CMMC Self-Assessment Checklist

FREE LEAD MAGNET // DIB READINESS TOOL

CMMC Level 2 Self-Assessment Checklist

A 14-domain rapid-readiness checklist for Defense Industrial Base contractors preparing for CMMC 2.0 Level 2 assessment under NIST SP 800-171. Built by an operator who has actually enforced these controls.

// HOW TO USE
Score each control honestly as MET, PARTIAL, or NOT MET. Anything not fully MET goes onto your Plan of Action & Milestones (POA&M). A C3PAO assessor will check the same items — better to find your gaps now than after a failed certification.
Disclaimer: This is a high-level readiness aid, not a substitute for a formal gap assessment. Consult an authorized CMMC Certified Professional (CCP) or Certified Assessor (CCA) before submitting your SPRS score.
$ ./preflight --check

Pre-Flight: Scope & Boundary

// SCOPE: CUI Boundary Definition
  • I have identified all systems that store, process, or transmit Controlled Unclassified Information (CUI).
  • I have a current network / data-flow diagram showing the CUI boundary.
  • I have a current asset inventory (hardware, software, cloud services) for in-scope systems.
  • I have identified all External Service Providers (ESPs) that touch CUI and verified their FedRAMP Moderate or equivalent status.
  • If using Microsoft 365, I am on GCC High (or have a documented justification for Commercial / GCC).
$ ./controls --list-all

14 NIST 800-171 Domains — 110 Controls

01 // AC: Access Control
  • Unique user accounts; no shared/generic logins on CUI systems.
  • Role-based access enforced; least-privilege documented and reviewed.
  • Separation of duties for privileged functions.
  • Session lock after 15 minutes of inactivity on CUI systems.
  • Remote access is encrypted, logged, and routed through approved channels (VPN/jump host).
  • Mobile device access to CUI is controlled and encrypted at rest.
  • Public CUI posting is blocked; no CUI on public-facing sites.
02 // AT: Awareness & Training
  • Annual security awareness training completed and documented for all users.
  • Role-based training for privileged users and ISSOs.
  • Insider-threat awareness module included.
03 // AU: Audit & Accountability
  • Audit logs are generated for all in-scope systems and centrally collected (SIEM).
  • Logs are retained for the minimum required period (1 year typical, longer if contract requires).
  • Logs are protected from unauthorized modification or deletion.
  • Logs are reviewed regularly; documented review cadence and named reviewer.
  • Time synchronization (NTP) is enforced across all logging sources.
04 // CM: Configuration Management
  • Baseline configurations exist for all in-scope OS, applications, and network devices (DISA STIGs or CIS Benchmarks).
  • Change-control process documented and followed.
  • Least-functionality principle applied: unnecessary services, ports, and protocols disabled.
  • Software whitelisting / application control deployed where feasible.
  • User-installed software is restricted on CUI systems.
05 // IA: Identification & Authentication
  • MFA enforced for all privileged accounts and all remote access to CUI systems.
  • Password policy meets NIST 800-63 guidance (length, complexity, no forced rotation absent compromise).
  • FIPS 140-2/140-3 validated cryptography used for authenticator transmission and storage.
  • Stored passwords are cryptographically protected (hashed + salted).
06 // IR: Incident Response
  • Documented Incident Response Plan covering preparation, detection, containment, eradication, recovery, post-incident.
  • IR roles and responsibilities are assigned and trained.
  • Tabletop exercise conducted within last 12 months.
  • 72-hour DoD reporting capability via dibnet.dod.mil established and tested.
07 // MA: Maintenance
  • Maintenance activities are scheduled, approved, and logged.
  • Maintenance tools are inspected before use on CUI systems.
  • Remote maintenance sessions are authorized, monitored, and use MFA.
  • Media is sanitized before equipment leaves the organization.
08 // MP: Media Protection
  • CUI on physical media is marked and controlled.
  • Removable media use on CUI systems is restricted or disabled.
  • Media is sanitized or destroyed per NIST 800-88 prior to disposal or reuse.
  • Encryption is applied to CUI on portable storage.
09 // PS: Personnel Security
  • Background screening completed for personnel with access to CUI.
  • Termination procedures revoke access to CUI systems within 24 hours.
  • Transfer/role-change procedures trigger access reviews.
10 // PE: Physical Protection
  • Physical access to facilities housing CUI systems is controlled and logged.
  • Visitors are escorted and access is logged.
  • Alternate work sites (telework) have documented physical safeguards for CUI.
11 // RA: Risk Assessment
  • A documented risk assessment exists and is reviewed annually.
  • Vulnerability scans run on a defined cadence (monthly or better).
  • Identified vulnerabilities are tracked and remediated per documented timelines.
12 // CA: Security Assessment
  • System Security Plan (SSP) authored, current, and signed.
  • Plan of Action & Milestones (POA&M) actively maintained.
  • Self-assessment completed against NIST 800-171A; SPRS score submitted.
  • Continuous monitoring program documented and operating.
13 // SC: System & Communications Protection
  • CUI is encrypted in transit using FIPS-validated cryptography (TLS 1.2+).
  • CUI is encrypted at rest using FIPS-validated cryptography.
  • Boundary protections deployed (firewall, IDS/IPS, DNS filtering).
  • Internal network segmented from CUI enclave.
  • Mobile / collaborative computing devices controlled (cameras, mics, screen-sharing).
14 // SI: System & Information Integrity
  • Anti-malware deployed, updated, and centrally monitored on all CUI systems.
  • Patch management process documented; critical patches applied within 30 days.
  • System-generated security alerts are monitored 24/7 (in-house or via MSSP).
  • Email and web protections deployed (anti-phishing, URL filtering, sandboxing).
  • Spam protection and inbound mail filtering active.

// Scoring Your Readiness

  • 110 / 110: You are likely ready for a C3PAO assessment. Schedule a mock audit to validate.
  • 88 – 109: Level 2 conditional certification is realistic with a focused 90-day remediation sprint.
  • < 88: A formal gap assessment and remediation engagement should precede any C3PAO booking.
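An added scorer for the procedure in "How to Use" and the bands above (example code written for this page, not a Southern Cyber Solutions tool): it records each control as MET, PARTIAL or NOT MET, lists everything not fully MET as POA&M items, and maps the MET count onto the three readiness bands. The per-domain control counts are taken from NIST SP 800-171 Rev. 2; the sample results and control ids are constructed placeholders.

```python
from __future__ import annotations

# 110 controls total (from the checklist); per-domain split per NIST SP 800-171 Rev. 2
# (not listed on the page, added so a complete assessment can be modelled).
TOTAL_CONTROLS = 110
DOMAIN_CONTROL_COUNTS = {
    "AC": 22, "AT": 3, "AU": 9, "CM": 9, "IA": 11, "IR": 3, "MA": 6,
    "MP": 9, "PS": 2, "PE": 6, "RA": 3, "CA": 4, "SC": 16, "SI": 7,
}
STATUSES = ("MET", "PARTIAL", "NOT MET")

class Assessment:
    """Records MET / PARTIAL / NOT MET per control and derives the POA&M."""

    def __init__(self) -> None:
        self.results: dict[str, dict[str, str]] = {}

    def record(self, domain: str, control: str, status: str) -> None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {STATUSES}, got {status!r}")
        self.results.setdefault(domain, {})[control] = status

    def met_count(self) -> int:
        # Only MET counts toward the score; PARTIAL and unscored controls do not.
        return sum(s == "MET" for ctls in self.results.values() for s in ctls.values())

    def poam(self) -> list[tuple[str, str, str]]:
        """Anything not fully MET goes onto the Plan of Action & Milestones."""
        return [(dom, ctl, st) for dom, ctls in self.results.items()
                for ctl, st in ctls.items() if st != "MET"]

def readiness_band(met: int, total: int = TOTAL_CONTROLS) -> str:
    """Applies the checklist's three scoring bands to a MET count."""
    if not 0 <= met <= total:
        raise ValueError("MET count out of range")
    if met == total:
        return "READY: schedule a mock audit"
    if met >= 88:
        return "CONDITIONAL: focused 90-day remediation sprint"
    return "GAP ASSESSMENT: formal engagement before any C3PAO booking"

def sample_assessment() -> Assessment:
    """Constructed sample: all 110 controls MET except five placeholder gaps."""
    gaps = {("IA", 3): "PARTIAL", ("AU", 2): "NOT MET", ("SC", 8): "PARTIAL",
            ("SI", 2): "NOT MET", ("AC", 11): "PARTIAL"}
    a = Assessment()
    for dom, n in DOMAIN_CONTROL_COUNTS.items():
        for i in range(1, n + 1):  # control ids are placeholders, not NIST ids
            a.record(dom, f"{dom}-{i:02d}", gaps.get((dom, i), "MET"))
    return a
```

Feeding the sample through gives 105 MET, five POA&M entries and the conditional band; a real assessment replaces `sample_assessment()` with one `record()` call per control.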

Need a hand walking the controls?

Southern Cyber Solutions provides operator-grade CMMC readiness, gap assessments, remediation, and pre-assessment mock audits for the Defense Industrial Base. The first 30 minutes are free.

© Southern Cyber Solutions, LLC — Free readiness aid. Not a substitute for formal CMMC assessment.