Meeting CMMC 2.0 requirements isn't something you can improvise six weeks before a contract deadline. Defense contractors who handle controlled unclassified information (CUI) are subject to a formal set of cybersecurity obligations that now carry real teeth — third-party audits, affirmations, and eventually mandatory inclusion in DoD contracts under DFARS 7012 and its successor clauses. This guide breaks down exactly what you need to do: the controls, the documentation, the technical work, and the assessment process — organized so an IT director or CISO can use it as a working roadmap.
Key Insights
- CMMC 2.0 consolidates the original five-level model into three levels. Most defense contractors fall under CMMC Level 2, which maps directly to all 110 NIST SP 800-171 controls.
- The CMMC checklist isn't just a technical exercise. It includes policy development, personnel training, and formal documentation that assessors review just as closely as firewall configurations.
- A System Security Plan (SSP) and Plan of Action & Milestones (POA&M) are mandatory artifacts. Without them, no C3PAO will certify you.
- Third-party assessments for Level 2 are conducted by accredited Certified Third-Party Assessment Organizations (C3PAOs). Their evaluators look for evidence, not intent.
- CUI identification is step zero — you can't protect data you haven't scoped.
- GCC High (Microsoft's government community cloud for defense) is often the fastest path to meeting cloud-specific DoD requirements, particularly for contractors already in the Microsoft ecosystem.
- Common audit failures involve access control gaps, missing multi-factor authentication, inadequate audit logging, and undocumented incident response procedures.
- Compliance sequencing matters — organizations that start with scoping, then documentation, then technical controls, then gap remediation consistently perform better in assessments than those who start with technology.
What the CMMC 2.0 Requirements Framework Actually Covers
The Department of Defense released the final CMMC 2.0 rule in December 2024, with phased implementation beginning in 2025. Understanding what the framework covers — and doesn't cover — is the first practical step.
Three levels, one clear target for most contractors. Level 1 applies to companies handling Federal Contract Information (FCI) but not CUI — it covers 17 basic safeguarding practices drawn from FAR 52.204-21. Level 2 is where the vast majority of defense contractors land. It requires all 110 NIST 800-171 controls across 14 security domains, and it's the level that requires a formal third-party assessment for most organizations. Level 3 applies to programs involving National Security Systems and requires additional controls from NIST SP 800-172 — it's a smaller population, assessed by DCSA.
The framework is not self-attested at Level 2 for most primes. Unlike the original CMMC 1.0 concept that allowed self-attestation broadly, CMMC 2.0 distinguishes between contractors where self-attestation is permitted and those where a C3PAO must conduct and validate the assessment. The DoD determines which contracts require third-party validation based on the sensitivity of the program.
DFARS 7012 is still the legal foundation. Even as CMMC clauses roll into contracts, contractors are still required to comply with DFARS 252.204-7012, which mandates adequate security per NIST SP 800-171 and requires reporting of cyber incidents to DoD within 72 hours. CMMC certification is the formal verification that those obligations are actually met.
The 14 Domains: What You're Actually Being Measured Against
All 110 NIST 800-171 controls fall within 14 security domains. The number of controls per domain varies significantly — understanding which domains carry the most weight helps you prioritize.
Access Control (AC) — 22 controls. The largest domain. Covers who can access what systems, how access is granted and revoked, least-privilege principles, remote access controls, and CUI data flow. This is consistently the domain with the most findings in assessments.
Audit and Accountability (AU) — 9 controls. Requires that systems generate audit logs, that those logs are protected, and that someone reviews them. Many contractors have logging turned on but no documented review process, which counts as a gap.
Awareness and Training (AT) — 3 controls. Small domain, but often overlooked. Requires that personnel are made aware of security risks and that role-based training is provided. Documentation of who completed what training is required evidence.
Configuration Management (CM) — 9 controls. Baseline configurations for all systems, change control processes, and restrictions on software installation. If your endpoints allow users to install arbitrary software, this domain will produce findings.
Identification and Authentication (IA) — 11 controls. Multi-factor authentication, password complexity, management of privileged accounts, and authenticator lifecycle. MFA on all accounts — especially those accessing CUI — is non-negotiable here.
Incident Response (IR) — 3 controls. An incident response plan must exist, be tested, and include reporting procedures that align with DFARS 7012's 72-hour reporting requirement. Tabletop exercises are the standard evidence of testing.
Maintenance (MA) — 6 controls. Covers how systems are maintained, whether maintenance is performed remotely, and what controls are in place during maintenance activities. Remote access for maintenance must be monitored and controlled.
Media Protection (MP) — 9 controls. Sanitization and disposal of media, protection of CUI on portable devices, and controls around physical media containing sensitive data. USB port controls and encryption of removable media are common requirements here.
Personnel Security (PS) — 2 controls. The smallest domain. Requires screening of individuals before granting access to CUI systems and a process for terminating access when personnel leave.
Physical Protection (PE) — 6 controls. Physical access controls to systems that process or store CUI. Badge access logs, visitor management, and physical security of server rooms or workstations.
Risk Assessment (RA) — 3 controls. A periodic risk assessment process, identification of vulnerabilities, and remediation tracking. Vulnerability scanning with documented remediation timelines satisfies this domain.
Security Assessment (CA) — 4 controls. Internal security assessments, system interconnection management, and a Plan of Action & Milestones (POA&M) to address findings. This is where your documentation infrastructure is formally evaluated.
System and Communications Protection (SC) — 16 controls. Network segmentation, encryption of CUI in transit, architectural controls on CUI flow, and protection of communications at system boundaries. This domain often requires the most infrastructure work for organizations without a formal network architecture.
System and Information Integrity (SI) — 7 controls. Anti-malware, security alerting, patch management, and protection against malicious code. Patch cadence documentation and endpoint detection are the primary evidence items here.
Documentation Requirements: SSP, POA&M, and What Assessors Actually Read
Documentation is where many technically capable organizations fall short. A C3PAO assessment is not a penetration test — it's an evidence review. Assessors spend significant time in documents before they ever look at a system.
The System Security Plan (SSP) is your primary artifact. The SSP must describe your information system boundary, how CUI flows through it, the security controls you've implemented, how each control is satisfied, and where responsibility lies. For any control that's not fully implemented, the SSP references the POA&M. Assessors use the SSP to scope the assessment — if it's incomplete, unclear, or inconsistent with what they observe in the environment, that gap itself becomes a finding.
The POA&M tracks what isn't done yet. A POA&M is not an admission of failure — it's a structured plan for addressing known gaps. It should include each open finding, the remediation action planned, the responsible owner, the resources required, and a realistic completion milestone. DoD accepts POA&Ms as part of the assessment process, provided they meet specific criteria: items cannot be open indefinitely, and certain high-priority controls (particularly those protecting CUI directly) must be remediated before certification can be granted.
Supporting documentation assessors expect to see:
- Network diagrams showing CUI data flows and system boundaries
- Asset inventory covering all hardware, software, and cloud services in scope
- Policy documents for each security domain (access control policy, incident response plan, configuration management policy, etc.)
- User account listings with role assignments
- Training completion records
- Audit log samples and evidence of log review
- Vulnerability scan results and remediation tracking
- Vendor/subcontractor agreements covering CUI handling
CMMC documentation should be maintained as living documents, not point-in-time artifacts. Assessors frequently check document revision dates and compare stated procedures against observed configurations to identify inconsistencies.
Technical Controls Checklist: The High-Priority Items
While all 110 controls matter, certain technical requirements appear most frequently in assessment findings and should be addressed early in any CMMC compliance steps planning.
Access Control and Least Privilege
- All user accounts operate with minimum necessary permissions
- Privileged accounts are separate from standard user accounts
- Access to CUI systems requires documented authorization
- Remote access sessions terminate after a defined period of inactivity
- All external connections are encrypted and controlled
Multi-Factor Authentication
- MFA is enforced on all accounts that access CUI — no exceptions for service accounts or shared credentials
- MFA applies to remote access, VPN, email, and cloud services
- Authenticator management policies are documented and enforced
Encryption
- CUI is encrypted at rest on all endpoints, servers, and cloud storage
- CUI is encrypted in transit using FIPS 140-2 validated cryptography
- Removable media containing CUI is encrypted before data is written
Audit Logging
- All systems processing CUI generate logs covering authentication events, access events, configuration changes, and privileged operations
- Logs are stored in a tamper-protected location separate from the systems they monitor
- Log retention meets the minimum period specified in policy (commonly 90 days online, one year archived)
- A documented log review process exists, with evidence of reviews occurring
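The four bullets above describe what an assessor wants to see for AU: event coverage on every CUI system, and a record proving that somebody actually reviewed the logs. The script below is an added example (not code from the original article) that turns those two requirements into a check. It reads a constructed set of syslog-style lines, classifies each event into the four required categories (authentication, access, configuration change, privileged operation), reports any host whose window contains no events for a category, and emits a dated review record that can be filed as evidence. Hostnames, users, the log format and the classification patterns are all assumptions; real deployments swap in their own event names.

```python
"""Audit-log coverage check and log-review evidence record (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample log lines (syslog-like). Hosts and users are fictional.
SAMPLE_LOG = """\
2025-03-03T08:01:12Z cui-fs01 sshd[2201]: Accepted publickey for jdoe from 10.20.1.15
2025-03-03T08:01:40Z cui-fs01 sudo: jdoe : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart auditd
2025-03-03T08:02:05Z cui-fs01 audit: type=CONFIG_CHANGE op=add_rule key=cui-share
2025-03-03T08:03:17Z cui-fs01 smbd: user jdoe opened /srv/cui/contract-1234.pdf
2025-03-03T08:05:44Z cui-fs01 sshd[2290]: Failed password for root from 203.0.113.9
2025-03-03T09:10:00Z cui-app02 sshd[118]: Accepted password for svc-backup from 10.20.1.40
2025-03-03T09:12:31Z cui-app02 smbd: user svc-backup opened /srv/cui/export.csv
"""

# The four event classes the checklist requires on every CUI system.
REQUIRED_CATEGORIES = ("authentication", "access", "config_change", "privileged")

# Classification rules, first match wins. The patterns are assumptions about
# the log sources in use (sshd, sudo, auditd, smbd); adjust to your own.
RULES = [
    ("authentication", re.compile(r"sshd\[\d+\]: (Accepted|Failed) ")),
    ("privileged", re.compile(r"sudo: .* COMMAND=")),
    ("config_change", re.compile(r"type=CONFIG_CHANGE")),
    ("access", re.compile(r"smbd: user \S+ opened ")),
]

# timestamp, host, then the free-text message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def classify(message):
    """Return the category for one log message, or None if no rule matches."""
    for category, pattern in RULES:
        if pattern.search(message):
            return category
    return None


def coverage_by_host(log_text):
    """Map each host to the set of required categories observed in its lines."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count these too
        category = classify(m.group("msg"))
        if category:
            seen[m.group("host")].add(category)
    return dict(seen)


def missing_categories(log_text):
    """Hosts that produced no events at all for one or more required categories."""
    gaps = {}
    for host, cats in coverage_by_host(log_text).items():
        missing = [c for c in REQUIRED_CATEGORIES if c not in cats]
        if missing:
            gaps[host] = missing
    return gaps


def failed_auth_by_user(log_text):
    """Failed-login counts per account, a typical item a reviewer looks at."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = re.search(r"Failed password for (\S+) from", line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def review_record(log_text, reviewer, review_date_iso):
    """Structured record of a completed review: the evidence artifact itself."""
    return {
        "review_date": review_date_iso,
        "reviewer": reviewer,
        "hosts_reviewed": sorted(coverage_by_host(log_text)),
        "coverage_gaps": missing_categories(log_text),
        "failed_auth_by_user": failed_auth_by_user(log_text),
    }


if __name__ == "__main__":
    print(json.dumps(review_record(SAMPLE_LOG, "security-poc", "2025-03-04"), indent=2))
```

Run against the sample, cui-fs01 shows all four categories while cui-app02 has no configuration-change or privileged events, which is exactly the kind of host-level gap that turns "logging is on" into a NOT MET finding. Storing the emitted record with the reviewer's name and date, on a schedule, is the review evidence the fourth bullet asks for.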
Patch Management
- Patches are applied within a defined SLA based on severity (typically critical patches within 30 days)
- Patch status is tracked against the asset inventory
- End-of-life software and operating systems are remediated or formally accepted as risk
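The three patch-management bullets are easiest to evidence with a single report that joins scan output to the asset inventory. The script below is an added example, not code from the original article: it takes a constructed inventory and a constructed list of missing patches, computes each patch's deadline from a severity-based SLA (the 30-day critical window matches the checklist; the other windows are assumptions), flags breaches as of a review date, flags patch rows whose asset is absent from the inventory (an inventory gap), and separates end-of-life systems with a documented risk acceptance from those without one. Asset names and patch identifiers are placeholders.

```python
"""Patch SLA tracking against the asset inventory (added example)."""
from datetime import date, timedelta

# Remediation window in days by severity. Critical = 30 follows the
# checklist above; the other values are assumptions to be set by policy.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed asset inventory for the CUI boundary.
INVENTORY = [
    {"asset": "cui-fs01", "os": "Windows Server 2022", "eol": False, "risk_accepted": False},
    {"asset": "cui-app02", "os": "Ubuntu 22.04", "eol": False, "risk_accepted": False},
    {"asset": "cad-ws07", "os": "Windows 7", "eol": True, "risk_accepted": False},
    {"asset": "lab-ctl01", "os": "Windows Server 2012", "eol": True, "risk_accepted": True},
]

# Constructed scan output: one row per missing patch, with the date the
# vendor published it. Patch ids are placeholders, not real advisories.
MISSING_PATCHES = [
    {"asset": "cui-fs01", "patch": "KB-EXAMPLE-001", "severity": "critical", "published": "2025-01-15"},
    {"asset": "cui-fs01", "patch": "KB-EXAMPLE-002", "severity": "low", "published": "2025-02-20"},
    {"asset": "cui-app02", "patch": "USN-EXAMPLE-100", "severity": "high", "published": "2025-01-10"},
    {"asset": "ghost-vm99", "patch": "KB-EXAMPLE-003", "severity": "medium", "published": "2025-02-01"},
]


def sla_deadline(published_iso, severity):
    """Date by which a patch of the given severity must be applied."""
    return date.fromisoformat(published_iso) + timedelta(days=SLA_DAYS[severity])


def sla_breaches(missing, as_of_iso):
    """Missing patches whose deadline has already passed on the review date."""
    as_of = date.fromisoformat(as_of_iso)
    breaches = []
    for row in missing:
        deadline = sla_deadline(row["published"], row["severity"])
        if as_of > deadline:
            breaches.append({
                "asset": row["asset"],
                "patch": row["patch"],
                "severity": row["severity"],
                "days_overdue": (as_of - deadline).days,
            })
    return breaches


def untracked_assets(inventory, missing):
    """Assets that appear in scan output but not in the inventory."""
    known = {a["asset"] for a in inventory}
    return sorted({row["asset"] for row in missing if row["asset"] not in known})


def eol_findings(inventory):
    """End-of-life systems with no documented risk acceptance: open findings."""
    return [a["asset"] for a in inventory if a["eol"] and not a["risk_accepted"]]


def patch_report(inventory, missing, as_of_iso):
    """Combined report a reviewer can attach to the POA&M or SSP evidence set."""
    return {
        "as_of": as_of_iso,
        "sla_breaches": sla_breaches(missing, as_of_iso),
        "untracked_assets": untracked_assets(inventory, missing),
        "eol_without_risk_acceptance": eol_findings(inventory),
        "eol_with_risk_acceptance": [a["asset"] for a in inventory if a["eol"] and a["risk_accepted"]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(patch_report(INVENTORY, MISSING_PATCHES, "2025-03-01"), indent=2))
```

With a review date of 2025-03-01 the critical patch on cui-fs01 is 15 days past its 30-day window, ghost-vm99 surfaces as a host the inventory never recorded, cad-ws07 is an open EOL finding, and lab-ctl01 is listed separately because its risk acceptance is on file. Each of those lines maps to one of the three bullets above, which is what makes the report usable as assessment evidence rather than just a scan dump.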
Cloud Environments
- Cloud services used to process or store CUI meet FedRAMP Moderate authorization or equivalent
- GCC High is the standard Microsoft cloud environment for defense contractors — standard Microsoft 365 commercial does not meet DoD requirements for CUI handling
- Shared responsibility documentation is in place with all cloud providers
Policy and Procedure Requirements
Technical controls without documented policy are a gap, not an implementation. Each security domain requires corresponding written procedures that explain how controls are implemented, who is responsible, and how exceptions are handled.
Minimum required policies for CMMC Level 2:
- Information Security Policy (overarching)
- Access Control Policy and Procedures
- Configuration Management Policy
- Incident Response Plan (tested annually)
- Media Protection Policy
- System Maintenance Policy
- Risk Assessment Procedures
- Security Awareness and Training Policy
- Contingency Plan / Business Continuity Plan
Policies must be approved by leadership, distributed to relevant personnel, and reviewed at defined intervals (typically annually). Assessors ask to see version history, distribution records, and acknowledgment signatures or training completion records as evidence of implementation.
Personnel and Training Requirements
People are a control, not just a risk factor. The CMMC controls in the Awareness and Training domain require documented evidence that personnel with access to CUI have received appropriate training before that access is granted.
Role-based training matters. General security awareness training covers the baseline — phishing awareness, CUI handling, incident reporting procedures. But personnel in IT, security, or administrative roles with higher-level access need additional training covering their specific responsibilities. System administrators need training on configuration management and access control procedures. Incident responders need training on the IR plan and DFARS reporting requirements.
Evidence requirements for training:
- Training completion records with dates and employee names
- Training content or curriculum documentation
- Frequency of training (annual at minimum, more frequent for high-risk roles)
- New hire training completion before CUI access is granted
Personnel screening under the PS domain requires that individuals are screened prior to being granted access to systems containing CUI. The specifics of what screening entails (background checks, reference verification) are left to the organization, but the process must be documented.
Termination procedures must ensure that access to CUI systems is revoked promptly when personnel leave or change roles. Documented offboarding checklists with IT sign-off are the standard evidence artifact.
The Assessment Process: What C3PAO Evaluators Actually Check
Understanding how a C3PAO conducts an assessment helps you prepare more effectively. The process follows a defined methodology established by the Cyber AB (formerly the CMMC Accreditation Body).
Phase 1: Document Review. Before arriving on-site or scheduling technical testing, assessors review your SSP, network diagrams, asset inventory, and supporting policies. Gaps in documentation at this stage signal what areas will receive closer scrutiny in Phase 2.
Phase 2: Interviews. Assessors conduct structured interviews with key personnel — IT staff, system administrators, the security point of contact. They're verifying that the procedures described in your documentation are actually understood and followed by the people responsible for them. An SSP that describes a log review process, combined with an administrator who doesn't know who reviews logs or how often, is a finding.
Phase 3: Testing and Observation. Assessors directly examine systems. They'll look at Active Directory group memberships, firewall rule sets, patch levels, audit log configurations, encryption settings, and endpoint protection status. They compare what they observe to what the SSP states.
Phase 4: Scoring. Each of the 110 NIST 800-171 controls receives a score: MET, NOT MET, or NOT APPLICABLE. Controls that are NOT MET must either be remediated before certification or documented in a POA&M with an acceptable closure timeline. The resulting score feeds into the Supplier Performance Risk System (SPRS) — contractors are required to self-report their SPRS score under current DFARS requirements.
What differentiates passing from failing: Organizations that pass assessments consistently have three things: a well-maintained SSP that accurately reflects their environment, personnel who understand and can demonstrate their security procedures, and no critical control gaps in the access control or CUI protection domains.
Common Gaps That Fail Audits
Certain findings appear repeatedly across CMMC audit prep engagements. Knowing them in advance lets you address them before the assessor arrives.
CUI isn't scoped or labeled. If you can't tell an assessor where your CUI lives, what systems process it, and how it flows between systems, you haven't completed the foundational step the entire assessment depends on.
MFA is partially deployed. Many organizations have MFA on their primary email but not on VPN, remote desktop, or cloud storage — all of which may touch CUI.
Audit logs exist but aren't reviewed. Logging infrastructure passes the technical test, but without evidence of regular log review, the control is scored NOT MET.
The SSP describes what should happen, not what does happen. Policies written to describe an ideal state that doesn't match observed configurations are a common failure pattern. SSPs must accurately reflect current implementation.
Subcontractor CUI handling is undocumented. If you pass CUI to subcontractors, your contracts and documented agreements must address CUI protection requirements. Flow-down of DFARS 7012 obligations is required, and assessors check for it.
Incident response plans haven't been tested. A plan that exists only as a document, with no evidence of tabletop exercises or drills, does not satisfy the IR domain's testing requirement.
End-of-life systems remain in scope. Unsupported operating systems or applications that can't receive security patches create findings that are difficult to score around. They need to be upgraded, isolated, or formally accepted as a risk with compensating controls.
Timeline: How to Sequence Your Compliance Efforts
CMMC compliance steps work best when sequenced logically. Organizations that try to implement technical controls before scoping their environment or completing their SSP typically waste effort and miss gaps.
Months 1–2: Scoping and Inventory
Identify all systems that process, store, or transmit CUI. Map CUI data flows. Build your asset inventory. Define the assessment boundary. This work is the prerequisite for everything else — without it, you don't know what you're protecting.
Months 2–4: Gap Assessment and SSP Development
Conduct a formal gap assessment against all 110 controls. Document current state for each control in your SSP. Create your POA&M for every control that's not fully implemented. This gives you a prioritized remediation list and the foundational documentation assessors will review.
Months 4–8: Remediation
Address gaps in priority order: start with controls that directly protect CUI (access control, MFA, encryption) and work outward. For cloud-dependent controls, evaluate whether migrating to GCC High is appropriate. Develop and approve all required policies.
Months 8–10: Internal Assessment and Training
Conduct an internal mock assessment against your SSP. Validate that configurations match documented procedures. Deliver training to all personnel with CUI access. Update your SSP to reflect completed remediation.
Months 10–12: C3PAO Assessment
Engage a C3PAO for your formal assessment. Expect the process to take four to eight weeks from kickoff to final scoring. Keep your POA&M current throughout.
The realistic timeline for an organization starting from a low baseline is twelve to eighteen months. Organizations with mature security programs that align well to NIST 800-171 controls can often compress this to eight to ten months.
Frequently Asked Questions
What are the CMMC 2.0 requirements for a Level 2 defense contractor?
The CMMC 2.0 requirements for Level 2 are all 110 controls from NIST SP 800-171, organized across 14 security domains. Level 2 is the tier that applies to most defense contractors handling CUI, and it requires either self-attestation or a third-party assessment by an accredited C3PAO, depending on what the specific contract requires. In addition to the technical controls, CMMC Level 2 also mandates a current SSP, a maintained POA&M, and documented compliance with DFARS 252.204-7012.
How is a CMMC checklist different from just implementing NIST 800-171?
A CMMC checklist encompasses everything that goes into CMMC certification — not just the 110 NIST 800-171 controls themselves, but the documentation, the formal assessment process, and the ongoing maintenance obligations. NIST 800-171 is the control set; CMMC is the verification framework that confirms you've actually implemented those controls. Many contractors thought they were compliant with 800-171 based on self-assessment and discovered significant gaps when preparing for a formal C3PAO review.
What is a System Security Plan (SSP) and why is it so important?
An SSP is the primary document that describes your information system, its boundary, how CUI flows through it, and how each of the 110 controls is implemented. The SSP is the artifact your assessor uses to understand your environment before conducting interviews and technical testing. An incomplete or inaccurate SSP is itself a finding — and it signals to assessors where to look for additional gaps. Without a current, accurate SSP, a certification assessment cannot proceed.
What happens if we have gaps during a C3PAO assessment?
Gaps identified during a C3PAO assessment are documented as NOT MET findings. Some findings can be addressed through a POA&M — a documented plan to remediate the gap within a defined timeline. However, not all open controls are POA&M-eligible for certification purposes. Controls that directly affect CUI protection typically must be remediated before certification is granted. For lower-priority gaps, DoD has established criteria for what can remain in a POA&M at the time of certification while remediation continues.
How does GCC High relate to CMMC 2.0 requirements?
GCC High is Microsoft's cloud environment built specifically for organizations subject to DoD requirements and ITAR/EAR restrictions. For defense contractors using Microsoft 365 or Azure, GCC High provides the FedRAMP High authorization and data residency controls required to store and process controlled unclassified information in the cloud. Standard Microsoft 365 commercial (even with E3/E5 licensing) does not satisfy the cloud-hosting requirements for CUI under CMMC 2.0. Migrating to GCC High is often a prerequisite for meeting the System and Communications Protection controls in CMMC Level 2.
How long does it take to get CMMC certified?
The time to achieve CMMC 2.0 certification depends heavily on your starting point. Organizations with a mature security program aligned to NIST 800-171 controls may be assessment-ready in six to nine months. Those starting from a low baseline should plan for twelve to eighteen months of preparation before engaging a C3PAO. The formal assessment process itself — from engagement to final scoring — typically takes four to eight weeks. Planning well in advance of contract requirements is essential, since CMMC audit prep cannot be compressed without cutting corners that will show up as findings.
Get Assessment-Ready with Daymark
Need help mapping your current security posture against CMMC 2.0 requirements? Daymark's CMMC Readiness Assessment identifies gaps and builds a prioritized remediation roadmap. Contact us to start your compliance journey.
Download our guide “7 Steps to CMMC Compliance.”
As a Microsoft AOS-G partner with deep experience in defense contractor compliance, Daymark brings both the technical expertise and the CMMC documentation frameworks that move organizations from gap assessment to certification-ready — efficiently and without surprises.