A CMMC assessment is not a pass-or-fail moment that arrives without warning. It is the conclusion of a preparation process that either positioned your organization to demonstrate compliant security practices or exposed the gaps that prevent certification. By the time the C3PAO assessors arrive, the outcome is largely determined by what happened in the months preceding the assessment.
This checklist is designed for defense contractors preparing for CMMC Level 2 certification, the most common certification level required by DoD contracts. It covers the specific documentation, technical controls, and operational practices that C3PAO assessors evaluate, organized in the sequence that makes the preparation process manageable rather than overwhelming.
Work through this checklist systematically. Every item that is not addressed before the assessment is an item that assessors will find. Finding gaps during preparation costs time. Finding them during the assessment costs certification.
Section 1: Documentation Foundations
Documentation is the first thing assessors examine and the foundation everything else builds on. Assessors do not take your word that controls are implemented. They look for documented evidence that controls exist, that people know about them, and that they are followed.
System Security Plan
The System Security Plan is the central document of your CMMC compliance program. It describes how your organization meets each of the 110 NIST SP 800-171 security requirements. A complete SSP includes a description of your organization’s boundary, covering the systems, networks, and locations where controlled unclassified information is processed, stored, or transmitted. For each of the 110 practices it must document the implementation status, how the practice is implemented in your specific environment, the system components to which the practice applies, and the responsible roles. It also requires descriptions of your network architecture, data flows involving CUI, and the interconnections between your system and external systems.
Before the assessment, confirm that the SSP covers all 110 NIST SP 800-171 practices without gaps or placeholders, that the boundary description accurately reflects current infrastructure including cloud services and remote work configurations, that implementation descriptions are specific to your environment rather than copied from generic templates, that the SSP has been reviewed within the past 12 months, and that responsible roles and personnel reflect actual current assignments.
Plan of Action and Milestones
The POA&M documents every NIST SP 800-171 requirement that is not yet fully implemented, the planned actions to achieve full implementation, the milestones for each action, and the resources required. A POA&M that was accurate when written but has not been updated is a liability during assessment. Assessors compare the POA&M to the actual state of controls and identify discrepancies. A POA&M with expired milestones and unresolved items that predate the assessment signals that the compliance program is not actively managed.
Confirm that every practice not fully implemented is documented in the POA&M, that no items have missed milestones without documented explanations and revised timelines, that completed items are marked closed with closure dates, that the POA&M has been reviewed within the past 30 days, and that planned timelines for open items are realistic and achievable.
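The cross-check described above, SSP status against POA&M contents, milestone dates and review age, is mechanical enough to script. The following is an added example, not code from the original article or from Mindcore; the record layout, field names and sample practice statuses are constructed for illustration and are not a CMMC-mandated POA&M schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class PoamItem:
    """One POA&M row. Field names are an assumption for this example."""
    practice: str                     # NIST SP 800-171 practice id, e.g. "3.5.3"
    status: str                       # "open" or "closed"
    milestone: date                   # planned completion date
    revised: bool = False             # True if a missed milestone was re-planned with a documented reason
    closure_date: Optional[date] = None


def review_poam(ssp_status: Dict[str, str], poam: List[PoamItem], as_of: date,
                last_reviewed: date, review_interval_days: int = 30) -> List[Tuple[str, str]]:
    """Return (practice, problem) pairs an assessor would treat as discrepancies.

    ssp_status maps practice id -> "implemented", "partially implemented" or "not implemented",
    as recorded in the SSP. Anything not fully implemented must have an open POA&M item.
    """
    findings: List[Tuple[str, str]] = []

    # The POA&M itself must have been looked at recently (30 days in this checklist).
    age = (as_of - last_reviewed).days
    if age > review_interval_days:
        findings.append(("POA&M", f"last reviewed {age} days ago; limit is {review_interval_days}"))

    # Every practice the SSP does not report as fully implemented needs an open POA&M item.
    open_items = {it.practice for it in poam if it.status == "open"}
    for practice, status in ssp_status.items():
        if status != "implemented" and practice not in open_items:
            findings.append((practice, f"SSP says '{status}' but there is no open POA&M item"))

    for it in poam:
        # Missed milestones are acceptable only with a documented explanation and a revised date.
        if it.status == "open" and it.milestone < as_of and not it.revised:
            findings.append((it.practice, f"milestone {it.milestone} missed with no documented revision"))
        # Closed items must carry the date they were closed.
        if it.status == "closed" and it.closure_date is None:
            findings.append((it.practice, "marked closed but has no closure date"))
    return findings


# Constructed sample data (not from any real SSP or POA&M).
SAMPLE_SSP_STATUS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.5.3": "partially implemented",   # MFA not yet on every account
    "3.13.11": "not implemented",       # no FIPS-validated crypto yet
    "3.14.1": "partially implemented",  # patch timelines not met; missing from the POA&M below
}
SAMPLE_POAM = [
    PoamItem("3.5.3", "open", date(2025, 4, 15)),     # milestone missed, never revised
    PoamItem("3.13.11", "open", date(2025, 9, 30)),   # future milestone, fine
    PoamItem("3.1.1", "closed", date(2025, 1, 31)),   # closed, but no closure date recorded
]
AS_OF = date(2025, 6, 1)
LAST_REVIEWED = date(2025, 4, 1)

if __name__ == "__main__":
    for practice, problem in review_poam(SAMPLE_SSP_STATUS, SAMPLE_POAM, AS_OF, LAST_REVIEWED):
        print(f"{practice}: {problem}")
```

Run against the sample data it reports four discrepancies: the POA&M review is overdue, 3.5.3 has a missed milestone with no revision, 3.1.1 is closed without a closure date, and 3.14.1 is partially implemented in the SSP but absent from the POA&M. Those are exactly the inconsistencies an assessor finds by laying the two documents side by side.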
Incident Response Plan
The incident response plan documents how your organization detects, responds to, and recovers from security incidents. NIST SP 800-171 requires an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and post-incident activity. Our companion piece on what a complete cyber incident response plan must include covers the specific components that assessors verify are present and operational, not just documented.
Confirm that the plan assigns specific roles with named backup contacts, includes procedures for incidents involving CUI specifically, documents DoD notification procedures under DFARS 252.204-7012 including the 72-hour reporting requirement, has been tested through a tabletop exercise within the past 12 months, and that all response team contact information is current and stored outside production systems.
Configuration Management Plan
The configuration management plan documents how your organization establishes and maintains baseline configurations for systems in scope, controls changes to those configurations, and manages the security implications of configuration changes. Confirm that baseline configurations are documented for all system components in scope, that change control procedures are documented and followed, that the plan addresses software installation restrictions, and that recent changes to in-scope systems are captured in the change log.
System and Communications Protection Documentation
Documentation of network architecture, boundary protection, and data flow controls demonstrates how your organization implements the network security requirements in NIST SP 800-171. Confirm that current network architecture diagrams accurately reflect the environment, that data flow diagrams show how CUI moves through the environment and where it is stored, that boundary protection controls including firewalls and access control lists are documented, and that remote access configurations are documented and justified.
Section 2: Access Control
Access control is one of the most heavily assessed NIST SP 800-171 families. Assessors verify that access to CUI systems is limited to authorized users, that privileges are appropriate for roles, and that access management practices prevent unauthorized access.
Confirm that user accounts on CUI systems have been reviewed and that any accounts that should not have access are removed or disabled. Every user account must be associated with a specific individual, and shared accounts that cannot be attributed to a single user must be eliminated or justified. Privileged accounts should be limited to personnel who require elevated access for their job functions, and administrators should not use privileged accounts for routine non-administrative tasks.
Multi-factor authentication must be enabled for all accounts accessing CUI systems, including remote access, privileged accounts, and accounts accessing cloud-hosted CUI. Remote access sessions require MFA without exception, and legacy authentication protocols that cannot support MFA must be disabled. Access to CUI must be controlled on a need-to-know basis, inactive accounts must be disabled after a documented inactivity period, and account management procedures must cover creation, modification, and termination including prompt disabling of terminated employee accounts.
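The account review in this section (shared accounts, terminated users, missing MFA, inactive accounts) is the kind of check worth running on an exported account inventory before the assessors ask for one. This is an added example, not code from the original article or from Mindcore; the inventory fields, the 90-day inactivity period and the sample accounts are constructed assumptions, and the inactivity period should be whatever your own policy documents.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    """One row of an exported account inventory; field names are an assumption."""
    name: str
    owner: Optional[str]        # None means no single attributable person (a shared account)
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_logon: Optional[date]  # None means the account has never logged on


def review_accounts(accounts: List[Account], terminated: Set[str], as_of: date,
                    inactivity_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs for enabled accounts on CUI systems that
    fail the access control checks in this section."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are already in the state the checklist wants
        if a.owner is None:
            findings.append((a.name, "shared account not attributable to one individual"))
        elif a.owner in terminated:
            findings.append((a.name, f"owner {a.owner} is terminated but the account is still enabled"))
        if not a.mfa_enrolled:
            findings.append((a.name, "MFA not enrolled"))
        if a.last_logon is None or (as_of - a.last_logon).days > inactivity_days:
            findings.append((a.name, f"inactive for more than {inactivity_days} days"))
    return findings


# Constructed sample inventory (no real users or systems).
AS_OF = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "J. Doe", True, False, True, date(2025, 5, 28)),          # clean
    Account("svc-backup", None, True, True, False, date(2025, 5, 30)),        # shared, no MFA
    Account("asmith-adm", "A. Smith", True, True, True, date(2025, 1, 10)),   # stale admin account
    Account("bjones", "B. Jones", True, False, True, date(2025, 5, 20)),      # owner left the company
    Account("old-contractor", "C. Lee", False, False, False, None),           # already disabled
]
TERMINATED = {"B. Jones"}

if __name__ == "__main__":
    for name, problem in review_accounts(SAMPLE_ACCOUNTS, TERMINATED, AS_OF):
        print(f"{name}: {problem}")
```

On the sample inventory it flags the shared backup account twice (not attributable, and no MFA), the dormant admin account, and the enabled account of a terminated employee, while leaving the already-disabled account alone. Keep the output with its run date as evidence that the review was performed.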
Section 3: Audit and Accountability
Assessors verify that your organization generates and retains audit logs sufficient to investigate security incidents and demonstrate accountability for actions on CUI systems. Audit logging must be enabled on all CUI systems including servers, endpoints, and network devices, capturing logon and logoff events, account management actions, object access to CUI, privilege use, system events, and network connection events.
Log retention must meet the 90-day online and three-year archive requirement specified for organizations subject to DFARS. Centralized log collection must be implemented so that logs are preserved even if individual systems are compromised. Logs must be reviewed on a defined schedule with documented evidence of that review, and alerting must be configured and tested for failed logon attempts, account lockouts, privilege escalations, and large data transfers. Time synchronization must be configured across all in-scope systems so that log timestamps are consistent and reliable for correlation.
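Assessors will ask not only whether alerting is configured but whether it fires. The following added example (not code from the original article or from Mindcore) shows the detection logic for the four alert conditions named above, run over constructed sample log lines. The key=value log format, the five-failures-in-ten-minutes threshold, the 1 GiB transfer threshold and the privileged group names are all assumptions for the example; real thresholds belong in your own policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List, Tuple

# Assumption: group memberships that confer administrative rights.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample log in a simple key=value format (not any real product's format).
SAMPLE_LOG = """\
2025-06-01T08:00:01Z host=fs01 event=logon_failed user=jdoe src=10.0.5.12
2025-06-01T08:00:09Z host=fs01 event=logon_failed user=jdoe src=10.0.5.12
2025-06-01T08:00:15Z host=fs01 event=logon_failed user=jdoe src=10.0.5.12
2025-06-01T08:00:22Z host=fs01 event=logon_failed user=jdoe src=10.0.5.12
2025-06-01T08:00:30Z host=fs01 event=logon_failed user=jdoe src=10.0.5.12
2025-06-01T08:00:31Z host=dc01 event=account_lockout user=jdoe
2025-06-01T09:12:44Z host=dc01 event=group_membership_added user=asmith group=Administrators actor=svc-helpdesk
2025-06-01T11:30:00Z host=fs01 event=file_transfer user=bjones bytes=2147483648 dest=203.0.113.7
2025-06-01T12:00:00Z host=fs01 event=logon_success user=jdoe src=10.0.5.12
2025-06-01T13:00:00Z host=fs01 event=logon_failed user=asmith src=10.0.5.40
"""


def parse_line(line: str) -> Dict[str, Any]:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    ev: Dict[str, Any] = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_alerts(lines: List[str], fail_threshold: int = 5,
                  window: timedelta = timedelta(minutes=10),
                  transfer_bytes: int = 1 << 30) -> List[Tuple[str, str, str]]:
    """Return (alert_type, user, timestamp) for each alert condition in the checklist."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window per user

    for ev in (parse_line(l) for l in lines if l.strip()):
        kind, user, stamp = ev["event"], ev.get("user", "?"), ev["ts"].isoformat()
        if kind == "logon_failed":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("failed_logon_burst", user, stamp))
                q.clear()                            # alert once per burst, not once per extra failure
        elif kind == "account_lockout":
            alerts.append(("account_lockout", user, stamp))
        elif kind == "group_membership_added" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privilege_escalation", user, stamp))
        elif kind == "file_transfer" and int(ev["bytes"]) >= transfer_bytes:
            alerts.append(("large_transfer", user, stamp))
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sample produces four alerts: a burst of five failed logons for jdoe, the lockout that follows, asmith being added to Administrators, and a 2 GiB transfer to an external address. The single failed logon for asmith at 13:00 correctly produces nothing. Because the sliding window compares timestamps across hosts (fs01 and dc01 here), the time synchronization requirement above is what makes this correlation trustworthy.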
Section 4: Configuration Management
Configuration management assessments evaluate whether your organization maintains documented, secure baseline configurations and controls changes to in-scope systems. Security configuration baselines must be established for each operating system and application type in scope, referencing documented benchmarks such as CIS Benchmarks or DISA STIGs. Systems must be configured according to those baselines and deviations must be documented and justified.
Software inventory must be maintained for all systems in scope with only authorized software installed. Automatic update mechanisms must be configured to apply security patches promptly, or a documented patch management process must define how patches are evaluated, tested, and applied. The most recent vulnerability scan of in-scope systems must have been conducted within the past 30 days with findings addressed or documented in the POA&M. USB and removable media use must be controlled, and users must be restricted from installing unauthorized software on CUI systems without IT authorization.
Section 5: Identification and Authentication
Beyond the access control MFA requirements, this section addresses how your organization manages user identities, authenticates users, and manages credentials. Password policies must enforce minimum complexity, minimum length of at least 12 characters, and prohibit commonly used passwords, with higher standards for privileged accounts. MFA implementation must cover all required access scenarios including remote access, privileged access, and access to non-privileged accounts that access CUI when technically feasible.
Service accounts, application accounts, and API keys must be inventoried, managed, and rotated on a defined schedule. Authenticators including passwords, tokens, and certificates must be protected from unauthorized disclosure, and all default passwords on systems and devices must have been changed from manufacturer defaults.
Section 6: Incident Response
The incident response capability assessment goes beyond documentation to verify that the capability is operational. The incident response plan must be accessible to all team members without requiring production system access, and the response team must have been trained on the plan within the past year. A tabletop exercise testing the incident response procedures must have been conducted and documented within the past 12 months, and gaps identified in that exercise must have been addressed and the plan updated.
The organization must have the capability to detect, report, and respond to security incidents including the forensic investigation capability required to support DFARS reporting. DFARS 252.204-7012 notification procedures must be specifically documented including the 72-hour reporting window, the DIBNet portal submission process, and the system image preservation requirement.
Section 7: Maintenance
System maintenance controls address how privileged maintenance activities are performed, especially remote maintenance. Maintenance activities on CUI systems must be performed by authorized individuals. Remote maintenance sessions must use encrypted connections and be terminated after completion, and remote maintenance tool access must be controlled with sessions monitored. Maintenance equipment brought into the facility must be inspected for malicious code before connection to CUI systems.
Section 8: Media Protection
Media protection controls address how CUI on physical media is handled, transported, and disposed of. Physical media containing CUI must be labeled appropriately and protected during transport using encryption or secure physical controls. Media sanitization procedures must be documented and followed, with CUI securely destroyed before media disposal or reuse. Access to systems and media containing CUI must be limited to authorized users, and portable storage devices used with CUI systems must be controlled and inventoried.
Section 9: Personnel Security
Personnel security controls address how your organization manages the security risk associated with personnel who have access to CUI. Personnel accessing CUI systems must have been screened appropriately for their role and the sensitivity of their access. Security awareness training covering CUI handling, phishing recognition, incident reporting, and acceptable use must have been completed by all personnel with access to CUI within the past year, with training completion documented for each individual.
Personnel termination procedures must include timely revocation of CUI access including badge access, system accounts, VPN credentials, and cloud service access. Non-disclosure agreements covering CUI must be executed with employees and contractors who have access to CUI.
Section 10: Risk Assessment
Risk assessment controls require periodic evaluation of organizational risk and vulnerability remediation. A risk assessment must have been conducted within the past year covering CUI systems and the applicable threats and vulnerabilities, with findings documented and reflected in the POA&M. Vulnerability scans of CUI systems must be conducted regularly, at minimum monthly, with findings remediated or documented. Vulnerability assessment services that produce prioritized, environment-specific findings provide the documented evidence that assessors look for in this control family.
Penetration testing must have been conducted or be scheduled. For Level 2 organizations undergoing C3PAO assessment, penetration testing evidence strengthens the risk management demonstration, and penetration testing services that produce documented findings and remediation evidence directly support this section. Risk assessment results must be used to inform security investment and prioritization decisions.
Section 11: Security Assessment
Security assessment controls require periodic evaluation of your security controls and a process for correcting deficiencies. Security assessments of CUI systems must be conducted periodically and documented, with findings tracked in the POA&M. The security assessment process must produce evidence that controls are implemented and functioning, not just documented. Continuous monitoring must be implemented to detect configuration drift and security control failures between formal assessments. Managed security services with 24/7 SOC monitoring provide the continuous monitoring evidence that assessors expect to find in this section.
Section 12: System and Communications Protection
Network security controls are among the most technically verifiable and frequently assessed areas. Assessors can validate network segmentation, encryption configurations, and boundary protection through technical examination. CUI systems must be on network segments separated from general corporate networks, with segmentation preventing unauthorized lateral access. Communications carrying CUI must be encrypted in transit using current encryption standards, and FIPS 140-2 or FIPS 140-3 validated cryptographic modules must be used where required.
Wireless networks used to access CUI must use current security protocols, as WEP and WPA are not acceptable for CUI access. Boundary protection devices including firewalls must be configured to deny traffic by default and permit only authorized communications. Email security controls must be implemented including protections against malicious attachments and phishing. Session lock must be configured on workstations accessing CUI after a defined inactivity period, and remote access sessions must be terminated after appropriate inactivity timeouts.
Section 13: System and Information Integrity
Integrity controls address malware protection, security alerts, and software and firmware integrity. Malware protection must be deployed on all CUI systems including endpoints and servers, with definitions updated regularly through automatic updates. Security alerts from malware protection, intrusion detection, and other security tools must be monitored and acted upon. Security updates and patches must be applied to CUI systems within defined timeframes documented in policy. Spam and malicious content filtering must be implemented for email, and file integrity monitoring must be implemented for critical system files and CUI repositories where technically feasible.
Pre-Assessment Final Verification
Before the assessment begins, verify these items that span multiple control families and represent common assessment failure points.
SPRS Score Accuracy
Your SPRS score submitted to the Supplier Performance Risk System must accurately reflect your current implementation of NIST SP 800-171 requirements. Compare your SPRS score against your current SSP and POA&M. If the SPRS score is higher than your actual implementation warrants, update the score before the assessment. An SPRS score that does not match the assessment findings creates False Claims Act exposure independent of the assessment outcome.
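The comparison above can be made concrete by recomputing the score the SSP actually supports and checking it against the number in SPRS. The following is an added example, not code from the original article or from Mindcore. It applies the scoring rule of the NIST SP 800-171 DoD Assessment Methodology (110 minus the weight of each practice not implemented, with a reduced 3-point deduction allowed for partial implementation of MFA and FIPS-validated cryptography); the per-practice weights and the sample SSP statuses below are illustrative inputs, and the authoritative weight for every practice must be taken from the methodology itself.

```python
from typing import Dict

MAX_SCORE = 110

# Illustrative weights for the practices in the sample only; every practice is weighted
# 5, 3 or 1 in the DoD Assessment Methodology, and the real table must come from there.
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.3.3": 1, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5}

# The two practices for which the methodology permits a 3-point deduction when only
# partially implemented (MFA, and encryption in place but not yet FIPS-validated).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


def expected_sprs_score(ssp_status: Dict[str, str], weights: Dict[str, int]) -> int:
    """Score the SSP supports. Statuses are 'implemented', 'partially implemented'
    or 'not implemented'. Partial implementation counts as not implemented except
    for the PARTIAL_CREDIT practices."""
    deduction = 0
    for practice, status in ssp_status.items():
        if status == "implemented":
            continue
        if status == "partially implemented" and practice in PARTIAL_CREDIT:
            deduction += 3
        else:
            deduction += weights[practice]
    return MAX_SCORE - deduction


def check_submitted_score(submitted: int, expected: int) -> Dict[str, object]:
    """Compare the SPRS submission with the SSP-supported score. An overstated score
    is the case this checklist tells you to correct before the assessment."""
    return {
        "submitted": submitted,
        "expected": expected,
        "delta": submitted - expected,
        "overstated": submitted > expected,
    }


# Constructed sample SSP statuses; practices not listed are treated as implemented
# here, whereas a real SSP lists all 110.
SAMPLE_SSP_STATUS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.3.3": "implemented",
    "3.5.3": "partially implemented",   # qualifies for the 3-point partial deduction
    "3.13.11": "not implemented",       # full 5-point deduction
    "3.14.1": "partially implemented",  # no partial credit: full 5-point deduction
}
SUBMITTED_SPRS_SCORE = 105  # constructed value for the example

if __name__ == "__main__":
    expected = expected_sprs_score(SAMPLE_SSP_STATUS, SAMPLE_WEIGHTS)
    print(check_submitted_score(SUBMITTED_SPRS_SCORE, expected))
```

For the sample the SSP supports a score of 97 (deductions of 3, 5 and 5), so a submitted 105 is overstated by 8 points and must be corrected in SPRS before the C3PAO arrives.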
Evidence Organization
C3PAO assessors will request evidence for each practice. Having evidence organized and accessible before the assessment begins reduces assessment time and reduces the risk of assessors concluding that evidence does not exist because it could not be located promptly. Organize evidence by NIST SP 800-171 practice number and have documentation, screenshots, configuration exports, or other evidence ready to present for each practice.
Personnel Preparation
Assessors interview personnel to verify that documented controls are actually followed. Personnel who are unfamiliar with documented procedures create credibility problems even when the procedures themselves are adequate. Brief the personnel who will be interviewed, including IT staff, system administrators, HR personnel for personnel security controls, and management for oversight and authorization questions. They should be familiar with documented procedures and able to describe how they are followed in practice.
Mock Assessment
Conduct an internal mock assessment using the CMMC assessment guide as the evaluation framework. Walk through each practice as an assessor would, looking for evidence and asking the questions an assessor would ask. Gaps identified in the mock assessment can be addressed before the real assessment. Gaps identified during the real assessment cannot. Our companion piece on how to prepare for a cybersecurity compliance audit covers the mock assessment methodology and evidence preparation practices that make this final verification phase as productive as possible.
Meet Our CEO, Matt Rosenthal
With more than 30 years of experience in business and technology leadership, Matt Rosenthal has guided defense contractors through CMMC preparation and assessment processes, helping organizations close compliance gaps and build the security programs that assessments verify. As President and CEO of Mindcore Technologies, Matt leads a team that provides CMMC services and cybersecurity compliance support for defense contractors across the country.
Matt’s approach to CMMC preparation is grounded in the recognition that documentation and technical controls must both be present and must be consistent with each other. Assessors who find inconsistencies between what documentation says and what technical evidence shows have a finding regardless of whether either component individually appears adequate.
Frequently Asked Questions
How long does CMMC Level 2 preparation typically take?
Preparation timeline depends on the current state of the organization’s security program. Organizations that have actively maintained NIST SP 800-171 compliance and submitted accurate SPRS scores typically require three to six months to complete final preparation. Organizations starting from limited prior compliance investment typically require nine to eighteen months to build the documentation, implement the technical controls, and demonstrate sustained operation of those controls before assessment. Assessors are evaluating implemented and functioning controls, not controls that were recently installed in preparation for the assessment.
Can we have open POA&M items during the CMMC Level 2 assessment?
Yes. CMMC Level 2 does not require zero POA&M items. It requires that the overall score meets the threshold and that open items have documented remediation plans with realistic timelines. However, practices that are scored as not implemented in the SPRS submission and that remain not implemented during the assessment will affect the assessment outcome. The POA&M demonstrates active management of known gaps, not acceptance of unlimited gaps.
What is the difference between CMMC Level 1, Level 2, and Level 3?
CMMC Level 1 applies to contractors handling Federal Contract Information and requires annual self-assessment against 17 basic cybersecurity practices. Level 2 applies to contractors handling controlled unclassified information and requires triennial third-party assessment by a C3PAO against 110 NIST SP 800-171 practices, with some contracts permitting annual self-assessment. Level 3 applies to contractors handling the most sensitive CUI on critical programs and requires government-led assessment against practices derived from NIST SP 800-172. The specific level required for a given contractor is specified in the contract’s DFARS clauses. Our companion piece on who needs CMMC certification covers the specific contract and CUI conditions that determine which level applies to your organization.
What happens if the C3PAO assessment finds significant gaps?
If the assessment finds that the score falls below the threshold for certification, the organization receives a Conditional CMMC Certificate if the gaps are documented in a POA&M with a credible remediation plan and timeline. The Conditional status requires completing remediation and reassessment within 180 days. If gaps are severe enough that a Conditional Certificate is not appropriate, certification is denied and the contractor must remediate and reassess. Contractors without certification cannot be awarded contracts requiring CMMC Level 2.
Should we engage a CMMC Registered Practitioner Organization for assessment preparation?
Yes. CMMC Registered Practitioner Organizations and Registered Practitioners can help with gap assessments, documentation development, technical control implementation, and mock assessments that prepare you for C3PAO assessment. They cannot conduct the actual C3PAO assessment, which is performed by a separate Certified Third-Party Assessment Organization. Engaging an RPO for preparation is not a conflict with the C3PAO assessment process. It is the intended use of the RPO role in the CMMC ecosystem.
Build the Compliance Program the Assessment Verifies
CMMC assessment preparation is not a documentation exercise. It is the verification that a security program exists, is implemented, is followed, and produces the protection of controlled unclassified information that DoD requires.
Organizations that approach preparation as a documentation exercise, writing procedures that describe controls they have not actually implemented, consistently fail assessments when technical evidence and personnel interviews reveal the gap between documentation and practice. Organizations that build genuine security programs, implement controls, train personnel, and document what they actually do, approach assessments with confidence because there is nothing to hide.
Mindcore’s CMMC services help defense contractors build and document the security programs that CMMC Level 2 assessments verify. If your organization is preparing for a CMMC assessment or needs to assess your current compliance posture against this checklist, contact Mindcore to begin that process.