What is included in a CMMC Level 2 checklist?

A complete Level 2 checklist covers CUI scoping and asset categorization, the System Security Plan and POA&M, all 110 NIST SP 800-171 Revision 2 requirements with evidence and owners, the SPRS or eMASS reporting path, and the annual affirmation. A list of controls alone is not a checklist — the evidence and sequence are what get you ready.

How many controls are in CMMC Level 2?

There are 110 security requirements in CMMC Level 2, drawn directly from NIST SP 800-171 Revision 2 and organized into 14 control families. NIST SP 800-171A breaks those 110 into 320 assessment objectives that assessors verify.

Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 under the active CMMC rule. NIST published Revision 3 in 2024, but it does not become the CMMC baseline unless and until DoD changes the rule through formal rulemaking.

Is CMMC Level 2 the same as NIST 800-171?

They are tightly linked but not identical. NIST SP 800-171 is the requirement set for protecting CUI; CMMC is the DoD program that verifies you meet it through assessment and SPRS reporting, with defined levels and assessment types.

Do I need a CMMC Level 2 self-assessment or a C3PAO assessment?

Your contract decides. During Phase 1 (since November 10, 2025), most applicable contracts require a self-assessment as a condition of award; from November 10, 2026 (Phase 2), DoD begins requiring C3PAO certification for applicable Level 2 contracts. Either way, the 110 requirements are the same.

Can you use a POA&M for CMMC Level 2?

Yes, but narrowly. Only 1-point requirements are eligible, with one exception for CUI encryption that is in place but not FIPS-validated, and six specific requirements can never be on a POA&M. You then have 180 days to close the POA&M and reach Final status.

What score do I need for a Conditional Level 2?

At least 88 out of 110 (80%), with only eligible items on the POA&M. A Final Level 2 requires all 110 requirements to be met or properly marked not applicable.

What evidence counts for CMMC Level 2?

Final, dated, in-scope evidence — policies, system configurations, logs, screenshots, tickets, training and HR records, owner interviews, and test results. Drafts, unapproved policies, and statements that a tool can do something do not count.

What goes into SPRS, and what goes into CMMC eMASS?

For a self-assessment, your organization enters the score, SSP details, and any POA&M into SPRS. For a C3PAO assessment, the assessor enters results into CMMC eMASS, which transmits to SPRS.

Who signs the annual affirmation?

A senior official — the Affirming Official — who is responsible for the organization's CMMC compliance and has authority to attest on its behalf. Affirmations are stored in SPRS, must be no older than one year, and are required from both primes and subcontractors.

Can my MSP or MSSP satisfy some of the controls?

Often yes — but the assets and services they provide can be in scope for your assessment, and the split of responsibilities should be documented in a Customer Responsibility Matrix and reflected in your SSP. Their work supports your compliance; it does not automatically transfer it.

Does GCC High automatically make me CMMC compliant?

No. Microsoft GCC High can be an appropriate environment for handling certain CUI, but an environment is not a certification. You still have to implement, evidence, and assess the controls.

Can a C3PAO help me prepare and then assess me?

Generally not for the same engagement. Conflict-of-interest rules in the CMMC ecosystem keep readiness and formal assessment in separate lanes, so the firm that prepares you typically cannot certify you.

I am a small contractor — what should I do first?

Confirm whether you actually handle CUI and what your contract requires, then scope where CUI lives before you implement or buy anything. Scope first, evidence second, remediation third, assessment last.

CMMC Level 2 Checklist: What Actually Gets You Ready (and What Doesn’t)

By The Defense Compliance Report Editorial Team · Last verified: June 12, 2026 · How we verify · Corrections policy

If you searched for a CMMC Level 2 checklist, you’re past the theory. You need the list — what to do, in what order, and how to prove it without burning six months and a six-figure budget in the wrong sequence. So here’s the bottom line first: CMMC Level 2 means implementing all 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, inside a correctly scoped boundary — and then proving each one with evidence an assessor will actually accept.

This is the checklist we wish existed when we started reading the rule. We built it by going to the source — the program rule at 32 CFR Part 170, the DoD CIO’s CMMC Assessment Guide – Level 2, NIST SP 800-171 Revision 2 and its companion assessment manual NIST SP 800-171A, the CMMC Level 2 Scoping Guide, and the DFARS contract clauses themselves — and translating it into something a CISO, IT director, FSO, or small-business owner can act on by Friday. The Defense Compliance Report is an independent trade publication; we’re not a C3PAO, not affiliated with the Cyber AB, and not paid by any single provider to push a product.

What changes the answer (read this before you scroll)

Level 2 looks the same on paper for everyone, but four things move the work:

CUI vs. FCI. If your systems only touch Federal Contract Information — the basic, non-public information you get just by doing the contract — you’re probably a Level 1 company, not Level 2. Level 2 is triggered by Controlled Unclassified Information (CUI).
Self-assessment vs. C3PAO. The 110 requirements are identical either way. What differs is who validates you and where the result is recorded. Your solicitation decides.
Your scope. A 12-person shop with one CUI enclave and a 1,200-person prime have wildly different efforts — driven almost entirely by how much of the environment touches CUI.
Your starting maturity. If you already run MFA everywhere and FIPS-validated encryption, you’re closing gaps. If you’re starting from commercial Microsoft 365 and shared logins, you’re building.

