DEFENSE CONTRACTOR COMPLIANCE
CMMC Compliance Checklist: Your Step-by-Step Path to Certification (2026)
A practical CMMC compliance checklist for 2026 — scope CUI, run a gap assessment, implement the 110 Level 2 controls, build your SSP and POA&M, and get assessment-ready.
⏱ 9 min read
Before You Start: Know Your Level
Your required level is written into your contracts, so check there first. Level 1 protects Federal Contract Information and requires an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) and equates to the 110 controls in NIST SP 800-171 — most contractors working with CUI need Level 2. This checklist focuses on the Level 2 journey, since it is the most common and the most involved.
The 7-Step CMMC Compliance Checklist
Follow these seven steps in order. Each one builds on the last, and skipping ahead is the most common reason contractors fail their assessment.
Trace where CUI is created, stored, processed, and transmitted — then shrink that footprint. Fewer systems in scope means a smaller, cheaper assessment.
Compare your current state to all 110 Level 2 requirements. This produces your first SPRS score, the basis the DoD uses for supplier risk.
Close the gaps: MFA, encryption, centralized logging, endpoint protection, and least-privilege access across the CUI boundary.
The System Security Plan is the living document explaining how you meet every requirement. A weak SSP is a top reason assessors fail contractors.
Capture any unmet requirements with owners and due dates. Some controls allow POA&M items, but they must close within 180 days.
Deliver and document security awareness training. Human error drives most breaches, and assessors expect an active training program.
Run a mock assessment to surface weak spots, then schedule your C3PAO assessment (or self-assessment where allowed).
Certification lasts three years with annual affirmations. Treat the checklist as a standing operating standard, not a one-time project — ongoing monitoring, regular internal audits, and timely patching keep you assessment-ready year-round.
Step 3 in Depth: Operating the 110 Security Controls
Sealing the holes the gap assessment reveals is where most of the effort — and budget — goes. Common priorities include:
- Multi-factor authentication on all access to CUI.
- Encryption of data at rest and in transit (FIPS-validated where required).
- Centralized logging and monitoring to detect and investigate incidents.
- Endpoint protection and prompt patch management.
- Least-privilege access control.
To store email and documents, many contractors migrate to a CUI-ready cloud such as a GCC High environment, which can satisfy several controls at once.
The numbers that shape every CMMC Level 2 readiness effort — keep them front of mind as you work the checklist.
A weak System Security Plan is one of the most common reasons contractors fail their CMMC assessment.
Be specific and keep it current. Your SSP should describe exactly how each of the 110 requirements is met in your environment, with evidence assessors can verify. Vague or copy-pasted language is a red flag.
Don’t Treat Certification as the Finish Line
Another common mistake is exhaling the moment the certificate arrives. CMMC certification runs on a three-year cycle, but your controls must operate continuously, and you’ll provide an annual affirmation that you remain compliant. Use this checklist as a standing operating standard rather than a one-time project. Ongoing monitoring, regular internal audits, and timely patching keep you assessment-ready year-round.
Make the Checklist Work for You
The contractors who certify are the ones who start early, scope narrowly, and document thoroughly. Rushing the process almost always costs more — either in tools you didn’t really need, or in a failed assessment you have to repeat.
If you don’t want to navigate the 110 controls alone, our CMMC consulting team walks DoD contractors in the DC, Maryland, and Northern Virginia area through every step of this checklist — from scoping all the way to passing the assessment.
Frequently Asked Questions
Level 2 requires implementing the 110 security controls of NIST SP 800-171, documenting them in a System Security Plan, and — for most contracts — a third-party C3PAO assessment every three years.
A contractor starting from a low baseline typically needs several months to a year to reach Level 2 readiness, depending on scope, the size of the gaps, and how quickly remediation is funded.
The SSP describes how you meet the requirements today. The POA&M lists the requirements you have not yet met, with owners and deadlines to close them.
Some controls allow POA&M items, but critical requirements must be met before assessment and POA&M entries generally must be closed within 180 days.
Ready to Work the Checklist with a Partner?
Solvere One guides defense contractors across Virginia, DC, and Maryland through every step of this CMMC compliance checklist — from scoping your CUI environment to passing your C3PAO assessment. Schedule your readiness conversation today.