CMMC Compliance Checklist: Step-by-Step Guide (2026)
You’ve been told your company needs CMMC. Maybe it showed up in a solicitation. Maybe a prime contractor sent you a letter. Either way, you’re staring down a list of cybersecurity requirements and trying to figure out where to start.
Most CMMC checklists floating around the internet are useless. They either restate the NIST language word for word — which reads like it was written by a committee of lawyers (because it was) — or they’re so vague they could apply to anything. “Implement access controls.” Great. What does that actually mean for a 40-person machine shop?
This checklist is different. We’ve organized it by what you actually need to do, in plain English, based on what we see assessors look for. Print it out, hand it to your IT person, and start checking boxes.
Before You Start: Which CMMC Level Do You Need?
Before you dive into the checklist, you need to know which level applies to you. Get this wrong and you’ll either over-invest or show up to an assessment unprepared.
You need Level 1 if:
- Your contracts involve Federal Contract Information (FCI) — things like delivery schedules, contract performance data, or basic program information
- Your contracts do not involve Controlled Unclassified Information (CUI)
- You don’t see DFARS 252.204-7012 in your contract clauses
You need Level 2 if:
- Your contracts involve CUI — technical drawings, specifications, test results, engineering data, or anything marked “CUI”
- Your contract includes DFARS 252.204-7012 (the “safeguarding covered defense information” clause)
- A prime contractor has told you that you handle CUI as part of their supply chain
Not sure? Look at your contract clauses. If you see DFARS 252.204-7012, you’re handling CUI and need Level 2. If you only see FAR 52.204-21, Level 1 covers you. If you’re still not sure, ask your contracting officer — it’s their job to tell you.
CMMC Level 1 Checklist (17 Practices)
Level 1 covers the basics. These are 17 practices that any business handling government data should already have in place. You self-assess annually — no outside auditor.
We’ve grouped them by category so you can work through them in order.
Access Control
- Only authorized users can access your systems. Every person who logs into a company computer, email, or file share has their own account. No shared logins. Former employees are removed immediately.
- Users can only access what they need. Not everyone has admin access. People can only reach the files and systems their job requires. The receptionist doesn’t have access to engineering drawings.
- External connections are controlled. You have a firewall between your network and the internet. You know what connections go in and out. Remote access requires a VPN or another secure method.
- Public-facing systems don’t expose FCI. Your website, public file shares, or any internet-facing system doesn’t accidentally contain government contract data.
Identification and Authentication
- You can identify every user on your systems. Each person has a unique account. You know who is logged in at any given time. No generic “admin” or “office” accounts being shared.
- Users prove who they are before getting access. At minimum, passwords. Ideally, multi-factor authentication (MFA) — that’s the code sent to your phone or an authenticator app on top of your password.
Media Protection
- You wipe or destroy storage before disposal. Hard drives, USB drives, old laptops — anything that stored government data gets wiped clean or physically destroyed before you recycle, donate, or throw it away.
Physical Protection
- Server rooms and IT equipment are locked down. Your servers, network equipment, and any systems that store government data are in a room that locks. Not everyone has a key.
- Visitors are escorted. People who don’t work for you don’t wander your facility unattended — especially near areas where government work happens.
- You keep visitor logs. You know who visited, when they arrived, and when they left.
- You control physical access devices. Keys, badges, access cards — you know who has them and you collect them when people leave.
System and Communications Protection
- You monitor network traffic at boundaries. Your firewall actively monitors what’s coming in and going out of your network. You’d notice if something unusual happened.
- Public-facing systems are separated. If you have a public website or customer portal, it’s on a separate network segment from your internal systems. An attacker compromising your website can’t hop straight to your file server.
System and Information Integrity
- You patch known vulnerabilities. When Microsoft, Adobe, or your software vendors release security updates, you install them in a timely manner. You don’t ignore those “update available” notifications for months.
- You run antivirus / anti-malware. Every endpoint — desktops, laptops, servers — has protection software installed and running.
- Antivirus signatures stay current. Your protection software updates its threat definitions automatically and regularly. An antivirus that hasn’t updated in six months isn’t protecting anything.
- You scan for malicious code at key points. Email attachments, file downloads, USB drives — your protection scans these when they enter your environment, not just on a weekly schedule.
That’s it for Level 1. If you checked every box above, you’re in good shape. Document your compliance, submit your score to SPRS, and file your annual affirmation.
If you have gaps, most of these are straightforward to fix. The total cost for Level 1 typically runs $3,000–$15,000 depending on your starting point.
CMMC Level 2 Checklist (110 Requirements by Domain)
Level 2 is a significant step up. It covers all 110 security requirements from NIST SP 800-171, organized into 14 domains. Everything in Level 1 still applies, plus a lot more.
We’re not going to list all 110 requirements individually — that would be a 30-page document that puts you to sleep. Instead, we’ve broken each domain into the key actions your company needs to take. If you can check these boxes, you’re covering the controls.
For each domain, we’ve noted the number of requirements so you know the weight of each area.
Access Control (22 requirements)
This is the largest domain and often the one with the most findings during assessments.
- Role-based access is enforced. Every user has a defined role, and system permissions match that role. Engineers access engineering files. Accounting accesses financial systems. Nobody has access to everything “just in case.”
- Least privilege is implemented. Users have the minimum access needed to do their jobs — no more. Admin accounts are separate from daily-use accounts. The person who reads email isn’t doing it from an admin account.
- Remote access is controlled and monitored. VPN with MFA for anyone working remotely. You can see who’s connected, from where, and what they’re accessing. Sessions time out after inactivity.
- Wireless access is secured and restricted. Your Wi-Fi uses WPA2/WPA3 enterprise authentication (not a shared password on a sticky note). Guest Wi-Fi is separated from your corporate network.
- Mobile devices are managed. If phones or tablets can access CUI (even through email), they’re either fully managed or protected with app-level policies that encrypt and isolate company data.
- CUI data flow is documented and controlled. You know exactly where CUI enters your environment, where it’s stored, where it’s processed, and where it leaves. This is documented in a data flow diagram.
- External systems are authorized before connecting. Contractor laptops, vendor systems, partner connections — nothing plugs into your network without approval and documentation.
Awareness and Training (3 requirements)
- All users complete security awareness training. Everyone with system access completes training at least annually. The training covers phishing, password hygiene, CUI handling, and your company’s security policies. It’s documented — who took it, when, and what it covered.
- IT staff receive role-specific training. Your system administrators and security personnel get additional training relevant to their responsibilities, beyond the general awareness training.
- Insider threat awareness is included. Training covers how to recognize and report potential insider threats — not just external hackers.
Audit and Accountability (9 requirements)
- System activity is logged. Logins, failed logins, file access, privilege changes, admin actions — all captured in audit logs. If something goes wrong, you can see what happened and who did it.
- Logs are protected from tampering. Audit logs are stored where regular users (and even admins) can’t modify or delete them. A compromised account shouldn’t be able to cover its tracks.
- Logs are reviewed regularly. Someone (or an automated tool) actually looks at the logs. Weekly at minimum. You’re looking for anomalies — failed login attempts, off-hours access, unusual data transfers.
- Log retention meets requirements. Audit logs are retained long enough to support incident investigation. Best practice is at least one year, with 90 days readily accessible.
- Timestamps are synchronized. All systems use the same time source (NTP) so your logs tell a coherent story when correlated.
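An automated first pass at the log review described above, as an added example that is not part of the original checklist: it reads a constructed, syslog-style authentication log (the line format, the 07:00 to 19:00 business hours and the five-failures-in-five-minutes threshold are all assumptions) and flags failed-login bursts, off-hours logins, and a success that follows a burst of failures.

```python
"""Automated review of authentication logs for the anomalies named in the
Audit and Accountability items. Added example, not from the original page;
the log format, business hours and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample lines in an assumed format:
# "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2026-01-12T09:02:11 LOGIN_OK user=alice src=10.0.1.20
2026-01-12T09:05:40 LOGIN_FAIL user=bob src=203.0.113.7
2026-01-12T09:05:52 LOGIN_FAIL user=bob src=203.0.113.7
2026-01-12T09:06:03 LOGIN_FAIL user=bob src=203.0.113.7
2026-01-12T09:06:15 LOGIN_FAIL user=bob src=203.0.113.7
2026-01-12T09:06:30 LOGIN_FAIL user=bob src=203.0.113.7
2026-01-12T09:07:00 LOGIN_OK user=bob src=203.0.113.7
2026-01-12T14:20:00 LOGIN_OK user=carol src=10.0.1.33
2026-01-13T02:41:09 LOGIN_OK user=alice src=198.51.100.4
2026-01-13T08:00:00 LOGIN_FAIL user=dave src=10.0.1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Turn raw lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside a sliding time window.
    Returns {user: failures_in_worst_window}."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "LOGIN_FAIL":
            fails[ev["user"]].append(ev["ts"])
    findings = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[user] = max(findings.get(user, 0), count)
    return findings

def off_hours_logins(events, start=time(7, 0), end=time(19, 0)):
    """Successful logins outside the assumed business hours."""
    return [ev for ev in events
            if ev["result"] == "LOGIN_OK" and not (start <= ev["ts"].time() < end)]

def success_after_burst(events, bursts):
    """A success for a user who also had a failure burst: worth a human look,
    since it may be a guessed password rather than a typo."""
    return sorted({ev["user"] for ev in events
                   if ev["result"] == "LOGIN_OK" and ev["user"] in bursts})

def review(text):
    """Run all three checks and return the findings as one dict."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "failed_login_bursts": bursts,
        "off_hours": [(ev["user"], ev["ts"].isoformat()) for ev in off_hours_logins(events)],
        "success_after_burst": success_after_burst(events, bursts),
    }

if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(name, finding)
```

Each finding is a starting point for the weekly review, not a verdict; the reviewer still decides whether an off-hours login was a traveling engineer or something else.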
Configuration Management (9 requirements)
- System baselines are documented. You have a documented standard configuration for each type of system — workstations, servers, network devices. You know what “normal” looks like so you can spot deviations.
- Changes go through a process. No one makes changes to production systems on the fly. There’s a change management process — who requested it, what’s changing, who approved it, and when it happened.
- Unnecessary services and software are removed. Systems run only what’s needed. No leftover demo software, no unused services listening on the network, no “we installed that for testing and forgot about it.”
- Security settings are configured and enforced. Group policies, security templates, or configuration management tools enforce your baseline settings. If someone changes a security setting, it gets flagged or reverted.
Identification and Authentication (11 requirements)
- Multi-factor authentication is enforced. MFA for all network access, remote access, and privileged accounts. A password alone isn’t enough. This is non-negotiable at Level 2.
- Passwords meet complexity standards. Minimum length (at least 12-15 characters recommended), complexity requirements, and no reuse of recent passwords. Better yet, use a password manager.
- Default passwords are changed. Every device, application, and service that came with a default password has been changed. Routers, switches, printers, software — all of them.
- Accounts lock after failed attempts. After a set number of bad password guesses (typically 3-5), the account locks temporarily. This stops brute force attacks.
- Identifiers are managed throughout their lifecycle. Accounts are created when people join, modified when roles change, and disabled the day they leave. Stale accounts from employees who left two years ago are a common assessment finding.
Incident Response (3 requirements)
- You have a documented incident response plan. Written down, not just in someone’s head. It covers what constitutes an incident, who to contact (including DoD reporting requirements), roles and responsibilities, and step-by-step response procedures.
- The plan is tested. You run through the plan at least annually — a tabletop exercise where you walk through a scenario and identify gaps. Did anyone know what to do? Could you actually reach the right people?
- Incidents are tracked and reported. When something happens, it’s documented: what occurred, when, how you responded, and what you learned. CUI-related incidents must be reported to DoD within 72 hours.
Maintenance (6 requirements)
- System maintenance is performed and documented. Patching, hardware maintenance, firmware updates — all on a schedule and all recorded. You can show an assessor when each system was last maintained.
- Remote maintenance is controlled. If a vendor remotely accesses your systems for support, the session is monitored, uses encrypted connections, and is terminated when complete. No standing remote access for vendors.
- Equipment leaving for maintenance is sanitized. If a laptop or server goes to a repair shop, CUI is removed first. If it can’t be removed, the maintenance is done on-site under supervision.
Media Protection (9 requirements)
- CUI on physical and digital media is protected. USB drives, external hard drives, printed documents, backup tapes — anything containing CUI is marked, tracked, stored securely, and encrypted (if digital).
- CUI distribution is controlled. You know who has copies of CUI, how it was transmitted, and where it went. CUI isn’t emailed to personal Gmail accounts or stored on unencrypted thumb drives.
- Media is sanitized before reuse or disposal. NIST-approved methods for wiping drives. For highly sensitive media, physical destruction. Documented, with records of what was destroyed and when.
- Media transport is protected. CUI on portable media (drives, laptops carried off-site) is encrypted and physically controlled. You don’t leave a laptop with CUI in an unlocked car.
Personnel Security (2 requirements)
- Personnel are screened before accessing CUI. Background checks or other screening appropriate for the sensitivity of the data, completed before granting access.
- CUI is protected when people leave. Access is revoked on the last day. Credentials are disabled. Company devices are returned. Keys and badges are collected. This happens the same day, not “whenever IT gets around to it.”
Physical Protection (6 requirements)
- Physical access to CUI systems is limited. Server rooms, wiring closets, and any area with systems that store or process CUI are locked and access-controlled. Not everyone in the company can walk in.
- Visitor access is managed. Visitors are authenticated (ID checked), escorted in sensitive areas, and logged. Visit records are maintained.
- Physical access logs are maintained. Electronic badge logs or sign-in sheets — you can show who accessed sensitive areas and when.
- Physical access devices are managed. Key inventory, badge access lists, and combinations are tracked. Lost badges are deactivated immediately.
Risk Assessment (3 requirements)
- You conduct regular risk assessments. At least annually, you formally evaluate risks to your CUI environment — what could go wrong, how likely it is, and how bad it would be. This isn’t a checkbox exercise; it should actually inform your security decisions.
- Vulnerabilities are scanned regularly. Automated vulnerability scanning of your systems at least monthly. Results are reviewed and critical vulnerabilities are remediated on a defined timeline.
- Vulnerabilities are remediated. Scanning is useless if you don’t fix what you find. You have a process for prioritizing and patching vulnerabilities based on severity.
Security Assessment (4 requirements)
- Your security controls are periodically assessed. At least annually, you review whether your security controls are actually working as intended — not just that they exist, but that they’re effective.
- You have a plan to fix deficiencies. When assessments find gaps, they go into a Plan of Action and Milestones (POA&M) with specific remediation steps, responsible parties, and deadlines.
- POA&Ms are tracked to closure. Open items don’t just sit on a list. Someone owns each one and is accountable for fixing it by the deadline.
- System security plans are maintained. Your SSP accurately describes your environment, your controls, and how they’re implemented. It’s updated when things change — not written once and forgotten.
System and Communications Protection (16 requirements)
The second-largest domain. This is where your network architecture and encryption practices get scrutinized.
- Communications at system boundaries are monitored and controlled. Firewalls at every network boundary, configured to deny by default and only allow approved traffic. Inbound and outbound.
- Your network is segmented. CUI systems are on a separate network segment from general office systems. If someone compromises a workstation in accounting, they can’t reach the engineering servers.
- CUI is encrypted in transit. Emails containing CUI are encrypted. File transfers use SFTP or HTTPS. VPN tunnels protect remote access. No CUI flowing over the network in plain text.
- CUI is encrypted at rest. Hard drives on laptops and workstations are encrypted (BitLocker on Windows, FileVault on Mac). Server storage containing CUI is encrypted. Mobile devices are encrypted.
- FIPS-validated cryptography is used. The encryption tools you use meet the federal standard (FIPS 140-2 or 140-3). Most Microsoft and major vendor products meet this — but verify. Some consumer-grade tools don’t.
- Collaborative devices are controlled. Conference room cameras, smart speakers, IoT devices in areas where CUI is discussed — they’re either managed or physically disconnected.
- VoIP and session connections are protected. If CUI is discussed over VoIP or video calls, those communications are encrypted and authenticated.
System and Information Integrity (7 requirements)
- System flaws are identified and fixed promptly. Vulnerability advisories are monitored. Patches are applied within defined timeframes — critical patches within 30 days, routine patches within 90 days.
- Malicious code protection is active everywhere. Endpoint protection on every system that touches CUI, with real-time scanning and automatic updates. Not just antivirus — modern endpoint detection and response (EDR) tools.
- Security alerts are monitored. Your security tools generate alerts. Someone — a person or a managed service — actually watches them and investigates anomalies. Alerts that nobody reads don’t protect you.
- System integrity is monitored. File integrity monitoring or similar tools detect unauthorized changes to critical system files. If someone modifies a system binary, you know about it.
- Inbound and outbound communications are monitored. Email filtering for inbound threats (phishing, malware). Outbound monitoring for data exfiltration. DNS filtering to block known-bad destinations.
Common Mistakes That Fail Assessments
We’ve sat through enough assessments to know the patterns. These are the mistakes we see over and over:
1. “We have a policy” but nobody follows it. Having a 30-page security policy document is worthless if your people don’t know it exists. Assessors will interview your staff. If the help desk person says “I don’t know what our password policy is,” that’s a finding.
2. Scope creep. Companies try to put their entire network in scope instead of segmenting CUI into a defined boundary. More scope = more controls to implement = more things that can fail. Scope your environment tightly before you start anything else.
3. Documentation doesn’t match reality. Your SSP says you use MFA everywhere. The assessor tests an account and gets in with just a password. That’s not just a finding — it’s a credibility problem that makes assessors look harder at everything else.
4. No evidence of recurring activities. You run vulnerability scans, but can you show the last 12 months of scan reports? You do security training, but where are the completion records? Assessors want proof that you’re actually doing these things consistently, not just once before the assessment.
5. Stale accounts everywhere. Former employees, old service accounts, test accounts from three years ago — still active in your directory. This is one of the easiest things to fix and one of the most common findings.
6. Skipping the gap assessment. Companies jump straight to buying tools and writing policies without understanding where they actually stand. They end up over-investing in areas where they were already fine and missing critical gaps. A proper gap assessment is step one, always.
Download the Complete CMMC Checklist
Want a printable version of this checklist that you can work through with your team? We offer a downloadable PDF with checkboxes for every Level 1 and Level 2 requirement, formatted for easy tracking.
Contact us to request the PDF checklist — we’ll send it over along with a brief guide on how to use it.
Frequently Asked Questions
What is a CMMC compliance checklist?
A CMMC compliance checklist maps out every security requirement your company needs to meet based on your CMMC level. For Level 1, that’s 17 basic practices. For Level 2, it’s 110 security requirements from NIST SP 800-171. A good checklist translates these requirements from government jargon into concrete actions your team can take.
How do I know if I need Level 1 or Level 2?
Check your contract clauses. If you see DFARS 252.204-7012, you handle CUI and need Level 2. If you only see FAR 52.204-21, Level 1 covers you. If your contract mentions “Controlled Unclassified Information” anywhere, assume Level 2. When in doubt, ask your contracting officer.
How long does it take to complete this checklist?
For Level 1, a company with decent IT practices can work through the checklist in 1–3 months. Level 2 is a bigger effort — most companies need 6–12 months to fully implement all 110 requirements, build the documentation, and prepare for assessment. The total cost varies significantly based on where you’re starting from.
Can I self-assess against this checklist?
For Level 1, self-assessment is the only option — there’s no third-party assessment. For Level 2, it depends on your contract. Some contracts allow self-assessment while others require a certified third-party assessor (C3PAO). Either way, this checklist helps you understand what you need to implement before any assessment.
What’s the most common reason companies fail CMMC assessments?
Documentation gaps. Companies implement the technical controls but can’t prove it. Missing policies, incomplete System Security Plans, no evidence of recurring activities like log reviews or vulnerability scans. The technology is usually less than half the battle — proving you’ve been doing it consistently is where most companies struggle.
Do I need to hire a consultant to complete this checklist?
Not necessarily. If you have someone on staff who understands cybersecurity and can dedicate time to this, you can work through Level 1 and even Level 2 on your own. But be honest about your capabilities. The DIY approach has a higher failure rate than working with an experienced CMMC consultant, especially for Level 2. At minimum, consider a professional gap assessment to validate your self-assessment.