Quick answer: do you even need a Level 2 checklist?

Use this checklist when your DoD contract, solicitation, or a prime’s flow-down points you to CMMC Level 2 because Controlled Unclassified Information (CUI) is processed, stored, or transmitted in your systems. FCI-only work generally points to Level 1; the most sensitive CUI work points to Level 3, which requires a final Level 2 third-party certification first. The contract language — not your company size or preference — controls which path applies.

Before you touch a single control, confirm you’re on the right page. Both the self and third-party paths use the same 110 Level 2 requirements— the difference is validation and reporting.

Your situation	How to use this checklist	What you’ll end up needing	Assessment path
FCI only, no CUI	This isn't your main page — see our Level 1 guide	Level 1 self-assessment + annual affirmation	Level 1 (Self)
CUI + solicitation says Level 2 (Self)	Use all 110 rows + the evidence steps	A defensible SPRS score + annual affirmation	Self-assessment
CUI + solicitation says Level 2 (C3PAO)	Use all 110 rows + assessor-ready evidence	Conditional or Final Level 2 (C3PAO) status, recorded in CMMC eMASS → SPRS	C3PAO assessment
Prime is flowing CUI down to you	Start with the flow-down branch, then scope	Written flow-down + at least Level 2 (Self)	Usually Level 2 (Self); C3PAO if the prime's contract requires it
Level 3 requirement	Use Level 2 only as the prerequisite	Final Level 2 (C3PAO) first	Level 3 is assessed by DCMA DIBCAC

A C3PAO is a CMMC Third-Party Assessment Organization authorized or accredited through the Cyber AB to perform official Level 2 certification assessments. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the government team that runs Level 3 assessments. Under 32 CFR § 170.23, a sub handling only FCI can be required at Level 1; a sub handling CUI needs Level 2 at minimum. See our flow-down guide for the full subcontractor breakdown.

Which DFARS clause are you actually looking at?

Five DFARS clauses come up around CMMC, and they do different jobs. DFARS 252.204-7012 covers safeguarding Covered Defense Information and reporting cyber incidents. DFARS 252.204-7019 and -7020 are the existing NIST SP 800-171 DoD Assessment and SPRS-posting framework. DFARS 252.204-7021 is the CMMC contract clause that carries your ongoing obligation. DFARS 252.204-7025 is the solicitation provision that puts you on notice and makes your CMMC status a condition of award.

252.204-7012 — Safeguarding Covered Defense Information and cyber incident reporting. The long-standing clause that already requires NIST SP 800-171 and 72-hour incident reporting.
252.204-7019 / -7020 — The Notice of, and requirement for, a NIST SP 800-171 DoD Assessment with results in SPRS. This is the pre-CMMC self-scoring regime, and it still flows down to subs.
252.204-7021 — Contractor Compliance With the CMMC Level Requirements. The contract clause (effective November 10, 2025) that requires you to maintain your CMMC status, flow it down, submit CMMC Unique Identifiers, and file annual affirmations.
252.204-7025 — Notice of CMMC Level Requirements. The solicitation provision that tells you which level is coming and makes a current CMMC status a condition of award eligibility. When you see -7025 in a solicitation, expect -7021 in the resulting contract.

A CMMC UID is a CMMC Unique Identifier — a 10-character code assigned in SPRS to each assessed information system that handles FCI or CUI; you list those UIDs in your proposal.

Why November 10, 2026 is the date that matters

The CMMC rollout runs in four phases over three years, tied to the DFARS rule’s effective date of November 10, 2025. You’re in Phase 1 now, when most applicable contracts require a Level 1 or Level 2 self-assessment as a condition of award. Phase 2 begins November 10, 2026 — and in Phase 2, DoD intends to include Level 2 (C3PAO) status for applicable solicitations and contracts as a condition of award, while keeping discretion to delay that requirement to an option period. (32 CFR § 170.3)

The 110 requirements aren’t changing on a phase boundary. What changes is how you have to prove them.

Now through November 9, 2026 (Phase 1): DoD includes Level 1 (Self) or Level 2 (Self) as a condition of award on applicable contracts, and may require Level 2 (C3PAO) at its discretion.
From November 10, 2026 (Phase 2): DoD begins adding the Level 2 (C3PAO) requirement to applicable solicitations as a condition of award, while retaining discretion to delay to an option period rather than at award.

DoD estimated roughly 8,350 medium and large entitieswould need a Level 2 (C3PAO) assessment as a condition of award — and projected only about 135 C3PAO assessments completed in year one, ~673 in year two, ~2,252 in year three, and ~4,452 in year four. Demand vastly outpaces near-term assessor throughput. See our C3PAO wait-time guide for current backlog data.

Planning milestones: work backward from Nov. 10, 2026

Milestone	Target timing	Why this lead time
Define and freeze your CUI scope	By ~Q1 2026	Everything downstream depends on the boundary
Finish the SSP + evidence package	By ~mid-2026	The SSP is reviewed first; evidence takes longest to assemble
Remediate every non-deferrable control	By ~summer 2026	The high-value controls can't go on a POA&M (more below)
Get on a C3PAO's schedule	As early as possible	Assessor capacity is finite and the queue is real

These dates are planning estimates based on typical readiness timelines and DoD’s own throughput projections — not deadlines set by the rule. And remember: a conditional status can win you the award, but the 180-day close clock starts the day you get it.

