CMMC Checklist: How to Get Ready Before an Assessment

For defense contractors, subcontractors, and compliance teams, the Cybersecurity Maturity Model Certification (CMMC) is no longer something to leave until the last minute. If your business wants to qualify for federal contracts, you need to understand what CMMC requires and where your current security gaps are.

In this CMMC checklist, we’ll help you prepare for certification, avoid the cost of being unprepared, and work through the key requirements step by step. Keep reading to learn what CMMC compliance involves and how to get your organization ready before an assessment.

What Is Required for CMMC Compliance?

A lot. But we’ll make it as easy as possible to understand. CMMC compliance requirements protect two categories of sensitive government information:

  1. Federal Contract Information (FCI), and
  2. Controlled Unclassified Information (CUI)

What specific controls do you need to meet? It depends on which type of data you handle and what your contract demands. Before you can build a meaningful CMMC checklist, you need to answer three foundational questions.

Know Whether You Handle FCI, CUI, or Both

FCI is any information provided by or generated for the government under a contract that is not intended for public release. CUI is a broader, more sensitive category that includes:

  • Export-controlled data
  • Technical drawings
  • Proprietary acquisition information

If your systems touch CUI, your CMMC compliance checklist becomes significantly more demanding, requiring you to meet NIST SP 800-171 controls at a minimum.

You’ll want to review your:

  • Contracts
  • Subcontracts
  • Data-sharing agreements

Look for language referencing CUI categories, distribution statements (such as Distribution B through F on technical documents) or explicit mentions of DFARS clause 252.204-7012. That clause is your clearest signal that CUI is in play and that CMMC Level 2 or higher likely applies.

Identify the CMMC Level Your Contract Requires

Your business may need varying degrees of compliance, such as:

  • Level 1: Meant for contractors handling FCI.
  • Level 2: The most common level, required for Defense Industrial Base (DIB) companies that handle CUI.
  • Level 3: The highest level, meant for sensitive DoD programs.

Before going through your CMMC checklist, verify the level required in your contract.

Scope the Systems That Process, Store, or Transmit CUI

Scoping is the single most impactful step in your CMMC certification checklist. Your assessment boundary defines which systems, networks and users are in scope. Every system inside that boundary must comply. Every system outside it does not.

The goal?

Define boundaries before your assessment begins, not after. Poorly scoped environments inflate cost, extend assessment timelines and introduce findings that could have been avoided.

Step 1: Confirm Your CMMC Level and Assessment Type

You know what your contract demands. Now what? Assessment is the next part of your CMMC checklist. Your requirements will vary based on the respective level. For example:

Level 1 Self-Assessment

Contractors at this level perform an annual self-assessment against the 17 FAR practices and submit their score to the Supplier Performance Risk System (SPRS). No third-party assessor is required. A senior company official must affirm the accuracy of the submission. Documentation, while not formally reviewed, should still exist in case of a DoD audit.

Level 2 Self-Assessment or Third-Party Assessment

Some Level 2 contractors can self-assess and submit to SPRS, similar to Level 1. Contracts that involve programs with higher sensitivity or critical national security information will undergo a third-party assessment.

CMMC compliance checklist items at Level 2 include the 110 controls in NIST SP 800-171, organized across 14 control families.

Level 3 Certification Assessment

CMMC certification requirements at this level involve a government-led assessment conducted by the Defense Contract Management Agency (DCMA). These assessments are reserved for contractors supporting the most sensitive DoD programs.

Does Level 3 apply to you?

Expect a rigorous review of your implementation of NIST SP 800-172 enhanced security requirements on top of the full NIST SP 800-171 baseline. Third-party readiness assistance is strongly recommended before a Level 3 assessment.

Step 2: Map Where CUI and FCI Actually Live

Inaccurate or incomplete data maps are a common cause of CMMC failure. Mapping is both an organizational and a technical exercise, and it requires input from:

  • Contracts
  • Legal
  • IT
  • Operations teams

Our cybersecurity services can also help you prepare for mapping your data properly.

