SecurEveryone
CMMC 2.0 Compliance Checklist
Updated June 2026
Cybersecurity Maturity Model Certification 2.0
CMMC 2.0 Readiness Checklist — Level 1, Level 2 & Level 3 Practices
Use this checklist to assess your organization's CMMC 2.0 readiness across all three certification levels. Level 1 covers 17 basic safeguarding practices for Federal Contract Information (FCI). Level 2 covers 110 practices aligned to NIST SP 800-171 for Controlled Unclassified Information (CUI). Level 3 includes advanced requirements from NIST SP 800-172 for high-value assets.
At a glance: 17 Level 1 practices; 110 Level 2 practices; 14 control domains; references FAR 52.204-21, NIST SP 800-171 Rev 2 and NIST SP 800-172.
The 14 CMMC Domains
AC — Access Control
AT — Awareness & Training
AU — Audit & Accountability
CM — Configuration Management
IA — Identification & Authentication
IR — Incident Response
MA — Maintenance
MP — Media Protection
PS — Personnel Security
PE — Physical Protection
RA — Risk Assessment
CA — Security Assessment
SC — System & Communications Protection
SI — System & Information Integrity
Level 1 — 17 Practices. FCI only. FAR 52.204-21. Annual self-assessment plus annual affirmation via SPRS.
Access Control (AC)
Limit information system access to authorized users and processes acting on behalf of authorized users.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | User access lists, IAM policies, access control lists | FAR 52.204-21 |
| L1.AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to exercise. | Role-based access control matrix, RBAC configuration | FAR 52.204-21 |
| L1.AC.1.003 | Verify and control/limit connections to and use of external information systems. | VPN policy, external system usage agreements | FAR 52.204-21 |
| L1.AC.1.004 | Control information posted or processed on publicly accessible information systems. | Public content review process, FCI marking procedures | FAR 52.204-21 |
Identification & Authentication (IA)
Identify information system users, and authenticate (or verify) those users as appropriate.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.IA.1.001 | Identify information system users and processes acting on behalf of users. | User account inventory, identity management records | FAR 52.204-21 |
| L1.IA.1.002 | Identify asset owners and confirm asset ownership before acquiring, providing, or granting access to organizational assets. | Asset ownership registry, access provisioning forms | FAR 52.204-21 |
Media Protection (MP)
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.MP.1.001 | Protect (e.g., physically control and securely store) information system media containing Federal Contract Information, until media is sanitized or destroyed. | Media storage logs, locked storage containers, media checkout procedures | FAR 52.204-21 |
| L1.MP.1.002 | Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | Media sanitization certificates, disposal logs, NIST SP 800-88 compliant wipe records | FAR 52.204-21 |
Personnel Security (PS)
Screen individuals prior to authorizing access to organizational information systems containing FCI.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.PS.1.001 | Screen individuals prior to authorizing access to organizational information systems containing Federal Contract Information. | Background check records, screening policy, access authorization forms | FAR 52.204-21 |
Physical Protection (PE)
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.PE.1.001 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Visitor logs, access badge system, physical security policies | FAR 52.204-21 |
| L1.PE.1.002 | Provide security safeguards for each designated system, equipment, and operating environment to prevent unauthorized access and use. | Locked server rooms, security cameras, alarm systems, entry logs | FAR 52.204-21 |
System & Communications Protection (SC)
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems).

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.SC.1.001 | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundary and key internal boundaries of the information systems. | Firewall rules, network diagrams, perimeter monitoring logs | FAR 52.204-21 |
| L1.SC.1.002 | Employ cryptographic mechanisms to protect organizational information in storage and in transit over any medium that is not owned, operated, or controlled by the organization. | TLS/SSL certificates, VPN configuration, encryption-at-rest policies | FAR 52.204-21 |
System & Information Integrity (SI)
Identify, report, and correct system flaws in a timely manner.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L1.SI.1.001 | Identify, report, and correct information system flaws in a timely manner. | Patch management logs, vulnerability remediation records, SLA documentation | FAR 52.204-21 |
| L1.SI.1.002 | Provide protection from malicious code (e.g., anti-virus, anti-spyware) at appropriate locations within organizational information systems. | EDR/AV deployment records, updated definitions, scan logs | FAR 52.204-21 |
| L1.SI.1.003 | Monitor system security alerts and distribute appropriate information to appropriate personnel within the organization. | SIEM dashboards, alert routing procedures, incident response contacts | FAR 52.204-21 |
| L1.SI.1.004 | Update malicious code protection mechanisms when new releases are available. | Update schedules, version tracking, deployment records | FAR 52.204-21 |
Level 2 — 110 Practices. CUI protection. NIST SP 800-171 Rev 2. Annual self-assessment or third-party C3PAO assessment, depending on contract.
Access Control (14 practices)
Control account management, separation of duties, least privilege, failed login lockout, system use notification.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| AC.L2-3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users, and authorized devices (including other information systems). | IAM policies, user provisioning logs, access control matrix | NIST SP 800-171 |
| AC.L2-3.1.2 | Limit information system access to the types of transactions and functions that authorized users are permitted to exercise. | RBAC configuration, application access controls | NIST SP 800-171 |
| AC.L2-3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Data flow diagrams, information barrier policies, DLP configuration | NIST SP 800-171 |
| AC.L2-3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Duties segregation matrix, role assignments | NIST SP 800-171 |
| AC.L2-3.1.5 | Employ the principle of least privilege, allowing only authorized accesses necessary for users' assigned duties. | Privileged access management, minimal privilege policy | NIST SP 800-171 |
| AC.L2-3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Separated admin/user roles, privileged access workstation (PAW) usage | NIST SP 800-171 |
| AC.L2-3.1.7 | Prevent non-privileged users from executing privileged functions and audit execution of privileged functions. | Privileged function monitoring, admin action logs | NIST SP 800-171 |
| AC.L2-3.1.11 | Terminate information system connections after 15 minutes of inactivity. | Session timeout policies, idle timeout configuration | NIST SP 800-171 |
| AC.L2-3.1.12 | Monitor and control remote access sessions. Route remote connections through boundary protection devices. | VPN logs, remote access policy, jump server configuration | NIST SP 800-171 |
| AC.L2-3.1.14 | Control the flow of CUI external to the organization. Control content of CUI in transit. | Encryption in transit, approved communication channels, CUI marking | NIST SP 800-171 |
| AC.L2-3.1.15 | Implement subnetworks for publicly accessible system components that are physically/logically separated from internal networks. | DMZ architecture, network segmentation diagrams | NIST SP 800-171 |
Awareness & Training (3 practices)
Role-based security awareness, cybersecurity training before access, periodic refresher training.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| AT.L2-3.2.1 | Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | Security awareness training records, completion certificates, training calendar | NIST SP 800-171 |
| AT.L2-3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | Training completion records, role-specific curricula, skills assessments | NIST SP 800-171 |
| AT.L2-3.2.3 | Provide security awareness training on recognizing and reporting potential and actual security incidents. | Incident reporting procedure, phishing simulation results, training materials | NIST SP 800-171 |
Audit & Accountability (5 practices)
Event logging, timestamp synchronization, audit log content, review and reporting, non-repudiation.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| AU.L2-3.3.1 | Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. | SIEM configuration, log retention policy, audit log storage | NIST SP 800-171 |
| AU.L2-3.3.2 | Ensure that the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. | Unique user IDs, authentication logs, audit trail integrity | NIST SP 800-171 |
| AU.L2-3.3.3 | Review and update logged events. Alert appropriate personnel of audit processing failures. | Log review schedule, alerting rules, escalation procedures | NIST SP 800-171 |
Configuration Management (9 practices)
Baseline configurations, configuration change control, least functionality, software restrictions, approved configurations.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| CM.L2-3.4.1 | Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | System inventory, configuration baseline documents, asset management system | NIST SP 800-171 |
| CM.L2-3.4.2 | Establish and enforce security configuration settings for information technology products employed on organizational information systems. | STIGs/benchmarks applied, CIS benchmarks, configuration baselines | NIST SP 800-171 |
| CM.L2-3.4.3 | Track, review, approve/disapprove, and audit changes to organizational information systems. | Change management process, CAB meeting records, change tickets | NIST SP 800-171 |
| CM.L2-3.4.5 | Define, implement, and evaluate security safeguards/countermeasures as part of a configuration management process. | Security controls documentation, SSP, remediation records | NIST SP 800-171 |
Identification & Authentication (6 practices)
User identification, strong authentication, credential management, account lifecycle, identifier management.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| IA.L2-3.5.1 | Identify information system users, processes acting on behalf of users, and devices. | Identity management system, user account inventory | NIST SP 800-171 |
| IA.L2-3.5.2 | Authenticate (or verify) the identity of those users, processes, or devices as a prerequisite to allowing access to organizational information systems. | MFA enforcement, password policy, authentication logs | NIST SP 800-171 |
| IA.L2-3.5.3 | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | MFA coverage reports, conditional access policies, authentication methods used | NIST SP 800-171 |
| IA.L2-3.5.4 | Prevent reuse of identifiers. Prohibit the reuse of the same identifier across the organization's information systems. | Unique identifier policy, deprovisioning procedures | NIST SP 800-171 |
| IA.L2-3.5.5 | Prevent the use of expired passwords. Disable identifiers after 35 days of inactivity. | Account lifecycle policy, automated deactivation schedules | NIST SP 800-171 |
Incident Response (4 practices)
Incident handling plan, reporting procedures, incident tracking, testing and training.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| IR.L2-3.6.1 | Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, eradication, and recovery. | IR plan, incident response team contacts, runbooks | NIST SP 800-171 |
| IR.L2-3.6.2 | Track, document, and report incidents to designated organizational officials and/or authorities. | Incident reporting procedures, DoD reporting requirements, CUI incident chain of custody | NIST SP 800-171 |
| IR.L2-3.6.3 | Test the organizational incident response capability. | Incident response exercises, tabletop test results, after-action reports | NIST SP 800-171 |
Maintenance (3 practices)
Flaw remediation, controlled maintenance, privileged tool management.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| MA.L2-3.7.1 | Perform periodic and on-demand maintenance on organizational information systems, and provide maintenance support. | Maintenance schedule, maintenance logs, vendor support agreements | NIST SP 800-171 |
| MA.L2-3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. | Maintenance accounts, remote access controls for vendors | NIST SP 800-171 |
Media Protection (5 practices)
CUI media protection, sanitization, transport controls, accountability, markings.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| MP.L2-3.8.1 | Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. | Locked storage, media accountability logs, CUI handling procedures | NIST SP 800-171 |
| MP.L2-3.8.2 | Sanitize or destroy information system media containing CUI before disposal or release for reuse. | NIST SP 800-88 compliant sanitization, disposal certificates | NIST SP 800-171 |
| MP.L2-3.8.3 | Control access to media containing CUI, and maintain accountability for media during transport. | Media transport logs, chain of custody forms, escort procedures | NIST SP 800-171 |
| MP.L2-3.8.4 | Mark media with CUI distribution restrictions and applicable CUI markings. | CUI labeling standard (DFARS 252.204-7012), media marking templates | NIST SP 800-171 |
Personnel Security (2 practices)
Screening, personnel termination, access revocation.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| PS.L2-3.9.1 | Screen individuals prior to authorizing access to information systems containing CUI. | Background investigation records, NISPOM compliance, screening policy | NIST SP 800-171 |
| PS.L2-3.9.2 | Ensure that organizational information systems containing CUI are protected during personnel actions such as terminations and transfers. | Offboarding checklists, access revocation procedures, exit interviews | NIST SP 800-171 |
Physical Protection (2 practices)
Physical access controls, monitoring, perimeter security for CUI systems.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| PE.L2-3.10.1 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Access badge system, visitor logs, alarm systems, mantrap entries | NIST SP 800-171 |
| PE.L2-3.10.2 | Provide security safeguards to protect against and limit the effects of environmental threats. | Environmental controls (fire suppression, HVAC), DR location considerations | NIST SP 800-171 |
Risk Assessment (3 practices)
Security assessment, vulnerability scanning, risk treatment plan.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| RA.L2-3.11.1 | Periodically assess the risk to organizational operations, assets, and individuals, using the results of the security assessment. | Annual risk assessment, SSP updates, risk register | NIST SP 800-171 |
| RA.L2-3.11.2 | Scan for vulnerabilities in organizational information systems and remediate those vulnerabilities according to an assessed level of risk. | Vulnerability scan reports, patch cadence records, remediation tracking | NIST SP 800-171 |
Security Assessment (4 practices)
Control monitoring, plan of action, security assessment, continuous monitoring.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| CA.L2-3.12.1 | Develop, document, and periodically update system security plans describing the security controls and the process to implement those controls. | System Security Plan (SSP), POA&M, plan review schedule | NIST SP 800-171 |
| CA.L2-3.12.2 | Develop, document, and implement processes to monitor and respond to findings from security assessments, audits, and reviews. | Audit response procedures, remediation tracking, SSP updates | NIST SP 800-171 |
System & Communications Protection (14 practices)
Boundary protection, security function isolation, CMMC overlay, FIPS-validated cryptography, key management.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| SC.L2-3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational information systems) at the external boundary and at key internal boundaries of organizational information systems. | Firewall rules, IDS/IPS, segmentation architecture | NIST SP 800-171 |
| SC.L2-3.13.3 | Use cryptographic mechanisms to prevent unauthorized disclosure and modification of CUI during transmission. | TLS 1.2+, FIPS 140-2 validated crypto modules, VPN for all CUI transmission | NIST SP 800-171 |
| SC.L2-3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | DMZ configuration, web server isolation, perimeter security | NIST SP 800-171 |
| SC.L2-3.13.6 | Deny network communications traffic by default. Allow only exception-based communications on a per-port/protocol basis. | Default-deny firewall policy, allow-listed ports and protocols | NIST SP 800-171 |
| SC.L2-3.13.15 | Use controlled releases (e.g., formal change control, security impact analysis, testing) to manage roll-out of new functionality to operational environments. | Staged deployment process, change management, security testing in staging | NIST SP 800-171 |
System & Information Integrity (7 practices)
Flaw remediation, malicious code protection, security alerts, system integrity monitoring, firmware integrity, software integrity controls.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| SI.L2-3.14.1 | Identify, report, and correct system flaws in a timely manner. | Patch management policy, SLA compliance records, CVSS scoring process | NIST SP 800-171 |
| SI.L2-3.14.2 | Provide protection from malicious code at appropriate locations within organizational information systems. | EDR/AV deployed and updated, endpoint protection coverage reports | NIST SP 800-171 |
| SI.L2-3.14.3 | Monitor system security alerts and distribute appropriate information to appropriate organizational personnel. | SIEM configuration, alert routing matrix, CISA AIS notifications | NIST SP 800-171 |
| SI.L2-3.14.4 | Verify the integrity of information system software and firmware using cryptographic mechanisms (e.g., code signing, hash comparison). | Code signing infrastructure, firmware hash verification, SBOM for supplied software | NIST SP 800-171 |
| SI.L2-3.14.6 | Monitor organizational information systems, including traffic and communications, for attacks and indicators of potential attacks. | Network monitoring, intrusion detection, threat intelligence feeds | NIST SP 800-171 |
| SI.L2-3.14.7 | Identify unauthorized use of organizational information systems. | User behavior analytics, anomaly detection, security monitoring | NIST SP 800-171 |
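The "hash comparison" half of SI.L2-3.14.4 (and the file integrity monitoring evidence asked for under L3.SI.3.001) is easy to state and easy to get wrong: a list of hashes only proves something if the list itself cannot be silently rewritten. The script below is an added example, not SecurEveryone's code or anything from NIST or the DoD; it builds a SHA-256 manifest over a directory tree, seals the manifest with an HMAC as a stand-in for a real code-signing key, and then reports modified, missing and unexpected files. The sample files, paths and the HMAC key are all constructed for the demonstration.

```python
"""Baseline-and-verify file integrity check with a sealed SHA-256 manifest.

Added example for the hash-comparison part of SI.L2-3.14.4 and the FIM part of
L3.SI.3.001. Not SecurEveryone's code; all files, paths and keys are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _hash_tree(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def build_manifest(root: Path, mac_key: bytes) -> dict:
    """Record a hash for every file and seal the listing with an HMAC.

    The HMAC stands in for a signature: a manifest anyone can rewrite proves
    nothing, so the key must be held away from the hosts being checked.
    """
    files = _hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(mac_key, body, "sha256").hexdigest()}


def verify_manifest(root: Path, manifest: dict, mac_key: bytes) -> dict:
    """Compare the tree under root with the manifest and report every discrepancy."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(mac_key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # A rewritten listing invalidates every hash in it; report nothing else.
        return {"manifest_tampered": True, "modified": [], "missing": [],
                "unexpected": [], "ok": False}
    current = _hash_tree(root)
    expected = manifest["files"]
    modified = sorted(n for n in expected if n in current and current[n] != expected[n])
    missing = sorted(n for n in expected if n not in current)
    unexpected = sorted(n for n in current if n not in expected)
    return {"manifest_tampered": False, "modified": modified, "missing": missing,
            "unexpected": unexpected, "ok": not (modified or missing or unexpected)}


def demo() -> dict:
    """Baseline constructed sample files, then simulate drift and a forged manifest."""
    mac_key = b"constructed-demo-key-keep-off-monitored-hosts"  # constructed; use a managed secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF original agent binary")  # constructed
        (root / "etc").mkdir()
        (root / "etc" / "agent.conf").write_text("log_level=info\n")  # constructed
        (root / "firmware.bin").write_bytes(b"FW-v1.0")  # constructed

        manifest = build_manifest(root, mac_key)
        clean = verify_manifest(root, manifest, mac_key)

        # Drift: one binary altered, one config removed, one file planted.
        (root / "bin" / "agent").write_bytes(b"\x7fELF patched agent binary")
        (root / "etc" / "agent.conf").unlink()
        (root / "dropped.so").write_bytes(b"unexpected library")
        drifted = verify_manifest(root, manifest, mac_key)

        # Forgery: the listed hash is updated to match the altered binary, but the
        # MAC cannot be recomputed without the key, so the check still fails.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["bin/agent"] = sha256_file(root / "bin" / "agent")
        forged_result = verify_manifest(root, forged, mac_key)

    return {"clean": clean, "drifted": drifted, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In an assessment the artifact is the manifest plus the run logs; the point the script makes is that the baseline has to be sealed (signed, or at least MAC'd with a key stored off the monitored hosts) and that a verifier must treat a bad seal as a total failure rather than trusting the individual hashes.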
Level 3 — Enhanced Practices. High-value CUI. NIST SP 800-172 subset. Government-led assessment (GSA) required. Includes advanced threat protection against nation-state actors and sophisticated adversaries targeting the DIB.
Level 3 Enhanced Requirements (Representative subset)
Focused on advanced persistent threat (APT) protection, specialized security measures, and advanced audit capabilities.

| # | Requirement | Evidence / Artifact | Ref |
|---|---|---|---|
| L3.AC.3.001 | Implement advanced access controls including security policy enforcement mechanisms, metadata completeness checks, and cross-domain solutions for CUI flows. | Cross-domain solution (CDS) implementation, metadata tagging for CUI, data loss prevention architecture | NIST SP 800-172 |
| L3.AC.3.002 | Implement cryptographic protection using NIST-approved cryptography in all organizational systems and communications where CUI is stored, processed, or transmitted. | FIPS 140-2 Level 2+ validated crypto modules, HSM key management | NIST SP 800-172 |
| L3.AT.3.001 | Implement advanced cybersecurity workforce development including threat-hunting, incident response, and adversarial tactics training aligned to current threat intelligence. | Adversary simulation exercises, threat-hunting curriculum, CTF participation records | NIST SP 800-172 |
| L3.SC.3.001 | Implement advanced boundary protection including specialized malware analysis, dynamic analysis, and behavioral analytics at system entry and exit points. | Sandboxing solutions, malware detonation chambers, behavior-based intrusion prevention | NIST SP 800-172 |
| L3.IR.3.001 | Develop an advanced cyber incident response plan aligned to DoD Cyber Crime Center (DC3) reporting requirements and sector-specific threat intelligence. | IR plan with DC3 contacts, threat-intelligence-driven playbooks, sector-specific CTI | NIST SP 800-172 |
| L3.SI.3.001 | Implement advanced system integrity monitoring including host-based intrusion detection, file integrity monitoring, and behavioral analytics to detect sophisticated APT activity. | HIDS/HIPS deployment, FIM configuration, UEBA platform, YARA rule sets | NIST SP 800-172 |
| L3.RA.3.001 | Conduct threat-hunting activities based on cyber threat intelligence to proactively identify indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). | Threat-hunting reports, MITRE ATT&CK mapping, IOC indicator database | NIST SP 800-172 |
| L3.AU.3.001 | Implement advanced audit capabilities including automated audit log synthesis, correlation, and real-time alerting for anomalous activity consistent with APT indicators. | SIEM with advanced correlation rules, real-time alerting, audit trail preservation | NIST SP 800-172 |
| L3.IA.3.001 | Implement phishing-resistant MFA (PIV/CAC or FIDO2) for all access to CUI systems, with continuous re-authentication risk assessment. | PIV/CAC deployment, FIDO2 authenticators, continuous authentication risk scoring | NIST SP 800-172 |
© 2026 SecurEveryone. CMMC assessment support: secureveryone.com | hello@secureveryone.com