The CMMC Level 2 checklist, phase by phase

A CMMC Level 2 checklist is not a list of 110 controls you tick off. It’s an ordered sequence: confirm the requirement, scope where CUI lives, build the documentation, implement and evidence each control, score yourself honestly, submit, affirm, and maintain. Run it in this order and you stop spending money in the wrong sequence — which is the single most expensive mistake small contractors make.

Phase	The job	What you must produce	Primary-source anchor	The mistake that bites people
0. Confirm Level 2 applies	Read the clause and classify your data	Contract/solicitation/flow-down language; an FCI vs. CUI determination	DFARS 252.204-7021 / -7025; 32 CFR § 170.23	Preparing for Level 2 (Self) when the clause actually requires a C3PAO
1. Find the CUI	Map where CUI enters, lives, and moves	CUI inventory; data-flow map; user and location list	32 CFR § 170.19	Checking controls before you know where CUI actually is
2. Define the scope	Categorize every in-scope asset	Asset inventory by category; external-provider (ESP/CSP) list	32 CFR § 170.19; CMMC Scoping Guide – Level 2	Leaving your MSP, MSSP, or cloud provider out of the picture
3. Build the SSP	Describe the real system, not a template	System Security Plan with boundary, components, and control narratives	NIST SP 800-171 (3.12.4); 32 CFR §§ 170.16–170.17	A template SSP that doesn't match the environment you actually run
4. Map the 110	Track every requirement by family and objective	A 110-row tracker mapped to the 14 families and 320 objectives	NIST SP 800-171 Rev. 2; NIST SP 800-171A	Using the Revision 3 structure for a Revision 2 assessment
5. Implement & evidence	Make controls real and provable	Policies, configs, logs, tickets, training records, diagrams, test results	NIST SP 800-171A; CMMC Assessment Guide – Level 2	Marking a control “implemented” with no evidence behind it
6. Score & POA&M	Calculate honestly; plan the gaps	MET / NOT MET / N/A status; SPRS score; eligible POA&M with a close plan	32 CFR §§ 170.21, 170.24	Putting a high-value or prohibited control on a POA&M
7. Submit & affirm	Record the result; sign for it	SPRS entry (Self) or C3PAO eMASS path; CMMC UID; Affirming Official record	32 CFR §§ 170.16, 170.17, 170.22	Signing an affirmation you can't defend with evidence
8. Maintain	Treat it as ongoing, not one-and-done	Evidence refresh cadence; change log; annual affirmation; 3-year reassessment	32 CFR § 170.22	Treating CMMC as a project instead of an operating state

Source: 32 CFR Part 170. Level 2 self-assessment results go into SPRS; C3PAO results go into CMMC eMASS then to SPRS; affirmations are required after each assessment and annually; a POA&M must be closed within 180 days.

Should your checklist be built for self-assessment or a C3PAO?

Level 2 (Self) and Level 2 (C3PAO) require the same 110 NIST SP 800-171 Revision 2 requirements. What differs is who scores you and where it’s recorded: a self-assessment is scored by your own organization and entered into SPRS, while a C3PAO assessment is performed by an authorized or accredited third party, entered into CMMC eMASS, and transmitted to SPRS. Both require an annual affirmation by a senior official, and both run on a three-year cycle. “Self-assessment” does not mean “lighter requirements.”

	Level 2 (Self)	Level 2 (C3PAO)
Requirement set	All 110 (NIST SP 800-171 Rev. 2)	All 110 (NIST SP 800-171 Rev. 2)
Who scores it	Your organization (the OSA)	A C3PAO assessment team
Where it's recorded	SPRS	CMMC eMASS → SPRS
Resulting status	Conditional or Final Level 2 (Self)	Conditional or Final Level 2 (C3PAO)
Cycle	Every 3 years + annual affirmation	Every 3 years + annual affirmation
Evidence bar	Must be defensible (you may be audited later)	Must be assessor-ready on day one

OSAis the Organization Seeking Assessment — the contractor being assessed. The CMMC rule sets Level 2 assessments on a three-year cycle with an annual affirmationof continued compliance in between. If a competing page tells you a C3PAO re-assesses you every year, that’s wrong. The cadence is assess every three years, affirm every year.

One nuance worth saying plainly: even on the self-assessment path, the Georgia Tech case (which we cover under submission) is a reminder that “we scored ourselves” is not the same as “no one will ever check.” Your SPRS score is a representation to the government. Build it like someone will read it, because someone might.

How to scope CUI before you touch the 110 requirements

Scope comes before controls — always. Under 32 CFR § 170.19, your CMMC Assessment Scope is the set of assets that will be assessed. Level 2 scoping uses five asset categories: four of them are inside the Level 2 assessment scope, and the fifth, Out-of-Scope Assets, sits outside it only if you can show those assets can’t process, store, or transmit CUI and play no role in protecting CUI. Get the scope wrong and the checklist gives you a false sense of readiness.

Scoping is the most consequential decision on this entire checklist. Define your boundary too broadly and you’ll spend money hardening laptops, servers, and SaaS tools that never see CUI. Define it too narrowly and you fail — an assessor can challenge a boundary that leaves obvious gaps. You propose the boundary; the assessor gets to push back.

