CMMC 2.0 Compliance Checklist: Everything Your Organization Needs to Meet CMMC Requirements
We've put together this RPO-approved CMMC compliance checklist to give you everything you need to achieve compliance.

Has your team won a new Department of Defense (DoD) contract? Are you a defense contractor that wants to continue working for the DoD? Then you will need to meet Cybersecurity Maturity Model Certification (CMMC) requirements, which will begin to enter contracts in Q4 2025.
The CMMC certification process can be complex and difficult, especially if you haven’t navigated it before. Following a compliance checklist ensures you cover all the security requirements without feeling overwhelmed.
This checklist is designed to turn the CMMC certification process into a clear, actionable plan. We cover the compliance requirements for the CMMC 2.0 framework with practical insights to help you achieve CMMC compliance faster.
The goal is to make certification structured and manageable, to help you lower your costs and maintain your position in the Defense Industrial Base (DIB).
What Is CMMC Compliance?
CMMC is the DoD’s cybersecurity framework that ensures contractors in the DIB and DoD supply chain partners protect sensitive data.
All contractors and subcontractors working with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) must demonstrate CMMC compliance to better protect this data from breaches and cybersecurity attacks across the defense supply chain.
The CMMC framework aligns closely with the standards created and maintained by the National Institute of Standards and Technology (NIST), specifically NIST 800-171. CMMC will be used to verify implementation meets the cybersecurity standards needed to retain and bid for DoD contracts.
When Does CMMC Roll Out?
CMMC requirements will begin to appear in some DoD contracts in Q4 2025, and the full rollout will be complete by 2028.
If you handle sensitive federal information in the Defense Industrial Base, you need CMMC certification. Here's who that includes:
- Prime contractors: Companies that work directly with the DoD and must protect FCI and CUI. Prime contractors must ensure their own compliance as well as that of any subcontractors they work with.
- Subcontractors: Companies that work for prime contractors are bound by flow-down clauses in those contracts. The compliance level required depends on the data you handle.
- Service providers: Companies that supply commercial products or services. When those products or services involve CUI or FCI, the provider must comply.
What are the CMMC Levels?
CMMC 2.0 has three certification levels for defense contractors:
CMMC Level 1
CMMC Level 1 is for organizations handling only FCI, and requires implementing 17 cybersecurity practices from FAR 52.204-21. Level 1 does not require an assessment by a C3PAO, only an annual self-assessment.
Key controls include:
- Access control
- Identification and authentication
- Media protection
- System and communications protection
- System and information integrity
- Physical protection
CMMC Level 2
CMMC Level 2 is for organizations handling CUI and dealing with sensitive information, including Controlled Technical Information (CTI). It incorporates all 110 security controls outlined in NIST SP 800-171.
The 14 Security domains:
1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
CMMC Level 3
The highest level is CMMC Level 3. An organization only needs to achieve Level 3 if it handles the most sensitive CUI, where a compromise could impact national security. Level 3 addresses Advanced Persistent Threats (APTs) by adding requirements beyond Level 2, drawn from NIST SP 800-172.
Key requirements:
- Meet all NIST SP 800-171 security controls.
- Include additional security controls from NIST SP 800-172.
- Include a managed security plan to actively manage evolving cybersecurity requirements.
CMMC Controls List and Documentation
Following the CMMC controls list and preparing in-depth CMMC documentation reduces assessment risk and streamlines certification, at every level.
- System Security Plan (SSP): Demonstrates control implementation, defines the CMMC scope, and acts as a blueprint foundation for your cybersecurity posture.
- Plans of Action & Milestones (POA&M): Addresses gaps identified during assessments, outlines remediation steps, and details timelines.
- Evidence Collection: You should maintain records demonstrating control implementation for audits.
CMMC Compliance Checklist for 2025
Navigating CMMC requirements doesn’t have to feel overwhelming. The goal of this CMMC checklist is to provide a structured and step-by-step roadmap to help your organization achieve CMMC compliance in an efficient and cost-effective manner.
1. Determine Your CMMC Level and Data Scope
Understand what data you handle, whether it is FCI or CUI. Any organization that handles CUI will need to be at CMMC Level 2 or higher. Your defense contract will also specify which CMMC level your organization needs to achieve, either by stating it outright or through a DFARS 7012 clause.
If you are still unsure, contact your contracting officer or, if you are a subcontractor, the organization above you in the supply chain.
2. Perform a Self-Assessment
Compare your current controls and security practices against the requirements for your CMMC level to perform a gap analysis and identify current vulnerabilities.
- Use internal reviews or automated tools to review your organization’s current security posture.
