CMMC Level 2 Requirements Checklist for DoD Contractors

A Complete Readiness Guide

What Are the CMMC Level 2 Requirements?

The CMMC Level 2 requirements define the cybersecurity practices and processes that DoD contractors must implement to protect Controlled Unclassified Information (CUI) and demonstrate compliance with the security requirements outlined in NIST SP 800-171.

CMMC Level 2 applies to organizations that handle CUI as part of their contracts with the Department of Defense (DoD). Unlike basic cybersecurity frameworks, CMMC Level 2 requires contractors to not only implement security controls but also provide documented evidence that these practices are operating effectively.

A successful CMMC Level 2 assessment requires contractors to establish, maintain, and prove their cybersecurity capabilities across access control, risk management, incident response, system protection, and other critical security domains.

CMMC Level 2 Requirements Checklist

Before scheduling a CMMC assessment, DoD contractors should verify that they have implemented the following requirements:

Establish a CUI Protection Strategy

☐ Identify where CUI is created, stored, processed, and transmitted
☐ Define the systems, applications, and users that handle CUI
☐ Establish boundaries for the CUI environment
☐ Implement security measures to prevent unauthorized access
☐ Maintain a documented CUI data flow diagram

Protecting CUI begins with understanding where sensitive information exists across your environment. Without proper identification and scoping, organizations often struggle to demonstrate compliance during assessment.

Implement NIST SP 800-171 Security Controls

CMMC Level 2 requires implementation of 110 security practices from NIST SP 800-171 Rev. 2 across 14 control families. The major NIST 800-171 control areas include:

Access Control (AC)
☐ Limit system access to authorized users
☐ Enforce least privilege access
☐ Control remote access and external connections
☐ Restrict access to CUI based on business requirements

Awareness and Training (AT)
☐ Provide cybersecurity awareness training
☐ Train employees on protecting CUI
☐ Maintain training records and documentation

Audit and Accountability (AU)
☐ Generate and review system audit logs
☐ Monitor user activity involving sensitive systems
☐ Maintain audit records for required periods

Configuration Management (CM)
☐ Establish secure system configurations
☐ Manage system changes through documented processes
☐ Maintain hardware and software inventories

Identification and Authentication (IA)
☐ Implement multi-factor authentication (MFA)
☐ Manage user identities and credentials
☐ Protect authentication information

Incident Response (IR)
☐ Establish an incident response plan
☐ Define procedures for detecting and reporting incidents
☐ Conduct incident response exercises

Maintenance (MA)
☐ Control system maintenance activities
☐ Authorize and monitor maintenance personnel
☐ Protect systems during maintenance activities

Media Protection (MP)
☐ Control access to removable media
☐ Protect CUI stored on physical devices
☐ Secure media disposal processes

Personnel Security (PS)
☐ Screen individuals requiring CUI access
☐ Define personnel security responsibilities
☐ Manage access when employees leave the organization

Physical Protection (PE)
☐ Restrict physical access to systems containing CUI
☐ Monitor physical security controls
☐ Protect facilities and equipment

Risk Assessment (RA)
☐ Conduct cybersecurity risk assessments
☐ Identify vulnerabilities and threats
☐ Document risk mitigation activities

Security Assessment (CA)
☐ Evaluate security control effectiveness
☐ Maintain security assessment reports
☐ Track remediation activities

System and Communications Protection (SC)
☐ Protect data transmission
☐ Implement encryption where required
☐ Secure network communication channels

System and Information Integrity (SI)
☐ Deploy malware protection
☐ Monitor system vulnerabilities
☐ Apply security updates and patches

Maintain Required Documentation and Policies

A common challenge during CMMC assessments is not the absence of security practices, but the lack of documented evidence. Your CMMC Level 2 checklist should include:

☐ System Security Plan (SSP)
☐ Plan of Action and Milestones (POA&M), if applicable
☐ Policies and procedures for security practices
☐ Incident response plan
☐ Risk assessment documentation
☐ Asset inventory
☐ Network diagrams
☐ Access control policies
☐ Security awareness training records

Your documentation should clearly demonstrate how security practices are implemented, managed, and maintained.

Prepare Evidence for CMMC Assessment

What evidence is required for a CMMC Level 2 assessment?
Assessors will review documentation and technical evidence demonstrating that cybersecurity practices are operating effectively. Common evidence includes:

☐ System configurations
☐ Security tool reports
☐ Vulnerability scan results
☐ Access control records
☐ Authentication logs
☐ Training completion records
☐ Incident response documentation
☐ Policy acknowledgments
☐ Risk assessment reports

Evidence should be current, accurate, and directly mapped to applicable CMMC practices.

Conduct a CMMC Readiness Assessment

Before the official CMMC assessment, contractors should perform a readiness review to identify security gaps. A CMMC readiness assessment should include:

☐ Review current cybersecurity controls
☐ Map existing controls against NIST 800-171 requirements
☐ Identify missing practices and gaps
☐ Prioritize remediation activities
☐ Update documentation
☐ Validate technical implementations

A proactive readiness assessment helps organizations avoid surprises during the certification process.

What Are the Most Common CMMC Level 2 Compliance Challenges?

Many DoD contractors struggle with:

  • Defining the CUI Environment: Organizations often lack visibility into where CUI exists and which systems require protection.
  • Maintaining Accurate Documentation: Security practices may exist, but insufficient documentation can create assessment challenges.
  • Implementing Technical Controls: Requirements such as MFA, logging, encryption, vulnerability management, and access control require consistent execution.
  • Managing Third-Party Risks: Contractors must ensure vendors and subcontractors handling CUI follow appropriate security practices.
  • Maintaining Continuous Compliance: CMMC compliance is not a one-time activity.

Organizations must continuously monitor, maintain, and improve cybersecurity practices.

How Long Does CMMC Level 2 Readiness Take?

The timeline for CMMC Level 2 readiness depends on factors such as:

  • Current cybersecurity maturity
  • Size and complexity of the environment
  • Amount of CUI handled
  • Existing security controls
  • Documentation maturity
  • Required remediation efforts

Organizations with established security programs may achieve readiness faster, while those starting from limited cybersecurity maturity may require significant planning and remediation.

CMMC Level 2 Checklist: Final Readiness Review

Before your CMMC assessment, confirm:

  • CUI environment is identified and properly scoped
  • NIST SP 800-171 requirements are implemented
  • Security policies and procedures are documented
  • Required evidence is collected and organized
  • Technical controls are tested and validated
  • Employees understand CUI protection responsibilities
  • Remediation activities are tracked and completed
  • Organization is prepared for assessment interviews and reviews

How Accorian Helps DoD Contractors Prepare for CMMC Level 2

Preparing for CMMC Level 2 requires more than checking compliance boxes. Organizations need a clear understanding of their security gaps, technical requirements, documentation needs, and assessment expectations.

Accorian helps DoD contractors navigate CMMC readiness through:

  • CMMC gap assessments
  • NIST 800-171 control mapping
  • CUI environment analysis
  • System Security Plan (SSP) development
  • POA&M creation and remediation guidance
  • Security control implementation support
  • Assessment preparation

With deep cybersecurity and compliance expertise, Accorian helps defense contractors build stronger security programs and confidently prepare for CMMC Level 2 assessments.

Ready to evaluate your CMMC readiness?

Partner with Accorian to strengthen your cybersecurity posture and move closer to assessment success.