Category	What it is	How it’s treated at Level 2	Examples
CUI Assets	Process, store, or transmit CUI (or Security Protection Data)	Assessed against all 110 requirements	CUI file server; an engineer's workstation handling controlled drawings
Security Protection Assets (SPA)	Provide security functions that protect CUI	Assessed against the requirements relevant to their function	SIEM, firewall, identity provider, endpoint detection (EDR)
Contractor Risk Managed Assets (CRMA)	Can access CUI but aren't intended to, and aren't fully separated	Managed by risk-based policies; assessor can do a limited check	An admin laptop on the same VLAN as CUI systems
Specialized Assets	Operational tech, IoT, government-furnished equipment, test equipment	In the asset inventory, SSP, and network diagram; managed by risk-based policies; assessor reviews SSP only	A CNC machine; an IoT sensor; GFE
Out-of-Scope Assets	No ability to process, store, or transmit CUI and no role in protecting it	Not in the Level 2 assessment scope — but you must justify the separation	Guest Wi-Fi; a physically isolated lab

Source: 32 CFR § 170.19 and the DoD CIO’s CMMC Scoping Guide – Level 2. “Security Protection Data” (SPD) is the security-relevant information that protection assets handle. External Service Providers (ESPs) and Cloud Service Providers (CSPs) that manage your environment can pull into scope; the Customer Responsibility Matrix (the document that splits security duties between you and the provider) belongs in your scoping work and your SSP.

Scoping worksheet

These are the questions an assessor will effectively be asking, in the order you should answer them.

Scope question	Evidence to collect	Why it matters
Where does CUI enter?	Contract docs, CUI markings, email/portal intake list	Defines your data flow
Where is CUI stored?	File shares, M365, ERP, PLM/CAD, ticketing, backups	Defines your CUI Assets
Who touches CUI?	User and role list	Drives access control
What protects the CUI systems?	SIEM, EDR, firewall, identity tooling	These may be SPAs
Which providers touch the environment?	MSP/MSSP/CSP contracts + Customer Responsibility Matrix	These may enter scope
What's out of scope, and how do you know?	Segmentation evidence, diagrams, VDI/enclave assumptions	Out-of-scope must be defensible

What “done” actually means: the evidence behind each control

A Level 2 requirement is MET only when every applicable assessment objective is satisfied with final evidence — not drafts, not “the tool can do it,” not an unapproved policy. NIST SP 800-171A breaks the 110 requirements into 320 assessment objectives, and assessors confirm them using three methods: examine, interview, and test. There is no partial credit. A single unmet objective can make the whole requirement NOT MET.

There are essentially eight kinds of evidence, and most requirements need more than one:

1. Policy and procedure — the documented intent and the step-by-step process.
2. System configuration — settings that prove the control is enforced (MFA enabled, encryption configured).
3. Logs and records — proof the control runs over time, not just on the day you looked.
4. Screenshots and exports — dated, sourced, and tied to the in-scope system.
5. Tickets and change records — evidence that changes are controlled and tracked.
6. Training and HR records — who was screened, onboarded, offboarded, and trained.
7. Interviews and owner attestations — a real person who can explain how the control works.
8. Test results — proof the control actually does what the config claims.

MET vs. NOT MET vs. N/A:MET is every applicable objective satisfied with evidence. NOT MET is one or more objectives unsatisfied — no partial score for “mostly.” N/A is legitimate only when a requirement genuinely doesn’t apply to your environment, and you must document why. “We don’t do that” is not the same as “that doesn’t apply to us.”

Requirement	Weak status	Assessment-ready status
Multi-factor authentication	"Enabled"	MFA policy finalized; identity-provider export dated; privileged and remote users verified; a test screenshot; exception list reviewed
System Security Plan	"We have a template"	SSP with name, version, and date; scope diagram; asset inventory; control narratives; Customer Responsibility Matrix references; POA&M cross-linked
Audit logging	"SIEM is installed"	Log sources listed; retention configured; a documented review cadence; alert tickets; an owner interview; a sample log export

How to work through all 110 requirements (the 14-family matrix)

The 110 Level 2 requirements come from NIST SP 800-171 Revision 2 and are organized into 14 control families, from Access Control (22 requirements) to System and Information Integrity (7). Work them by family and assessment objective — tracking each requirement’s evidence, owner, and status — rather than by buying tools first. The counts below sum to exactly 110.

One accuracy point we’ll keep hammering because it costs real money: build to Revision 2. NIST published SP 800-171 Revision 3 in 2024 and it restructures the controls, but CMMC Level 2 is still tied to Revision 2 under 32 CFR § 170.14. Preparing a Revision 3 package for a Revision 2 assessment is a self-inflicted wound. Also see our NIST 800-171 gap analysis guide.

