logo
Sign UpSign InTry for free
CMMC 2.0 COMPLIANCE CHECKLIST

CMMC 2.0 compliance checklist

A step-by-step CMMC 2.0 compliance checklist for DoD contractors. From scope and Level selection through System Security Plan, self-assessment, SPRS submission, and C3PAO assessment - with the end-to-end process rendered as an editable BPMN map.

Official source:

Read the official DoD CMMC programme site
Download the checklist (PDF)Download DOCX
Who must comply with CMMC 2.0

Who CMMC 2.0 applies to

Defense Industrial Base (DIB) contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DFARS clauses 252.204-7012 / 7019 / 7020 / 7021.

Jurisdiction: US Department of Defense supply chain. Full name: Cybersecurity Maturity Model Certification 2.0.

CMMC 2.0 Checklist

The CMMC 2.0 compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

Download fillable PDFDownload DOCX

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. STEP 1

    Confirm the CMMC level required by your contract (Level 1, 2, or 3) and the relevant DFARS clause.

  2. STEP 2

    Define the CMMC assessment scope - the people, processes, and IT assets that touch FCI or CUI.

  3. STEP 3

    Inventory FCI and CUI flows, including third-party / cloud handling.

  4. STEP 4

    Author the System Security Plan (SSP) documenting how each control is implemented.

  5. STEP 5

    Self-assess against NIST SP 800-171 (Level 2) or NIST SP 800-172 (Level 3).

  6. STEP 6

    Track Plan-of-Action-and-Milestones (POA&M) items for any temporary gaps.

  7. STEP 7

    Submit your SPRS score in the DoD Supplier Performance Risk System.

  8. STEP 8

    For Level 2 / 3: select an accredited C3PAO and undergo the assessment.

  9. STEP 9

    Receive the Certificate of CMMC Status and maintain affirmation cadence.

  10. STEP 10

    Continuously monitor changes - controls drift, scope changes, supply-chain dependencies.

FILLABLE PDF PREVIEW

CMMC 2.0 compliance checklist

Cybersecurity Maturity Model Certification 2.0

Organisation

[Organisation name]

Owner

[Assigned to]

Target date

[Target completion date]

Reviewed by

[Reviewed by]

Confirm the CMMC level required by your contract (Level 1, 2, or 3) and the relevant DFARS clause.

Define the CMMC assessment scope - the people, processes, and IT assets that touch FCI or CUI.

Inventory FCI and CUI flows, including third-party / cloud handling.

Author the System Security Plan (SSP) documenting how each control is implemented.

Self-assess against NIST SP 800-171 (Level 2) or NIST SP 800-172 (Level 3).

+ 5 more checkboxes in the downloaded PDF
CMMC 2.0 Process Map

CMMC 2.0 as a process map

The end-to-end CMMC 2.0 certification flow, from scoping to ongoing affirmation. The remediation loop on self-assessment is the part most teams underestimate.

Open in editor

CMMC 2.0 compliance process

A CMMC 2.0 compliance process rendered as a BPMN 2.0 process map. The flow covers scoping and level selection, System Security Plan authoring, self-assessment, SPRS submission, C3PAO assessment for Level 2 / 3, and certification issuance.

  1. Determine the CMMC level (Level 1, 2, or 3) required by your DoD contract.
  2. Define the CMMC assessment scope - the people, processes, and assets that handle FCI / CUI.
  3. Author the System Security Plan (SSP) documenting how each NIST SP 800-171 control is implemented.
  4. Self-assess control implementation and remediate gaps.
  5. Submit the SPRS score for Level 1; for Level 2 or 3, engage a C3PAO for an assessment.
  6. Receive the Certificate of CMMC Status and maintain continuous compliance.
CMMC 2.0 FAQ

Frequently asked questions

What are the CMMC 2.0 levels?

CMMC 2.0 has three levels. Level 1 (Foundational) covers the 15 basic safeguarding requirements for FCI in FAR 52.204-21(b)(1) - earlier CMMC materials sometimes expressed these as 17 practices before the count was reconciled with the FAR in 32 CFR Part 170. Level 2 (Advanced) implements the 110 NIST SP 800-171 controls for CUI. Level 3 (Expert) adds a subset of NIST SP 800-172 controls for the most sensitive CUI. The required level is dictated by the contract.

Do I need a C3PAO assessment?

Level 1 is self-assessed and self-attested. Level 2 may be self-assessed for some contracts but requires a C3PAO third-party assessment for others. Level 3 always requires a government-led DIBCAC assessment. The contract clause determines which path applies.

When does CMMC 2.0 take effect?

DoD published the final CMMC Program rule (32 CFR Part 170) on 15 October 2024, effective 16 December 2024. The companion DFARS acquisition rule (48 CFR) was published on 10 September 2025 and took effect on 10 November 2025 - that's when contracting officers began including CMMC requirements in solicitations. Phase-in through 2027–2028. Contractors should plan for assessment readiness in line with their contract award dates and the DFARS clause 252.204-7021 phase-in schedule.

How long does CMMC certification last?

Three years, with annual affirmations required during that period to confirm continued compliance with the assessed CMMC level.

How does this checklist help if our scope is still unclear?

Most CMMC programmes fail at the scoping step - too broad and you over-engineer; too narrow and the assessor expands it. The process map on this page positions scoping as the explicit gate that everything else depends on, so you can show your assessment team the assumption you're working under before authoring the SSP.

More Compliance Checklists

Other compliance checklists

HIPAA compliance checklist

The annual HIPAA compliance cycle as a step-by-step checklist: risk analysis, policy updates, workforce training, safeguards, documentation, and re-attestation.

SOC 2 compliance checklist

A practical SOC 2 compliance checklist covering Trust Service Criteria selection, control mapping, evidence gathering, auditor engagement, and report issuance - for both Type I and Type II engagements.

PCI DSS 4.0.1 compliance checklist

A practical PCI DSS 4.

SOX compliance checklist

A practical Sarbanes-Oxley compliance checklist focused on Section 404: scoping significant accounts and ITGCs, documenting control design, testing operating effectiveness, evaluating deficiencies, and supporting management's assertion.

CCPA / CPRA compliance checklist

A practical CCPA / CPRA compliance checklist covering personal-information inventory, privacy notice, consumer rights request workflow, vendor agreements, and staff training - the operational backbone for California consumer privacy obligations.

NIST RMF compliance checklist

A practical NIST compliance checklist focused on the SP 800-37 Rev 2 Risk Management Framework: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.

All compliance checklists

The full compliance hub - every checklist (HIPAA, SOC 2, PCI DSS, CMMC, NIST, FedRAMP, ITAR, DORA, SOX, CCPA) plus the regulation deep-dives (CPS 230, OSFI E-21, EU AI Act Annex IV) in one place.

Cosmic background pattern
Decorative rectangle pattern

Turn the CMMC 2.0 checklist into a working process

Open the CMMC 2.0 process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.