CMMC Level 2 Documentation Checklist: SSP, POA&M, Evidence & What Assessors Actually Require
Bottom line up front: A complete CMMC Level 2 documentation checklist is built around two documents the security requirements name directly — a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) — plus the scope artifacts, policies, procedures, and evidence you need to prove all 110 security requirements across 14 control families in NIST SP 800-171 Revision 2. There is no official master document pack. What else you need depends on your scoped environment, your assessment type, and your cloud and IT setup.
That last sentence is where most contractors lose months and money. We’ll show you exactly why in a minute. First, who this page is for.
Who this page is for — and who should leave
| If your situation is… | This page’s job |
|---|---|
| You handle CUI and need a Level 2 documentation package | Build your SSP, scope package, POA&M, SPRS/affirmation records, and family-by-family evidence — start here |
| You handle only FCI (no CUI) | This is overkill. You need Level 1, not Level 2 — see our CMMC levels guide to confirm |
| You need Level 3 | Use this as the Level 2 prerequisite layer. Level 3 is built on a current Final Level 2 (C3PAO) status plus 24 selected requirements from NIST SP 800-172 |
| You already bought template packs | Use this to check whether those templates describe the system you actually run — most don’t, and that’s a top failure point |
| You’re about to book a C3PAO | Use this to pressure-test whether your package is assessment-ready before you spend the money |
This is the documentation-and-evidence deep dive. For the complete Level 2 implementation walkthrough — all 110 controls, scoring, and provider categories — see our parent guide, the CMMC Level 2 Checklist.
Required vs. conditional vs. useful: the whole checklist at a glance
Every artifact falls into one of four tiers. Learn the tiers and the rest of the page clicks into place.
| Artifact | Tier | The one-line truth |
|---|---|---|
| System Security Plan (SSP) | Required by rule | Must be in place at assessment. Missing it stops the assessment cold. |
| Asset inventory + network diagram | Required scoping artifacts | Named in 32 CFR 170.19. You can’t document controls until you know where CUI lives. |
| CUI data-flow diagram | Required by DoD scoping guidance | Called for in DoD’s Level 2 Scoping Guide; your network diagram must show how CUI flows. |
| SPRS status record + annual affirmation | Required reporting/status artifacts | This is how DoD sees your status. No current status where your contract requires it, no award. |
| POA&M | Conditional | Allowed only for eligible gaps, under strict rules, with a 180-day clock. |
| Evidence index / artifact register | Assessor-useful, practically essential | Ties every requirement to proof an assessor can find in seconds. |
| Policies, procedures, logs, tickets, configs, training records | Operational evidence | Must be final, current, and match what you actually do. |
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
What documents does a CMMC Level 2 documentation checklist actually require?
The honest answer: The NIST SP 800-171 Rev. 2 Level 2 security requirements name only two planning documents directly — the System Security Plan (requirement 3.12.4) and the POA&M (requirement 3.12.2). 32 CFR Part 170 separately requires or records other artifacts — your scope, asset inventory, network diagram, SPRS or eMASS status data, affirmations, and evidence retention — but there is no single, government-issued master document pack that guarantees you a pass.
We read the source. The DoD’s own CMMC Assessment Guide – Level 2 describes the documents an assessor might review, then says plainly that the list “is not exhaustive or prescriptive.” NIST goes further in SP 800-171 Rev. 2: for the SSP specifically, “there is no prescribed format or specified level of detail.” The government tells you what outcomes to prove and how the assessment works — it does not hand you a numbered folder and promise that filling it earns you a certificate.
So why does nearly every vendor page publish “the required CMMC documents”? Because a fixed list sells templates and reads easier than the truth. The truth is more useful: two documents are named in the requirements, a handful of scope and status artifacts are effectively mandatory under 32 CFR Part 170, and the rest is evidence that has to match a system you actually operate.
The DCR CMMC Level 2 Documentation Truth Table
| Document / artifact | Tier | Why it matters | The false assumption that costs you | Primary source |
|---|---|---|---|---|
| System Security Plan (SSP) | Mandatory by rule | Describes your system boundary, environment, how each requirement is implemented, and your connections | “We can POA&M the SSP.” You can’t — it’s one of six controls barred from a Level 2 POA&M | NIST SP 800-171 §3.12.4; 32 CFR 170.21 |
| CUI scope definition | Mandatory foundation | Sets what gets assessed; everything else depends on it | “We’ll document controls before we map where CUI lives” | 32 CFR 170.19 |
| Asset inventory (by CMMC asset category) | Mandatory scoping | Shows what’s in scope, limited scope, or out of scope | “Only servers holding CUI matter” — security protection assets count too | 32 CFR 170.19 |
| Network diagram | Mandatory scoping | Shows boundaries, enclaves, segmentation, external connections, and how CUI flows | “Last year’s Visio is fine” | 32 CFR 170.19 |
| CUI data-flow diagram | Required by DoD scoping guidance | Traces how CUI enters, moves, and leaves your boundary | “We know it in our heads” | DoD CMMC Scoping Guide – Level 2 |
| Customer Responsibility Matrix (CRM) / ESP documentation | Conditional | Documents who operates which controls when a cloud or MSP is involved | “The provider’s compliance makes us compliant” | 32 CFR 170.19(c)(2) |
| POA&M | Conditional | Tracks only eligible unmet requirements for Conditional status | “Any open gap can go on a POA&M” | 32 CFR 170.21 |
| SPRS status record | Mandatory reporting | Records your CMMC level, status, scope, CAGE, score, and POA&M status | “SPRS is just a number” | 32 CFR 170.16; DFARS 252.204-7020 |
| Annual affirmation | Mandatory ongoing | A senior official attests continued compliance | “Assessment is one-and-done for three years” | 32 CFR 170.22 |
| Evidence index / artifact register | Assessor-useful, essential | Makes every artifact traceable and defensible | “A pile of screenshots is evidence management” | DoD CMMC Assessment Guide – L2 |
| Policies and procedures | Operational evidence | Show intended process — but must match reality | “A policy proves the control is implemented” | DoD CMMC Assessment Guide – L2 |
| Configs, logs, tickets, training, IR records | Operational evidence | Prove the control actually operates over time | “We can generate this the week before assessment” | NIST SP 800-171A |
Map your situation before you spend a dollar
Knowing what you need is half the problem. The other half is knowing who you need. A 12-person machine shop on commercial Microsoft 365 needs a different path than a mid-tier prime already running GCC High. Find My CMMC Path maps your required level, your FCI/CUI situation, your assessment type, cloud and IT environment, and timeline to the right provider category before you make any expensive decisions.
Map my situation to the right provider category →
The System Security Plan: the one document you cannot skip or defer
The SSP is the center of gravity for CMMC Level 2 documentation. Under 32 CFR Part 170, you must have an up-to-date SSP in place at the time of assessment, and it cannot be deferred to a POA&M. If it’s missing or stale, the assessment doesn’t just go poorly — it can’t be completed.
We’re quoting the rule directly because the consequence language is that important. Per 32 CFR Part 170, an organization “must have a System Security Plan (SSP) (CMMC security requirement CA.L2-3.12.4) in place at the time of assessment,” and “the absence of an up to date SSP at the time of the assessment would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.’”
Read that twice. No SSP means two failures at once: your assessment can’t finish, and you’re out of compliance with DFARS 252.204-7012 (the Safeguarding Covered Defense Information clause). This is not a document you draft last.
NIST SP 800-171 requirement 3.12.4 spells out what the SSP has to describe: your system boundaries, your environment of operation, how each security requirement is implemented, and your relationships with or connections to other systems. There’s no mandated format — but there are non-negotiable contents.
What your Level 2 SSP has to cover
At a minimum, build these into the SSP:
- System name, owner, and the CAGE code(s) it maps to
- Your CUI boundary and the in-scope locations, users, and assets
- A reference to your network diagram and CUI data-flow diagram
- Every external connection and every External Service Provider (ESP) relationship, with a Customer Responsibility Matrix where controls are shared or inherited
- A requirement-by-requirement implementation narrative for all 110 requirements, each with a named owner and a pointer to the evidence
- Cross-references to your POA&M for anything not yet met
- Version history and an approval record
The SSP mistakes that quietly sink assessments
The pattern we see over and over: the SSP describes the company someone wants to be, not the systems they actually run. Specifically:
- The SSP describes aspirational controls instead of implemented ones.
- The SSP contradicts the asset inventory or the network diagram.
- The SSP says “our cloud provider handles this” with no CRM to back it.
- The SSP is a template that still references systems the company doesn’t own.
- The SSP is stale and no longer matches the current environment.
Here’s the one thing we’ll admit that most checklist pages won’t: a documentation checklist — including this one — will not make you compliant. You can assemble every artifact on this page and still fail, because a CMMC assessment doesn’t score documents. It scores whether your documents describe a system you actually operate, verified by examination, interview, and testing.
Free primary-source starting point: NIST publishes a free CUI System Security Plan template and a free CUI Plan of Action template alongside SP 800-171 Rev. 2 on the NIST Computer Security Resource Center (csrc.nist.gov). They’re the closest thing to an official starting structure. Just remember NIST’s own planning note: a template gives you structure, not compliance.
Scope first: the asset inventory, network diagram, and CUI data-flow diagram
Scope comes before documentation, not after. For Level 2, 32 CFR 170.19 requires you to define your assessment scope before the assessment and to categorize every asset — because the category determines what evidence an assessor will expect and what falls outside the boundary. Get the boundary wrong and you either overpay for compliance on systems that never needed it, or under-scope and fail.
The five CMMC Level 2 asset categories
| Asset category | What to document | Why it matters |
|---|---|---|
| CUI Assets | Inventory, SSP treatment, network diagram; assessed against all 110 requirements | These process, store, or transmit CUI — full scope |
| Security Protection Assets | Inventory, SSP treatment, network diagram | These provide security functions for CUI assets — in scope even if they never touch CUI |
| Contractor Risk Managed Assets | Inventory, SSP treatment, network diagram, plus a written rationale | Could handle CUI but aren’t intended to, per your policy and practice |
| Specialized Assets | Inventory, SSP treatment, network diagram, risk-based handling | IoT, OT, government-furnished equipment, test equipment, restricted systems |
| Out-of-Scope Assets | A defensible justification for why they can’t process, store, or transmit CUI | These must be genuinely, provably outside the boundary — and carry no documentation requirement otherwise |
Build the scope package first: a CUI inventory, a CUI data-flow diagram, an asset inventory tagged by category, a network diagram, a user-and-location list, an external-connection list, an ESP/CSP list, a Customer Responsibility Matrix, and — if you’re shrinking scope — enclave boundary documentation. Do this and the family-by-family evidence work below gets dramatically smaller.
CUI usually touches more than the file server. Email systems, endpoints used for multi-factor authentication, and cloud collaboration tools frequently pull themselves into scope. If that’s you, use the CMMC Scoping Guide to understand asset categories and boundary reduction, or use Find My CMMC Path to determine whether your next step is RPO/RP scoping help, an MSSP, a GRC platform, or a CUI enclave.
The CMMC Level 2 documentation checklist, family by family
CMMC Level 2 maps to all 110 requirements in NIST SP 800-171 Rev. 2, organized into 14 control families. Each family generally needs a documented policy, documented procedures, and evidence that the applicable requirements are met — but the exact artifacts depend on your scoped environment, not a universal list.
| # | Family (code, reqs) | Documentation typically expected | Evidence an assessor can examine or test |
|---|---|---|---|
| 1 | Access Control (AC, 22) | Access control policy; account lifecycle procedure; remote-access & mobile-device policy | Account request/review records, directory group listings, MFA config, VPN config, session-lock settings |
| 2 | Awareness & Training (AT, 3) | Security awareness policy; role-based training procedure; insider-threat materials | Training completion logs, CUI-handling acknowledgments |
| 3 | Audit & Accountability (AU, 9) | Audit/logging policy; logged-events list; log-review procedure | SIEM config, log samples, review tickets, time-sync settings |
| 4 | Configuration Management (CM, 9) | CM policy/plan; baseline configurations; change-control procedure; allow/deny-list policy | Hardware/software inventory, baseline exports, change tickets |
| 5 | Identification & Authentication (IA, 11) | Identification/authentication & password/authenticator policy | MFA reports, password policy settings, account identifier records |
| 6 | Incident Response (IR, 3) | Incident Response Plan; escalation & reporting procedures; test records | Tabletop after-action reports, incident tickets, DFARS 7012 reporting evidence |
| 7 | Maintenance (MA, 6) | Maintenance policy/procedures; remote-maintenance rules | Maintenance logs, tool control, sanitization-before-offsite records |
| 8 | Media Protection (MP, 9) | Media protection policy; marking/sanitization/transport procedures | Sanitization/destruction records, media inventory, CUI markings |
| 9 | Personnel Security (PS, 2) | Personnel security policy; screening & termination/transfer procedures | Screening records, offboarding/access-removal checklists |
| 10 | Physical Protection (PE, 6) | Physical & environmental protection policy; visitor-control procedure | Visitor logs, badge/escort records, access lists |
| 11 | Risk Assessment (RA, 3) | Risk assessment policy; vulnerability-management procedure | Risk register, scan reports, remediation tickets |
| 12 | Security Assessment (CA, 4) | SSP (3.12.4) + POA&M (3.12.2) + control-assessment (3.12.1) + continuous-monitoring (3.12.3) | SSP, POA&M, self-assessment results, monitoring records |
| 13 | System & Communications Protection (SC, 16) | SC policy; boundary-protection & encryption policy | Firewall rules, network + data-flow diagrams, FIPS-validated cryptographic module certificates |
| 14 | System & Information Integrity (SI, 7) | SI policy; flaw-remediation/patch procedure; malicious-code protection | Patch reports, endpoint protection config, scan-remediation records |
How your CMMC Level 2 documentation is actually assessed
Assessors don’t just read your policies — they examine, interview, and test. NIST SP 800-171A, the companion assessment methodology, breaks the 110 requirements into 320 assessment objectives, and every objective for a requirement must be MET (or Not Applicable) for that requirement to count. Documentation that doesn’t match what your people say and your systems show will fail, no matter how polished it looks.
- Examine — the assessor reviews your documentation: SSP, policies, procedures, configurations, logs.
- Interview — the assessor talks to the people who do the work to confirm the documents describe reality.
- Test — the assessor verifies the technical controls actually behave as described.
That’s why practitioners talk about a triad: documentation (is it written down?), implementation (is it deployed?), and institutionalization (is it performed, repeatable, and evidenced over time?). A policy satisfies the first. It does nothing for the other two.
A quick note on versions: 32 CFR 170.2 incorporates NIST SP 800-171 Rev. 2 and the June 2018 version of SP 800-171A by reference for Level 2 assessments. Until DoD amends the rule, those are the controlling versions. If you build your package around Rev. 3, you’re building to the wrong standard.
Build an evidence index — it’s the difference between passing and scrambling
The single most useful artifact the rule doesn’t name is an evidence index: a register that maps every requirement and objective to a specific artifact. For a C3PAO assessment, you must hash your evidence files and hand the assessor the artifact names, hash values, and hashing algorithm — so traceability isn’t optional in practice; it’s how the assessment runs.
Requirement ID · assessment objective · control family · artifact name · artifact type · owner · system/component · evidence date · refresh interval · storage location · CUI/sensitive flag · status (MET / NOT MET / N/A) · POA&M link · reviewer
And a hard rule from the assessment guidance: evidence must be final, not draft. Unapproved SOPs, undated screenshots, “the tool supports this” claims, one-time screenshots for recurring activities, and anything outside your assessed boundary do not count. If it isn’t final, current, and owned, an assessor can disregard it.
POA&M rules for Level 2: what you can defer, and what you can’t
A POA&M is not a “we’ll fix it later” escape hatch. Under 32 CFR 170.21, you can only earn a Conditional Level 2 status if your score is at least 80% (a minimum of 88 out of the 110-point maximum), every deferred item is a 1-point requirement (with one narrow encryption exception), none of six specific controls is deferred, and you close everything within 180 days.
The score gate. Your score must be at least 88 on the 110 scale. The DoD scoring methodology weights requirements at 1, 3, or 5 points and subtracts from 110, so scores can even go negative.
The point-value gate. Only requirements worth 1 point may go on the POA&M. The single exception: CUI Encryption (SC.L2-3.13.11) can be deferred only if encryption is in use but not yet FIPS-validated, which scores it at 3 points instead of 5. Everything worth 3 or 5 points — MFA, most access and audit controls — must be fully MET at assessment.
The clock. If you earn Conditional status, you have 180 days from the Conditional CMMC Status Date to close every POA&M item and pass a closeout assessment. Miss it, and Conditional status expires. See our full Conditional Level 2 & POA&M Closeout guide.
The six controls you can never defer
Per 32 CFR 170.21(a)(2)(iii), these are barred from a Level 2 POA&M. If any is unmet, you cannot earn Conditional status — full stop:
| Requirement | Name |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |
Write each POA&M entry like an assessor will read it: requirement ID, assessment objective, the finding, root cause, remediation action, owner, start date, target close date, the evidence needed to close it, an eligibility check, and the risk if it isn’t closed.
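The three gates above (score, point value with the encryption exception, and the six barred controls) are easy to get wrong when a package has a dozen open items. The following is an added example, not code from The Defense Compliance Report or from DoD: it takes a list of unmet requirements with their point weights and returns whether the package can reach Conditional Level 2 and, if not, every reason why. The point weights in the sample scenarios are constructed for illustration; the real weights come from the DoD NIST SP 800-171 Assessment Methodology table and must be looked up there before relying on the result.

```python
"""Conditional Level 2 eligibility check for a proposed POA&M (added example).

Encodes the 32 CFR 170.21 gates described on this page: score of at least
88 on the 110-point scale, only 1-point requirements deferred (except
SC.L2-3.13.11 when encryption is in use but not FIPS-validated, which
scores as 3), and none of the six barred controls left open.
Point weights are an input: the values in the sample scenarios are
constructed for illustration, not the published DoD methodology table.
"""
from __future__ import annotations
from dataclasses import dataclass

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88
ENCRYPTION_REQ = "SC.L2-3.13.11"

# Barred from a Level 2 POA&M per 32 CFR 170.21(a)(2)(iii).
NEVER_DEFER = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Gap:
    """One unmet requirement: its ID and its 1/3/5-point weight."""
    req_id: str
    weight: int
    encryption_in_use: bool = False  # only meaningful for SC.L2-3.13.11


def deduction(gap: Gap) -> int:
    """Points subtracted from 110 for this gap."""
    if gap.req_id == ENCRYPTION_REQ and gap.encryption_in_use:
        return 3  # encryption deployed but not FIPS-validated: 3 instead of 5
    return gap.weight


def score(gaps: list[Gap]) -> int:
    """DoD-style score: start at 110 and subtract each gap's weight (can go negative)."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def deferral_problem(gap: Gap) -> str | None:
    """Why this gap cannot sit on a Level 2 POA&M, or None if it may."""
    if gap.req_id in NEVER_DEFER:
        return f"{gap.req_id} is one of the six controls that can never be deferred"
    if gap.req_id == ENCRYPTION_REQ:
        if gap.encryption_in_use:
            return None
        return f"{gap.req_id}: no encryption in use, so the 3-point exception does not apply"
    if gap.weight != 1:
        return f"{gap.req_id} is worth {gap.weight} points; only 1-point items may be deferred"
    return None


def evaluate(gaps: list[Gap]) -> tuple[str, list[str]]:
    """Return ('Final', []), ('Conditional', []) or ('Not eligible', reasons)."""
    if not gaps:
        return "Final", []
    reasons: list[str] = []
    s = score(gaps)
    if s < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {s} is below the {CONDITIONAL_MIN_SCORE}-point gate")
    for g in gaps:
        problem = deferral_problem(g)
        if problem:
            reasons.append(problem)
    return ("Conditional" if not reasons else "Not eligible"), reasons


# Constructed scenarios. Weights below are illustrative, not the DoD table.
def scenario_conditional() -> list[Gap]:
    return [Gap("AC.L2-3.1.7", 1), Gap("MP.L2-3.8.6", 1),
            Gap(ENCRYPTION_REQ, 5, encryption_in_use=True)]  # 110-1-1-3 = 105


def scenario_high_point_gap() -> list[Gap]:
    return scenario_conditional() + [Gap("IA.L2-3.5.3", 5)]  # MFA unmet: not deferrable


def scenario_barred_control() -> list[Gap]:
    return [Gap("PE.L2-3.10.4", 1)]  # 1 point, but physical access logs are barred


def scenario_score_gate() -> list[Gap]:
    # 23 hypothetical 1-point gaps: each individually eligible, but 110-23 = 87 < 88
    return [Gap(f"HYPOTHETICAL-{i}", 1) for i in range(23)]


if __name__ == "__main__":
    for name, gaps in [("conditional", scenario_conditional()),
                       ("high-point gap", scenario_high_point_gap()),
                       ("barred control", scenario_barred_control()),
                       ("score gate", scenario_score_gate())]:
        status, reasons = evaluate(gaps)
        print(f"{name}: score {score(gaps)} -> {status}", *reasons, sep="\n  ")
```

Note that the check reports every reason rather than stopping at the first: a package with one barred control and a score of 87 has two separate problems to fix, and a remediation plan needs to see both.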
Pressure-test your package before you pay for an assessment
If your open gaps include the SSP, external connections, public-information control, or any of the physical-access controls above, your package may not support Conditional Level 2 — and paying a C3PAO before you know that is an expensive mistake. Tell us your level, scope, and timeline and we’ll point you to the category that stress-tests the package first.
Find My CMMC Path →
Self-assessment vs. C3PAO: does the documentation change?
The 110 requirements are identical for a Level 2 self-assessment and a C3PAO assessment. What changes is who reviews the evidence, how hard they scrutinize it, and where the results are recorded: self-assessment results go into SPRS, while C3PAO results go into the CMMC instantiation of eMASS. Your contract clause tells you which path applies. See our self-assessment vs. C3PAO guide for the full breakdown.
| Item | Level 2 Self | Level 2 C3PAO |
|---|---|---|
| Requirement set | Same 110 requirements | Same 110 requirements |
| Who assesses | Your organization | An authorized or accredited C3PAO |
| Where results go | SPRS | CMMC eMASS → SPRS |
| Evidence depth | Must be defensible | Must be assessor-ready and hashed |
| Affirmation | Required in SPRS (annually) | Required in SPRS (annually) |
| POA&M rules | Same conditional-status limits | Same conditional-status limits |
| Best use of this checklist | Build a defensible self-assessment package | Build a pre-assessment evidence package |
DFARS 252.204-7021 (the contract clause that makes CMMC binding) took effect November 10, 2025, which started Phase 1 of the rollout. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 (C3PAO) for applicable solicitations as a condition of award. If you’re documenting for a self-assessment today, build the evidence to a C3PAO standard anyway. It’s the same package, and your path can change with your next contract.
What goes in SPRS — and what must never go in a web form
SPRS (the Supplier Performance Risk System) stores your assessment record, not your evidence. For a CMMC Level 2 self-assessment, 32 CFR 170.16 requires you to record, at minimum, your CMMC level and status, the CMMC Status Date, the assessment scope, your CAGE code(s), your Level 2 self-assessment score, and POA&M status if applicable. A lead-routing or contact form is not SPRS, and it should never collect sensitive information.
There’s a related-but-separate posting people conflate with this. The legacy NIST SP 800-171 DoD Assessment under DFARS 252.204-7020 posts its own record — the NIST version assessed, the organization that ran it, CAGE code(s), a brief SSP architecture description, the assessment date, the summary score, and the expected full-implementation date. DFARS 252.204-7019 requires an offeror to have a current assessment on file — generally not more than three years old — with the summary score posted in SPRS. Two systems, two records; know which one your solicitation is asking about.
How long do you have to keep CMMC Level 2 evidence?
Six years. For a Level 2 self-assessment, 32 CFR 170.16 requires you to retain the artifacts used as evidence for six years from the CMMC Status Date. For a Level 2 C3PAO assessment, 32 CFR 170.17 requires the same six-year retention — but the artifacts must be hashed with a NIST-approved algorithm, and you provide the C3PAO with the artifact names, the hash values, and the hashing algorithm for upload into eMASS.
Your evidence library isn’t a one-time assessment prop. It’s a six-year record you have to preserve intact — which is one more reason the evidence index earns its keep. If you can’t produce a named, dated, unaltered artifact two years after your assessment, you don’t really have evidence; you have a memory.
How to organize your CMMC documentation library
Organize by scope, requirement, owner, and evidence date — and make everything trace back to the SSP. An assessor should be able to follow any requirement to its proof without asking you where it lives.
Here’s a folder structure that mirrors how a Level 2 assessment actually flows:
```
/00_Read_Me_and_Index
/01_Scope
    /Asset_Inventory
    /Network_Diagrams
    /CUI_Data_Flows
    /ESP_CSP_CRM
/02_SSP
    /Current_Approved_SSP
    /Version_History
/03_POAM
    /Current_POAM
    /Closeout_Evidence
/04_SPRS_and_Affirmation
/05_Policies_and_Procedures
/06_Evidence_By_Family
    /AC_Access_Control
    /AT_Awareness_and_Training
    /AU_Audit_and_Accountability
    /CM_Configuration_Management
    /IA_Identification_and_Authentication
    /IR_Incident_Response
    /MA_Maintenance
    /MP_Media_Protection
    /PS_Personnel_Security
    /PE_Physical_Protection
    /RA_Risk_Assessment
    /CA_Security_Assessment
    /SC_System_and_Communications_Protection
    /SI_System_and_Information_Integrity
/07_Assessment_Workpapers
/08_Archive
```
Name files so the requirement, artifact, date, and status are visible before anyone opens them:
```
AC.L2-3.1.1_User_Access_Review_Q2-2026_APPROVED.pdf
CM.L2-3.4.1_Baseline_Config_Windows_Workstations_2026-06-15.pdf
IR.L2-3.6.2_Incident_Response_Test_After_Action_Report_2026-05.pdf
```
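Hashing the library and enforcing the naming convention can be scripted, which also gives you the artifact name / hash value / algorithm triples a C3PAO needs for eMASS upload (32 CFR 170.17, discussed under retention above). The following is an added example, not code from The Defense Compliance Report or from any CMMC or DoD source. It assumes the folder layout and filename pattern shown above (requirement ID, description, date or quarter, optional status), builds three constructed sample files in a temporary directory, hashes each with SHA-256, and flags artifacts that are unapproved, zero-byte, filed under the wrong family folder, or not named to the convention.

```python
"""Hashed evidence manifest with naming-convention checks (added example).

Walks an evidence library laid out like the folder tree above, hashes every
artifact with SHA-256 (a NIST-approved algorithm), and checks that each file
name carries a requirement ID, a date or quarter, and an APPROVED status.
The naming pattern, the folder layout and the sample files are assumptions
made for this example, not a DoD or CMMC requirement.
"""
from __future__ import annotations
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

HASH_ALGORITHM = "SHA-256"

# Assumed convention: <FAMILY>.L2-<req>_<description>_<date>[_<STATUS>].<ext>
NAME_PATTERN = re.compile(
    r"^(?P<req>[A-Z]{2}\.L2-3\.\d{1,2}\.\d{1,2})_"     # e.g. AC.L2-3.1.1
    r"(?P<desc>.+?)_"                                   # free-text description
    r"(?P<date>\d{4}-\d{2}(?:-\d{2})?|Q[1-4]-\d{4})"    # 2026-06-15, 2026-05 or Q2-2026
    r"(?:_(?P<status>[A-Z]+))?\.(?P<ext>\w+)$"          # optional _APPROVED, then extension
)


@dataclass
class ManifestEntry:
    artifact: str
    digest: str
    requirement: str | None = None
    status: str | None = None
    findings: list[str] = field(default_factory=list)


def hash_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_artifact(path: Path) -> ManifestEntry:
    """Hash one artifact and record anything an assessor could use to disregard it."""
    entry = ManifestEntry(artifact=path.name, digest=hash_file(path))
    if path.stat().st_size == 0:
        entry.findings.append("zero-byte file")
    m = NAME_PATTERN.match(path.name)
    if not m:
        entry.findings.append("name lacks requirement ID, date or status")
        return entry
    entry.requirement = m.group("req")
    entry.status = m.group("status")
    if entry.status != "APPROVED":
        entry.findings.append("not marked APPROVED; assessors may treat it as draft")
    # The family folder (AC_..., CM_...) should match the requirement's family prefix.
    family = entry.requirement[:2]
    if not path.parent.name.startswith(family + "_"):
        entry.findings.append(f"filed under {path.parent.name}, not the {family} family folder")
    return entry


def build_manifest(root: Path) -> list[ManifestEntry]:
    """Every file under root, in a stable sorted order."""
    return [inspect_artifact(p) for p in sorted(root.rglob("*")) if p.is_file()]


def manifest_lines(entries: list[ManifestEntry]) -> list[str]:
    """Artifact name, hash value and algorithm: the three things handed to the C3PAO."""
    return [f"{e.artifact}\t{e.digest}\t{HASH_ALGORITHM}" for e in entries]


def demo() -> list[ManifestEntry]:
    """Build a constructed sample library in a temp dir and return its manifest."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    samples = {  # constructed sample files; contents are placeholders
        "06_Evidence_By_Family/AC_Access_Control/"
        "AC.L2-3.1.1_User_Access_Review_Q2-2026_APPROVED.pdf": b"constructed access review export",
        "06_Evidence_By_Family/CM_Configuration_Management/"
        "CM.L2-3.4.1_Baseline_Config_Windows_Workstations_2026-06-15.pdf": b"constructed baseline export",
        "06_Evidence_By_Family/IR_Incident_Response/tabletop notes.docx": b"",  # unnamed, empty draft
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return build_manifest(root)


if __name__ == "__main__":
    for line, entry in zip(manifest_lines(demo()), demo()):
        print(line, entry.findings)
```

Run the script against the real `06_Evidence_By_Family` tree instead of `demo()` and keep the manifest it emits with the evidence: re-hashing an artifact two years later and comparing against that manifest is how you show a retained file is the same one the assessor saw.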
The documentation mistakes that make you look ready when you’re not
The most dangerous documentation mistake is mistaking intent for proof. CMMC evidence has to show requirements that are implemented and operating — not policies that say you plan to. These are common upkeep failures to check before your assessment:
| Mistake | Why it fails | The fix |
|---|---|---|
| Template SSP doesn’t match the environment | The SSP must describe the real system | Rewrite by scope, asset, and implementation reality |
| Scope is undefined | Evidence can’t be judged without a boundary | Build the CUI map, inventory, and diagram first |
| POA&M includes barred or high-point items | Conditional rules are narrow (see the six controls above) | Check 32 CFR 170.21 before relying on a POA&M |
| SSP built once, never updated (objective 3.12.4[h]) | A frequently cited failure — a stale SSP scores against you | Maintain a change log; review at least annually |
| System inventory drifts (objective 3.4.1[f]) | A frequently cited failure — inventory must stay current | Reconcile inventory to reality on a cadence |
| Incident response plan never tested (requirement 3.6.3) | A frequently cited failure — a plan on paper isn’t enough | Run and document a tabletop |
| Policies exist but logs/tickets don’t | Policy doesn’t prove operation | Add recurring operational evidence |
| Provider responsibility is assumed | Shared responsibility must be documented | Add a CRM and reflect it in the SSP |
| Evidence is draft or unapproved | Final evidence must be final | Approve and version-control every artifact |
| Package built around NIST 800-171 Rev. 3 | CMMC Level 2 currently maps to Rev. 2 | Use Rev. 2 mapping until DoD amends the rule |
Which provider category do you actually need?
A documentation gap means different things depending on where it sits — and the fix is a different category of provider each time. No SSP or POA&M usually points to readiness help; controls that aren’t operated day-to-day point to managed IT/security; disorganized evidence points to a GRC platform; too much CUI in scope points to an enclave; and a ready package on a C3PAO-required contract points to an assessment. Matching the problem to the category is the whole game.
| If the documentation problem is… | Likely category | Why | What to verify before you hire |
|---|---|---|---|
| “We don’t know our scope” | RPO/RP or CUI enclave | Scope drives every downstream document and cost | CMMC experience with your environment type; a scoping methodology, not just a tool |
| “We have no SSP or POA&M” | RPO/RP (readiness) | Readiness and documentation structure come before assessment | Whether they build docs that match your real operations, not templates |
| “Our tools aren’t configured or monitored” | MSSP (Managed Security Service Provider) | Documentation can’t substitute for operated controls | Who operates evidence, and how shared responsibility is documented (CRM) |
| “Evidence exists but it’s scattered” | GRC platform | Workflow and evidence mapping is the bottleneck | That it exports real, dated evidence — not just dashboards |
| “CUI touches too much of the company” | CUI enclave | Shrinking scope shrinks the documentation burden | That separation is enforced (segmentation), since encryption alone isn’t isolation |
| “Everything is implemented and evidenced” | C3PAO | Formal assessment is appropriate when the clause requires it | Current Cyber AB Marketplace status; conflict-of-interest separation from your readiness firm |
One independence rule you have to respect. Under the Cyber AB’s conflict-of-interest requirements referenced in 32 CFR 170.8, a member of the CMMC ecosystem generally cannot participate in your Level 2 certification assessment if they served as a consultant to prepare you for that assessment within the prior three years. Keep readiness and remediation help appropriately separated from formal assessment. Don’t hire the same firm to build your program and then certify it where that’s prohibited.
Get matched with source-checked provider options
A C3PAO, an RPO, an MSSP, a GRC platform, and a CUI enclave solve genuinely different problems, and hiring the wrong one is how six-figure budgets evaporate. Tell us your level, scope, assessment path, environment, and timeline, and we’ll map you to source-checked provider options by category.
Find My CMMC Path →
Your next 7 days
Don’t start by buying every template or booking a C3PAO. Start by confirming your assessment path, locking scope, updating the SSP, and building an evidence index — in that order.
| Day | Action |
|---|---|
| 1 | Confirm the contract clause, required level, and self vs. C3PAO path |
| 2 | Map CUI and define your preliminary scope |
| 3 | Build or update the asset inventory, network diagram, and CUI data-flow diagram |
| 4 | Review SSP completeness against the scoped environment |
| 5 | Build the evidence index by requirement and objective |
| 6 | Check POA&M eligibility and remove any barred assumptions |
| 7 | Decide your provider category: readiness, managed controls, GRC, enclave, or assessment |
Do the seven days, and you’ll know exactly what you have, what you’re missing, and who to call. That’s the whole point of a documentation checklist — not to collect paper, but to make your next expensive decision an informed one.
How we built and verified this checklist
We built this from primary sources first, then translated the rule and assessment mechanics into a working documentation package. Every regulatory claim on this page is tied to the authority that established it, and we re-verify the volatile ones quarterly.
What we verified (July 2026), by section:
- CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (110 requirements) — 32 CFR 170.14, incorporated by reference in 32 CFR 170.2.
- The only documents named in the Level 2 requirements are the SSP (3.12.4) and POA&M (3.12.2) — NIST SP 800-171 Rev. 2.
- The SSP must be in place at assessment, and its absence causes a finding of noncompliance with DFARS 252.204-7012 — 32 CFR Part 170, Subpart D.
- Scoping and asset categories (asset inventory, SSP, network diagram; ESP/CSP/CRM) — 32 CFR 170.19; CUI data-flow diagrams per the DoD CMMC Scoping Guide – Level 2.
- The six controls barred from a Level 2 POA&M and the 88-point / 180-day rules — 32 CFR 170.21.
- SPRS inputs for Level 2 Self — 32 CFR 170.16; legacy NIST assessment posting — DFARS 252.204-7019 / -7020.
- Six-year artifact retention (hashed for C3PAO) — 32 CFR 170.16 and 170.17.
- 320 assessment objectives, assessed by examine/interview/test — NIST SP 800-171A (June 2018 version, incorporated by reference).
- The document list is “not exhaustive or prescriptive” — DoD CMMC Assessment Guide – Level 2.
- Phase 1: Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026 — 32 CFR 170.3 and the DFARS final rule.
This page is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you rely on any interpretation. See our editorial standards and corrections policy for how we source and update this work.
CMMC Level 2 documentation checklist: FAQ
What is a CMMC Level 2 documentation checklist?
A CMMC Level 2 documentation checklist is the working set of documents and evidence needed to prove implementation of the 110 NIST SP 800-171 Rev. 2 requirements — anchored by a System Security Plan and a POA&M, plus scope artifacts, SPRS and affirmation records, and family-by-family policies, procedures, and evidence. The requirements name only two documents directly; the rest is evidence sized to your environment.
Is an SSP required for CMMC Level 2?
Yes. Under 32 CFR Part 170, an up-to-date System Security Plan (requirement CA.L2-3.12.4) must be in place at the time of assessment. Its absence results in a finding that the assessment can’t be completed and that you’re noncompliant with DFARS 252.204-7012.
Can the SSP be on a POA&M?
No. CA.L2-3.12.4 (System Security Plan) is one of six requirements explicitly barred from a Level 2 POA&M under 32 CFR 170.21(a)(2)(iii). You must have the SSP in place to earn any Level 2 status.
Can you use a template SSP?
A template helps with structure, but it doesn’t prove implementation. NIST publishes a free CUI SSP template — a reasonable starting point — but the SSP has to describe your actual scoped environment, assets, providers, and control implementation, or it will fail an assessment.
Is a POA&M allowed for CMMC Level 2?
Yes, but only under strict conditions: your score must be at least 88 of 110 (0.8), only 1-point requirements may be deferred (with a narrow encryption exception for SC.L2-3.13.11), none of the six barred controls may be open, and everything must close within 180 days — per 32 CFR 170.21.
Which CMMC Level 2 requirements cannot go on a POA&M?
Per 32 CFR 170.21(a)(2)(iii): AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). Requirements worth 3 or 5 points also generally cannot be deferred.
What evidence counts for CMMC Level 2?
Final, approved documentation plus configurations, logs, tickets, training records, diagrams, and the results of interviews and testing — all tied to a specific requirement and to your assessed scope. NIST SP 800-171A defines 320 assessment objectives, and your evidence must satisfy the objectives, not just exist.
How long do you have to retain CMMC Level 2 evidence?
Six years from the CMMC Status Date. For a self-assessment, you retain the evidence artifacts (32 CFR 170.16). For a C3PAO assessment, you retain the hashed artifacts for six years and provide the C3PAO with the artifact names, hash values, and hashing algorithm for upload into eMASS (32 CFR 170.17).
Do C3PAO assessment artifacts need to be hashed?
Yes. For a Level 2 certification assessment, 32 CFR 170.17 requires you to hash your evidence files using a NIST-approved algorithm and give the C3PAO the artifact names, hash values, and algorithm. The hashes let anyone who later inspects your retained artifacts confirm they are the same files the C3PAO examined. Hash only final versions: any edit after hashing, even fixing a typo in the SSP, changes the digest and breaks that chain, so if a file must change before upload, rehash it and reissue the list.
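The following is an added example, not code from this page, from DoD, or from any C3PAO tooling. It shows one way to produce the artifact-name / hash-value / algorithm list the rule asks for, and to re-check the retained files afterwards. It assumes SHA-256 (a NIST-approved algorithm under FIPS 180-4) and a folder layout where each artifact sits under its requirement ID, so the same manifest can serve as the day-5 evidence index. Every file name, folder and byte of content in `demo()` is constructed sample data.

```python
"""Hash manifest for CMMC Level 2 assessment artifacts (added example).

Builds the artifact-name / hash-value / algorithm list that 32 CFR 170.17
asks for, and re-verifies the retained files later. Assumption: SHA-256 is
used (NIST-approved under FIPS 180-4). All file names, requirement folders
and contents in demo() are constructed sample data, not real evidence.
"""
import hashlib
import tempfile
from pathlib import Path

ALGORITHM = "sha256"  # assumption: any NIST-approved hash would satisfy the rule


def hash_bytes(data: bytes, algorithm: str = ALGORITHM) -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: Path, algorithm: str = ALGORITHM, chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so large PDFs and log exports fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algorithm: str = ALGORITHM) -> dict:
    """Hash every regular file under root; names are root-relative POSIX paths.

    Keeping artifacts in folders named by requirement ID (AC.L2-3.1.1/...)
    lets the same manifest double as the evidence index.
    """
    files = sorted(p for p in root.rglob("*") if p.is_file())
    artifacts = [{"name": p.relative_to(root).as_posix(), "hash": hash_file(p, algorithm)}
                 for p in files]
    return {"algorithm": algorithm, "artifacts": artifacts}


def manifest_lines(manifest: dict) -> list[str]:
    """Render the manifest in sha256sum checklist form: '<hash>  <name>'."""
    return [f"{a['hash']}  {a['name']}" for a in manifest["artifacts"]]


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare retained files against the manifest.

    Reports files that still match (ok), were edited after hashing (changed),
    were removed (missing), and files present but never hashed (unlisted),
    which is what a reviewer would flag as evidence added after the assessment.
    """
    algorithm = manifest["algorithm"]
    expected = {a["name"]: a["hash"] for a in manifest["artifacts"]}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "changed": [], "missing": [],
              "unlisted": sorted(present - set(expected))}
    for name in sorted(expected):
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hash_file(path, algorithm) != expected[name]:
            report["changed"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo() -> dict:
    """Constructed walkthrough: hash a small evidence set, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed placeholders, not real artifacts
            "AC.L2-3.1.1/access-control-policy.pdf": b"%PDF-1.4 sample policy\n",
            "AC.L2-3.1.1/ad-group-export.csv": b"group,member\nCUI-Users,jdoe\n",
            "CA.L2-3.12.4/ssp-v3.docx": b"PK\x03\x04 sample SSP\n",
        }
        for name, data in samples.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        manifest = build_manifest(root)

        # Post-hashing drift: one file edited, one replaced by a newer version.
        (root / "AC.L2-3.1.1/ad-group-export.csv").write_bytes(
            b"group,member\nCUI-Users,jdoe\nCUI-Users,newhire\n")
        (root / "CA.L2-3.12.4/ssp-v3.docx").unlink()
        (root / "CA.L2-3.12.4/ssp-v4.docx").write_bytes(b"PK\x03\x04 revised SSP\n")

        report = verify_manifest(root, manifest)
        report["manifest"] = manifest
        return report


if __name__ == "__main__":
    result = demo()
    print("\n".join(manifest_lines(result["manifest"])))
    for key in ("ok", "changed", "missing", "unlisted"):
        print(f"{key}: {result[key]}")
```

The `manifest_lines` output is in the two-space `sha256sum` format, so the list you hand the C3PAO can also be re-checked from a shell with `sha256sum -c`. The `unlisted` bucket is the one to watch: a file that appears in the retained set without a recorded hash is indistinguishable, six years on, from evidence that was never assessed.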
Does Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
Rev. 2. 32 CFR 170.2 incorporates NIST SP 800-171 Revision 2 by reference for CMMC, so Level 2 maps to the 110 Rev. 2 requirements — even though NIST has since published Rev. 3. Do not build your package around Rev. 3 unless and until DoD amends the rule.
What goes into SPRS for a Level 2 self-assessment?
Per 32 CFR 170.16, your CMMC Level 2 self-assessment record includes, at minimum, your CMMC level and status, the CMMC Status Date, the assessment scope, your CAGE code(s), your Level 2 self-assessment score, and POA&M status if applicable. That’s separate from the legacy NIST SP 800-171 DoD Assessment score posted under DFARS 252.204-7019/-7020.
How do DFARS 252.204-7019 and -7020 differ from CMMC Level 2 SPRS reporting?
DFARS 252.204-7019 and -7020 govern the legacy NIST SP 800-171 DoD Assessment — the self-scored 800-171 posting that must be current in SPRS. CMMC Level 2 reporting under 32 CFR 170.16/170.17 records your CMMC status itself. Both can apply; check which your solicitation requires.
Does a C3PAO assessment use different documentation?
No — the 110 requirements are the same for self-assessment and C3PAO assessment. What differs is who assesses, how rigorously they examine evidence, that C3PAO evidence must be hashed, and where results are recorded (self goes to SPRS; C3PAO goes to CMMC eMASS and then SPRS).
What changes if we use an ESP, CSP, or CUI enclave?
If you use an External Service Provider or Cloud Service Provider, 32 CFR 170.19 requires you to document the relationship and services in your SSP and to reflect shared responsibilities in a Customer Responsibility Matrix. A CUI enclave can shrink your scope — but only if separation is actually enforced; DoD guidance is explicit that encryption alone doesn’t create logical separation.
Do subcontractors need their own CMMC Level 2 documentation?
If a subcontractor processes, stores, or transmits FCI or CUI, flow-down applies and the subcontractor generally needs its own documentation and assessment at the required level. The CMMC rule includes flow-down obligations for primes and subcontractors at all tiers.
Can a GRC platform replace CMMC documentation?
No. A GRC platform can organize evidence, map controls, and streamline workflow, but it can’t replace the SSP, the implementation of controls, the assessment evidence, or the required SPRS reporting and affirmation. It’s a supporting layer, not the whole solution.
When should we hire a C3PAO?
When your contract requires a Level 2 C3PAO assessment and your documentation and evidence package is genuinely ready. If your scope, SSP, POA&M, or evidence are still unresolved, readiness support usually comes first — and remember the independence rule that keeps readiness help separate from the certification assessment.
Keep going
- CMMC Level 2 Checklist: 110 Controls, Evidence & SPRS — the full readiness sequence (parent guide)
- CMMC Levels Explained — confirm whether you need Level 1, 2, or 3
- CMMC Self-Assessment vs. C3PAO — which path your clause requires
- CMMC Scoping Guide — asset categories and boundary reduction
- NIST 800-171 Requirements Checklist — all 110 requirements in detail
- NIST 800-171A Assessment Objectives — the 320 checks behind the 110 requirements
- Conditional Level 2 & POA&M Closeout — the 180-day path
- CMMC Level 2 Cost — what readiness and assessment actually run
- The CMMC Final Rule, Explained — 32 CFR Part 170 background
- Find My CMMC Path — map your situation to the right provider category
Primary sources
- 32 CFR Part 170 (CMMC Program Rule) — ecfr.gov/current/title-32/…/part-170
- NIST SP 800-171 Rev. 2 — csrc.nist.gov/pubs/sp/800/171/r2/upd1/final (free CUI SSP and Plan of Action templates linked on publication page)
- NIST SP 800-171A (assessment methodology, June 2018) — csrc.nist.gov/pubs/sp/800/171/a/final
- CMMC Assessment Guide – Level 2 and CMMC Scoping Guide – Level 2 — dodcio.defense.gov/CMMC
- DFARS 252.204-7012 / -7019 / -7020 / -7021 — Acquisition.gov
- SPRS (Supplier Performance Risk System) — sprs.csd.disa.mil