Family (NIST 800-171 prefix)	#	What the checklist must prove	Evidence examples	Common blocker	Likely owner
Access Control (3.1)	22	Only authorized users, processes, and devices reach CUI and systems	Access lists, role matrix, remote-access config, session controls	Shared accounts; unmanaged remote access	IT / MSP
Awareness & Training (3.2)	3	People who touch CUI know their obligations	Training records, role-based awareness, insider-threat topics	Generic security training only	HR / compliance
Audit & Accountability (3.3)	9	Logs exist, are protected, and are reviewed	Log config, retention, review records, alert tickets	Logs collected but never reviewed	MSSP / IT
Configuration Management (3.4)	9	Systems are baselined, controlled, and changed deliberately	Baselines, change tickets, hardening standards, inventories	No formal change evidence	IT / MSP
Identification & Authentication (3.5)	11	Users and devices are identified and authenticated, including MFA	MFA settings, identity records, password policy, privileged-access proof	Partial MFA (email yes, VPN no)	IT / identity provider
Incident Response (3.6)	3	Incidents can be detected, reported, handled, and tested	IR plan, incident tickets, tabletop records	A plan that's never been tested	vCISO / MSSP
Maintenance (3.7)	6	Maintenance is authorized, controlled, logged, and protected	Maintenance logs, remote-maintenance MFA, vendor records	Unmanaged vendor access	IT / MSP
Media Protection (3.8)	9	CUI media is controlled, marked, sanitized, and destroyed	Media inventory, encryption, sanitization certificates	Forgotten removable media	IT / facilities
Personnel Security (3.9)	2	People are screened; access is removed on departure	Onboarding/offboarding records, access-revocation tickets	Delayed offboarding evidence	HR / IT
Physical Protection (3.10)	6	Facilities and devices that touch CUI are physically protected	Badge logs, visitor logs, access lists, camera records	Visitor escort/log gaps	Facilities / security
Risk Assessment (3.11)	3	Risks and vulnerabilities are identified and remediated	Risk register, vulnerability scans, remediation records	Scans with no remediation trail	vCISO / MSSP
Security Assessment (3.12)	4	Controls are assessed; SSP is current; POA&M is managed	SSP, POA&M, control-review records, monitoring plan	SSP not tied to the real scope	RPO / vCISO
System & Communications Protection (3.13)	16	CUI is protected in transit, at boundaries, and by encryption	Network diagrams, boundary controls, FIPS evidence, segmentation	Encryption or boundary assumptions	MSP / MSSP / cloud
System & Information Integrity (3.14)	7	Flaws, malware, and alerts are handled in time	Patch records, AV/EDR config, alert tickets, vuln remediation	Tools installed but no operating evidence	MSSP / IT
Total	110	Assessed against 320 objectives under NIST SP 800-171A

Assessors don’t grade your intentions, they grade objectives. Attach the evidence and the owner to each row now — not the week before your assessment. The teams that struggle aren’t the ones missing controls; they’re the ones missing proof.

Can you put unfinished items on a POA&M?

Sometimes — but narrowly. You start at a score of 110 and lose 1, 3, or 5 points per unmet requirement (the score can fall as low as −203). A Conditional Level 2 status requires a score of at least 88 out of 110 (80%), with only eligible items on the Plan of Action and Milestones (POA&M). Only 1-point requirements are POA&M-eligible, with one exception, and six specific requirements can never be on a POA&M. You then have 180 days to close every POA&M item and pass a closeout assessment to reach Final status.

A POA&Mis a Plan of Action and Milestones — the documented plan to fix a NOT MET requirement, with owners, resources, and deadlines. It is not a loophole. Source: 32 CFR § 170.24 (scoring) and 32 CFR § 170.21 (POA&M rules).

Question	Answer
Maximum score	110
Point values per requirement	1, 3, or 5 (higher impact = bigger deduction)
Lowest possible score	−203
Score for Final Level 2	110 (all requirements MET or properly N/A)
Minimum score for Conditional Level 2	88 / 110 (80%)
Partial credit?	No — every requirement is MET or NOT MET
What's POA&M-eligible?	Only 1-point requirements
The one exception	CUI encryption (SC.L2-3.13.11) may be on a POA&M only if encryption is in place but not FIPS-validated (treated as a 3-point condition)
Closeout window	180 days to close all POA&M items and pass a closeout assessment, or Conditional status lapses

The six requirements that can never be on a Level 2 POA&M

The rule names these six requirements at 32 CFR § 170.21(a)(2). They must be met — no exceptions, no matter how high your score:

AC.L2-3.1.20 — External Connections
AC.L2-3.1.22 — Control Public Information
CA.L2-3.12.4 — System Security Plan
PE.L2-3.10.3 — Escort Visitors
PE.L2-3.10.4 — Physical Access Logs
PE.L2-3.10.5 — Manage Physical Access

Because only 1-point items are eligible, every 3- and 5-point requirement must be fully MET before you can earn even a Conditional status — which effectively makes controls like MFA, FIPS-validated encryption, and boundary protection non-negotiable at assessment time. And the SSP is special: the absence of a current System Security Plan at the time of assessment results in a finding that the assessment could not be completed. No SSP, no score.

