CMMC compliance checklist: 15 key steps

A practical guide for DoD contractors navigating CMMC 2.0 requirements – what to prepare, what to verify, and how to reduce risk before certification becomes mandatory.

Infor_3D Platform Image_Library_Dark_06.jpg

CMMC compliance checklist

Who needs CMMC 2.0 certification?
15-step CMMC compliance checklist
Applying the checklist at each level
Common CMMC 2.0 compliance issues
Maintaining CMMC 2.0 compliance
CMMC compliance FAQs

As of November 10th, 2025, the Department of Defense’s (DoD) final CMMC 2.0 rule takes effect, beginning a phased three-year rollout of contractual CMMC compliance requirements. If your organization wishes to compete for new DoD work – or maintain existing contracts – you’ll need to be actively preparing for this shift before it’s too late. This handy 15-step CMMC compliance checklist can help you understand what’s required, prepare effectively, and be sure you’re ready when the time comes.

Who needs CMMC 2.0 certification and what’s at stake?

No matter where you are on the Defense Industrial Base (DIB) – from manufacturing components, providing services, or supporting programs indirectly – CMMC 2.0 applies to you. Prime contractors, subcontractors, vendors, and service providers that handle DoD-related government information must meet these requirements to remain eligible for contracts.

CMMC 2.0 has been streamlined to three levels from the original five introduced in 2020. Here’s a top-level look at the requirements for each level:

Level 1 (Foundational): The Foundational level of CMMC applies to organizations that only handle FCI. While it requires an annual self-assessment, it’s still a formal compliance obligation.
Level 2 (Advanced): The Advanced level applies to most prime and subcontractors handling CUI. Organizations must implement all 110 security controls from NIST SP 800-171, and a Certified Third-Party Assessment Organization (C3PAO) is usually required.
Level 3 (Expert): The Expert level applies to top-tier contractors managing CUI for the DoD’s most sensitive mission-critical programs. It includes all the security controls from Level 2 as well as enhanced controls from NIST SP 800-172, and assessments are DoD-led.

While the model is structured, implementation is never exactly simple — especially for organizations balancing legacy environments, active contracts, and phased rollout timelines.

15-step CMMC compliance checklist: quick reference

This 15-step checklist is a quick reference for how most organizations approach this process as they start reviewing their CMMC compliance. Print it out or bookmark it to refer to as you go through the compliance process. You’ll also find a more in-depth explanation of each step below the checklist.

Understand the CMMC framework, structure, and required maturity levels
The first step is to start developing a foundational understanding of CMMC 2.0, its objectives, and how each maturity level aligns with DoD contract requirements.
Confirm whether your organization handles FCI, CUI, or both
Determine your compliance obligations by identifying the types of information you create, process, store, or transmit. Understand where FCI and CUI exist and how they move through your organization.
Determine which CMMC maturity level applies to your DoD contracts
Review contract clauses, data handling requirements, and solicitation language to confirm your required CMMC level. Your assigned level drives scope, timelines, cost, and assessment requirements.
Assign a dedicated compliance owner or cross-functional project team
At this stage, teams find it essential to designate clear ownership for planning, coordination, and progress tracking. Defined accountability helps prevent gaps, delays, and duplicated efforts.
Define your CMMC scope and build an inventory of in-scope assets
Document your CMMC boundary by mapping systems, users, devices, applications, data flows, and access points. A clear scope ensures you protect exactly what is required.
Assess gaps against required controls and document them in a POA&M
During this step, evaluate your current practices against applicable CMMC controls and record unmet requirements in a Plan of Action and Milestones (POA&M) to show that you are actively working towards compliance.
Develop or update your System Security Plan (SSP)
Document how each required control is implemented and maintained within your defined boundary. The SSP serves as a core reference for assessors and must remain accurate and up to date.
Implement required policies, procedures, and technical safeguards
At this stage of the process, address identified gaps by deploying or updating administrative, technical, and operational controls. This may involve policy development, configuration changes, or adopting new tools.
Train staff on handling FCI/CUI and reinforce security awareness
As you move through this phase, it’s important to ensure all personnel with access to in-scope systems receive appropriate cybersecurity and data-handling training. Maintain records and plan ongoing training to meet evolving compliance needs.
Establish continuous protection and incident response measures
Apply monitoring, patching, MFA, malware protection, and incident response practices across in-scope systems. These safeguards must operate continuously – not only in preparation for assessments.
Conduct internal audits or self-assessments to validate controls
An important next step is to begin to test control implementation, identify weaknesses, and confirm effectiveness. Regular self-assessments reduce risk and help ensure readiness for formal evaluations.
Collect and maintain documentation and evidence
Maintain logs, records, and supporting documentation that show how controls operate, how issues are tracked, and how security events are managed. Evidence should be current, organized, and reviewable.
Schedule and complete a formal assessment if required
For applicable contracts, you may wish to engage a CMMC Third-Party Assessment Organization (C3PAO) to conduct a Level 2 assessment or prepare for a government-led review where required.
Submit required results and affirmations through SPRS
Enter self-assessment results, required affirmations, and certification status in the Supplier Performance Risk System (SPRS) as required for contract eligibility.
Maintain ongoing compliance through continuous review
Finally, regularly update your SSP, retest controls, retrain staff, and refresh documentation. CMMC 2.0 compliance is an ongoing operational responsibility, not a one-time milestone.

