Skip links

A 12-Step CMMC Compliance Checklist

CMMC Compliance Checklist

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ global_colors_info=”{}”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.19.5″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]

CMMC Compliance Checklist

Any company that works with the United States Department of Defense (DoD) will need CMMC certification after May 2023. This includes DoD contractors, anyone along the supply chain, and anyone who contacts the Defense Industrial Base (DIB). If this is you, a CMMC compliance checklist can help you meet CMMC standards.

CMMC certification is for businesses that may access sensitive government data. This is high-stakes data, so the DoD can’t risk its integrity by sharing it on a system with insufficient cybersecurity measures.

If you don’t become CMMC-compliant, your company can’t work with the DoD or they could nullify your current contract. Prevent this situation by consulting our 12-step CMMC checklist to see how you can prepare for your assessment and what will happen in the process.

While You’re Following this CRMMC Compliance Checklist, Learn More about CMMC

Your Complete CMMC Assessment Guide


1. Determine Your CMMC Level

CMMC levels are based on information sensitivity. There are different CMMC standards for different CMMC levels. Therefore, you need to understand exactly what level of CMMC you’ll deal with in your role.

The CMMC levels are:

  1. Level 1 (Foundational): Applies to anyone who works with Federal Contract Information (FCI) based on the 17 domains highlighted in FAR 52.204-21.
  2. Level 2 (Advanced): Level 2 certification is required for anyone who will work with Controlled Unclassified Information (CUI) based on the 14 domains highlighted in NIST SP 800-171.
  3. Level 3 (Expert): Applies to companies who work with the highest security CUI and are in need of Advanced Threat Protection (APT). It is based on 130 domains from both NIST 800-171 and NIST 800-172. Level 3 is new to CMMC 2.0.

Your CMMC level will be decided by the requirement noted in the contract you are bidding on or the requirement of any current contracts.

Learn More About Cybersecurity


2. Identify Who Needs to Be Involved

Achieving CMMC certification is not a one-size fits all endeavor. It depends on the type of data you will work with and who may come into contact with it.

For that reason, identify who needs to be involved in your certification process. These people may include (but may not be limited to):

  • IT professionals, including your managed IT service providers.
  • The HR team who will be responsible for undertaking your CMMC training.
  • Any legal personnel who will be involved in your contract.
  • Financial professionals involved in your contract or who may see DoD purchases.
  • Anyone who may store DoD data on their inventory management system.


💡 Note: In 2026, all defense contractors except for those who are only managing Commercial Off The Shelf (COTS) application will require at least Level 1 CMMC certifcation.


3. Perform a Gap Analysis

There’s a chance that your current cybersecurity system won’t be enough to satisfy CMMC compliance. Perform a cybersecurity risk assessment to see if anything is below standards.

You will need documentation of your gap analysis for your official CMMC assessment. Be sure to track all evidence or ensure that your managed cybersecurity partner is doing so.


4. Hire a C3PAO if Necessary

Level 2 and higher certifications need a C3PAO (Third-Party Assessment Organization) with accreditation from the CMMC Accreditation Body (CMMC AB).

Finding a C3PAO is your responsibility. The number of C3PAO organizations is limited, so if you anticipate needing to gain a level 2 or level 3 certifications, then CP Cyber would recommend finding a C3PAO long before your official assessment so this doesn’t delay the process.

Only C3PAOs are authorized by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to perform CMMC audits.


5. Create a System Security Plan (SSP)

Create a System Security Plan (SSP) that outlines how you will stay within CMMC compliance going forward. You must update this plan regularly as technology changes. Have this document on hand for your CMMC assessment.


6. Create a Plan of Action and Milestones (POA&M)

Demonstrate the corrective steps you will take to correct gaps in a Plan of Actions and Milestones (POA&M). This document will show your C3PAO that your company is actively addressing any existing issues to ensure compliance.


7. Prepare for Your CMMC Assessment

Have all the proper documentation from your gap analysis on hand for your assessment. Consider how you can fill any gaps and meet CMMC requirements and be prepared to discuss it with your auditor.

Fill in as many compliance gaps as possible before your assessment. You won’t receive CMMC certification if you miss something and fail the assessment.


Prepare for Your CMMC Assessment with a Cybersecurity Risk Analysis

Learn More


8. Conduct a CMMC Assessment

At this point, your C3PAO will perform their audit. They will request evidence for each of the CMMC requirements and may request interviews with key personnel that are responsible for implementing the controls and those who perform ongoing tasks related to specific controls. Your organization should be prepared to spend some time to address these requests and should assign a primary point of contact for the 3PAO requests. The point of contact will then likely need to manage other employees to gather the evidence requested. This project manager role will make sure that delays are minimal.

Every C3PAO has their own CMMC audit checklist, but we commonly see the following:

  1. They’ll check what type of data you have across all systems.
  2. They’ll assess your IT system’s overall cybersecurity posture.
  3. They’ll assess that the controls in place are operating effectively.


9. Receive Your CMMC Report

Your C3PAO will create a report that highlights their findings. If you meet compliance, you will be granted certification. CMMC certification is valid for 3 years. You need to get recertified after this timeframe.

If you fail, your report will explain why. However, it won’t tell you how to fix it.


10. Review Your CMMC Assessment

If you didn’t make it, you can try again. Review your report to see where the issues were. There won’t be any suggestions on how to fix them. You will need to educate yourself on what you can do to remediate them.


11. Implement Remediations

If you failed, you have 90 days to fix your non-compliance issues and submit evidence before reapplication. 90 days feels tight when you’re implementing new cybersecurity protocols. That’s why you should try to attain compliance before the assessment.


12. Watch for CMMC Updates

CMMC 1.0 launched in September 2020 and it evolved into CMMC 2.0 in November 2021. This shows that compliance standards are subject to change as technology develops. Keep your eye out for updates and see if it affects your certification.

CMMC Compliance Checklist


Let CP Cyber Help You Complete Your CMMC Compliance Checklist

CP Cyber is prepared to help you get ready for your CMMC audit. Alongside cybersecurity experts, our team includes Federal Government contractors, former NSA and FBI agents, and US Armed Forces veterans. So, we have a good idea of what to expect from CMMC.

Our IT auditors have extensive experience helping top corporations and have multiple certifications such as CEH and CPT. We’ve performed compliance audits for SOX, NIST 800-53, and ISO 27000-27005.

Get in touch with our team for expert help with your CMMC preparation.


Share the Post: