Preparing for a CMMC assessment without a checklist is how contractors end up scrambling the week before their C3PAO shows up. The requirements are specific, the evidence demands are granular, and the consequences of missing something are binary: you either have the certification or you don’t compete.
This checklist covers every phase of CMMC Level 2 preparation, from initial scoping through assessment day. Use it as your project tracker. Work through each section in order. Don’t skip ahead. The later sections depend on the earlier ones being complete.
Phase 1: Scoping and Boundary Definition
Get this wrong and everything built on top of it collapses. Scoping errors are the leading cause of assessment failures.
CUI Identification
- Reviewed all current DoD contracts for DFARS clauses referencing CUI
- Identified all CUI categories present in your environment using the CUI Registry
- Documented CUI marking and handling procedures
- Confirmed whether contracts require C3PAO certification or allow self-assessment
Data Flow Mapping
- Mapped how CUI enters your environment (email, file transfer, portal download, physical media)
- Mapped how CUI moves through internal systems (storage, processing, sharing, collaboration)
- Mapped how CUI exits your environment (delivery, transmission, disposal)
- Identified all systems and endpoints that touch CUI at any point in the flow, including applications that process or display it
Asset Inventory
- Cataloged all CUI Assets (systems that directly store, process, or transmit CUI)
- Cataloged all Security Protection Assets (firewalls, SIEM, endpoint protection, IAM tools)
- Cataloged all Contractor Risk Managed Assets (assets that are not intended to, but are capable of, processing, storing, or transmitting CUI because of the security policy, procedures, and practices in place)
- Identified Specialized Assets (IoT, OT, government-furnished equipment, test equipment)
- Identified Out-of-Scope Assets and documented the rationale for their exclusion from the assessment boundary
- Documented asset ownership and responsible parties for each
Scope Reduction
- Evaluated network segmentation opportunities to reduce the CUI boundary
- Identified systems that can be moved out of scope through architectural changes
- Documented the rationale for any systems excluded from the assessment boundary
External Service Providers
- Identified all MSPs, cloud providers, and ESPs that access or store CUI
- Confirmed FedRAMP Moderate (or equivalent) authorization for any Cloud Service Provider (CSP) storing, processing, or transmitting CUI, per DFARS 252.204-7012
- Developed or obtained a customer responsibility matrix (CRM) for each provider
- Verified that each provider’s environment supports the controls they’re responsible for
Phase 2: Gap Assessment
In gap assessments we’ve conducted across mid-tier defense contractors, roughly a third of controls are scored NOT MET at initial assessment — with the largest gaps concentrated in Audit and Accountability and Configuration Management. Honest self-evaluation against all 110 controls, working at the assessment-objective level rather than the control level, is what separates organizations that pass from those that don’t.
Assessment Execution
- Evaluated all 110 NIST 800-171 Rev 2 controls against the 320 assessment objectives in SP 800-171A
- Scored each control as MET, NOT MET, or NOT APPLICABLE (with documented justification for any N/A)
- Calculated current SPRS score using the DoD Assessment Methodology
- Identified all controls scored NOT MET
- Flagged which NOT MET controls are POA&M-eligible and which must be implemented before assessment
Gap Documentation
- Created a remediation register listing every NOT MET control with specific gap description
- Prioritized gaps: POA&M-ineligible controls first, then by implementation dependency
- Estimated effort and cost for each remediation item
- Identified controls requiring new tool procurement, configuration changes, policy development, or training
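The scoring and triage steps above (calculate the SPRS score, flag POA&M-eligible versus must-fix controls, prioritize ineligible ones first) follow a fixed arithmetic, so here it is as a small Python calculator. This is an added example, not an official DoD tool and not Deep Fathom's code. The 5/3/1 weights for the six requirements in it are constructed placeholders so it runs stand-alone; the real weights are in Annex A of the DoD Assessment Methodology. The partial-credit rule for 3.5.3 and 3.13.11 and the 88-point threshold are from the methodology and the CMMC rule; the set of one-point requirements barred from a POA&M is my reading of 32 CFR 170.21 and is labelled as an assumption in the code.

```python
"""Illustrative SPRS scoring and POA&M eligibility check (added example, not an official DoD tool)."""
from typing import Dict, List, Tuple

# Statuses from the checklist. PARTIAL exists only for 3.5.3 (MFA) and
# 3.13.11 (FIPS-validated encryption), the two requirements the methodology
# allows to be scored at a reduced deduction when partially implemented.
MET, NOT_MET, PARTIAL, NA = "MET", "NOT_MET", "PARTIAL", "NA"

TOTAL_REQUIREMENTS = 110   # a perfect score; the floor is -203 with everything NOT MET

# CONSTRUCTED 5/3/1 weights for a handful of requirements so the example runs
# stand-alone. In practice every requirement's weight comes from Annex A of the
# DoD Assessment Methodology; do not reuse these numbers.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.20": 1, "3.5.3": 5, "3.10.3": 1, "3.13.11": 5, "3.14.5": 3,
}

# Partial implementation deducts 3 points instead of the full 5 for these two.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# One-point requirements that, as I read 32 CFR 170.21, may still not sit on a
# Level 2 POA&M. Treat this set as an assumption and verify it against the rule.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

CONDITIONAL_MIN_SCORE = 88  # 80% of 110: the minimum for Conditional Level 2 status


def _req_key(req_id: str) -> Tuple[int, ...]:
    """Sort '3.14.5' after '3.5.3' numerically, not lexically."""
    return tuple(int(part) for part in req_id.split("."))


def deduction(req_id: str, status: str) -> int:
    """Points subtracted from 110 for one requirement at the given status."""
    if status in (MET, NA):  # N/A needs a documented justification but costs no points
        return 0
    if status == PARTIAL:
        if req_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req_id}: partial credit exists only for 3.5.3 and 3.13.11")
        return PARTIAL_DEDUCTION[req_id]
    if status == NOT_MET:
        return WEIGHTS[req_id]
    raise ValueError(f"{req_id}: unknown status {status!r}")


def sprs_score(findings: Dict[str, str]) -> int:
    """110 minus the weighted deductions across all scored requirements."""
    return TOTAL_REQUIREMENTS - sum(deduction(r, s) for r, s in findings.items())


def classify_open_items(findings: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split open requirements into POA&M-eligible and must-fix-before-assessment.

    Eligible: deducts 1 point and is not in NEVER_POAM, or is 3.13.11 scored at 3.
    Everything else that is open must be remediated before the C3PAO assessment.
    """
    eligible: List[str] = []
    must_fix: List[str] = []
    for req_id in sorted(findings, key=_req_key):
        points = deduction(req_id, findings[req_id])
        if points == 0:
            continue
        ok = (points == 1 and req_id not in NEVER_POAM) or (req_id == "3.13.11" and points == 3)
        (eligible if ok else must_fix).append(req_id)
    return eligible, must_fix


def conditional_status_possible(findings: Dict[str, str]) -> bool:
    """True when the score clears 88 and every open item is POA&M-eligible."""
    _, must_fix = classify_open_items(findings)
    return sprs_score(findings) >= CONDITIONAL_MIN_SCORE and not must_fix


# Constructed gap-assessment results for the six requirements above.
SAMPLE_FINDINGS: Dict[str, str] = {
    "3.1.1": NOT_MET, "3.1.20": NOT_MET, "3.5.3": PARTIAL,
    "3.10.3": NA, "3.13.11": PARTIAL, "3.14.5": NOT_MET,
}
# Same environment after closing everything except the encryption gap.
REMEDIATED_FINDINGS: Dict[str, str] = {
    **SAMPLE_FINDINGS, "3.1.1": MET, "3.1.20": MET, "3.5.3": MET, "3.14.5": MET,
}

if __name__ == "__main__":
    for label, f in (("initial", SAMPLE_FINDINGS), ("remediated", REMEDIATED_FINDINGS)):
        elig, fix = classify_open_items(f)
        print(f"{label}: score={sprs_score(f)} poam_ok={elig} must_fix={fix} "
              f"conditional_possible={conditional_status_possible(f)}")
```

Note what the initial sample shows: a score of 95 clears the 88-point bar, yet the organization still cannot receive Conditional status because a 5-point control, a 3-point control, partially implemented MFA and a barred 1-point control are all open. The score alone is not the gate; the must-fix list is, which is why the remediation register sorts POA&M-ineligible items first.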
Want to see where your gaps are before committing to a full remediation plan? Talk to our team to identify your highest-priority control gaps.
Phase 3: Remediation
Closing the gaps identified in Phase 2. Sequence matters. Dependencies matter. Ownership matters.
Technical Controls
- Multi-factor authentication (MFA) deployed for all CUI system access
- FIPS-validated encryption implemented for CUI at rest and in transit
- Audit logging enabled and configured per AU control family requirements (retention, review, alerting)
- Network segmentation implemented or verified to enforce CUI boundary
- Vulnerability scanning operational with defined scan frequency and remediation timelines
- Endpoint protection deployed across all in-scope devices
- Backup and recovery procedures implemented and tested for CUI systems
- Session controls configured (timeout, lock, concurrent session limits)
- Wireless access restrictions implemented for CUI environments
- Remote access controls configured with encryption and MFA
Administrative Controls
- Access control policy written and approved, specific to your environment
- Incident response plan developed, with defined roles, escalation procedures, and reporting timelines
- Configuration management policy established with baseline configurations documented
- Media protection procedures defined (marking, storage, transport, sanitization, disposal)
- Personnel security procedures in place (screening, termination procedures, access revocation)
- Risk assessment conducted and documented within the past 12 months
- Security assessment procedures defined for periodic self-evaluation
- Maintenance procedures documented for in-scope systems
Training and Awareness
- Security awareness training delivered to all personnel with system access
- Role-based training delivered to personnel with security responsibilities
- CUI handling training delivered to all personnel who access, process, or transmit CUI
- Training records documented with dates, attendees, and content covered
- Insider threat awareness included in training program
At this point, remediation is done — but the work of proving it hasn’t started. The shift from Phase 3 to Phase 4 is where many organizations stall, because building the thing and documenting the thing require different disciplines.
Phase 4: Documentation
The evidence packages we review most often fail on currency — artifacts that were accurate six months ago but don’t reflect today’s environment. Your C3PAO evaluates your evidence package, not your intentions, and continuous evidence capture eliminates this failure mode.
System Security Plan (SSP)
- SSP describes the complete CUI boundary and authorization perimeter
- Network architecture diagrams are current and accurately labeled
- CUI data flow diagrams included and consistent with actual data movement
- Each of the 110 controls documented with environment-specific implementation detail
- Roles and responsibilities defined for security management
- System interconnections and external provider relationships documented
- SSP reviewed and approved by authorized official
- SSP date and version current and recently refreshed prior to assessment
Plan of Action and Milestones (POA&M)
- All NOT MET controls documented with specific gap description
- Remediation actions defined for each item with named owners
- Target completion dates set within 180 days of the Conditional CMMC Status date
- Confirmed that no POA&M-ineligible controls remain open
- POA&M actively tracked and updated as remediation progresses
Policies and Procedures
- Policies exist for each of the 14 NIST 800-171 control families
- Each policy is specific to your organization, not a generic template
- Policies reflect actual current practices, not aspirational descriptions
- Policies are version-controlled with approval dates and responsible officials
- Procedures provide step-by-step operational guidance for control implementation
Evidence Artifacts
- Evidence collected for each of the 110 controls, mapped to assessment objectives
- All evidence is current (recently refreshed to reflect the actual state of the environment)
- Evidence is organized by control family with consistent naming conventions
- Configuration evidence matches the descriptions in your SSP
- Training records include dates, attendance, and content summaries
- Audit logs demonstrate operational logging and regular review with alerting configured
- Vulnerability scan reports show recent scan results and remediation actions
- Incident response test/exercise records documented
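Three of the evidence items above (mapped to assessment objectives, current, consistently named) can be checked mechanically against an evidence register before the C3PAO asks. The following Python script is an added example, not part of this page or of Deep Fathom's platform. It assumes a register with one row per artifact, an SP 800-171A objective ID of the form `3.3.1[b]`, and a constructed folder layout of `FAMILY/control/...`; the 90-day refresh window is the quarterly minimum from Phase 7, and the dates are made up.

```python
"""Evidence register checks: coverage, currency and naming (added example, not the page's tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List

# The 14 NIST SP 800-171 control families, keyed by requirement prefix.
FAMILY = {
    "3.1": "AC", "3.2": "AT", "3.3": "AU", "3.4": "CM", "3.5": "IA", "3.6": "IR", "3.7": "MA",
    "3.8": "MP", "3.9": "PS", "3.10": "PE", "3.11": "RA", "3.12": "CA", "3.13": "SC", "3.14": "SI",
}

REFRESH_WINDOW = timedelta(days=90)  # Phase 7: quarterly minimum for time-sensitive artifacts


@dataclass(frozen=True)
class Artifact:
    control: str          # NIST 800-171 requirement, e.g. "3.3.1"
    objective: str        # SP 800-171A assessment objective, e.g. "3.3.1[b]"
    path: str             # location in the evidence store (constructed layout: FAMILY/control/...)
    captured: date        # when the artifact was taken from the live environment
    time_sensitive: bool  # logs, scan reports, rosters: must be refreshed within the window


def family_of(control: str) -> str:
    """Map '3.11.2' to its family abbreviation 'RA'."""
    return FAMILY[".".join(control.split(".")[:2])]


def _objective_key(obj: str):
    """Sort objectives numerically by requirement, then by their letter."""
    req, _, letter = obj.partition("[")
    return tuple(int(p) for p in req.split(".")), letter


def check_register(artifacts: Iterable[Artifact], required_objectives: Iterable[str],
                   today: date) -> List[str]:
    """Return one finding per coverage gap, stale artifact, or naming-convention breach."""
    artifacts = list(artifacts)
    findings: List[str] = []

    # Coverage: every assessment objective the assessor will test needs at least one artifact.
    covered = {a.objective for a in artifacts}
    for obj in sorted(required_objectives, key=_objective_key):
        if obj not in covered:
            findings.append(f"{obj}: no evidence mapped to this assessment objective")

    # Currency and naming: time-sensitive artifacts age out; paths must follow the convention.
    for a in artifacts:
        age = today - a.captured
        if a.time_sensitive and age > REFRESH_WINDOW:
            findings.append(f"{a.objective}: stale ({age.days} days old, "
                            f"refresh window {REFRESH_WINDOW.days} days)")
        expected = f"{family_of(a.control)}/{a.control}/"
        if not a.path.startswith(expected):
            findings.append(f"{a.objective}: path {a.path!r} does not follow "
                            f"the {expected!r} naming convention")
    return findings


# Constructed register and objective list; dates and file names are made up for the example.
ASSESSMENT_DATE = date(2025, 6, 30)
REQUIRED = ["3.1.1[a]", "3.3.1[a]", "3.3.1[b]", "3.11.2[a]", "3.11.2[b]"]
REGISTER = [
    Artifact("3.3.1", "3.3.1[a]", "AU/3.3.1/a_audit-policy_2025-05-02.pdf", date(2025, 5, 2), False),
    Artifact("3.3.1", "3.3.1[b]", "AU/3.3.1/b_siem-review-log_2025-02-10.png", date(2025, 2, 10), True),
    Artifact("3.11.2", "3.11.2[a]", "RA/3.11.2/a_vuln-scan-report_2025-06-01.pdf", date(2025, 6, 1), True),
    Artifact("3.1.1", "3.1.1[a]", "misc/authorized-users.xlsx", date(2025, 6, 15), False),
]

if __name__ == "__main__":
    for line in check_register(REGISTER, REQUIRED, ASSESSMENT_DATE):
        print(line)
```

Run against the constructed register it reports exactly the three failure modes the checklist calls out: an objective with no evidence, a SIEM review screenshot that is 140 days old, and an artifact filed outside the family/control convention. Running it on a schedule is the cheapest form of the "continuous evidence capture" the Phase 4 introduction recommends.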
Phase 5: Pre-Assessment Readiness
Among contractors we’ve supported through readiness reviews, the most common surprise is personnel interviews — technical controls pass, but employees can’t articulate the CUI handling procedures described in the SSP. This phase is the rehearsal before the real thing, catching the gaps that documentation alone doesn’t reveal.
Internal Review
- Walked through all 110 controls from the assessor’s perspective
- Tested evidence retrieval: can you produce any artifact within 10 minutes of request?
- Verified SSP consistency with actual environment (network diagrams match, controls match implementation)
- Confirmed no contradictions between policies, SSP, and evidence artifacts
- Reviewed POA&M to confirm all items are on track for 180-day closure
Personnel Preparation
- Identified which personnel the assessor is likely to interview by role
- Briefed personnel on assessment process and interview expectations
- Tested personnel knowledge of CUI handling procedures
- Tested IT staff knowledge of security configurations, audit log management, and incident response
- Tested management knowledge of risk assessment results and security oversight responsibilities
- Conducted mock interviews with representative questions
Logistics
- Assessment date confirmed with C3PAO
- On-site workspace prepared for assessment team (if applicable)
- System access arranged for assessor evidence review
- Key personnel availability confirmed for interview scheduling during assessment week
- Point of contact designated for assessor communication and evidence requests
Phase 6: C3PAO Engagement
Selecting and working with your assessment organization.
Selection
- Verified the provider is listed as an Authorized C3PAO on The Cyber AB Marketplace
- Confirmed assessor team credentials (Certified CMMC Assessors)
- Reviewed C3PAO experience with organizations of similar size and complexity
- Obtained assessment cost estimate and confirmed scope-based pricing
- Scheduled assessment with adequate lead time (3-6 months recommended)
Pre-Assessment Coordination
- Completed scoping call with C3PAO (typically 30 days before assessment)
- Submitted required pre-assessment documentation per C3PAO requirements
- Confirmed assessment boundary and in-scope systems with assessor team
- Clarified evidence format and submission expectations
- Confirmed assessment schedule and team composition with the C3PAO
Assessment Week
- Opening meeting conducted with assessment team
- Key personnel available for interviews throughout the assessment period
- Evidence requests fulfilled promptly as they arise
- Daily check-ins maintained with assessment team to address questions
- Additional evidence provided for any controls where the team requests clarification
Post-Assessment
- Reviewed preliminary findings with assessment team
- Understood any NOT MET controls and required POA&M items
- Confirmed POA&M closure timeline (180 days from the Conditional CMMC Status date)
- Planned POA&M remediation and closeout assessment if applicable
- Documented lessons learned for continuous improvement
Phase 7: Continuous Compliance
Certification is not the finish line. It’s the starting point for maintaining compliance between assessments.
- Annual affirmation process established with designated senior official
- Evidence refresh schedule implemented (quarterly minimum for time-sensitive artifacts)
- Change management process includes compliance impact assessment for all system changes
- SSP update triggers defined for environmental changes (new systems, personnel, providers)
- Ongoing security awareness training scheduled and tracked
- Vulnerability scanning and remediation maintained on defined schedule
- Incident response plan tested at least annually
- Triennial reassessment timeline planned (schedule C3PAO 6 months before expiration)
Using This Checklist
This checklist is structured as a sequential project plan. Each phase builds on the previous one. Attempting Phase 4 (documentation) without completing Phase 1 (scoping) produces documentation that doesn’t match your actual boundary. Jumping to Phase 6 (C3PAO engagement) without completing Phase 5 (readiness review) risks paying for an assessment you’re not ready to pass.
For organizations starting from scratch: Work through every item in order. Expect the full process to take 9 to 18 months depending on your current security maturity and the size of your CUI environment.
For organizations with an existing NIST 800-171 program: Start at Phase 2 (gap assessment). Your existing SSP, policies, and evidence give you a head start. The gap assessment will tell you how much of that existing work actually holds up under CMMC assessment-objective-level scrutiny.
For organizations that failed a previous assessment: Focus on the specific findings. Use the checklist to verify that remediation addressed not just the cited controls but the underlying patterns. Scoping errors, stale documentation, and personnel gaps are systemic, meaning fixing one instance doesn’t fix the pattern.
The Difference Between a Checklist and a System
A checklist tells you what to do. A system does the work with you.
Deep Fathom turns this checklist into a guided, orchestrated workflow. Instead of manually tracking 110 controls across spreadsheets, our AI-native platform manages your gap assessment, sequences your remediation plan, captures evidence as work happens, keeps your SSP synchronized with your real environment, and runs pre-assessment readiness reviews so you find gaps before your C3PAO does.
If you’re working through this checklist and want a system that does the heavy lifting, check your readiness or talk to our team.
Related reading:
- How to Prepare for Your CMMC Assessment: A Step-by-Step Guide
- What Is CMMC 2.0? The Complete Guide for Defense Contractors
- How to Write a System Security Plan (SSP) for CMMC
- CMMC Self-Assessment vs C3PAO Certification: Which Do You Need?
- CMMC Compliance Costs: What to Budget for Level 2 Certification
- CMMC Compliance Software: How to Choose the Right Platform