How this CMMC compliance checklist applies at each level

The 15-step CMMC 2.0 compliance checklist above provides an overview of the process for achieving DoD certification. While the specific requirements vary by level, the core actions remain largely the same: define scope, assess gaps, remediate controls, document implementation, and maintain compliance over time. Here is how to apply the checklist for each CMMC 2.0 level.

Loading component...

LEVEL 1

CMMC 2.0 Level 1 (FCI only)

CMMC 2.0 Level 1 requirements focus on safeguarding FCI and require compliance with FAR 52.204-21. At Level 1, you need to do an annual self-assessment. To meet Level 1 requirements, prioritize these elements of the checklist:

Clarify scope and eligibility

Use Steps 2–5 to confirm that you handle only FCI, define your in-scope systems, and map where that FCI is stored, processed, and transmitted.

Run a focused gap analysis and POA&Ms

Apply Steps 6 and 7 to compare your current practices to the 15 FAR 52.204-21 controls, documenting shortfalls and remediation tasks in POA&Ms.

Implement essential controls and awareness

In Steps 8–10, implement missing policies and basic technical safeguards, and make sure all staff understand their responsibilities for handling FCI.

Self-assess, document, and submit to SPRS

Use Steps 11–14 to complete your annual self-assessment, assemble supporting evidence, and submit results to the DoD Supplier Performance Risk System (SPRS).

Maintain basic ongoing hygiene

For Step 15, keep patching, monitoring, and training on a regular cadence so your organization is ready for each yearly reaffirmation.

Loading component...

Level 2

CMMC 2.0 Level 2 (CUI)

CMMC 2.0 Level 2 requirements focus on protecting CUI and align with the 110 practices in NIST SP 800-171. The same 15 steps still apply, but each one becomes more detailed and cross-functional than for Level 1. Here’s how the 15 steps expand for Level 2 organizations:

Confirm that Level 2 really applies to you

Use Steps 1–3 to understand the CMMC framework, confirm that you handle CUI as well as FCI, and determine that your contracts call for Level 2.

Define a precise CUI scope and boundary

In Steps 4–5, assign a compliance owner or team and map your CUI data flows, systems, users, and locations – often including a defined CUI enclave.

Perform a NIST 800-171 gap analysis and create POA&Ms

Apply Steps 6 and 7 to assess your posture against all 110 controls, documenting each unmet requirement in POA&Ms and updating your System Security Plan (SSP).

Remediate with policies, tools, and platform choices

With Steps 8–10, implement missing controls, update policies and procedures, and determine whether your existing systems suffice or new platforms are needed to support CMMC 2.0 compliance at scale.

Rehearse assessment and prepare supporting evidence

Use Steps 11–13 to conduct internal self-assessments, address outstanding POA&M items, and prepare the documentation and evidence required by C3PAOs or government assessors.

Submit SPRS score and maintain continuous compliance

Finally, in Steps 14–15, submit your NIST 800-171 score to SPRS with the appropriate attestation, then keep your SSP, controls, and evidence up to date between assessments.

Loading component...