POA&M decision logic

Question	If yes	If no
Is your score at least 88/110?	Continue	No Conditional status — remediate first
Is every gap a POA&M-eligible (1-point) item?	Continue	Remediate the ineligible ones first
Is any gap one of the six prohibited requirements?	Fix it before you assess	Continue
Can you close everything within 180 days?	Build the closeout plan	Don't rely on Conditional status
Are you on the C3PAO path?	An authorized C3PAO runs the closeout	On the self path, you run the closeout self-assessment

What you submit: SPRS, eMASS, and the annual affirmation

Level 2 (Self) results are entered into SPRS by your organization. Level 2 (C3PAO) results are entered by the assessor into CMMC eMASS and transmitted to SPRS. In both cases, an Affirming Official — a senior leader with authority to attest on the company’s behalf — must submit an affirmation of compliance after the assessment, after any POA&M closeout, and annually thereafter. For solicitations using DFARS 252.204-7025, an offeror is not eligible for award unless SPRS reflects the required current CMMC status and a current affirmation for each system that will handle FCI or CUI.

Level 2 (Self):your organization scores the 110 requirements and enters the result, your SSP details, and any POA&M into SPRS.
Level 2 (C3PAO): the assessor enters results into CMMC eMASS, which transmits to SPRS. Under 32 CFR § 170.17, the eMASS record must include the list of artifact names, the return value of the hashing algorithm, and the hashing algorithm used.
CMMC UID: each assessed information system that handles FCI or CUI gets a 10-character CMMC Unique Identifier in SPRS, and you list those UIDs in your proposal (DFARS 252.204-7025).
Who signs: the Affirming Official must be a senior representative with authority to attest. Affirmations are stored in SPRS, must be no older than one year, and both primes and subcontractors must file them. Records must be retained for at least six years from the date the CMMC status is obtained. (32 CFR §§ 170.16, 170.17, 170.22)

The cautionary case every Affirming Official should read first

On September 30, 2025, the U.S. Department of Justice announced that Georgia Tech Research Corporation agreed to pay $875,000 to resolve False Claims Act allegations that it failed to meet cybersecurity requirements under certain Air Force and DARPA contracts. Among DOJ’s allegations: the relevant lab didn’t run required antivirus protection, lacked a system security plan, and submitted an SPRS score for a fictitious or “virtual” environment rather than the actual system that handled the data. The settlement resolved allegations only; there was no determination of liability, and the contractor contested the claims. U.S. Department of Justice, Sept. 30, 2025

The recent enforcement pattern under DOJ’s Civil Cyber-Fraud Initiative:

Settlement	Date announced	Amount	What DOJ alleged	The checklist lesson
Georgia Tech Research Corp.	Sep 30, 2025	$875,000	No antivirus, no SSP, an SPRS score tied to a "virtual" environment	Score the real, in-scope system — not a hypothetical one
Raytheon / RTX / Nightwing	May 1, 2025	$8,400,000	Falsely certifying compliance with cybersecurity requirements	Certifications you can't back up are FCA exposure
MORSECORP Inc.	Mar 26, 2025	$4,600,000	Noncompliant email host, no written security plan, SPRS score not updated after a third party lowered it	Keep SPRS current and your SSP real
Pennsylvania State University	Oct 22, 2024	$1,250,000	Failing NIST SP 800-171 safeguards and misrepresenting compliance	Self-attestation is a representation, not a formality

Sources: U.S. Department of Justice press releases for each settlement. None of these outcomes is “typical,” and each rests on its own facts — but the direction of enforcement is unmistakable: an inaccurate self-attestation is a legal exposure, not just a compliance miss.

Which provider category solves which problem (don’t send everything to a C3PAO)

Don’t route every checklist blocker to a C3PAO — and don’t assume one tool equals readiness. The usual sequence is: readiness and scoping help first, implementation or managed security second, evidence/workflow software as a supporting layer, and a C3PAO only when a formal assessment is the actual next step. Conflict-of-interest rules in the CMMC ecosystem keep readiness work and formal assessment separated — the firm that prepares you for a Level 2 certification generally cannot be the C3PAO that performs it.

Your blocker	The category that helps	Why	What to verify before hiring
"We don't know what's in scope."	RPO / readiness consultant / vCISO	Scope, SSP, and the evidence plan are their core work	Defined deliverables; any compensation relationship; no certification guarantee
"CUI is everywhere — our scope is huge."	Readiness + enclave/cloud architecture	Scope-reduction (an enclave) can shrink cost dramatically	How the enclave is bounded; CSP responsibilities in the CRM
"We need the environment actually built."	MSP / MSSP / GCC High / AWS GovCloud implementer	Implementation and ongoing operations	Customer Responsibility Matrix; scope impact; FedRAMP/CSP posture where relevant
"We have tools but no evidence."	GRC / evidence-workflow software	Mapping controls to evidence and owners — a supporting layer	That it's sold as evidence tooling, not "compliance in a box"
"Our monitoring is weak."	MSSP / SOC / vCISO	Operational control maintenance over time	Who owns alerting, response, and the evidence it generates
"We're ready for formal validation."	C3PAO	The certification assessment itself	Current Cyber AB Marketplace status; conflict-of-interest separation from your readiness firm
"The clause language is unclear."	Contracting officer / counsel	Contract interpretation isn't a vendor question	—

RPO = Registered Provider Organization (a firm in the CMMC ecosystem that offers readiness/advisory help). MSP/MSSP = managed (security) service provider. GRC= governance, risk, and compliance. The conflict-of-interest separation is set by the Cyber AB’s CMMC Assessment Process (CAP) and Code of Professional Conduct, alongside 32 CFR Part 170. See our RPO vs. C3PAO guide.

Disclosure: The Defense Compliance Report may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

How a small contractor keeps this from becoming a money pit

The single best cost-control move is to refuse to do enterprise-wide remediation before you know your CUI scope. DoD’s regulatory cost estimate for a small entity is about $34,277 for a Level 2 (Self) assessment and initial affirmation, or roughly $37,196 over three years; for a Level 2 (C3PAO) certification, DoD estimated about $101,752 initially and roughly $104,670 over three years (about $117,690 for larger entities). Those estimates assume NIST SP 800-171 Rev. 2 is already implemented — they do not capture the cost of implementing the controls, which is usually the bigger and more variable number.

Line item	DoD regulatory estimate (small entity)	Notes
Level 1 (Self) assessment + affirmation	~$6,000	~$4,000 for larger entities
Level 2 (Self) assessment + initial affirmation	~$34,277 (≈ $37,196 over 3 years)	Assumes Rev. 2 already implemented
Level 2 (C3PAO) assessment + initial affirmation	~$101,752 (≈ $104,670 over 3 years)	~$117,690 for larger entities; includes a ~$31,234 C3PAO engagement line
Control implementation (MFA, FIPS encryption, logging, documentation)	Not in DoD's estimate	Usually the largest line; varies widely by maturity and scope
CUI enclave / GCC High / managed services	Requires a scoped quote	Can reduce scope and total cost, or add monthly cost
GRC / evidence tooling	Requires a scoped quote	Supporting layer, not a substitute for controls

Source: CMMC Program rule economic analysis (32 CFR Part 170; Federal Register, October 15, 2024). DoD’s model counts the cost of preparing for and conducting the assessment, reporting the score, and affirming. It explicitly does not count implementation. Treat these as DoD rulemaking estimates, not guaranteed market prices.

Scope before tools. Every dollar spent securing a system that doesn’t touch CUI is a dollar wasted.
Don’t buy GCC High reflexively. GCC High is the right answer for some CUI scenarios and overkill for others. Decide based on your CUI and your scope, not on a vendor’s urgency.
Don’t hire a C3PAO before you’re ready. Paying for an assessment you’re not prepared for is the most expensive way to find your gaps. See our C3PAO assessment cost guide.
Don’t prepare a Revision 3 package for a Revision 2 assessment.
Use the checklist to compare quotes. When a provider’s proposal maps to the phases and evidence here, you can tell whether you’re buying readiness or buying a logo.

The mistakes that cause Level 2 checklist failures

Most Level 2 failures are sequence failures, not knowledge failures: checking controls before defining CUI scope, using a template SSP, treating tools as evidence, confusing annual affirmation with annual assessment, or assuming a readiness firm can also be your assessor. The checklist exists to surface these before money is spent or a senior official signs.

Mistake	Why it fails	The artifact that prevents it	Category if blocked
Using the Revision 3 structure	CMMC Level 2 is tied to Rev. 2 (32 CFR § 170.14)	A 110-row tracker built on Rev. 2	RPO / GRC
Marking controls MET without evidence	Assessors grade objectives with examine/interview/test	An evidence file per requirement	GRC / readiness
Ignoring ESP/CSP responsibilities	Your MSP and cloud can be in scope	A Customer Responsibility Matrix in the SSP	MSP/MSSP / readiness
Assuming GCC High = compliance	An environment is not a certification	A scoped SSP that maps controls to the environment	Enclave / readiness
Treating a POA&M as a shortcut	Only 1-point items qualify; six are barred	The POA&M decision logic above	RPO / vCISO
Confusing Self with C3PAO	Same 110 requirements, different validation	The self-vs-C3PAO branch	Readiness
Routing readiness to your assessor	Conflict-of-interest rules separate the lanes	Independence check on the C3PAO	C3PAO (separate firm)
Letting evidence go stale	Affirmation is annual; controls must keep running	A refresh cadence and change log	MSSP / GRC

How we built and verified this

We built this checklist by reading the primary sources directly, then translating them into operational fields — and we separate regulatory fact from editorial judgment.

We read 32 CFR Part 170 for the Level 2 requirements, scoping, scoring, POA&M rules, affirmation, subcontractor flow-down, and conflict-of-interest framing; the DFARS clauses (252.204-7012, -7019, -7020, -7021, and the solicitation provision -7025) on Acquisition.gov and in the Federal Register; NIST CSRC for SP 800-171 Revision 2 and SP 800-171A; the DoD CIO’s CMMC Assessment Guide – Level 2 and CMMC Scoping Guide – Level 2; SPRS documentation; and the DOJ press releases for the enforcement settlements cited above.

What we verified — June 12, 2026

Level 2 = NIST SP 800-171 Revision 2, 110 requirements across 14 families. (32 CFR § 170.14)
Phase 1 runs Nov. 10, 2025 – Nov. 9, 2026; Phase 2 begins Nov. 10, 2026. (32 CFR § 170.3(e))
The six requirements that can never be on a Level 2 POA&M (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5), the 1-point eligibility rule, and the SC.L2-3.13.11 FIPS exception. (32 CFR § 170.21)
Scoring: 110 maximum, −203 minimum, 88/110 for Conditional, 180-day closeout. (32 CFR §§ 170.21, 170.24)
DFARS 252.204-7021 defines a current Conditional Level 2 status as not older than 180 days with a corresponding affirmation; a current Final status as not older than 3 years; affirmations no older than 1 year.
DoD regulatory cost estimates for Level 2 (Self) and Level 2 (C3PAO), which exclude control implementation. (32 CFR Part 170 economic analysis; Federal Register, Oct. 15, 2024)
The four DOJ Civil Cyber-Fraud Initiative settlements cited above, each from the DOJ press release.

