CMMC Level 2 Checklist — What Defense Contractors Need to Know

If you’re a defense contractor working with Controlled Unclassified Information (CUI), you already know CMMC is coming for you. What many organizations underestimate is the scope of what’s actually required. This CMMC Level 2 checklist breaks down the 110 practices across 14 domains that assessors will evaluate — and what you need to have in place before you book a C3PAO.

Table of Contents

  1. What Is CMMC Level 2?
  2. CMMC Level 2 Checklist — The 14 Control Families
  3. What Assessors Will Look For
  4. POA&M: What to Do When You Have Gaps
  5. What This Means for Your Organization
  6. How Cover6 Solutions Can Help
  7. Frequently Asked Questions

What Is CMMC Level 2?

Cybersecurity Maturity Model Certification (CMMC) Level 2 applies to DoD contractors who handle CUI. It maps directly to the 110 security requirements in NIST SP 800-171 Rev 2 across 14 control families. Level 2 requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for most contracts, with self-assessment allowed only for a limited subset of programs.

The stakes are high: CMMC Level 2 certification will be required to bid on defense contracts involving CUI. Organizations that are not certified will be locked out of the supply chain.

CMMC Level 2 Checklist — The 14 Control Families

Each domain below represents a control family. The number after each domain name is the count of NIST 800-171 practices required in that family; the 14 counts sum to the 110 practices.

  1. Access Control (AC) — 22 practices. Limit system access to authorized users and processes. Enforce least privilege. Control remote access. Manage external connections and mobile devices.
  2. Awareness and Training (AT) — 3 practices. Ensure personnel understand security risks. Provide role-based training. Document training completion.
  3. Audit and Accountability (AU) — 9 practices. Create and retain audit logs. Review and analyze logs for anomalies. Protect audit data from unauthorized access or modification.
  4. Configuration Management (CM) — 9 practices. Establish baseline configurations. Control changes to systems. Restrict, disable, or prevent the use of nonessential programs and ports.
  5. Identification and Authentication (IA) — 11 practices. Uniquely identify all users and devices. Enforce multi-factor authentication for privileged access and remote connections. Manage authenticator strength and lifecycle.
  6. Incident Response (IR) — 3 practices. Establish an operational incident response capability. Track, document, and report incidents. Test the incident response plan.
  7. Maintenance (MA) — 6 practices. Perform maintenance on organizational systems. Control maintenance tools and remote maintenance sessions. Require MFA for remote maintenance.
  8. Media Protection (MP) — 9 practices. Protect system media containing CUI — both paper and digital. Control access, transport, and disposal of media. Sanitize or destroy media before disposal or reuse.
  9. Personnel Security (PS) — 2 practices. Screen individuals prior to authorizing access to CUI systems. Ensure CUI is protected during and after personnel actions such as terminations and transfers.
  10. Physical Protection (PE) — 6 practices. Limit physical access to CUI systems to authorized individuals. Protect and monitor physical facilities and support infrastructure.
  11. Risk Assessment (RA) — 3 practices. Conduct risk assessments. Scan for vulnerabilities periodically and when new vulnerabilities are identified. Remediate vulnerabilities in accordance with risk assessments.
  12. Security Assessment (CA) — 4 practices. Periodically assess the security controls in your systems. Develop and implement plans of action to correct deficiencies. Monitor security controls on an ongoing basis.
  13. System and Communications Protection (SC) — 16 practices. Monitor, control, and protect communications at external boundaries. Implement architectural designs and network segmentation. Employ encryption for CUI in transit and at rest.
  14. System and Information Integrity (SI) — 7 practices. Identify, report, and correct information and system flaws. Provide protection from malicious code. Monitor systems to detect attacks and indicators of compromise.

What Assessors Will Look For

A CMMC Level 2 assessment is not a documentation review. Assessors from a certified C3PAO will examine your System Security Plan (SSP), test technical controls, interview personnel, and look for evidence that your practices are implemented, documented, and operationally sustained — not just described in a policy document.

The three most common failure points in CMMC assessments are: incomplete or missing SSP documentation, MFA not implemented for privileged and remote access, and inadequate CUI boundary definition. If you don’t know what systems touch CUI and where CUI flows in your environment, you can’t assess or protect it effectively.

POA&M: What to Do When You Have Gaps

A Plan of Action and Milestones (POA&M) documents identified deficiencies, the resources required to close them, and the timeline for remediation. A POA&M is not a pass on compliance — it’s a commitment to a remediation timeline. Some contracts allow a limited POA&M at award; others require full compliance prior to award. Know your contract requirements before assuming a POA&M buys you time.

What This Means for Your Organization

CMMC Level 2 certification is not a one-time project. It requires an ongoing security program with continuous monitoring, annual self-assessments between C3PAO cycles, and a documented response capability. Organizations that treat CMMC as a checkbox exercise will fail the assessment or fail to maintain certification. Organizations that build a genuine security program will find that CMMC compliance is a by-product of good security hygiene.

Working with a virtual CISO experienced in CMMC significantly reduces the time and cost of getting assessment-ready. The alternative — attempting to self-navigate 110 practices across 14 domains without security program leadership — is where most organizations stall.

How Cover6 Solutions Can Help

Cover6 Solutions provides CMMC advisory and vCISO services for DoD contractors navigating Level 2 certification. We assess your current posture against all 110 practices, build your SSP and POA&M, and prepare your organization for a C3PAO assessment. SDVOSB-certified.


Frequently Asked Questions

Does CMMC Level 2 require a third-party assessment?

For most DoD contracts involving CUI, yes. CMMC Level 2 requires a triennial assessment by a certified C3PAO. A limited set of programs may allow annual self-assessments — check your specific contract language and the DoD CMMC program guidance at acq.osd.mil/cmmc.

How long does CMMC Level 2 certification take?

Organizations starting from zero should expect 9–18 months to achieve assessment readiness, depending on their current security posture. Organizations with an existing NIST 800-171 self-assessment and documented SSP may reach readiness in 3–6 months.

What happens if I fail a CMMC assessment?

A failed assessment results in no certification for that assessment period. You can remediate findings and request a reassessment, but this takes time and costs additional assessment fees. Prevention is substantially cheaper than remediation post-failure.