Level 3

CMMC 2.0 Level 3 requirements (high-value CUI)

CMMC 2.0 Level 3 requirements apply to organizations supporting the DoD’s most sensitive, mission-critical programs and handling high-value CUI. This level builds on Level 2 by introducing enhanced practices aligned with NIST SP 800-172 and requires government-led assessments. At Level 3, CMMC becomes a formal security program with executive oversight, not an extension of checklist-based compliance. Applying the checklist to Level 3 shifts the focus toward governance, resilience, and sustained operational readiness:

Establish governance and define the Level 3 scope

Use Steps 1–5 to confirm you support high-value CUI, identify in-scope systems and data, and establish a governed boundary. This typically includes defined ownership, executive accountability, and alignment with enterprise risk management.

Extend gap analysis to enhanced NIST SP 800-172 controls

In Steps 6–8, expand your assessment beyond NIST SP 800-171 to include the additional Level 3 practices. Update POA&Ms and SSPs to reflect enhanced security objectives, control maturity, and remediation planning.

Strengthen resilience, detection, and response capabilities

Apply Steps 9–10 with emphasis on advanced monitoring, threat detection, incident response, and recovery. Controls at this level are designed to withstand advanced persistent threats and maintain continuity for mission-critical operations.

Prepare for government-led assessment and sustained scrutiny

Use Steps 11–13 to rehearse for DIBCAC or other government-led assessments. Ensure documentation, evidence, and operational practices are consistently review-ready and supported by trained, cross-functional teams.

Operate Level 3 as an ongoing security program

With Steps 14–15, integrate Level 3 into your broader security and governance framework. Maintain SPRS records, keep documentation and evidence current, and treat reassessments as continuous risk management—not a one-time event.

Loading component...

Common CMMC certification issues and how to avoid them

Any time you’re dealing with multiple stakeholders, conflicting interpretations, legacy systems, and a multi-year rollout of compliance guidelines, there are bound to be issues that can affect contract eligibility, increase costs, and delay certification. One of the most common issues is assuming that CMMC Level 1 requirements can be addressed informally, when they actually require a defined scope, documented controls, and an annual self-assessment submitted to SPRS. Another common issue is assuming that CMMC applies only when organizations permanently store CUI. In practice, receiving, viewing, transmitting, or processing CUI during contract performance – along with handling certain types of FCI – triggers specific CMMC 2.0 requirements and determines whether Level 1 or Level 2 applies.

Organizations can sometimes view CMMC as a one-time certification milestone rather than an ongoing program that requires continuous evidence, up-to-date documentation, active POA&Ms, and ongoing alignment with NIST SP 800-171. As a result, remediation is rushed, evidence is incomplete, and certification timelines are delayed. Many teams also expect assessors to provide guidance during the audit. They don’t. They also underestimate the effort required to map CUI boundaries correctly or assume that purchasing new security tools alone is sufficient for CMMC compliance. These gaps can result in expanded scope, higher costs, or rework late in the process. Finally, some organizations overlook how cross-functional CMMC really is. Compliance requires coordinated effort across IT, operations, HR, engineering, and leadership – not just cybersecurity teams. Being aware of these issues and addressing them early helps build a smoother, more predictable path to CMMC readiness.

Loading component...

How to maintain CMMC compliance requirements and stay audit-ready

As you’ve probably gathered, achieving CMMC 2.0 compliance is only the starting point. To remain eligible for DoD contracts, organizations must show continuous alignment with their certification level, keep documentation current, and maintain the security controls defined in NIST SP 800-171. This includes regularly updating the SSP, maintaining accurate POA&Ms, and keeping evidence such as logs, access reviews, training records, and asset inventories ready for audit. Ongoing monitoring – patching, threat detection, vulnerability scanning, and incident response – is essential to demonstrate that controls remain effective over time.

Assessment obligations also continue after certification. Level 1 requires an annual self-assessment and SPRS submission. Level 2 organizations must submit yearly affirmations and undergo a C3PAO assessment every three years. Level 3 requires government-led reassessments on the same cycle. Treating CMMC as an ongoing program – not a one-time project – helps organizations stay prepared and compliant throughout the contract lifecycle.

Loading component...

Conclusion

CMMC 2.0 introduces a higher, more consistent standard for protecting FCI and CUI across the defense supply chain, and preparing for it requires thoughtful planning, cross-functional coordination, and ongoing attention. By using this CMMC compliance checklist as a guide – defining your scope, assessing gaps, implementing controls, documenting evidence, and maintaining continuous readiness – your organization can move through the process with greater clarity and confidence.

Loading component...

Discover how Infor’s GovCloud solutions support CMMC 2.0 compliance requirements out of the box.

Read the executive brief

Loading component...

CMMC compliance checklist: 15 key steps