
CMMC Level 2 Readiness Checklist [Free Download]

By PolicyCortex Team · Published Mar 17, 2026 · Tags: CMMC level 2 checklist, CMMC readiness, NIST 800-171 checklist, CMMC preparation

A practitioner-built CMMC Level 2 readiness checklist covering all 17 control families and 110 NIST 800-171 requirements. Use this before your C3PAO assessment to identify gaps and prioritize remediation.

How to Use This Checklist

This checklist is designed to be completed by your internal team before engaging a C3PAO assessor. Use it to:

  1. Identify gaps in your current implementation against each of the 110 NIST 800-171 requirements
  2. Prioritize remediation based on which controls are failing and their CMMC scoring weight
  3. Build your POA&M for gaps that can't be closed before assessment
  4. Prepare your SSP by documenting how each control is implemented

For each control, mark: Met, Partially Met, or Not Met. Add notes describing your implementation and any known gaps.

Important: A documentation review is not sufficient. Each item on this checklist should be verified against actual system configurations, not just policy documents.

Pre-Assessment Preparation

Before working through the control checklist, complete these foundational activities:

  • CUI inventory complete - You have identified all CUI in your environment and documented how it flows through your systems
  • System boundary defined - Your assessment boundary (all systems that process, store, or transmit CUI) is documented
  • External service providers identified - All cloud service providers, managed service providers, and SaaS tools in scope are documented
  • FedRAMP status verified - Any CSPs handling CUI are FedRAMP authorized at Moderate or above
  • SSP draft started - Your System Security Plan is in progress with boundary diagram and asset inventory

AC - Access Control (22 Requirements)

Foundational (Level 1)

  • AC.1.001 - Information system access is limited to authorized users, processes, and devices
  • AC.1.002 - Access is limited to the types of transactions authorized users are permitted to execute

Advanced (Level 2)

  • AC.2.005 - Privacy and security notices are provided consistent with CUI rules
  • AC.2.006 - Use of portable storage devices on external systems is limited
  • AC.2.007 - Principle of least privilege is employed - review: are IAM roles/policies scoped to minimum required permissions?
  • AC.2.008 - Privileged functions are performed only in privileged accounts
  • AC.2.009 - Limit unsuccessful logon attempts - verify lockout policies are configured
  • AC.2.010 - Provide privacy and security notices at system login
  • AC.2.011 - Authorize wireless access before connecting - verify Wi-Fi policy covers CUI systems
  • AC.2.012 - Control wireless access using authentication and encryption
  • AC.2.013 - Monitor and control remote access sessions
  • AC.2.015 - Route remote access via managed access control points
  • AC.2.016 - Control flow of CUI in accordance with approved authorizations
  • AC.3.017 - Separation of duties is enforced to reduce risk of malevolent activity
  • AC.3.018 - Non-privileged users cannot execute privileged functions - verify no sudo/admin for standard accounts
  • AC.3.019 - Terminate sessions after defined period of inactivity
  • AC.3.020 - Control connection of mobile devices
  • AC.3.021 - Authorize remote execution of privileged commands via remote access only for documented operational needs
  • AC.3.022 - Employ cryptographic mechanisms to protect confidentiality of remote access sessions

Cloud-specific verification:

  • MFA is enforced for all console access (SCP or Policy level, not just per-user)
  • No IAM users with console access and no MFA
  • Root account has hardware MFA
  • No active access keys for root account
  • IAM access keys rotated within 90 days
  • Unused IAM accounts disabled

AU - Audit and Accountability (9 Requirements)

  • AU.2.041 - Audit records establish accountability - records must include what, when, who, and from where
  • AU.2.042 - Logged events are reviewed and updated
  • AU.2.043 - Unauthorized access to audit logging is alerted
  • AU.3.045 - Audit records reviewed and analyzed for inappropriate activity
  • AU.3.046 - Correlate audit record review and analysis across agencies and organizations
  • AU.3.048 - Collect audit information into one or more central repositories
  • AU.3.049 - Protect audit information and audit tools from unauthorized access
  • AU.3.050 - Limit management of audit logging to a subset of privileged users
  • AU.3.052 - Provide audit record reduction and report generation to support analysis

Cloud-specific verification:

  • CloudTrail enabled in ALL regions (including regions you don't actively use)
  • CloudTrail management events: ALL (Read and Write)
  • CloudTrail data events configured for S3, Lambda, and other sensitive services
  • CloudTrail log file validation enabled
  • VPC flow logs enabled for all VPCs in CUI environment
  • S3 access logging enabled for all CUI buckets
  • Log retention configured for minimum 3 years
  • Logs stored in separate security account with restricted access
  • Log integrity monitoring alerts configured
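As an added example (not PolicyCortex's code or part of the original checklist), the CloudTrail items above can be checked programmatically. The trail dicts are constructed in the shape of the DescribeTrails, GetTrailStatus and GetEventSelectors responses, merged one dict per trail; REQUIRED_DATA_TYPES is an assumption covering only the S3 and Lambda services the list names.

```python
# Constructed trail descriptions in the shape of CloudTrail's DescribeTrails,
# GetTrailStatus and GetEventSelectors responses, merged into one dict per trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsLogging": True, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": [
                             {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]},
                             {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}]}]},
    {"Name": "legacy-trail", "IsLogging": True, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False,
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                         "DataResources": []}]},
]

# Data-event types the checklist names (S3 and Lambda); extend for other sensitive services.
REQUIRED_DATA_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function"}


def evaluate_trail(trail):
    """Return the AU cloud-checklist items this trail fails (empty list means it passes)."""
    gaps = []
    if not trail.get("IsLogging"):
        gaps.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("not multi-region: activity in unused regions is unrecorded")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation disabled: no digest files for integrity checks")
    # Trails configured with AdvancedEventSelectors need the same test on that structure.
    selectors = trail.get("EventSelectors", [])
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
        gaps.append("management events not ALL (Read and Write)")
    covered = {r["Type"] for s in selectors for r in s.get("DataResources", [])}
    for missing in sorted(REQUIRED_DATA_TYPES - covered):
        gaps.append(f"no data events for {missing}")
    return gaps


def account_has_compliant_trail(trails):
    """The account passes if at least one trail closes every gap."""
    return any(not evaluate_trail(t) for t in trails)


if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        print(t["Name"], evaluate_trail(t) or "compliant")
```

Retention, separate-account storage and integrity alerting are bucket and monitoring settings, not trail properties, so they need their own checks.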

AT - Awareness and Training (3 Requirements)

  • AT.2.056 - Personnel informed of security risks associated with their activities
  • AT.2.057 - Personnel trained to perform assigned security responsibilities
  • AT.3.058 - Security awareness training includes recognizing and reporting threats

Evidence needed:

  • Training completion records for all personnel with CUI access
  • Training content covers threats relevant to defense contractor environment
  • Training frequency meets requirement (annual minimum)

CM - Configuration Management (9 Requirements)

  • CM.2.061 - Baseline configurations established and maintained for information systems
  • CM.2.062 - Security configuration settings established and implemented
  • CM.2.064 - Changes to organizational systems are authorized, documented, tested, and reviewed
  • CM.2.065 - Inventory of organizational information systems maintained
  • CM.3.068 - Nonessential programs, functions, ports, and services restricted or disabled
  • CM.3.069 - Control use of portable storage devices on system components
  • CM.3.072 - Define, document, approve, and enforce physical and logical access restrictions for configuration changes

Cloud-specific verification:

  • All CUI infrastructure defined as code (IaC)
  • No unmanaged resources in CUI accounts (detect with AWS Config, Azure Policy)
  • Approved AMI/container image list maintained
  • Security scanning in CI/CD pipeline blocks non-compliant deployments
  • Change management process documented and followed for cloud config changes
  • Unnecessary services disabled in CUI systems

IA - Identification and Authentication (11 Requirements)

  • IA.1.076 - System users, processes, and devices identified
  • IA.1.077 - Identities of users, processes, or devices verified before access
  • IA.2.078 - Minimum password complexity enforced
  • IA.2.079 - Passwords are not reused for specified generations
  • IA.2.080 - Temporary passwords changed at first use
  • IA.2.081 - No default passwords on systems
  • IA.3.083 - MFA used for local and network access to privileged accounts and CUI systems
  • IA.3.084 - Replay-resistant authentication mechanisms employed
  • IA.3.085 - Identifiers managed by disabling after inactivity, preventing reuse
  • IA.3.086 - Disable identifiers after inactivity period
  • IA.5.108 - Employ privileged account management

Cloud-specific verification:

  • Hardware MFA for all privileged cloud accounts
  • Service accounts use roles and temporary credentials, not long-lived keys
  • Access key rotation enforced (90-day maximum)
  • Unused service accounts and access keys identified and removed
  • Identity provider (SSO) integrated with MFA enforcement
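The MFA, root-key and 90-day rotation items in the AC and IA cloud lists can all be read from one IAM credential report. This is an added example (not PolicyCortex's code or the page's own): the rows are constructed in the column layout of `aws iam get-credential-report`, and ASSESSMENT_DATE is an assumed evaluation date.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in the column layout of the IAM credential report CSV
# (aws iam get-credential-report); only the columns this check reads are realistic.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-12-01T09:00:00+00:00,not_supported,not_supported,true,true,2021-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T00:00:00+00:00,true,2026-03-01T08:00:00+00:00,2025-11-01T00:00:00+00:00,N/A,false,true,2026-01-20T00:00:00+00:00,2026-03-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-05-05T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-09-01T00:00:00+00:00,2025-09-02T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""

# Assumed assessment date used for key-age math.
ASSESSMENT_DATE = datetime(2026, 3, 17, tzinfo=timezone.utc)


def evaluate_credential_report(report_csv, now=ASSESSMENT_DATE, max_key_age_days=90):
    """Return (user, finding) pairs for the console-MFA, root-key and key-rotation items."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console users (and root, which always has a password) must have MFA.
        # The report says only whether MFA is active, not whether it is a hardware
        # token; the root hardware-MFA item needs a separate MFA device listing.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"active access key {n} on root account"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in evaluate_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```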

IR - Incident Response (3 Requirements)

  • IR.2.092 - Operational incident-handling capability established
  • IR.2.093 - Incidents tracked, documented, and reported
  • IR.3.098 - Incident response capability tested

DFARS-specific:

  • DIBNet registration complete for 72-hour incident reporting
  • Incident response contacts documented (CISO, legal, PR, executive)
  • Cloud forensics procedures documented (snapshot creation, evidence preservation)
  • US-CERT reporting procedures documented

MA - Maintenance (6 Requirements)

  • MA.2.111 - Maintenance performed on organizational systems
  • MA.2.112 - System tools/media with diagnostic programs controlled, monitored
  • MA.2.113 - MFA used for remote maintenance sessions
  • MA.2.114 - Remote diagnostic sessions terminated after use
  • MA.3.115 - Maintenance personnel without required clearance accompanied and supervised
  • MA.3.116 - Media sanitized before systems removed for maintenance

MP - Media Protection (9 Requirements)

  • MP.1.118 - System media containing CUI protected
  • MP.2.119 - Access to CUI on system media limited to authorized users
  • MP.2.120 - Disposition/use of portable storage controlled
  • MP.2.121 - External system media with CUI controlled during transport
  • MP.3.122 - CUI marked with necessary markings and distribution limitations
  • MP.3.123 - External media sanitized or destroyed before reuse
  • MP.3.124 - System media containing CUI protected during transport
  • MP.3.125 - CUI media sanitized before disposal or reuse

Cloud-specific verification:

  • Encryption at rest enabled on all CUI storage resources (EBS, S3, RDS, etc.)
  • Customer-managed KMS keys used for CUI data
  • S3 public access blocked on all CUI buckets
  • No CUI stored in public S3 buckets
  • EBS snapshot encryption enforced

PE - Physical Protection (6 Requirements)

For cloud-hosted CUI, physical protection requirements are largely inherited from your FedRAMP-authorized cloud provider. Verify:

  • CSP FedRAMP authorization documentation covers physical protection controls
  • Physical access to any on-premise CUI systems documented and controlled
  • Visitor access to CUI facilities controlled

PS - Personnel Security (2 Requirements)

  • PS.2.127 - Personnel screened before authorizing access to CUI
  • PS.2.128 - CUI protected during/after personnel actions

Verification:

  • Background check process documented
  • Access revocation procedures documented and tested
  • Off-boarding checklist includes immediate account deprovisioning

RA - Risk Assessment (3 Requirements)

  • RA.2.141 - Risk to organizational operations periodically assessed
  • RA.2.142 - Vulnerabilities in systems and applications scanned
  • RA.3.144 - Risk assessments performed periodically

Evidence needed:

  • Documented risk assessment from past 12 months
  • Vulnerability scanning reports from past 30 days
  • Risk assessment process documentation

CA - Security Assessment (4 Requirements)

  • CA.2.157 - Security controls periodically assessed for effectiveness
  • CA.2.158 - Plans of action developed for corrective actions
  • CA.3.161 - Security controls monitored on ongoing basis
  • CA.3.162 - Cyber incident responses periodically tested

SC - System and Communications Protection (16 Requirements)

  • SC.1.175 - Organizational communications monitored, controlled, protected
  • SC.1.176 - Boundary protection implemented
  • SC.3.177 - FIPS-validated cryptography used to protect CUI confidentiality
  • SC.3.178 - Connections to external systems prohibited unless authorized
  • SC.3.179 - Publicly accessible systems do not contain CUI
  • SC.3.180 - Split tunneling for remote access prohibited unless secured
  • SC.3.181 - CUI transfer encrypted when transmitted outside controlled boundaries
  • SC.3.182 - Wireless access points identified and unauthorized wireless detected
  • SC.3.183 - Network communications to/from CUI systems monitored
  • SC.3.185 - Session authenticity implemented
  • SC.3.187 - Cryptographic keys managed
  • SC.3.188 - Control and monitor use of mobile code
  • SC.3.190 - Protect authenticity of communications sessions
  • SC.3.192 - Prohibit remote activation of collaborative computing devices

Cloud-specific verification:

  • TLS 1.2 minimum enforced on all endpoints
  • No weak cipher suites enabled
  • All inter-service communication encrypted in transit
  • Security groups restrict inbound traffic to necessary ports/protocols only
  • No 0.0.0.0/0 inbound on non-web ports
  • VPC network ACLs configured appropriately
  • WAF deployed on all externally accessible web applications
  • Private endpoints used for cloud service API access where available
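The "no 0.0.0.0/0 inbound on non-web ports" item is easy to get wrong by hand because of IPv6 sources and all-protocol rules. As an added example (not PolicyCortex's code or part of the original checklist), the following evaluates inbound rules in the shape of EC2 DescribeSecurityGroups output; the groups are constructed, and WEB_PORTS is an assumption that only TCP/UDP 80 and 443 count as web ports.

```python
WEB_PORTS = {80, 443}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed groups in the shape of EC2 DescribeSecurityGroups output (inbound rules only).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "cui-web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-0b2", "GroupName": "cui-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "GroupName": "cui-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
]

def rule_is_world_open(perm):
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))

def non_web_exposure(perm):
    """Describe what the rule exposes beyond ports 80/443, or None if nothing."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                    # all protocols, every port
        return "all ports"
    if proto not in ("tcp", "udp"):      # ICMP and others are never web traffic
        return f"{proto} (non-web protocol)"
    lo, hi = perm["FromPort"], perm["ToPort"]
    if all(p in WEB_PORTS for p in range(lo, hi + 1)):
        return None
    return str(lo) if lo == hi else f"{lo}-{hi}"

def find_world_open_non_web(groups):
    """(GroupId, protocol, exposure) for each inbound rule open to the world on non-web ports."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if rule_is_world_open(perm):
                exposure = non_web_exposure(perm)
                if exposure:
                    findings.append((g["GroupId"], perm["IpProtocol"], exposure))
    return findings

if __name__ == "__main__":
    for finding in find_world_open_non_web(SAMPLE_GROUPS):
        print(*finding)
```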

SI - System and Information Integrity (7 Requirements)

  • SI.1.210 - Information and system flaws identified, reported, and corrected
  • SI.1.211 - Protection from malicious code at appropriate locations
  • SI.1.212 - Malicious code protection mechanisms updated
  • SI.2.214 - Periodic scans and real-time scans performed
  • SI.2.216 - Organizational systems monitored to detect attacks and attack indicators
  • SI.2.217 - Unauthorized use of organizational systems identified
  • SI.3.218 - Security alerts, advisories, and directives received and responded to

Cloud-specific verification:

  • Inspector/Defender for Cloud/Security Command Center enabled for vulnerability scanning
  • GuardDuty/Microsoft Defender/Security Command Center Threat Detection enabled
  • Patch management process meets required timelines (30 days for critical, 90 days for high)
  • Container image scanning in CI/CD pipeline
  • SIEM integration for centralized security event monitoring

Final Pre-Assessment Steps

  • SSP complete and accurate - All 110 controls documented with honest implementation descriptions
  • POA&M created for all "Partially Met" and "Not Met" items
  • Evidence package organized for all "Met" items
  • C3PAO selected and engaged with assessment timeline confirmed
  • Technical pre-assessment conducted to verify documented posture matches actual configurations
  • Staff prepared for assessor interviews - key personnel know their security responsibilities
  • Incident response procedures tested within past 12 months

Automate This Checklist

This manual checklist catches gaps but doesn't prevent them from re-emerging. PolicyCortex continuously evaluates your cloud environment against these same controls - detecting drift in real time and remediating automatically.

Assessment preparation with PolicyCortex: Generate the evidence report. The continuous audit trail is already assembled.

See how PolicyCortex handles your CMMC controls automatically →
