CMMC Compliance Checklist: A Phased Approach to Certification Readiness

A comprehensive CMMC compliance checklist covering scoping, gap assessment, remediation, SSP documentation, and assessment preparation for defense contractors.

Agency Team · 12 min read

After guiding dozens of defense contractors through CMMC readiness, we have found that organizations with a structured, phased approach consistently achieve certification faster and at lower cost than those who try to address everything at once. This checklist reflects the methodology that works.

Preparing for CMMC certification is not a weekend project. It requires systematic planning across multiple organizational functions — IT, security, legal, operations, and executive leadership. The organizations that succeed are those that break the effort into manageable phases, establish accountability at each step, and maintain momentum through what is typically a 12-to-18-month journey.

This checklist provides a phased roadmap from initial scoping through assessment day. Whether you are pursuing CMMC Level 1 self-assessment or Level 2 C3PAO certification, the foundational steps are the same. We have organized this into five phases that build on each other sequentially, with specific deliverables at each stage.

Phase 1: Scope and Foundation (Weeks 1-6)

The most critical phase of CMMC preparation is defining what is in scope. Every decision you make about controls, documentation, and investment depends on accurately identifying your CUI environment.

1.1 Identify Your CUI Environment

Before you can protect CUI, you need to know where it lives. This means mapping every system, application, network segment, and physical location where CUI is stored, processed, or transmitted.

Checklist items:

  • Review all active DoD contracts and subcontracts for CUI requirements
  • Identify the types of CUI your organization handles (categories per the CUI Registry)
  • Map CUI data flows from receipt through processing, storage, and transmission
  • Document where CUI enters your environment (email, file transfer, portals, physical delivery)
  • Document where CUI exits your environment (deliverables, subcontractor sharing, archival)
  • Identify all systems that touch CUI at any point in the data flow

1.2 Build Your Asset Inventory

A comprehensive asset inventory is foundational to CMMC. Assessors will cross-reference your asset inventory against your SSP and network diagrams to verify completeness.

Asset Category     | What to Document                      | Examples
-------------------|---------------------------------------|------------------------------------------------------
Endpoints          | Device type, OS, owner, location      | Laptops, desktops, mobile devices
Servers            | Purpose, OS, hosting location         | File servers, application servers, domain controllers
Network Devices    | Type, firmware version, location      | Firewalls, switches, routers, access points
Cloud Services     | Provider, service type, data stored   | Microsoft 365, AWS GovCloud, cloud backup
Applications       | Name, version, data processed         | ERP systems, CAD software, email clients
Security Tools     | Type, coverage, version               | EDR, SIEM, vulnerability scanner
Physical Locations | Address, access controls, CUI present | Offices, data centers, manufacturing facilities
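The cross-reference the assessor performs between inventory, SSP and network diagram can be scripted so it runs before every evidence refresh rather than once before assessment day. The following is an added example, not code from the original article: the CSV export, the SSP system list, the diagram node list and the per-category required fields are all constructed sample data, and the column names are assumptions about how an inventory might be exported.

```python
"""Reconcile a CMMC asset inventory against the systems named in the SSP and
drawn on the network diagram.  Added example (not from the original article);
every input below is constructed sample data."""
import csv
import io

# Constructed inventory export: one row per asset.  'version' holds the OS for
# endpoints and servers, the firmware version for network devices, and the
# software version for applications.  'cui' marks assets that store, process
# or transmit CUI and are therefore in assessment scope.
INVENTORY_CSV = """\
asset_id,category,name,version,owner,location,cui
EP-001,Endpoint,eng-lt-01,Windows 11,J. Doe,Office A,yes
EP-002,Endpoint,eng-lt-02,Windows 11,R. Roe,Office A,yes
SRV-001,Server,fs-cui-01,Windows Server 2022,IT,Data center,yes
SRV-002,Server,dc-01,Windows Server 2022,IT,Data center,yes
NET-001,Network Device,fw-edge-01,,IT,Data center,yes
APP-001,Application,erp,,Finance,Cloud,no
"""

# Constructed: system names listed in the SSP "system environment" section
# and nodes drawn on the CUI network diagram.
SSP_SYSTEMS = {"eng-lt-01", "eng-lt-02", "fs-cui-01", "dc-01", "fw-edge-01", "siem-01"}
DIAGRAM_NODES = {"eng-lt-01", "fs-cui-01", "dc-01", "fw-edge-01", "siem-01"}

# Fields the asset table above expects per category, mapped onto our columns.
REQUIRED_BY_CATEGORY = {
    "Endpoint": ("version", "owner", "location"),
    "Server": ("version", "location"),
    "Network Device": ("version", "location"),
    "Cloud Service": ("owner",),
    "Application": ("version",),
    "Security Tool": ("version",),
}


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def incomplete_rows(rows):
    """Asset IDs whose category-required fields are blank."""
    bad = []
    for row in rows:
        required = REQUIRED_BY_CATEGORY.get(row["category"], ())
        if any(not row[field].strip() for field in required):
            bad.append(row["asset_id"])
    return sorted(bad)


def reconcile(rows, ssp_systems, diagram_nodes):
    """Three-way comparison an assessor would otherwise perform by hand.

    Returns sorted lists so the result is easy to diff between runs."""
    inventory_names = {row["name"] for row in rows}
    cui_names = {row["name"] for row in rows if row["cui"].lower() == "yes"}
    return {
        # In-scope assets the SSP or diagram never mention: a completeness finding.
        "missing_from_ssp": sorted(cui_names - ssp_systems),
        "missing_from_diagram": sorted(cui_names - diagram_nodes),
        # Systems documented as part of the environment but absent from the inventory.
        "not_in_inventory": sorted((ssp_systems | diagram_nodes) - inventory_names),
        "incomplete_rows": incomplete_rows(rows),
    }


def run_check():
    """Convenience entry point over the constructed data."""
    return reconcile(load_inventory(INVENTORY_CSV), SSP_SYSTEMS, DIAGRAM_NODES)


if __name__ == "__main__":
    for finding, items in run_check().items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

On the constructed data the check reports one CUI laptop absent from the diagram, a SIEM named in the SSP and diagram that the inventory never recorded, and two rows with blank required fields; each of those is exactly the kind of discrepancy an assessor flags when walking the three documents side by side.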

1.3 Create Network Diagrams

Your network diagram must show CUI data flows, system boundaries, and the separation between CUI and non-CUI environments. This is not a generic IT network diagram — it must specifically illustrate:

  • CUI boundary demarcation
  • Network segmentation between CUI and non-CUI systems
  • External connections (internet, VPN, partner connections)
  • Security device placement (firewalls, IDS/IPS, proxy servers)
  • Cloud service connections
  • Data flow direction for CUI

1.4 Establish Key Roles

CMMC compliance requires clearly defined security roles with documented responsibilities. At minimum, establish the following:

  • Information System Security Officer (ISSO) — Day-to-day security management and compliance oversight
  • CUI Program Manager — Oversees CUI identification, handling, and marking procedures
  • System Administrator — Manages technical controls and system configurations
  • Incident Response Lead — Coordinates detection, response, and reporting
  • Executive Sponsor — Provides organizational authority and resource commitment

Document these roles, their responsibilities, and the individuals assigned to them. This becomes part of your SSP.

Phase 2: Gap Assessment (Weeks 4-10)

With your scope defined and foundations established, the next phase is an honest assessment of where you stand against the 110 NIST 800-171 controls that form the basis of CMMC Level 2.

2.1 Assess Against All 110 Controls

For each of the 110 NIST 800-171 controls, evaluate your current implementation status:

  • Fully Implemented — Control is documented, implemented, and operating with evidence
  • Partially Implemented — Control exists but has gaps in scope, documentation, or evidence
  • Not Implemented — Control is not in place
  • Not Applicable — Control does not apply to your environment (rare — document justification)

Key assessment areas by control family:

Control Family                            | # Controls | Common Gap Areas
------------------------------------------|------------|------------------------------------------------------------------------
Access Control (AC)                       | 22         | Least privilege enforcement, remote access controls, session management
Awareness & Training (AT)                 | 3          | Role-based training, training records, security awareness program
Audit & Accountability (AU)               | 9          | Log retention, log review process, audit trail completeness
Configuration Management (CM)             | 9          | Baseline configurations, change control, software restriction
Identification & Authentication (IA)      | 11         | MFA implementation, password policies, device identification
Incident Response (IR)                    | 3          | IR plan testing, incident handling procedures, reporting
Maintenance (MA)                          | 6          | Remote maintenance controls, maintenance personnel oversight
Media Protection (MP)                     | 9          | CUI marking, media sanitization, portable media controls
Personnel Security (PS)                   | 2          | Screening, personnel termination procedures
Physical Protection (PE)                  | 6          | Visitor management, physical access logs, monitoring
Risk Assessment (RA)                      | 3          | Vulnerability scanning, risk assessments, vulnerability remediation
Security Assessment (CA)                  | 4          | System connections, continuous monitoring, security assessments
System & Communications Protection (SC)   | 16         | Encryption at rest/in transit, boundary protection, CUI separation
System & Information Integrity (SI)       | 7          | Flaw remediation, malicious code protection, security alerts

2.2 Calculate Your SPRS Score

Using the DoD's NIST 800-171 Assessment Methodology, calculate your current SPRS score. Each of the 110 controls has an assigned point value, and unimplemented controls reduce your score from the maximum of 110. This score provides a quantitative baseline for tracking progress.

2.3 Prioritize Gaps

Not all gaps are equal. Prioritize remediation based on:

  1. Controls that cannot be placed on POA&M under CMMC — these must be fully implemented before assessment
  2. High-weighted controls in the SPRS scoring methodology
  3. Controls with dependencies — some controls enable others (e.g., asset inventory enables configuration management)
  4. Controls requiring long lead times — technology procurement, infrastructure changes, or policy development
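Sections 2.2 and 2.3 describe two calculations over the same gap register: the SPRS score and the remediation order. The following is an added example, not code from the original article, that carries both through on a constructed register. The DoD methodology weights each requirement 1, 3 or 5 points and grants partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography); the specific weights, POA&M eligibility flags and lead times assigned to the sample controls below are illustrative assumptions, so take the real values from the current methodology document and CMMC rule.

```python
"""Compute a DoD Assessment Methodology (SPRS) score from a gap-assessment
register and rank the open gaps using the prioritization criteria above.
Added example, not from the original article.  Requirement weights, POA&M
eligibility and lead times below are constructed for illustration."""
from dataclasses import dataclass

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED, NOT_APPLICABLE = (
    "implemented", "partial", "not_implemented", "not_applicable")

MAX_SCORE = 110
# The methodology weights each requirement 1, 3 or 5 points and subtracts the
# full weight for any unmet requirement.  Partial credit exists for only two
# requirements: 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) cost 3
# points instead of 5 when partially implemented.  Any other requirement that
# is only partially implemented scores as not implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Control:
    req_id: str                 # NIST SP 800-171 requirement number
    family: str                 # control family abbreviation (AC, IA, ...)
    weight: int                 # SPRS weight: 1, 3 or 5
    status: str
    poam_allowed: bool = True   # False: must be fully implemented before assessment
    lead_time_weeks: int = 0    # procurement / policy development lead time


def deduction(control):
    """Points this control subtracts from the perfect score of 110."""
    if control.status in (IMPLEMENTED, NOT_APPLICABLE):
        return 0
    if control.status == PARTIAL and control.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control.req_id]
    if control.status in (PARTIAL, NOT_IMPLEMENTED):
        return control.weight
    raise ValueError(f"unknown status {control.status!r} on {control.req_id}")


def sprs_score(controls):
    """Fully implemented controls deduct nothing, so a register that lists
    only the controls with gaps still produces the correct score."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def prioritize(controls):
    """Open gaps in remediation order: POA&M-ineligible first, then heaviest
    SPRS deduction, then longest lead time, then requirement number."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda c: (c.poam_allowed, -deduction(c),
                                       -c.lead_time_weeks, c.req_id))


# Constructed gap-assessment register (weights and eligibility illustrative).
SAMPLE_REGISTER = [
    Control("3.1.1", "AC", 5, IMPLEMENTED),
    Control("3.1.5", "AC", 3, NOT_IMPLEMENTED, lead_time_weeks=4),
    Control("3.3.1", "AU", 5, IMPLEMENTED),
    Control("3.4.1", "CM", 5, NOT_IMPLEMENTED, poam_allowed=False, lead_time_weeks=10),
    Control("3.5.3", "IA", 5, PARTIAL, poam_allowed=False, lead_time_weeks=8),
    Control("3.6.3", "IR", 1, NOT_IMPLEMENTED, lead_time_weeks=2),
    Control("3.13.11", "SC", 5, PARTIAL, lead_time_weeks=12),
]


if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(SAMPLE_REGISTER)} / {MAX_SCORE}")
    for c in prioritize(SAMPLE_REGISTER):
        print(f"{c.req_id:8} {c.family}  -{deduction(c)}  "
              f"POA&M allowed: {c.poam_allowed}  lead: {c.lead_time_weeks}w")
```

Note how the ordering differs from a pure score-driven view: the partially implemented MFA control deducts only 3 points yet sorts ahead of a 3-point control that can sit on a POA&M, because the first criterion is whether the control must be closed before the assessment at all. Re-running the score after each closure gives the quantitative progress baseline the methodology is meant to provide.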

2.4 Document Findings

Produce a formal gap assessment report that documents each control's status, identified gaps, remediation recommendations, estimated effort, and priority. This report becomes the foundation for your remediation plan.

For more on the gap assessment process, see our guide on CMMC gap assessment.

Phase 3: Remediation (Weeks 8-40)

Remediation is typically the longest and most resource-intensive phase. The scope depends entirely on your gap assessment findings. Organizations with mature security programs may need only documentation improvements, while those starting from a lower baseline may require significant technical and organizational changes.

3.1 Technical Remediation

Address technical gaps identified in the gap assessment. Common remediation areas include:

Identity and Access Management

  • Deploy multi-factor authentication (MFA) across all CUI-touching systems
  • Implement role-based access control with documented access review procedures
  • Configure session timeout and lockout policies
  • Establish privileged access management controls

Network Security

  • Segment CUI environment from general corporate network
  • Deploy and configure boundary protection devices (firewalls, IDS/IPS)
  • Implement encrypted communications for all CUI in transit (TLS 1.2+ minimum)
  • Configure DNS filtering and web content controls

Endpoint Security

  • Deploy endpoint detection and response (EDR) across all in-scope endpoints
  • Establish baseline configurations and hardening standards
  • Implement application whitelisting or software restriction policies
  • Configure full-disk encryption on all endpoints that may contain CUI

Logging and Monitoring

  • Deploy centralized log management (SIEM) covering all in-scope systems
  • Configure audit logging per NIST 800-171 requirements
  • Establish log review procedures and retention policies (minimum 1 year recommended)
  • Implement alerting for security-relevant events

Data Protection

  • Implement encryption at rest for all CUI storage locations
  • Configure data loss prevention (DLP) policies for CUI-containing data
  • Establish media sanitization procedures and tools
  • Deploy backup and recovery solutions with CUI protection

3.2 Organizational Remediation

Technical controls alone are insufficient. CMMC assessors evaluate organizational processes with equal rigor.

Security Awareness Training

  • Develop and deliver CUI-specific security awareness training
  • Implement role-based training for personnel with security responsibilities
  • Establish training tracking and completion verification
  • Schedule recurring training (at minimum annually, with new-hire onboarding)

Incident Response

  • Develop or update your incident response plan to address CUI-specific scenarios
  • Define incident severity levels and escalation procedures
  • Establish relationships with external incident response resources
  • Conduct tabletop exercises to test your IR plan (document the exercise and findings)
  • Ensure alignment with DFARS 72-hour reporting requirements

POA&M Management

  • Establish a formal POA&M process for tracking and remediating identified weaknesses
  • Assign ownership, milestones, and target dates for each POA&M item
  • Implement regular POA&M review cadence (monthly recommended)
  • Document closure evidence for completed POA&M items

For more on managing POA&Ms effectively, see our CMMC POA&M guide.

Risk Management

  • Conduct periodic risk assessments of the CUI environment
  • Document risk acceptance decisions with executive approval
  • Maintain a risk register tied to your security control implementation
  • Perform regular vulnerability scanning and remediation

3.3 Consider an Enclave Approach

One of the most effective strategies for managing CMMC scope and cost is implementing a CUI enclave — a dedicated, isolated environment specifically for CUI processing, storage, and transmission. By concentrating CUI in a smaller, more controlled environment, you reduce the number of systems, personnel, and controls in scope for assessment.

An enclave approach typically involves:

  • A dedicated network segment with strict boundary controls
  • A limited set of hardened endpoints for CUI access
  • Restricted personnel access (only those with a need-to-know)
  • Dedicated security controls optimized for the enclave environment

This approach can significantly reduce assessment scope and remediation costs, particularly for organizations with large IT environments where only a subset of personnel and systems interact with CUI.

Phase 4: Documentation (Weeks 30-50)

Documentation is where self-assessed compliance and CMMC-ready compliance diverge most sharply. Every control must be documented, and the documentation must be detailed enough for an assessor who has never seen your environment to understand your implementation.

4.1 System Security Plan (SSP)

Your SSP is the central document for your CMMC assessment. It must include:

  • System description — Purpose, function, and boundary of the CUI environment
  • System environment — Network architecture, hardware, software, and interconnections
  • System boundary — Clear delineation of in-scope vs. out-of-scope systems
  • Control implementation — For each of the 110 controls, document:
    • How the control is implemented
    • What technologies support it
    • Who is responsible for it
    • What evidence demonstrates it is operating
  • Roles and responsibilities — Security roles with named individuals
  • Interconnections — External system connections with security agreements

4.2 Policies and Procedures

Develop or update security policies and procedures covering each NIST 800-171 control family. Each policy should include:

  • Purpose and scope
  • Roles and responsibilities
  • Specific requirements aligned to NIST 800-171 controls
  • Review and approval cadence
  • Version history

Procedures should be actionable step-by-step instructions that personnel can follow. Assessors will check that procedures align with actual practice — a policy that says one thing while staff does another is a finding.

4.3 Evidence Library

Build and maintain a centralized library of evidence artifacts organized by control family. Examples include:

  • Configuration screenshots demonstrating security settings
  • System-generated reports showing control operation (access reviews, scan results)
  • Training completion records
  • Incident response exercise documentation
  • Change management records
  • Physical access logs
  • Audit log samples demonstrating completeness and retention

Update this evidence regularly. Assessors want to see evidence of ongoing operation, not a one-time collection assembled the week before assessment.

Phase 5: Assessment Preparation (Weeks 45-55)

With remediation complete and documentation in order, the final phase focuses on preparing your organization for the assessment itself.

5.1 Conduct a Readiness Assessment

Before scheduling your C3PAO assessment, conduct an internal readiness review or engage an independent consultant to perform a mock assessment. This should simulate the C3PAO assessment process:

  • Document review of your SSP, policies, and evidence
  • Personnel interviews to verify knowledge of security procedures
  • Technical examination of control implementations
  • Identification of any remaining gaps

5.2 Select and Schedule a C3PAO

Choose a CMMC Third-Party Assessment Organization from the Cyber AB marketplace. Consider:

  • Industry experience relevant to your sector
  • Assessor availability and scheduling lead times
  • Geographic proximity (for on-site assessment components)
  • References from organizations of similar size and complexity
  • Independence — the C3PAO cannot have provided consulting services to your organization

Schedule well in advance. C3PAO availability is limited and lead times can extend several months.

For detailed guidance on selecting a C3PAO, see our CMMC C3PAO guide.

5.3 Prepare Your Team

The people in your organization are as important to assessment success as your technical controls. Prepare them by:

  • Briefing all in-scope personnel on the assessment process and their roles
  • Conducting practice interviews with key personnel (ISSO, system administrators, incident response leads)
  • Ensuring everyone knows where to find relevant documentation and evidence
  • Designating a single point of contact for assessment logistics
  • Preparing a dedicated workspace for assessors with access to necessary systems and documentation

5.4 Pre-Assessment Logistics

  • Compile all documentation in an organized, accessible format
  • Verify that all evidence artifacts are current and complete
  • Confirm that all POA&M items are either closed or within allowable limits
  • Test remote access tools if parts of the assessment will be conducted remotely
  • Prepare an agenda and schedule aligned with the C3PAO's assessment plan

Post-Assessment: Maintaining Compliance

CMMC certification is valid for three years, but compliance is continuous. After achieving certification:

  • Monitor controls continuously — Do not let controls degrade between assessments
  • Update documentation — Reflect system changes, personnel changes, and process updates in your SSP
  • Maintain your evidence library — Continue collecting evidence of control operation
  • Conduct annual self-assessments — Use CMMC assessment criteria to evaluate your own posture annually
  • Submit annual affirmation — Confirm your organization's continued compliance status
  • Track regulatory changes — Monitor for CMMC updates, including potential transition to NIST 800-171 Rev 3

CMMC compliance is a program, not a project. The organizations that maintain certification most efficiently are those that integrate security controls into daily operations rather than treating them as periodic compliance exercises.

For a comprehensive overview of CMMC requirements, see our CMMC requirements guide.
