CMMC Level 2 Readiness Checklist

Self-assessment checklist covering all 14 NIST 800-171 control families. Use this to identify gaps before your formal assessment.

Use this checklist to evaluate your organization’s readiness against the 110 security requirements in NIST SP 800-171 Rev 2, organized by the 14 control families. For each area, answer the key questions honestly. Any “no” answer indicates a gap that must be addressed before your CMMC Level 2 assessment.

Access Control (AC)

  • Do you have documented access control policies that define who can access which systems and data?
  • Are user accounts provisioned on a least-privilege basis, with access rights reviewed at least annually?
  • Do you enforce session locks and automatic termination after a defined period of inactivity?

Awareness & Training (AT)

  • Do all personnel with system access complete security awareness training before gaining access and at least annually thereafter?
  • Are personnel with specialized security roles (administrators, incident responders) trained on their specific responsibilities?
  • Do you maintain training records that document completion dates, content covered, and personnel trained?

Audit & Accountability (AU)

  • Are audit logs enabled on all systems that process, store, or transmit CUI?
  • Do your audit records capture sufficient detail to establish what events occurred, when, where, and by whom?
  • Are audit logs protected from unauthorized modification, and do you have alerting for audit log failures?

Configuration Management (CM)

  • Do you maintain baseline configurations for all information systems in your CUI environment?
  • Is there a formal change control process that requires review and approval before configuration changes are deployed?
  • Are unnecessary functions, ports, protocols, and services disabled or removed from all systems?

Identification & Authentication (IA)

  • Are all users uniquely identified, with no shared or generic accounts used for CUI access?
  • Is multi-factor authentication enforced for all network access and for all privileged accounts?
  • Are passwords managed in accordance with NIST guidelines (minimum length, complexity, rotation where required)?

Incident Response (IR)

  • Do you have a documented incident response plan that covers detection, analysis, containment, eradication, and recovery?
  • Has your incident response team been trained, and have you conducted a tabletop exercise within the past 12 months?
  • Do you have a process for reporting security incidents to your Contracting Officer and, where applicable, to DC3?

Maintenance (MA)

  • Is all system maintenance — local and remote — logged and performed by authorized personnel only?
  • Are maintenance tools inspected and controlled, and are media containing diagnostic programs sanitized before reuse?
  • Is remote maintenance performed only through approved, encrypted channels with proper authentication?

Media Protection (MP)

  • Do you have policies governing the handling, transport, and storage of media containing CUI?
  • Is digital media containing CUI encrypted at rest using FIPS-validated cryptographic modules?
  • Are media sanitization procedures documented and followed before disposal, release, or reuse of any media?

Personnel Security (PS)

  • Are background investigations completed for all personnel with access to CUI before access is granted?
  • Is access to CUI promptly revoked when personnel are terminated, transferred, or no longer require access?
  • Do you have a process for retrieving all organizational assets (credentials, badges, equipment) upon separation?

Physical Protection (PE)

  • Are physical access controls in place for all facilities and areas where CUI is processed or stored?
  • Do you maintain visitor logs and escort procedures for individuals without authorized physical access?
  • Are physical access devices (keys, badges, combinations) managed and inventoried, including prompt revocation when compromised?

Risk Assessment (RA)

  • Do you conduct risk assessments at least annually and whenever significant changes occur in your environment?
  • Are vulnerability scans performed on all systems in your CUI boundary at a defined frequency (quarterly at minimum)?
  • Are identified vulnerabilities tracked and remediated according to a risk-based prioritization process?

Security Assessment (CA)

  • Do you have a System Security Plan (SSP) that accurately describes your system boundaries, environments, and control implementations?
  • Are Plans of Action and Milestones (POA&Ms) documented for all known gaps, with assigned owners and target dates?
  • Do you periodically assess your security controls to verify they are implemented correctly and operating as intended?

System & Communications Protection (SC)

  • Do you monitor and control communications at the boundary of your CUI environment (firewalls, proxies, DMZ)?
  • Is CUI encrypted in transit using FIPS-validated cryptographic mechanisms (TLS 1.2+ at minimum)?
  • Are collaborative computing devices (cameras, microphones) controlled, and are session-based protections in place?

System & Information Integrity (SI)

  • Do you identify, report, and correct information system flaws in a timely manner through a formal patch management process?
  • Is malicious code protection deployed and kept current at all system entry and exit points?
  • Do you monitor your information systems for unauthorized access, use, and anomalous activity with active alerting?

Next Steps

If you answered “no” to any of these questions, those areas represent gaps in your CMMC Level 2 readiness. Prioritize gaps by risk severity and begin remediation immediately.

For a comprehensive gap analysis and remediation roadmap tailored to your specific environment, book a CMMC readiness triage with our compliance team.