Check Email, File Shares, Cloud Storage, and Endpoints

Start with the obvious places:

  • Email inboxes
  • Sent folders
  • Shared drives
  • Endpoint devices
  • Desktops and laptops
  • Removable media
  • Collaboration platforms

CUI often ends up in Google Workspace, Microsoft Teams and SharePoint. Formal processes and governance are necessary for all of these data points. If left uncontrolled, all of these are weak points in your potential assessment.

Don’t Forget Vendors, Subcontractors, and Shared Drives

CUI also flows outside of contractor control, often when it’s passed to other parties, such as:

  • Subcontractors
  • Third parties
  • Vendors

Flow-down clauses are found in your prime contract and are something to pay close attention to when signing. You may need to add the external parties to your assessment scope so that you all remain compliant.

Reduce Scope Before You Buy More Tools

Add scope reduction to your CMMC checklist before you acquire new tools. Vulnerability management includes assessing any new software or solution before purchasing it. If a tool does not fit where CUI actually lives, it only adds to your overall scope.

Step 3: Build the Core CMMC Control Checklist

With your scope defined, systematic reviews of your controls will prepare you for a CMMC self-assessment or a C3PAO assessment. Three areas to focus on:

Start With Access, MFA, and Least Privilege

Your CMMC checklist should include:

  • Multi-factor authentication (MFA) for all accounts, especially those that have to access CUI. Remote access and privileged accounts also need to have MFA.
  • Follow least-privilege principles. Individuals should only be able to access systems and data that pertain to their role. If their role doesn’t require access, then they don’t need it.
  • Keep privileged accounts separate from standard user accounts. Access must be logged and monitored.
  • Inactive accounts must be disabled after a defined period so that unused access is revoked before it can be abused.
  • Remote access sessions must use encrypted channels.

Assessors will verify MFA, so be sure it’s in place throughout the organization.

Fix Vulnerabilities and Patch Gaps Before They Become Findings

Vulnerability management (the SI and RA control families) is another high-finding area. Before your assessment, conduct an authenticated vulnerability scan against all in-scope systems. Remediate critical and high findings. Document your patch cadence and show that it is consistently followed.

Unpatched vulnerabilities will be found and flagged by the assessor.

Can’t patch certain issues due to operational constraints? Document them in your Plan of Action and Milestones (POA&M).

Document What You Do, Not What You Wish You Did

Documentation is where many technically capable organizations fail their CMMC assessment. Write your policies and procedures to reflect what actually happens in your environment. If your patch cycle is 30 days, document 30 days, not 7. If your incident response team is two people, document two people. Aspirational documentation that does not match observed practice creates findings and damages your credibility with the assessor.

Step 4: Prepare Evidence Before the Assessor Asks

An assessment is an evidence review. Use your CMMC checklist to organize evidence by control domain.

Policies, Procedures, and the System Security Plan

Your SSP is the single most important document in your CMMC preparation. It describes your system boundary, the users and roles within it, the technologies in use and how each of the 110 NIST SP 800-171 controls is implemented.

The SSP must be:

  • Current
  • Accurate
  • Cross-referenced to your actual environment

Assessors will use it as a roadmap. At a minimum, your CMMC checklist should include:

  • A complete, current SSP covering all in-scope systems
  • Acceptable Use Policy
  • Access Control Policy
  • Incident Response Plan
  • Configuration Management Plan
  • Media Protection Policy
  • Physical Security Policy
  • Risk Assessment documentation
  • Security Awareness Training records

Screenshots, Logs, Reports, Tickets, and Configurations

For each control, prepare supporting evidence in advance. Common evidence types include:

  • Screenshots of MFA enforcement in your identity provider or directory service
  • Vulnerability scan reports with remediation tracking
  • Audit log exports demonstrating that logging is active and reviewed
  • Patch management reports showing compliance with your documented cadence
  • User access review records
  • Security awareness training completion certificates
  • Configuration baseline documents and hardening checklists
  • Help desk tickets showing security-related events and how they were handled

Organize this evidence by control number.

