliance to a managed IT provider instead of building capabilities in-house?
Yes. For many small businesses, a managed security services provider is the most practical path to CMMC compliance. A qualified provider can deliver the continuous monitoring, endpoint protection, patch management, and incident response capabilities required by NIST SP 800-171.
Any managed service provider with access to CUI must meet applicable CMMC requirements and be documented in the contractor’s SSP.
Does CMMC apply to subcontractors who don’t hold the DoD prime contract directly?
CMMC requirements flow down through the entire defense supply chain. If a prime contractor handles CUI and a subcontract requires access to, processing of, or storage of that information, the subcontractor is subject to the same CMMC level as the prime.
Prime contractors are increasingly embedding CMMC flow-down clauses in teaming agreements and subcontracts, making early preparation essential.
What is a CMMC Plan of Action and Milestones (POA&M), and when is one required?
A CMMC POA&M is a structured document that lists every security requirement not yet fully implemented, the remediation steps planned to close each gap, the responsible owner, and the target completion date. Any Level 2 assessment that scores below 110 needs one, and under CMMC 2.0 a POA&M is only acceptable if the score is at least 88 (80 percent), none of the open items are 5-point requirements apart from the narrow exceptions the rule allows, and every item is closed within 180 days.
For C3PAO assessments, meeting those conditions yields a conditional certification while remediation continues; a closeout assessment confirms the items are done, and missing the 180-day window means the conditional status lapses.
How often does CMMC certification need to be renewed, and what triggers an early reassessment?
A CMMC Level 2 certification issued through a C3PAO is valid for three years, with an annual affirmation of continued compliance by a senior official in between; a Level 2 self-assessment follows the same three-year cycle and annual affirmation.
Level 1 requires a self-assessment and affirmation every year, entered in SPRS. Significant changes to a contractor’s IT environment, such as migrating to a new cloud platform, adding locations, or altering CUI handling processes, may require an updated assessment before the standard renewal date.