DEFENSE CONTRACTOR COMPLIANCE

CMMC Compliance Checklist: Your Step-by-Step Path to Certification (2026)

A practical CMMC compliance checklist for 2026 — scope CUI, run a gap assessment, implement the 110 Level 2 controls, build your SSP and POA&M, and get assessment-ready.

⏱ 9 min read

Becoming certified can look like a mountain standing in front of you, but a concise CMMC compliance checklist turns that mountain into a sequence of steps you can actually complete. Whether you’re pursuing Level 1 or Level 2, the approach is the same: know your data, protect it, document it, and prove it. Here’s the roadmap for DoD contractors in 2026.

Before You Start: Know Your Level

Your required level is written into your contracts, so check there first. Level 1 protects Federal Contract Information and requires an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) and equates to the 110 controls in NIST SP 800-171 — most contractors working with CUI need Level 2. This checklist focuses on the Level 2 journey, since it is the most common and the most involved.

The 7-Step CMMC Compliance Checklist

Follow these seven steps in order. Each one builds on the last, and skipping ahead is the most common reason contractors fail their assessment.

1Scope your environment

Trace where CUI is created, stored, processed, and transmitted — then shrink that footprint. Fewer systems in scope means a smaller, cheaper assessment.

2Run a gap assessment

Compare your current state to all 110 Level 2 requirements. This produces your first SPRS score, the basis the DoD uses for supplier risk.

3Implement the 110 controls

Close the gaps: MFA, encryption, centralized logging, endpoint protection, and least-privilege access across the CUI boundary.

4Build your SSP

The System Security Plan is the living document explaining how you meet every requirement. A weak SSP is a top reason assessors fail contractors.

5Develop a POA&M

Capture any unmet requirements with owners and due dates. Some controls allow POA&M items, but they must close within 180 days.

6Train your people

Deliver and document security awareness training. Human error drives most breaches, and assessors expect an active training program.

7Readiness check & assessment

Run a mock assessment to surface weak spots, then schedule your C3PAO assessment (or self-assessment where allowed).

Certification lasts three years with annual affirmations. Treat the checklist as a standing operating standard, not a one-time project — ongoing monitoring, regular internal audits, and timely patching keep you assessment-ready year-round.

Step 3 in Depth: Operating the 110 Security Controls

Sealing the holes the gap assessment reveals is where most of the effort — and budget — goes. Common priorities include:

  • Multi-factor authentication on all access to CUI.
  • Encryption of data at rest and in transit (FIPS-validated where required).
  • Centralized logging and monitoring to detect and investigate incidents.
  • Endpoint protection and prompt patch management.
  • Least-privilege access control.

To store email and documents, many contractors migrate to a CUI-ready cloud such as a GCC High environment, which can satisfy several controls at once.

Scoping CUI systems on a network diagram for the CMMC compliance checklist

The numbers that shape every CMMC Level 2 readiness effort — keep them front of mind as you work the checklist.

110
Level 2 controls from NIST SP 800-171
180
Days to close POA&M items after assessment
3
Years of certification validity before reassessment

A weak System Security Plan is one of the most common reasons contractors fail their CMMC assessment.

Be specific and keep it current. Your SSP should describe exactly how each of the 110 requirements is met in your environment, with evidence assessors can verify. Vague or copy-pasted language is a red flag.

Implementing the 110 controls on the CMMC compliance checklist with MFA

Don’t Treat Certification as the Finish Line

Another common mistake is exhaling the moment the certificate arrives. CMMC certification runs on a three-year cycle, but your controls must operate continuously, and you’ll provide an annual affirmation that you remain compliant. Use this checklist as a standing operating standard rather than a one-time project. Ongoing monitoring, regular internal audits, and timely patching keep you assessment-ready year-round.

Make the Checklist Work for You

The contractors who certify are the ones who start early, scope narrowly, and document thoroughly. Rushing the process almost always costs more — either in tools you didn’t really need, or in a failed assessment you have to repeat.

If you don’t want to navigate the 110 controls alone, our CMMC consulting team walks DoD contractors in the DC, Maryland, and Northern Virginia area through every step of this checklist — from scoping all the way to passing the assessment.

Frequently Asked Questions

Level 2 requires implementing the 110 security controls of NIST SP 800-171, documenting them in a System Security Plan, and — for most contracts — a third-party C3PAO assessment every three years.

A contractor starting from a low baseline typically needs several months to a year to reach Level 2 readiness, depending on scope, the size of the gaps, and how quickly remediation is funded.

The SSP describes how you meet the requirements today. The POA&M lists the requirements you have not yet met, with owners and deadlines to close them.

Some controls allow POA&M items, but critical requirements must be met before assessment and POA&M entries generally must be closed within 180 days.

Ready to Work the Checklist with a Partner?

Solvere One guides defense contractors across Virginia, DC, and Maryland through every step of this CMMC compliance checklist — from scoping your CUI environment to passing your C3PAO assessment. Schedule your readiness conversation today.