This page is educational. It is not legal, contractual, or official assessment advice. Verify every requirement against your specific solicitation, contract, flow-down language, CUI markings, and qualified advisors. Last verified: June 12, 2026. Next scheduled review: September 2026, with a hard re-check before Phase 2 begins on November 10, 2026.

Read more in our editorial standards, methodology, and corrections policy.

Primary sources we read

32 CFR Part 170 — CMMC Program rule: ecfr.gov
32 CFR § 170.21 — POA&M requirements: ecfr.gov
DFARS 252.204-7021: ecfr.gov
DFARS final rule (Nov. 10, 2025) — Federal Register, Sept. 10, 2025: federalregister.gov
CMMC Program rule (Dec. 16, 2024) — Federal Register, Oct. 15, 2024: federalregister.gov
NIST SP 800-171 Rev. 2: csrc.nist.gov
NIST SP 800-171A: csrc.nist.gov
DoD CIO CMMC Assessment Guide – Level 2 and CMMC Scoping Guide – Level 2 (dodcio.defense.gov)
DOJ settlements: Georgia Tech · MORSECORP · Raytheon/Nightwing

CMMC Level 2 checklist FAQ

What is included in a CMMC Level 2 checklist?: A complete Level 2 checklist covers CUI scoping and asset categorization, the System Security Plan and POA&M, all 110 NIST SP 800-171 Revision 2 requirements with evidence and owners, the SPRS or eMASS reporting path, and the annual affirmation. A list of controls alone isn't a checklist — the evidence and sequence are what get you ready.
How many controls are in CMMC Level 2?: There are 110 security requirements in CMMC Level 2, drawn directly from NIST SP 800-171 Revision 2 and organized into 14 control families. NIST SP 800-171A breaks those 110 into 320 assessment objectives that assessors verify.
Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 under the active CMMC rule. NIST published Revision 3 in 2024, but it does not become the CMMC baseline unless and until DoD changes the rule through formal rulemaking.
Is CMMC Level 2 the same as NIST 800-171?: They're tightly linked but not identical. NIST SP 800-171 is the requirement set for protecting CUI; CMMC is the DoD program that verifies you meet it through assessment and SPRS reporting, with defined levels and assessment types.
Do I need a CMMC Level 2 self-assessment or a C3PAO assessment?: Your contract decides. During Phase 1 (since November 10, 2025), most applicable contracts require a self-assessment as a condition of award; from November 10, 2026 (Phase 2), DoD begins requiring C3PAO certification for applicable Level 2 contracts. Either way, the 110 requirements are the same.
Can you use a POA&M for CMMC Level 2?: Yes, but narrowly. Only 1-point requirements are eligible, with one exception for CUI encryption that's in place but not FIPS-validated, and six specific requirements can never be on a POA&M. You then have 180 days to close the POA&M and reach Final status.
What score do I need for a Conditional Level 2?: At least 88 out of 110 (80%), with only eligible items on the POA&M. A Final Level 2 requires all 110 requirements to be met or properly marked not applicable.
What evidence counts for CMMC Level 2?: Final, dated, in-scope evidence — policies, system configurations, logs, screenshots, tickets, training and HR records, owner interviews, and test results. Drafts, unapproved policies, and 'the tool can do it' do not count.
What goes into SPRS, and what goes into CMMC eMASS?: For a self-assessment, your organization enters the score, SSP details, and any POA&M into SPRS. For a C3PAO assessment, the assessor enters results into CMMC eMASS, which transmits to SPRS.
How long does a Level 2 status last?: Level 2 assessments run on a three-year cycle, with an annual affirmation of continued compliance in between. The cadence is assess every three years, affirm every year.
Who signs the annual affirmation?: A senior official — the Affirming Official — who is responsible for the organization's CMMC compliance and has authority to attest on its behalf. Affirmations are stored in SPRS, must be no older than one year, and are required from both primes and subcontractors.
Can my MSP or MSSP satisfy some of the controls?: Often yes — but the assets and services they provide can be in scope for your assessment, and the split of responsibilities should be documented in a Customer Responsibility Matrix and reflected in your SSP. Their work supports your compliance; it doesn't automatically transfer it.
Does GCC High automatically make me CMMC compliant?: No. Microsoft GCC High can be an appropriate environment for handling certain CUI, but an environment is not a certification. You still have to implement, evidence, and assess the controls.
Can a C3PAO help me prepare and then assess me?: Generally not for the same engagement. Conflict-of-interest rules in the CMMC ecosystem keep readiness/remediation and formal assessment in separate lanes, so the firm that prepares you typically cannot certify you.
I'm a small contractor — what should I do first?: Confirm whether you actually handle CUI and what your contract requires, then scope where CUI lives before you implement or buy anything. Scope first, evidence second, remediation third, assessment last.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Get matched →Compare provider categories →Download the CMMC Level 2 checklist →