POA&M Items and What Must Be Closed

Every CMMC compliance checklist should include:

  • Known gaps
  • Remediation approach
  • Responsible owners
  • Target closure dates

Close any of these items before your assessment. Every open issue remains a potential finding that can impact your contract.

How Much Does a CMMC Assessment Cost?

Unfortunately, there’s no straightforward answer to costs on this – or any – CMMC checklist. You have to factor in C3PAO fees that can be $20,000 – $100,000, but then there are remediation costs and others that compound on top of them.

Common CMMC Readiness Mistakes Contractors Make

Most assessment failures and delays trace back to a handful of predictable mistakes. If you are building your CMMC compliance checklist, use this section as a warning list.

Treating CMMC Like a One-Time Audit

CMMC certification is not a point-in-time checkbox. It is a continuous compliance posture. Assessors evaluate whether your controls are implemented and operational, not whether they were configured once and never touched again. Organizations that treat their CMMC audit checklist as a sprint to certification rather than an ongoing operational discipline typically encounter findings related to:

  • Log review
  • Patch management
  • Access reviews
  • Training

These are all controls that require regular attention to remain in compliance.

Waiting Until the Contract Mentions CMMC

A CMMC checklist started 18 months before your first assessment is far more valuable than one started 60 days before.

Buying Tools Before Fixing Process and Scope

Technology cannot fix broken processes. Invest in scope, documentation and process first, before buying more tools.

How Cyber Husky Can Support CMMC Readiness

At Cyber Husky, we help contractors and businesses meet CMMC security requirements. Our team will run a full readiness check and help you rectify issues before your assessment so that they’re not held against you.

A CMMC Checklist Is Only Useful If It Leads to Action

What can you do now? Take action. A CMMC checklist is only useful when execution takes place. Work with any stakeholders that you can and go down the list to tick off each box.

FAQs

What is required for CMMC compliance?

It depends. Your CMMC compliance requirements will vary:

  • Level 1: 17 practices
  • Level 2: 110 controls
  • Level 3: Adds NIST SP 800-172

We’ll be more than happy to discuss all of these options with you.

What is included in a CMMC compliance checklist?

Scoping, followed by implementing and documenting your CUI environment. Your CMMC compliance checklist will also include:

  • System Security Plan (SSP)
  • Gathering technical evidence
  • Managing open gaps in your Plan of Action and Milestones (POA&M)

Our team can help verify your CMMC security requirements.

How much does a CMMC assessment cost?

Prices vary based on the level you’re required to meet. Our CMMC compliance services have a pricing structure that varies depending on the size of the environment and complexity. Ongoing compliance also adds to the total cost.

What is the difference between CMMC Level 1 and Level 2?

Working through our CMMC certification checklist, it’s clear that the differences are:

  • Level 1: 17 basic practices for contractors handling FCI with a self-assessment each year.
  • Level 2: 110 NIST SP 800-171 controls for contractors handling CUI.

Every subsequent level adds to the requirements for handling sensitive data.

Do small subcontractors need CMMC compliance?

Yes. Arguably, a CMMC audit checklist is most valuable for these companies if they plan on being part of the supply chain. Your subcontract will spell out which requirements apply to your organization and must be met.

What is SPRS in CMMC?

SPRS submission is part of any CMMC checklist because it’s a requirement for DoD contractors. Why? As a contractor, you’ll need to submit your self-assessment scores to SPRS, and a senior company official must affirm that those scores are accurate.

Can an MSP help with CMMC compliance?

Yes, of course. Our managed IT services help you work through a CMMC cybersecurity checklist and ensure your readiness. But an MSP cannot take the compliance burden off its clients completely.
