
CMMC Level 2 Readiness Checklist [Free Download]

A practitioner-built CMMC Level 2 readiness checklist covering all 17 control families and 110 NIST 800-171 requirements. Use this before your C3PAO assessment to identify gaps and prioritize remediation.


How to Use This Checklist

This checklist is designed to be completed by your internal team before engaging a C3PAO assessor. Use it to:

  1. Identify gaps in your current implementation against each of the 110 NIST 800-171 requirements
  2. Prioritize remediation based on which controls are failing and their CMMC scoring weight
  3. Build your POA&M for gaps that can't be closed before assessment
  4. Prepare your SSP by documenting how each control is implemented

For each control, mark: Met, Partially Met, or Not Met. Add notes describing your implementation and any known gaps.

Important: A documentation review is not sufficient. Each item on this checklist should be verified against actual system configurations, not just policy documents.

Pre-Assessment Preparation

Before working through the control checklist, complete these foundational activities:

  • CUI inventory complete — You have identified all CUI in your environment and documented how it flows through your systems
  • System boundary defined — Your assessment boundary (all systems that process, store, or transmit CUI) is documented
  • External service providers identified — All cloud service providers, managed service providers, and SaaS tools in scope are documented
  • FedRAMP status verified — Any CSPs handling CUI are FedRAMP authorized at Moderate or above
  • SSP draft started — Your System Security Plan is in progress with boundary diagram and asset inventory

AC — Access Control (22 Requirements)

Foundational (Level 1)

  • AC.1.001 — Information system access is limited to authorized users, processes, and devices
  • AC.1.002 — Access is limited to the types of transactions authorized users are permitted to execute

Advanced (Level 2)

  • AC.2.005 — Privacy and security notices are provided consistent with CUI rules
  • AC.2.006 — Use of portable storage devices on external systems is limited
  • AC.2.007 — Principle of least privilege is employed — review: are IAM roles/policies scoped to minimum required permissions?
  • AC.2.008 — Privileged functions are performed only in privileged accounts
  • AC.2.009 — Limit unsuccessful logon attempts — verify lockout policies are configured
  • AC.2.010 — Provide privacy and security notices at system login
  • AC.2.011 — Authorize wireless access before connecting — verify Wi-Fi policy covers CUI systems
  • AC.2.012 — Control wireless access using authentication and encryption
  • AC.2.013 — Monitor and control remote access sessions
  • AC.2.015 — Route remote access via managed access control points
  • AC.2.016 — Control flow of CUI in accordance with approved authorizations
  • AC.3.017 — Separation of duties is enforced to reduce risk of malevolent activity
  • AC.3.018 — Non-privileged users cannot execute privileged functions — verify no sudo/admin for standard accounts
  • AC.3.019 — Terminate sessions after defined period of inactivity
  • AC.3.020 — Control connection of mobile devices
  • AC.3.021 — Authorize remote execution of privileged commands via remote access only for documented operational needs
  • AC.3.022 — Employ cryptographic mechanisms to protect confidentiality of remote access sessions

Cloud-specific verification:

  • MFA is enforced for all console access (SCP or Policy level, not just per-user)
  • No IAM users with console access and no MFA
  • Root account has hardware MFA
  • No active access keys for root account
  • IAM access keys rotated within 90 days
  • Unused IAM accounts disabled

AU — Audit and Accountability (9 Requirements)

  • AU.2.041 — Audit records establish accountability — records must include what, when, who, and from where
  • AU.2.042 — Logged events are reviewed and updated
  • AU.2.043 — Unauthorized access to audit logging is alerted
  • AU.3.045 — Audit records reviewed and analyzed for inappropriate activity
  • AU.3.046 — Correlate audit record review and analysis across agencies and organizations
  • AU.3.048 — Collect audit information into one or more central repositories
  • AU.3.049 — Protect audit information and audit tools from unauthorized access
  • AU.3.050 — Limit management of audit logging to a subset of privileged users
  • AU.3.052 — Provide audit record reduction and report generation to support analysis

Cloud-specific verification:

  • CloudTrail enabled in ALL regions (including regions you don't actively use)
  • CloudTrail management events: ALL (Read and Write)
  • CloudTrail data events configured for S3, Lambda, and other sensitive services
  • CloudTrail log file validation enabled
  • VPC flow logs enabled for all VPCs in CUI environment
  • S3 access logging enabled for all CUI buckets
  • Log retention configured for minimum 3 years
  • Logs stored in separate security account with restricted access
  • Log integrity monitoring alerts configured
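The CloudTrail items above can be checked mechanically from the trail's configuration rather than by reading a policy. The script below is an added example, not the checklist's own tooling: its input dicts mirror the shape of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors` output (`IsMultiRegionTrail`, `LogFileValidationEnabled`, `EventSelectors`, and so on), and the two trails it evaluates are constructed, not captured from a real account.

```python
"""Check CloudTrail trail settings against the AU cloud verification items.

Added example, not the page's tooling. Dict keys follow the describe-trails and
get-event-selectors API responses; the trails below are constructed sample data.
Trails that use AdvancedEventSelectors instead of EventSelectors need the
advanced selector fields parsed in place of the classic ones shown here.
"""

# Constructed: one trail configured per the checklist, one with common gaps.
SAMPLE_TRAILS = {
    "cui-org-trail": {
        "trail": {
            "Name": "cui-org-trail",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": True,
            "S3BucketName": "example-security-account-cloudtrail-logs",
        },
        "event_selectors": [
            {
                "ReadWriteType": "All",
                "IncludeManagementEvents": True,
                "DataResources": [
                    {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]},
                    {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
                ],
            }
        ],
    },
    "legacy-trail": {
        "trail": {
            "Name": "legacy-trail",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": False,
            "S3BucketName": "example-app-account-logs",
        },
        "event_selectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}
        ],
    },
}

# Checklist: data events for S3 and Lambda (extend for other sensitive services).
REQUIRED_DATA_EVENT_TYPES = ("AWS::S3::Object", "AWS::Lambda::Function")


def evaluate_trail(trail, event_selectors):
    """Return the names of the checklist items this trail fails (empty list = compliant)."""
    failed = []
    if not trail.get("IsMultiRegionTrail"):
        failed.append("multi_region")            # all regions, including unused ones
    if not trail.get("IncludeGlobalServiceEvents"):
        failed.append("global_service_events")   # IAM/STS events are recorded as global
    if not trail.get("LogFileValidationEnabled"):
        failed.append("log_file_validation")     # digest files for integrity checks

    # Management events must be logged for both Read and Write ("All").
    if not any(sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
               for sel in event_selectors):
        failed.append("management_events_all")

    # Data events for S3 objects and Lambda invocations must be selected.
    selected_types = {res["Type"] for sel in event_selectors
                      for res in sel.get("DataResources", [])}
    for rtype in REQUIRED_DATA_EVENT_TYPES:
        if rtype not in selected_types:
            failed.append(f"data_events:{rtype}")
    return failed


def evaluate_all(trails=SAMPLE_TRAILS):
    """Evaluate every trail and map trail name to its failed items."""
    return {name: evaluate_trail(t["trail"], t["event_selectors"])
            for name, t in trails.items()}


if __name__ == "__main__":
    for name, failed in evaluate_all().items():
        print(f"{name}: {'compliant' if not failed else ', '.join(failed)}")
```

Retention, cross-account log storage and integrity alerting are properties of the destination bucket and the monitoring stack rather than of the trail, so they need separate checks against the S3 lifecycle rules, bucket policy and alarm configuration.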

AT — Awareness and Training (3 Requirements)

  • AT.2.056 — Personnel informed of security risks associated with their activities
  • AT.2.057 — Personnel trained to perform assigned security responsibilities
  • AT.3.058 — Security awareness training includes recognizing and reporting threats

Evidence needed:

  • Training completion records for all personnel with CUI access
  • Training content covers threats relevant to defense contractor environment
  • Training frequency meets requirement (annual minimum)

CM — Configuration Management (9 Requirements)

  • CM.2.061 — Baseline configurations established and maintained for information systems
  • CM.2.062 — Security configuration settings established and implemented
  • CM.2.064 — Changes to organizational systems are authorized, documented, tested, and reviewed
  • CM.2.065 — Inventory of organizational information systems maintained
  • CM.3.068 — Nonessential programs, functions, ports, and services restricted or disabled
  • CM.3.069 — Control use of portable storage devices on system components
  • CM.3.072 — Define, document, approve, and enforce physical and logical access restrictions for configuration changes

Cloud-specific verification:

  • All CUI infrastructure defined as code (IaC)
  • No unmanaged resources in CUI accounts (detect with AWS Config, Azure Policy)
  • Approved AMI/container image list maintained
  • Security scanning in CI/CD pipeline blocks non-compliant deployments
  • Change management process documented and followed for cloud config changes
  • Unnecessary services disabled in CUI systems

IA — Identification and Authentication (11 Requirements)

  • IA.1.076 — System users, processes, and devices identified
  • IA.1.077 — Identities of users, processes, or devices verified before access
  • IA.2.078 — Minimum password complexity enforced
  • IA.2.079 — Passwords are not reused for specified generations
  • IA.2.080 — Temporary passwords changed at first use
  • IA.2.081 — No default passwords on systems
  • IA.3.083 — MFA used for local and network access to privileged accounts and CUI systems
  • IA.3.084 — Replay-resistant authentication mechanisms employed
  • IA.3.085 — Identifiers managed by disabling after inactivity, preventing reuse
  • IA.3.086 — Disable identifiers after inactivity period
  • IA.5.108 — Employ privileged account management

Cloud-specific verification:

  • Hardware MFA for all privileged cloud accounts
  • Service accounts use roles and temporary credentials, not long-lived keys
  • Access key rotation enforced (90-day maximum)
  • Unused service accounts and access keys identified and removed
  • Identity provider (SSO) integrated with MFA enforcement
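The IAM credential report answers most of the Access Control and Identification and Authentication cloud items above (console users without MFA, root access keys, key age, unused identities) in one pass. The script below is an added example and not the checklist's own tooling: the CSV layout (column names, the `<root_account>` row, `true`/`false` and `N/A` values) follows the report returned by `aws iam get-credential-report`, while the identities and timestamps are constructed. The 90-day inactivity threshold is an assumption; the page gives a rotation window but no inactivity window.

```python
"""Evaluate an IAM credential report against the AC/IA cloud verification items.

Added example, not the page's tooling. Column names match the real credential
report; the rows are constructed sample data. The report cannot distinguish a
hardware MFA device from a virtual one, so the "hardware MFA" items still need
`aws iam list-virtual-mfa-devices` (a root or admin with a virtual device listed
there is not using hardware MFA).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90   # checklist: access keys rotated within 90 days
INACTIVE_DAYS = 90      # assumed threshold for "unused" identities (not stated on the page)

# Constructed sample report (a subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2025-01-02T08:00:00+00:00,true,true,2023-06-01T00:00:00+00:00,2024-12-20T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2025-01-09T14:30:00+00:00,true,true,2024-11-15T00:00:00+00:00,2025-01-09T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2025-01-08T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2024-06-01T00:00:00+00:00,2025-01-09T00:00:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,true,2024-04-01T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""
SAMPLE_NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)  # fixed "now" so the sample is repeatable


def _parse_ts(value):
    """Report timestamps are ISO 8601; the N/A-style markers become None."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def evaluate_credential_report(report_csv, now):
    """Return (identity, finding) pairs for every failed checklist item."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        mfa = row["mfa_active"] == "true"

        # Root account: MFA required, access keys forbidden regardless of age.
        if is_root:
            if not mfa:
                findings.append((user, "root account has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"active access key {n} on root account"))
            continue

        # Console users must have MFA. This catches per-user gaps; the SCP or
        # policy-level enforcement item still needs a policy review.
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console access without MFA"))

        # Active keys must have been rotated within KEY_MAX_AGE_DAYS.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=KEY_MAX_AGE_DAYS):
                findings.append((user, f"access key {n} older than {KEY_MAX_AGE_DAYS} days"))

        # Identities with no sign-in or key use in INACTIVE_DAYS should be disabled.
        last_used = [t for t in (_parse_ts(row["password_last_used"]),
                                 _parse_ts(row["access_key_1_last_used_date"]),
                                 _parse_ts(row["access_key_2_last_used_date"])) if t]
        if last_used and now - max(last_used) > timedelta(days=INACTIVE_DAYS):
            findings.append((user, f"unused for more than {INACTIVE_DAYS} days"))
    return findings


def sample_findings():
    """Run the evaluation over the constructed report."""
    return evaluate_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for identity, finding in sample_findings():
        print(f"{identity}: {finding}")
```

Against a live account, replace `SAMPLE_REPORT` with the decoded `Content` field of `get-credential-report` and `SAMPLE_NOW` with the current UTC time; the `ci-deploy` row illustrates the service-account item, since a long-lived key on a CI user is exactly what the roles-and-temporary-credentials requirement is meant to eliminate.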

IR — Incident Response (3 Requirements)

  • IR.2.092 — Operational incident-handling capability established
  • IR.2.093 — Incidents tracked, documented, and reported
  • IR.3.098 — Incident response capability tested

DFARS-specific:

  • DIBNet registration complete for 72-hour incident reporting
  • Incident response contacts documented (CISO, legal, PR, executive)
  • Cloud forensics procedures documented (snapshot creation, evidence preservation)
  • US-CERT reporting procedures documented

MA — Maintenance (6 Requirements)

  • MA.2.111 — Maintenance performed on organizational systems
  • MA.2.112 — System tools/media with diagnostic programs controlled, monitored
  • MA.2.113 — MFA used for remote maintenance sessions
  • MA.2.114 — Remote diagnostic sessions terminated after use
  • MA.3.115 — Maintenance personnel without required clearance accompanied and supervised
  • MA.3.116 — Media sanitized before systems removed for maintenance

MP — Media Protection (9 Requirements)

  • MP.1.118 — System media containing CUI protected
  • MP.2.119 — Access to CUI on system media limited to authorized users
  • MP.2.120 — Disposition/use of portable storage controlled
  • MP.2.121 — External system media with CUI controlled during transport
  • MP.3.122 — CUI marked with necessary markings and distribution limitations
  • MP.3.123 — External media sanitized or destroyed before reuse
  • MP.3.124 — CUI system media containing CUI protected during transport
  • MP.3.125 — CUI media sanitized before disposal or reuse

Cloud-specific verification:

  • Encryption at rest enabled on all CUI storage resources (EBS, S3, RDS, etc.)
  • Customer-managed KMS keys used for CUI data
  • S3 public access blocked on all CUI buckets
  • No CUI stored in public S3 buckets
  • EBS snapshot encryption enforced

PE — Physical Protection (6 Requirements)

For cloud-hosted CUI, physical protection requirements are largely inherited from your FedRAMP-authorized cloud provider. Verify:

  • CSP FedRAMP authorization documentation covers physical protection controls
  • Physical access to any on-premises CUI systems documented and controlled
  • Visitor access to CUI facilities controlled

PS — Personnel Security (2 Requirements)

  • PS.2.127 — Personnel screened before authorizing access to CUI
  • PS.2.128 — CUI protected during/after personnel actions

Verification:

  • Background check process documented
  • Access revocation procedures documented and tested
  • Off-boarding checklist includes immediate account deprovisioning

RA — Risk Assessment (3 Requirements)

  • RA.2.141 — Risk to organizational operations periodically assessed
  • RA.2.142 — Vulnerabilities in systems and applications scanned
  • RA.3.144 — Risk assessments performed periodically

Evidence needed:

  • Documented risk assessment from past 12 months
  • Vulnerability scanning reports from past 30 days
  • Risk assessment process documentation

CA — Security Assessment (4 Requirements)

  • CA.2.157 — Security controls periodically assessed for effectiveness
  • CA.2.158 — Plans of action developed for corrective actions
  • CA.3.161 — Security controls monitored on ongoing basis
  • CA.3.162 — Cyber incident responses periodically tested

SC — System and Communications Protection (16 Requirements)

  • SC.1.175 — Organizational communications monitored, controlled, protected
  • SC.1.176 — Boundary protection implemented
  • SC.3.177 — FIPS-validated cryptography used to protect CUI confidentiality
  • SC.3.178 — Connections to external systems prohibited unless authorized
  • SC.3.179 — Publicly accessible systems do not contain CUI
  • SC.3.180 — Split tunneling for remote access prohibited unless secured
  • SC.3.181 — CUI transfer encrypted when transmitted outside controlled boundaries
  • SC.3.182 — Wireless access points identified and unauthorized wireless detected
  • SC.3.183 — Network communications to/from CUI systems monitored
  • SC.3.185 — Session authenticity implemented
  • SC.3.187 — Cryptographic keys managed
  • SC.3.188 — Control and monitor use of mobile code
  • SC.3.190 — Protect authenticity of communications sessions
  • SC.3.192 — Prohibit remote activation of collaborative computing devices

Cloud-specific verification:

  • TLS 1.2 minimum enforced on all endpoints
  • No weak cipher suites enabled
  • All inter-service communication encrypted in transit
  • Security groups restrict inbound traffic to necessary ports/protocols only
  • No 0.0.0.0/0 inbound on non-web ports
  • VPC network ACLs configured appropriately
  • WAF deployed on all externally accessible web applications
  • Private endpoints used for cloud service API access where available
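The two security-group items above (inbound restricted to necessary ports, no 0.0.0.0/0 on non-web ports) reduce to a rule-by-rule test. The script below is an added example, not the checklist's own tooling: its data structure mirrors `aws ec2 describe-security-groups` output (`IpPermissions`, `IpProtocol`, `FromPort`/`ToPort`, `IpRanges`/`Ipv6Ranges`), the three groups are constructed, and treating only TCP 80 and 443 as acceptable from anywhere is the assumption the checklist's wording implies.

```python
"""Find security group rules open to the internet on non-web ports (SC cloud items).

Added example, not the page's tooling. The dict layout follows the
describe-security-groups response; the groups below are constructed.
"""

WEB_PORTS = {80, 443}              # assumed: the only ports tolerated from anywhere
ANYWHERE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "any" sources

# Constructed sample: a web tier group, a bastion with SSH open to the world,
# and a legacy group allowing every protocol from anywhere.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-admin",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


def _open_to_anywhere(perm):
    """Return the source CIDRs of this rule that mean 'any address'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def find_open_non_web_rules(security_groups):
    """Return (group id, protocol, from port, to port, cidr) for each violating rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = _open_to_anywhere(perm)
            if not cidrs:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":                       # all protocols: no port range at all
                lo, hi = 0, 65535
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
            # A rule is acceptable only if it is TCP and every port it opens is a web port.
            if proto == "tcp" and all(p in WEB_PORTS for p in range(lo, hi + 1)):
                continue
            for cidr in cidrs:
                findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for group_id, proto, lo, hi, cidr in find_open_non_web_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {proto} {lo}-{hi} open from {cidr}")
```

A clean result here does not close the item on its own: the web-tier group is only acceptable when it is attached to an internet-facing load balancer fronted by the WAF the checklist also requires, and network ACLs and the "necessary ports only" review for internal sources still need their own evidence.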

SI — System and Information Integrity (7 Requirements)

  • SI.1.210 — Information and system flaws identified, reported, and corrected
  • SI.1.211 — Protection from malicious code at appropriate locations
  • SI.1.212 — Malicious code protection mechanisms updated
  • SI.2.214 — Periodic scans and real-time scans performed
  • SI.2.216 — Organizational systems monitored to detect attacks and attack indicators
  • SI.2.217 — Unauthorized use of organizational systems identified
  • SI.3.218 — Security alerts, advisories, and directives received and responded to

Cloud-specific verification:

  • Inspector/Defender for Cloud/Security Command Center enabled for vulnerability scanning
  • GuardDuty/Microsoft Defender/Security Command Center Threat Detection enabled
  • Patch management process meets required timelines (30 days for critical, 90 days for high)
  • Container image scanning in CI/CD pipeline
  • SIEM integration for centralized security event monitoring

Final Pre-Assessment Steps

  • SSP complete and accurate — All 110 controls documented with honest implementation descriptions
  • POA&M created for all "Partially Met" and "Not Met" items
  • Evidence package organized for all "Met" items
  • C3PAO selected and engaged with assessment timeline confirmed
  • Technical pre-assessment conducted to verify documented posture matches actual configurations
  • Staff prepared for assessor interviews — key personnel know their security responsibilities
  • Incident response procedures tested within past 12 months

Automate This Checklist

This manual checklist catches gaps but doesn't prevent them from re-emerging. PolicyCortex continuously evaluates your cloud environment against these same controls — detecting drift in real time and remediating automatically.

Assessment preparation with PolicyCortex: Generate the evidence report. The continuous audit trail is already assembled.