- Prioritize gaps based on risk and contract requirements.
- Thoroughly review against NIST 800-171 security controls if you need to achieve level 2 certification or more.
- Document findings to inform your SSP and remediation plan.
3. Develop Your SSP and POA&M
Meeting all 110 security controls in NIST 800-171 on the first pass is uncommon. It is more likely that your organization has not yet met some controls, which is where developing an SSP and POA&M is required.
Create a POA&M that lists unimplemented or partially implemented controls, defines the remediation steps and timelines required, and assigns ownership for accountability so you can close these gaps as soon as possible.
After executing your POA&M, update your compliance documentation. That includes your POA&M, SSP, and any policies or procedures you changed to meet CMMC standards.
4. Implement Security Controls
Document everything clearly. Run steps 3 and 4 together as you strengthen your cybersecurity posture. Prioritize high-risk controls first and keep challenges like limited resources or complex networks in mind. Cover technical and operational safeguards like system monitoring and incident response.
5. Review and Internal CMMC Audit
After self-assessment, documentation, and implementation, you can step back for an overview. Is your CMMC compliance documentation thorough? Can you remediate the security deficiencies listed in your POA&M in a timely manner?
Before you undergo a formal assessment, run internal audits to validate controls and documentation, to avoid surprises down the line. Repeat steps 2-5 as often as you need, or until you feel comfortable to progress to the next steps.
6. Work With an RPO
While working with a CMMC Registered Provider Organization (RPO) is optional, it can save you a lot of time and money. RPOs must meet strict requirements set by the Cyber AB (the DoD's official accreditation body), and every RPO employs at least one active CMMC Registered Practitioner. When you work with an RPO, you can trust their ability to align your cybersecurity posture with CMMC requirements and help you prepare for your C3PAO assessment.
7. Schedule Your C3PAO Assessment
Schedule your C3PAO assessment by choosing from the list of accredited C3PAOs on the Cyber AB Marketplace. The CMMC third-party assessment organization will check your documentation, assess your compliance with NIST 800-171, and conduct employee interviews to verify your compliance. Once your CMMC assessment is complete, you will be certified at the level assessed.
How To Get CMMC Certification: Best Practices
Here are some best practices to help you get CMMC certification and pass the audit with confidence.
1. Select a C3PAO Quickly
Only C3PAOs can perform official audits, not your CMMC readiness consultant. During busy periods, it can take weeks or months to line up an assessor, so plan ahead. Verify that the assessor is listed by the CMMC Accreditation Body, and look for experience in your industry and familiarity with your CMMC level.
2. Prepare for the Audit
Preparation can take 2-4 weeks, but it ensures the assessment goes as efficiently as possible. Consider staff training so team members understand security processes well, avoid scrambling to produce documentation at the last minute, and conduct mock interviews to build confidence.
3. Manage Audit Outcomes and Ongoing Monitoring
Internal audit results may identify gaps or findings that require remediation. Make sure these are promptly resolved through your POA&M rather than carrying them into the official assessment. Maintain compliance over time through continuous monitoring and periodic internal reviews.
Moving Forward With Your CMMC Roadmap
Achieving CMMC compliance is a journey, not a one-time effort. Whether you’re aiming for certification for the first time or you want to optimize your organization’s cybersecurity posture to be well poised for future assessments, here are some next steps to consider:
- Continue to monitor and update controls and documentation, based on evolving threats.
- Assign a point of contact for compliance management, or use automation software to track changes.
- Engage compliance experts like RPOs when you need expert advice to streamline assessment preparation or ongoing compliance.
Workstreet is the only AI-powered RPO on the market that helps you get CMMC compliant. From automated POA&M management to continuous compliance monitoring, Workstreet can help you build comprehensive defense-grade security programs that meet and exceed CMMC Level 2 requirements.
Schedule a call with Workstreet today.
FAQs: CMMC Compliance Checklist
How can smaller businesses handle the cost of CMMC compliance?
Control costs by clearly defining the scope of compliance, leveraging existing internal security tools and processes, and considering managed security services like Workstreet that scale to fit size and budget.
Does partial NIST 800-171 compliance reduce CMMC requirements?
No, while existing NIST 800-171 implementations provide a strong foundation for CMMC certification, contractors must implement all controls required for their CMMC level, plus additional documentation. For more, check our guide to CMMC vs. NIST 800-171.
Does CMMC 2.0 replace DFARS 252.204-7012?
No, CMMC 2.0 does not replace DFARS 252.204-7012. While both apply to defense contractors handling CUI, CMMC provides verified certification while DFARS sets contractual requirements until the full program is implemented.