The Defense Compliance Report · CMMC 2.0 & the Defense Industrial Base

CMMC Level 2 Documentation Checklist: SSP, POA&M, Evidence & What Assessors Actually Require

By The Defense Compliance Report Editorial Team · Last reviewed · Source-checked against 32 CFR Part 170, NIST SP 800-171 Rev. 2, NIST SP 800-171A, DFARS 252.204-7012 / -7019 / -7020 / -7021, and the DoD CMMC Assessment Guide – Level 2.

Educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Bottom line up front: A complete CMMC Level 2 documentation checklist is built around the two documents the security requirements name directly, a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), plus the scope artifacts, policies, procedures, and evidence you need to prove all 110 security requirements across 14 control families in NIST SP 800-171 Revision 2. There is no official master document pack. What else you need depends on your scoped environment, your assessment type, and your cloud and IT setup.

That last sentence is where most contractors lose months and money. We’ll show you exactly why in a minute. First, who this page is for.

Who this page is for — and who should leave

If your situation is… | This page’s job
You handle CUI and need a Level 2 documentation package | Build your SSP, scope package, POA&M, SPRS/affirmation records, and family-by-family evidence; start here
You handle only FCI (no CUI) | This is overkill. You need Level 1, not Level 2; see our CMMC levels guide to confirm
You need Level 3 | Use this as the Level 2 prerequisite layer. Level 3 is built on a current Final Level 2 (C3PAO) status plus 24 selected requirements from NIST SP 800-172
You already bought template packs | Use this to check whether those templates describe the system you actually run; most don’t, and that’s a top failure point
You’re about to book a C3PAO | Use this to pressure-test whether your package is assessment-ready before you spend the money

This is the documentation-and-evidence deep dive. For the complete Level 2 implementation walkthrough — all 110 controls, scoring, and provider categories — see our parent guide, the CMMC Level 2 Checklist.

Required vs. conditional vs. useful: the whole checklist at a glance

Every artifact falls into one of four tiers. Learn the tiers and the rest of the page clicks into place.

Artifact | Tier | The one-line truth
System Security Plan (SSP) | Required by rule | Must be in place at assessment. Missing it stops the assessment cold.
Asset inventory + network diagram | Required scoping artifacts | Named in 32 CFR 170.19. You can’t document controls until you know where CUI lives.
CUI data-flow diagram | Required by DoD scoping guidance | Called for in DoD’s Level 2 Scoping Guide; your network diagram must show how CUI flows.
SPRS status record + annual affirmation | Required reporting/status artifacts | This is how DoD sees your status. No current status where your contract requires it, no award.
POA&M | Conditional | Allowed only for eligible gaps, under strict rules, with a 180-day clock.
Evidence index / artifact register | Assessor-useful, practically essential | Ties every requirement to proof an assessor can find in seconds.
Policies, procedures, logs, tickets, configs, training records | Operational evidence | Must be final, current, and match what you actually do.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

What documents does a CMMC Level 2 documentation checklist actually require?

The honest answer: The NIST SP 800-171 Rev. 2 Level 2 security requirements name only two planning documents directly, the System Security Plan (requirement 3.12.4) and the POA&M (requirement 3.12.2). 32 CFR Part 170 separately requires or records other artifacts (your scope, asset inventory, network diagram, SPRS or eMASS status data, affirmations, and evidence retention), but there is no single, government-issued master document pack that guarantees you a pass.

We read the source. The DoD’s own CMMC Assessment Guide – Level 2 describes the documents an assessor might review, then says plainly that the list “is not exhaustive or prescriptive.” NIST goes further in SP 800-171 Rev. 2: for the SSP specifically, “there is no prescribed format or specified level of detail.” The government tells you what outcomes to prove and how the assessment works; it does not hand you a numbered folder and promise that filling it earns you a certificate.

So why does nearly every vendor page publish “the required CMMC documents”? Because a fixed list sells templates and reads easier than the truth. The truth is more useful: two documents are named in the requirements, a handful of scope and status artifacts are effectively mandatory under 32 CFR Part 170, and the rest is evidence that has to match a system you actually operate.

The DCR CMMC Level 2 Documentation Truth Table

Built by reading 32 CFR Part 170, the NIST SP 800-171 Rev. 2 requirements, and the DoD Assessment Guide side by side. Every artifact classified by tier, with the false assumption that costs you and the primary source that resolves it.

Document / artifact | Tier | Why it matters | The false assumption that costs you | Primary source
System Security Plan (SSP) | Mandatory by rule | Describes your system boundary, environment, how each requirement is implemented, and your connections | “We can POA&M the SSP.” You can’t; it’s one of six controls barred from a Level 2 POA&M | NIST SP 800-171 §3.12.4; 32 CFR 170.21
CUI scope definition | Mandatory foundation | Sets what gets assessed; everything else depends on it | “We’ll document controls before we map where CUI lives” | 32 CFR 170.19
Asset inventory (by CMMC asset category) | Mandatory scoping | Shows what’s in scope, limited scope, or out of scope | “Only servers holding CUI matter” (security protection assets count too) | 32 CFR 170.19
Network diagram | Mandatory scoping | Shows boundaries, enclaves, segmentation, external connections, and how CUI flows | “Last year’s Visio is fine” | 32 CFR 170.19
CUI data-flow diagram | Required by DoD scoping guidance | Traces how CUI enters, moves, and leaves your boundary | “We know it in our heads” | DoD CMMC Scoping Guide – Level 2
Customer Responsibility Matrix (CRM) / ESP documentation | Conditional | Documents who operates which controls when a cloud or MSP is involved | “The provider’s compliance makes us compliant” | 32 CFR 170.19(c)(2)
POA&M | Conditional | Tracks only eligible unmet requirements for Conditional status | “Any open gap can go on a POA&M” | 32 CFR 170.21
SPRS status record | Mandatory reporting | Records your CMMC level, status, scope, CAGE, score, and POA&M status | “SPRS is just a number” | 32 CFR 170.16; DFARS 252.204-7020
Annual affirmation | Mandatory ongoing | A senior official attests continued compliance | “Assessment is one-and-done for three years” | 32 CFR 170.22
Evidence index / artifact register | Assessor-useful, essential | Makes every artifact traceable and defensible | “A pile of screenshots is evidence management” | DoD CMMC Assessment Guide – L2
Policies and procedures | Operational evidence | Show intended process, but must match reality | “A policy proves the control is implemented” | DoD CMMC Assessment Guide – L2
Configs, logs, tickets, training, IR records | Operational evidence | Prove the control actually operates over time | “We can generate this the week before assessment” | NIST SP 800-171A

Map your situation before you spend a dollar

Knowing what you need is half the problem. The other half is knowing who you need. A 12-person machine shop on commercial Microsoft 365 needs a different path than a mid-tier prime already running GCC High. Find My CMMC Path maps your required level, your FCI/CUI situation, your assessment type, cloud and IT environment, and timeline to the right provider category before you make any expensive decisions.

Disclosure: The Defense Compliance Report may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category guidance.

Map my situation to the right provider category →

The System Security Plan: the one document you cannot skip or defer

The SSP is the center of gravity for CMMC Level 2 documentation. Under 32 CFR Part 170, you must have an up-to-date SSP in place at the time of assessment, and it cannot be deferred to a POA&M. If it’s missing or stale, the assessment doesn’t just go poorly; it can’t be completed.

We’re quoting the rule directly because the consequence language is that important. Per 32 CFR Part 170, an organization “must have a System Security Plan (SSP) (CMMC security requirement CA.L2-3.12.4) in place at the time of assessment,” and “the absence of an up to date SSP at the time of the assessment would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.’”

Read that twice. No SSP means two failures at once: your assessment can’t finish, and you’re out of compliance with DFARS 252.204-7012 (the Safeguarding Covered Defense Information clause). This is not a document you draft last.

NIST SP 800-171 requirement 3.12.4 spells out what the SSP has to describe: your system boundaries, your environment of operation, how each security requirement is implemented, and your relationships with or connections to other systems. There’s no mandated format — but there are non-negotiable contents.

What your Level 2 SSP has to cover

At a minimum, build these into the SSP (the first four are the contents requirement 3.12.4 names; the rest come from the scoping rules in 32 CFR 170.19 and the assessment objectives):

  • The system boundary: what is inside the assessment scope, what is out, and the justification for anything you exclude
  • The environment of operation: sites, networks, enclaves, cloud services, and external service providers
  • How each of the 110 requirements is implemented, or which external service provider operates it, as recorded in your Customer Responsibility Matrix
  • Relationships with or connections to other systems, including every external connection
  • The asset inventory by CMMC asset category, the network diagram, and the CUI data-flow diagram, attached or referenced by version
  • A defined update frequency and a change log showing the SSP is actually maintained at that frequency (objective 3.12.4[h])

The SSP mistakes that quietly sink assessments

The pattern we see over and over: the SSP describes the company someone wants to be, not the systems they actually run. Specifically:

  • The SSP was written from a template and never edited to describe the real boundary, assets, and implementations
  • Scope was never defined, so the SSP describes controls with no boundary to judge them against
  • Cloud or MSP responsibilities are assumed rather than documented in a CRM and reflected in the SSP
  • The SSP was written once and never updated, even though objective 3.12.4[h] requires updates at a defined frequency
  • The SSP points to policies and procedures that are still drafts, so the evidence it cites doesn’t count

Here’s the one thing we’ll admit that most checklist pages won’t: a documentation checklist — including this one — will not make you compliant. You can assemble every artifact on this page and still fail, because a CMMC assessment doesn’t score documents. It scores whether your documents describe a system you actually operate, verified by examination, interview, and testing.

Free primary-source starting point: NIST publishes a free CUI System Security Plan template and a free CUI Plan of Action template alongside SP 800-171 Rev. 2 on the NIST Computer Security Resource Center (csrc.nist.gov). They’re the closest thing to an official starting structure. Just remember NIST’s own planning note: a template gives you structure, not compliance.

Scope first: the asset inventory, network diagram, and CUI data-flow diagram

Scope comes before documentation, not after. For Level 2, 32 CFR 170.19 requires you to define your assessment scope before the assessment and to categorize every asset, because the category determines what evidence an assessor will expect and what falls outside the boundary. Get the boundary wrong and you either overpay for compliance on systems that never needed it, or under-scope and fail.

The five CMMC Level 2 asset categories

Asset category | What to document | Why it matters
CUI Assets | Inventory, SSP treatment, network diagram; assessed against all 110 requirements | These process, store, or transmit CUI; full scope
Security Protection Assets | Inventory, SSP treatment, network diagram | These provide security functions for CUI assets; in scope even if they never touch CUI
Contractor Risk Managed Assets | Inventory, SSP treatment, network diagram, plus a written rationale | Could handle CUI but aren’t intended to, per your policy and practice
Specialized Assets | Inventory, SSP treatment, network diagram, risk-based handling | IoT, OT, government-furnished equipment, test equipment, restricted systems
Out-of-Scope Assets | A defensible justification for why they can’t process, store, or transmit CUI | These must be genuinely, provably outside the boundary, and carry no documentation requirement otherwise

Build the scope package first: a CUI inventory, a CUI data-flow diagram, an asset inventory tagged by category, a network diagram, a user-and-location list, an external-connection list, an ESP/CSP list, a Customer Responsibility Matrix, and — if you’re shrinking scope — enclave boundary documentation. Do this and the family-by-family evidence work below gets dramatically smaller.

CUI usually touches more than the file server. Email systems, endpoints used for multi-factor authentication, and cloud collaboration tools frequently pull themselves into scope. If that’s you, use the CMMC Scoping Guide to understand asset categories and boundary reduction, or use Find My CMMC Path to determine whether your next step is RPO/RP scoping help, an MSSP, a GRC platform, or a CUI enclave.

The CMMC Level 2 documentation checklist, family by family

CMMC Level 2 maps to all 110 requirements in NIST SP 800-171 Rev. 2, organized into 14 control families. Each family generally needs a documented policy, documented procedures, and evidence that the applicable requirements are met, but the exact artifacts depend on your scoped environment, not a universal list.

Read the “documentation” column as “what an assessor will typically look for to confirm you’ve met the objectives in this family.” Not “the documents the rule requires.” Watch the freshness — the artifacts that fail most are the ones built once and never updated.

# | Family (code, reqs) | Documentation typically expected | Evidence an assessor can examine or test
1 | Access Control (AC, 22) | Access control policy; account lifecycle procedure; remote-access & mobile-device policy | Account request/review records, directory group listings, MFA config, VPN config, session-lock settings
2 | Awareness & Training (AT, 3) | Security awareness policy; role-based training procedure; insider-threat materials | Training completion logs, CUI-handling acknowledgments
3 | Audit & Accountability (AU, 9) | Audit/logging policy; logged-events list; log-review procedure | SIEM config, log samples, review tickets, time-sync settings
4 | Configuration Management (CM, 9) | CM policy/plan; baseline configurations; change-control procedure; allow/deny-list policy | Hardware/software inventory, baseline exports, change tickets
5 | Identification & Authentication (IA, 11) | Identification/authentication & password/authenticator policy | MFA reports, password policy settings, account identifier records
6 | Incident Response (IR, 3) | Incident Response Plan; escalation & reporting procedures; test records | Tabletop after-action reports, incident tickets, DFARS 7012 reporting evidence
7 | Maintenance (MA, 6) | Maintenance policy/procedures; remote-maintenance rules | Maintenance logs, tool control, sanitization-before-offsite records
8 | Media Protection (MP, 9) | Media protection policy; marking/sanitization/transport procedures | Sanitization/destruction records, media inventory, CUI markings
9 | Personnel Security (PS, 2) | Personnel security policy; screening & termination/transfer procedures | Screening records, offboarding/access-removal checklists
10 | Physical Protection (PE, 6) | Physical & environmental protection policy; visitor-control procedure | Visitor logs, badge/escort records, access lists
11 | Risk Assessment (RA, 3) | Risk assessment policy; vulnerability-management procedure | Risk register, scan reports, remediation tickets
12 | Security Assessment (CA, 4) | SSP (3.12.4) + POA&M (3.12.2) + control-assessment (3.12.1) + continuous-monitoring (3.12.3) | SSP, POA&M, self-assessment results, monitoring records
13 | System & Communications Protection (SC, 16) | SC policy; boundary-protection & encryption policy | Firewall rules, network + data-flow diagrams, FIPS-validated cryptographic module certificates
14 | System & Information Integrity (SI, 7) | SI policy; flaw-remediation/patch procedure; malicious-code protection | Patch reports, endpoint protection config, scan-remediation records

Add the counts and you get the number that anchors the whole standard: 22 + 3 + 9 + 9 + 11 + 3 + 6 + 9 + 2 + 6 + 3 + 4 + 16 + 7 = 110 requirements across 14 families. For the full requirement text and evidence mapping see our NIST 800-171 Requirements Checklist.

How your CMMC Level 2 documentation is actually assessed

Assessors don’t just read your policies — they examine, interview, and test. NIST SP 800-171A, the companion assessment methodology, breaks the 110 requirements into 320 assessment objectives, and every objective for a requirement must be MET (or Not Applicable) for that requirement to count. Documentation that doesn’t match what your people say and your systems show will fail, no matter how polished it looks.

That’s why practitioners talk about a triad: documentation (is it written down?), implementation (is it deployed?), and institutionalization (is it performed, repeatable, and evidenced over time?). A policy satisfies the first. It does nothing for the other two.

A quick note on versions: 32 CFR 170.2 incorporates NIST SP 800-171 Rev. 2 and the June 2018 version of SP 800-171A by reference for Level 2 assessments. Until DoD amends the rule, those are the controlling versions. If you build your package around Rev. 3, you’re building to the wrong standard.

Build an evidence index — it’s the difference between passing and scrambling

The single most useful artifact the rule doesn’t name is an evidence index: a register that maps every requirement and objective to a specific artifact. For a C3PAO assessment, you must hash your evidence files and hand the assessor the artifact names, hash values, and hashing algorithm — so traceability isn’t optional in practice; it’s how the assessment runs.

Requirement ID · assessment objective · control family · artifact name · artifact type · owner · system/component · evidence date · refresh interval · storage location · CUI/sensitive flag · status (MET / NOT MET / N/A) · POA&M link · reviewer

And a hard rule from the assessment guidance: evidence must be final, not draft. Unapproved SOPs, undated screenshots, “the tool supports this” claims, one-time screenshots for recurring activities, and anything outside your assessed boundary do not count. If it isn’t final, current, and owned, an assessor can disregard it.

POA&M rules for Level 2: what you can defer, and what you can’t

A POA&M is not a “we’ll fix it later” escape hatch. Under 32 CFR 170.21, you can only earn a Conditional Level 2 status if your score is at least 80% (a minimum of 88 out of the 110-point maximum), every deferred item is a 1-point requirement (with one narrow encryption exception), none of six specific controls is deferred, and you close everything within 180 days.

The score gate. Your score must be at least 88 on the 110 scale. The DoD scoring methodology weights requirements at 1, 3, or 5 points and subtracts from 110, so scores can even go negative.

The point-value gate. Only requirements worth 1 point may go on the POA&M. The single exception: CUI Encryption (SC.L2-3.13.11) can be deferred only if encryption is in use but not yet FIPS-validated, which scores it at 3 points instead of 5. Everything worth 3 or 5 points — MFA, most access and audit controls — must be fully MET at assessment.

The clock. If you earn Conditional status, you have 180 days from the Conditional CMMC Status Date to close every POA&M item and pass a closeout assessment. Miss it, and Conditional status expires. See our full Conditional Level 2 & POA&M Closeout guide.

The six controls you can never defer

Per 32 CFR 170.21(a)(2)(iii), these are barred from a Level 2 POA&M. If any is unmet, you cannot earn Conditional status — full stop:

Requirement | Name
AC.L2-3.1.20 | External Connections (CUI Data)
AC.L2-3.1.22 | Control Public Information (CUI Data)
CA.L2-3.12.4 | System Security Plan
PE.L2-3.10.3 | Escort Visitors (CUI Data)
PE.L2-3.10.4 | Physical Access Logs (CUI Data)
PE.L2-3.10.5 | Manage Physical Access (CUI Data)

One more distinction the rule draws: an operational plan of action (the ongoing list of patches and reconfigurations you manage as threats evolve, referenced in requirement 3.12.2) is not the same as an assessment POA&M. Only the assessment POA&M triggers the 88-point gate and the 180-day clock.

Write each POA&M entry like an assessor will read it: requirement ID, assessment objective, the finding, root cause, remediation action, owner, start date, target close date, the evidence needed to close it, an eligibility check, and the risk if it isn’t closed.
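The gate logic above is mechanical enough to check in code before you fill in a POA&M template. The following is an added example for this page, not a DoD, Cyber AB or C3PAO tool. It scores a gap list the way the DoD assessment methodology does (110 minus 1, 3 or 5 points per unmet requirement, with the 3-point partial credit for SC.L2-3.13.11 when encryption is in use but not FIPS-validated) and then applies the 88-point gate, the 1-point rule, the six barred requirements and the hard stop for a missing SSP. The point values it carries are an illustrative subset that this example assumes; verify every value against the official DoD Assessment Methodology annex before relying on a result, and treat the function and field names as the example's own.

```python
"""Score a NIST SP 800-171 Rev. 2 gap list and test it against the Conditional
Level 2 POA&M rules in 32 CFR 170.21. Added example for this page; not a DoD tool."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88        # 80% of the 110-point maximum
POAM_CLOSEOUT_DAYS = 180
SSP_REQUIREMENT = "CA.L2-3.12.4"
CUI_ENCRYPTION = "SC.L2-3.13.11"

# The six requirements that may never be deferred to a Level 2 POA&M (32 CFR 170.21).
BARRED_FROM_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", SSP_REQUIREMENT,
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})

# ASSUMPTION: an illustrative subset of the DoD Assessment Methodology point values,
# enough to run this example. Verify each value against the official annex before use.
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.12": 5, "AC.L2-3.1.13": 5,
    "AC.L2-3.1.16": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1, "AT.L2-3.2.3": 1,
    "CM.L2-3.4.9": 1, "IA.L2-3.5.3": 5, "IR.L2-3.6.3": 1, "PE.L2-3.10.3": 1,
    "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1, CUI_ENCRYPTION: 5,
}


@dataclass
class Evaluation:
    score: Optional[int]              # None when the assessment cannot be completed
    status: str                       # Final | Conditional | Not Met | Incomplete
    blockers: list = field(default_factory=list)    # why Conditional status is unavailable
    deferrable: list = field(default_factory=list)  # gaps that individually qualify for a POA&M


def deduction(req: str, finding: str) -> int:
    """Points subtracted for one unmet requirement.

    finding is "not_met", or "not_fips_validated" for SC.L2-3.13.11 when encryption
    is in use but the module is not FIPS-validated (scored at 3 instead of 5).
    """
    if req not in POINT_VALUES:
        raise KeyError(f"{req}: add its point value from the DoD Assessment Methodology")
    if req == CUI_ENCRYPTION and finding == "not_fips_validated":
        return 3
    return POINT_VALUES[req]


def evaluate(gaps: dict) -> Evaluation:
    """gaps maps requirement ID -> finding for every requirement that is not MET."""
    if SSP_REQUIREMENT in gaps:
        # No current SSP: the assessment cannot be completed at all, whatever else is met.
        return Evaluation(None, "Incomplete", blockers=[
            "no up-to-date SSP: assessment cannot be completed (32 CFR 170 / DFARS 252.204-7012)"])
    score = MAX_SCORE - sum(deduction(r, f) for r, f in gaps.items())
    if not gaps:
        return Evaluation(score, "Final")
    ev = Evaluation(score, "Conditional")
    if score < CONDITIONAL_MIN_SCORE:
        ev.blockers.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE}-point gate")
    for req, finding in gaps.items():
        pts = deduction(req, finding)
        if req in BARRED_FROM_POAM:
            ev.blockers.append(f"{req} may never be deferred")
        elif pts > 1 and not (req == CUI_ENCRYPTION and finding == "not_fips_validated"):
            ev.blockers.append(f"{req} is a {pts}-point requirement and must be MET")
        else:
            ev.deferrable.append(req)
    if ev.blockers:
        ev.status = "Not Met"
    return ev


def closeout_deadline(conditional_status_date: date) -> date:
    """Last day to close every POA&M item and pass the closeout assessment."""
    return conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed gap list for the demo: two 1-point gaps plus non-FIPS-validated encryption.
    sample = {"AT.L2-3.2.3": "not_met", "IR.L2-3.6.3": "not_met",
              CUI_ENCRYPTION: "not_fips_validated"}
    result = evaluate(sample)
    print(result.status, result.score, result.blockers, result.deferrable)
    if result.status == "Conditional":
        print("closeout by", closeout_deadline(date.today()))
```

Run it against your real gap list before you write a single POA&M entry: a single 5-point gap such as MFA, or one barred 1-point gap such as visitor escorts, flips the result to Not Met even when the score is well above 88, which is exactly the trap the rules above describe.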

Pressure-test your package before you pay for an assessment

If your open gaps include the SSP, external connections, public-information control, or any of the physical-access controls above, your package may not support Conditional Level 2 — and paying a C3PAO before you know that is an expensive mistake. Tell us your level, scope, and timeline and we’ll point you to the category that stress-tests the package first.

Do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →

Self-assessment vs. C3PAO: does the documentation change?

The 110 requirements are identical for a Level 2 self-assessment and a C3PAO assessment. What changes is who reviews the evidence, how hard they scrutinize it, and where the results are recorded: self-assessment results go into SPRS, while C3PAO results go into the CMMC instantiation of eMASS. Your contract clause tells you which path applies. See our self-assessment vs. C3PAO guide for the full breakdown.

Item | Level 2 Self | Level 2 C3PAO
Requirement set | Same 110 requirements | Same 110 requirements
Who assesses | Your organization | An authorized or accredited C3PAO
Where results go | SPRS | CMMC eMASS → SPRS
Evidence depth | Must be defensible | Must be assessor-ready and hashed
Affirmation | Required in SPRS (annually) | Required in SPRS (annually)
POA&M rules | Same conditional-status limits | Same conditional-status limits
Best use of this checklist | Build a defensible self-assessment package | Build a pre-assessment evidence package

DFARS 252.204-7021 (the contract clause that makes CMMC binding) took effect November 10, 2025, which started Phase 1 of the rollout. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 (C3PAO) for applicable solicitations as a condition of award. If you’re documenting for a self-assessment today, build the evidence to a C3PAO standard anyway. It’s the same package, and your path can change with your next contract.

What goes in SPRS — and what must never go in a web form

SPRS (the Supplier Performance Risk System) stores your assessment record, not your evidence. For a CMMC Level 2 self-assessment, 32 CFR 170.16 requires you to record, at minimum, your CMMC level and status, the CMMC Status Date, the assessment scope, your CAGE code(s), your Level 2 self-assessment score, and POA&M status if applicable. A lead-routing or contact form is not SPRS, and it should never collect sensitive information.

There’s a related-but-separate posting people conflate with this. The legacy NIST SP 800-171 DoD Assessment under DFARS 252.204-7020 posts its own record: the NIST version assessed, the organization that ran it, CAGE code(s), a brief SSP architecture description, the assessment date, the summary score, and the expected full-implementation date. DFARS 252.204-7019 requires an offeror to have a current assessment on file, generally not more than three years old, with the summary score posted in SPRS. Two systems, two records; know which one your solicitation is asking about.

Do not submit CUI, drawings, technical data, export-controlled information, credentials, network diagrams, contract-sensitive details, incident details, or proprietary architecture through any web form, including ours. Use generic descriptions only.

How long do you have to keep CMMC Level 2 evidence?

Six years. For a Level 2 self-assessment, 32 CFR 170.16 requires you to retain the artifacts used as evidence for six years from the CMMC Status Date. For a Level 2 C3PAO assessment, 32 CFR 170.17 requires the same six-year retention — but the artifacts must be hashed with a NIST-approved algorithm, and you provide the C3PAO with the artifact names, the hash values, and the hashing algorithm for upload into eMASS.

Your evidence library isn’t a one-time assessment prop. It’s a six-year record you have to preserve intact — which is one more reason the evidence index earns its keep. If you can’t produce a named, dated, unaltered artifact two years after your assessment, you don’t really have evidence; you have a memory.

How to organize your CMMC documentation library

Organize by scope, requirement, owner, and evidence date — and make everything trace back to the SSP. An assessor should be able to follow any requirement to its proof without asking you where it lives.

Here’s a folder structure that mirrors how a Level 2 assessment actually flows:

/00_Read_Me_and_Index
/01_Scope
  /Asset_Inventory
  /Network_Diagrams
  /CUI_Data_Flows
  /ESP_CSP_CRM
/02_SSP
  /Current_Approved_SSP
  /Version_History
/03_POAM
  /Current_POAM
  /Closeout_Evidence
/04_SPRS_and_Affirmation
/05_Policies_and_Procedures
/06_Evidence_By_Family
  /AC_Access_Control
  /AT_Awareness_and_Training
  /AU_Audit_and_Accountability
  /CM_Configuration_Management
  /IA_Identification_and_Authentication
  /IR_Incident_Response
  /MA_Maintenance
  /MP_Media_Protection
  /PS_Personnel_Security
  /PE_Physical_Protection
  /RA_Risk_Assessment
  /CA_Security_Assessment
  /SC_System_and_Communications_Protection
  /SI_System_and_Information_Integrity
/07_Assessment_Workpapers
/08_Archive

Name files so the requirement, artifact, date, and status are visible before anyone opens them:

AC.L2-3.1.1_User_Access_Review_Q2-2026_APPROVED.pdf
CM.L2-3.4.1_Baseline_Config_Windows_Workstations_2026-06-15.pdf
IR.L2-3.6.2_Incident_Response_Test_After_Action_Report_2026-05.pdf
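The evidence index described earlier, the hashed six-year retention requirement for C3PAO assessments, and the naming convention just shown can be enforced together by a small script. The following is an added example for this page, not a C3PAO, DoD or GRC-platform tool. It assumes the file-naming convention above (requirement ID, artifact, date or period, optional status, separated by underscores; the regex is this example's own and will need adjusting for any other convention), hashes every file under the library root with SHA-256 (a NIST-approved algorithm), writes a CSV manifest carrying the artifact name, hash value and algorithm the C3PAO needs, flags files whose name marks them as not final or does not follow the convention, and re-verifies the library against the manifest so altered or missing artifacts surface before an assessor finds them. The sample library it builds when run directly is constructed for the demo, not real evidence.

```python
"""Build and verify a hashed evidence manifest for a CMMC Level 2 artifact library.
Added example for this page; not a C3PAO, DoD or GRC tool."""
import csv
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

HASH_ALGORITHM = "SHA-256"        # NIST-approved (FIPS 180-4); recorded in every manifest row
MANIFEST_NAME = "evidence_manifest.csv"

# ASSUMPTION: the naming convention shown on this page,
# <REQ-ID>_<artifact>_<date or period>[_<STATUS>].<ext>, e.g.
# AC.L2-3.1.1_User_Access_Review_Q2-2026_APPROVED.pdf
NAME_RE = re.compile(
    r"^(?P<req>[A-Z]{2}\.L[1-3]-\d+\.\d+\.\d+)_"
    r"(?P<artifact>.+?)_"
    r"(?P<date>\d{4}-\d{2}-\d{2}|\d{4}-\d{2}|Q[1-4]-\d{4})"
    r"(?:_(?P<status>[A-Z]+))?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass
class Entry:
    artifact: str                 # path relative to the evidence root
    requirement: str
    evidence_date: str
    status: str
    digest: str
    issues: list = field(default_factory=list)   # reasons an assessor may disregard it


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large log exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_name(name: str):
    """Return the convention's fields for a file name, or None if it does not conform."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def build_manifest(root: Path) -> list:
    """Hash every file under root and parse its name into index columns."""
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name == MANIFEST_NAME:
            continue
        meta = parse_name(path.name) or {}
        issues = []
        if not meta:
            issues.append("name does not follow <REQ-ID>_<artifact>_<date>[_<STATUS>] convention")
        elif meta["status"] and meta["status"] != "APPROVED":
            issues.append(f"status {meta['status']} is not final evidence")
        entries.append(Entry(
            artifact=path.relative_to(root).as_posix(),
            requirement=meta.get("req") or "",
            evidence_date=meta.get("date") or "",
            status=meta.get("status") or "",
            digest=sha256_file(path),
            issues=issues,
        ))
    return entries


def write_manifest(entries: list, manifest_path: Path) -> None:
    """Write artifact name, hash and algorithm (what the C3PAO uploads) plus index columns."""
    with manifest_path.open("w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["artifact", "requirement", "evidence_date", "status", "algorithm", "hash", "issues"])
        for e in entries:
            w.writerow([e.artifact, e.requirement, e.evidence_date, e.status,
                        HASH_ALGORITHM, e.digest, "; ".join(e.issues)])


def verify_manifest(root: Path, manifest_path: Path) -> dict:
    """Re-hash the library against a stored manifest; reports altered and missing artifacts."""
    result = {"ok": [], "modified": [], "missing": []}
    with manifest_path.open(newline="") as f:
        for row in csv.DictReader(f):
            path = root / row["artifact"]
            if not path.exists():
                result["missing"].append(row["artifact"])
            elif sha256_file(path) != row["hash"]:
                result["modified"].append(row["artifact"])
            else:
                result["ok"].append(row["artifact"])
    return result


if __name__ == "__main__":
    # Constructed sample library (not real evidence) so the script runs offline.
    root = Path(tempfile.mkdtemp(prefix="cmmc_evidence_"))
    (root / "AC.L2-3.1.1_User_Access_Review_Q2-2026_APPROVED.pdf").write_bytes(b"access review export")
    (root / "AU.L2-3.3.1_Log_Review_Procedure_2026-04_DRAFT.docx").write_bytes(b"unapproved SOP")
    entries = build_manifest(root)
    write_manifest(entries, root / MANIFEST_NAME)
    for e in entries:
        print(e.artifact, HASH_ALGORITHM, e.digest[:16] + "...", e.issues or "OK")
    print("verify:", verify_manifest(root, root / MANIFEST_NAME))
```

Keep the manifest with the SSP version history and regenerate it whenever an artifact is refreshed; the verify step run on a schedule is what lets you prove, two years later, that a named, dated artifact is unaltered rather than merely remembered.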

The documentation mistakes that make you look ready when you’re not

The most dangerous documentation mistake is mistaking intent for proof. CMMC evidence has to show requirements that are implemented and operating, not policies that say you plan to. These are common upkeep failures to check before your assessment:

Mistake | Why it fails | The fix
Template SSP doesn’t match the environment | The SSP must describe the real system | Rewrite by scope, asset, and implementation reality
Scope is undefined | Evidence can’t be judged without a boundary | Build the CUI map, inventory, and diagram first
POA&M includes barred or high-point items | Conditional rules are narrow (see the six controls above) | Check 32 CFR 170.21 before relying on a POA&M
SSP built once, never updated (objective 3.12.4[h]) | A frequently cited failure; a stale SSP scores against you | Maintain a change log; review at least annually
System inventory drifts (objective 3.4.1[f]) | A frequently cited failure; inventory must stay current | Reconcile inventory to reality on a cadence
Incident response plan never tested (requirement 3.6.3) | A frequently cited failure; a plan on paper isn’t enough | Run and document a tabletop
Policies exist but logs/tickets don’t | Policy doesn’t prove operation | Add recurring operational evidence
Provider responsibility is assumed | Shared responsibility must be documented | Add a CRM and reflect it in the SSP
Evidence is draft or unapproved | Assessors can disregard anything that isn’t final, current, and owned | Approve and version-control every artifact
Package built around NIST 800-171 Rev. 3 | CMMC Level 2 currently maps to Rev. 2 | Use Rev. 2 mapping until DoD amends the rule

Which provider category do you actually need?

A documentation gap means different things depending on where it sits, and the fix is a different category of provider each time. No SSP or POA&M usually points to readiness help; controls that aren’t operated day-to-day point to managed IT/security; disorganized evidence points to a GRC platform; too much CUI in scope points to an enclave; and a ready package on a C3PAO-required contract points to an assessment. Matching the problem to the category is the whole game.

If the documentation problem is… | Likely category | Why | What to verify before you hire
“We don’t know our scope” | RPO/RP or CUI enclave | Scope drives every downstream document and cost | CMMC experience with your environment type; a scoping methodology, not just a tool
“We have no SSP or POA&M” | RPO/RP (readiness) | Readiness and documentation structure come before assessment | Whether they build docs that match your real operations, not templates
“Our tools aren’t configured or monitored” | MSSP (Managed Security Service Provider) | Documentation can’t substitute for operated controls | Who operates evidence, and how shared responsibility is documented (CRM)
“Evidence exists but it’s scattered” | GRC platform | Workflow and evidence mapping is the bottleneck | That it exports real, dated evidence, not just dashboards
“CUI touches too much of the company” | CUI enclave | Shrinking scope shrinks the documentation burden | That separation is enforced (segmentation), since encryption alone isn’t isolation
“Everything is implemented and evidenced” | C3PAO | Formal assessment is appropriate when the clause requires it | Current Cyber AB Marketplace status; conflict-of-interest separation from your readiness firm

This table is our editorial guidance based on the regulatory separation between readiness work, evidence workflow, secure architecture, and formal assessment. It is not a CMMC score, a legal opinion, or a named-provider ranking.

One independence rule you have to respect. Under the Cyber AB’s conflict-of-interest requirements referenced in 32 CFR 170.8, a member of the CMMC ecosystem generally cannot participate in your Level 2 certification assessment if they served as a consultant to prepare you for that assessment within the prior three years. Keep readiness and remediation help appropriately separated from formal assessment. Don’t hire the same firm to build your program and then certify it where that’s prohibited.

Source-checked means we’ve checked the provider’s category, public status where relevant, claimed role, any compensation relationship with us, and the routing destination as of a stated date. It does not mean a Cyber AB or DoD endorsement, and it is not a guarantee of certification.


Your next 7 days

Don’t start by buying every template or booking a C3PAO.Start by confirming your assessment path, locking scope, updating the SSP, and building an evidence index — in that order.

Day | Action
1 | Confirm the contract clause, required level, and self vs. C3PAO path
2 | Map CUI and define your preliminary scope
3 | Build or update the asset inventory, network diagram, and CUI data-flow diagram
4 | Review SSP completeness against the scoped environment
5 | Build the evidence index by requirement and objective
6 | Check POA&M eligibility and remove any barred assumptions
7 | Decide your provider category: readiness, managed controls, GRC, enclave, or assessment

Do the seven days, and you’ll know exactly what you have, what you’re missing, and who to call. That’s the whole point of a documentation checklist — not to collect paper, but to make your next expensive decision an informed one.

How we built and verified this checklist

We built this from primary sources first, then translated the rule and assessment mechanics into a working documentation package. Every regulatory claim on this page is tied to the authority that established it, and we re-verify the volatile ones quarterly.

What we verified (July 2026), by section:

  • CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (110 requirements) — 32 CFR 170.14, incorporated by reference in 32 CFR 170.2.
  • The only documents named in the Level 2 requirements are the SSP (3.12.4) and POA&M (3.12.2) — NIST SP 800-171 Rev. 2.
  • The SSP must be in place at assessment, and its absence causes a finding of noncompliance with DFARS 252.204-7012 — 32 CFR Part 170, Subpart D.
  • Scoping and asset categories (asset inventory, SSP, network diagram; ESP/CSP/CRM) — 32 CFR 170.19; CUI data-flow diagrams per the DoD CMMC Scoping Guide – Level 2.
  • The six controls barred from a Level 2 POA&M and the 88-point / 180-day rules — 32 CFR 170.21.
  • SPRS inputs for Level 2 Self — 32 CFR 170.16; legacy NIST assessment posting — DFARS 252.204-7019 / -7020.
  • Six-year artifact retention (hashed for C3PAO) — 32 CFR 170.16 and 170.17.
  • 320 assessment objectives, assessed by examine/interview/test — NIST SP 800-171A (June 2018 version, incorporated by reference).
  • The document list is “not exhaustive or prescriptive” — DoD CMMC Assessment Guide – Level 2.
  • Phase 1: Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026 — 32 CFR 170.3 and the DFARS final rule.

What we did not verify here: specific provider costs, named-provider credential status, and Cyber AB Marketplace listings. Those change constantly and belong on our provider-comparison pages.

This page is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you rely on any interpretation. See our editorial standards and corrections policy for how we source and update this work.

CMMC Level 2 documentation checklist: FAQ

What is a CMMC Level 2 documentation checklist?

A CMMC Level 2 documentation checklist is the working set of documents and evidence needed to prove implementation of the 110 NIST SP 800-171 Rev. 2 requirements — anchored by a System Security Plan and a POA&M, plus scope artifacts, SPRS and affirmation records, and family-by-family policies, procedures, and evidence. The requirements name only two documents directly; the rest is evidence sized to your environment.

Is an SSP required for CMMC Level 2?

Yes. Under 32 CFR Part 170, an up-to-date System Security Plan (requirement CA.L2-3.12.4) must be in place at the time of assessment. Its absence results in a finding that the assessment can’t be completed and that you’re noncompliant with DFARS 252.204-7012.

Can the SSP be on a POA&M?

No. CA.L2-3.12.4 (System Security Plan) is one of six requirements explicitly barred from a Level 2 POA&M under 32 CFR 170.21(a)(2)(iii). You must have the SSP in place to earn any Level 2 status.

Can you use a template SSP?

A template helps with structure, but it doesn’t prove implementation. NIST publishes a free CUI SSP template — a reasonable starting point — but the SSP has to describe your actual scoped environment, assets, providers, and control implementation, or it will fail an assessment.

Is a POA&M allowed for CMMC Level 2?

Yes, but only under strict conditions: your score must be at least 88 of 110 (0.8), only 1-point requirements may be deferred (with a narrow encryption exception for SC.L2-3.13.11), none of the six barred controls may be open, and everything must close within 180 days — per 32 CFR 170.21.

Which CMMC Level 2 requirements cannot go on a POA&M?

Per 32 CFR 170.21(a)(2)(iii): AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). Requirements worth 3 or 5 points also generally cannot be deferred.
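The two answers above describe the POA&M conditions in 32 CFR 170.21 as a set of rules: a minimum score of 88 of 110, only 1-point requirements open (with the SC.L2-3.13.11 encryption exception), none of the six barred requirements open, and closure within 180 days of the CMMC Status Date. The script below is an added example written for this page, not a DoD or Cyber AB tool, that applies those rules to a constructed list of open items. The requirement IDs in the barred set are the ones quoted above; the point values attached to the sample open items, the `OpenItem` structure, and the reading of the encryption exception as "SC.L2-3.13.11 may stay open only at its 3-point partial-credit value" are this example's own assumptions, so confirm the exact point values against the DoD assessment methodology before relying on the result.

```python
"""POA&M eligibility check for CMMC Level 2.

Added example for this page; not DoD's, NIST's or the Cyber AB's code.
The thresholds and the barred-requirement list come from 32 CFR 170.21
as summarized on the page. Point values per requirement are NOT embedded
here; the caller supplies them, so the sample values used in demo() are
constructed inputs, not a lookup table.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Six requirements that can never sit on a Level 2 POA&M (32 CFR 170.21(a)(2)(iii)).
BARRED = {
    "AC.L2-3.1.20",  # External Connections
    "AC.L2-3.1.22",  # Control Public Information
    "CA.L2-3.12.4",  # System Security Plan
    "PE.L2-3.10.3",  # Escort Visitors
    "PE.L2-3.10.4",  # Physical Access Logs
    "PE.L2-3.10.5",  # Manage Physical Access
}
ENCRYPTION_EXCEPTION = "SC.L2-3.13.11"  # CUI Encryption; narrow partial-credit exception
ENCRYPTION_EXCEPTION_POINTS = 3          # assumption: the partial-credit deduction value
MIN_SCORE = 88
MAX_SCORE = 110
MAX_DAYS = 180


@dataclass(frozen=True)
class OpenItem:
    """One unimplemented requirement the contractor wants to defer."""
    requirement: str   # CMMC requirement ID, e.g. "AT.L2-3.2.3"
    points: int        # points deducted for this requirement (caller-supplied)
    closure_date: str  # ISO date the milestone plan commits to


def check_poam_eligibility(score: int, open_items: list, status_date: str) -> list:
    """Return a list of rule violations; an empty list means a POA&M is permitted.

    score        -- the Level 2 score out of 110
    open_items   -- requirements that would remain open on the POA&M
    status_date  -- CMMC Status Date (ISO format); closures must fall within 180 days of it
    """
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score must be between 0 and {MAX_SCORE}")

    violations = []
    if score < MIN_SCORE:
        violations.append(f"score {score}/{MAX_SCORE} is below the {MIN_SCORE} minimum")

    deadline = date.fromisoformat(status_date) + timedelta(days=MAX_DAYS)
    for item in open_items:
        if item.requirement in BARRED:
            violations.append(f"{item.requirement} can never be placed on a Level 2 POA&M")
        elif item.points != 1 and not (
            item.requirement == ENCRYPTION_EXCEPTION
            and item.points == ENCRYPTION_EXCEPTION_POINTS
        ):
            violations.append(
                f"{item.requirement} is a {item.points}-point requirement; "
                "only 1-point requirements may be deferred"
            )
        if date.fromisoformat(item.closure_date) > deadline:
            violations.append(
                f"{item.requirement} closes {item.closure_date}, after the "
                f"{MAX_DAYS}-day deadline of {deadline.isoformat()}"
            )
    return violations


def demo() -> dict:
    """Run the check on constructed inputs (sample IDs, points and dates are made up)."""
    status = "2026-07-01"
    return {
        "clean": check_poam_eligibility(
            92, [OpenItem("AT.L2-3.2.3", 1, "2026-09-01")], status),
        "barred_and_late": check_poam_eligibility(
            92,
            [OpenItem("CA.L2-3.12.4", 5, "2026-09-01"),   # SSP: barred outright
             OpenItem("AT.L2-3.2.3", 1, "2027-03-01")],   # closes after 180 days
            status),
        "low_score": check_poam_eligibility(85, [], status),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "eligible" if not result else result)
```

Run it as a script to see the three constructed cases; the useful part for an assessment-readiness review is feeding your actual open items and score through `check_poam_eligibility` and treating a non-empty result as "not POA&M-eligible, fix before the assessment".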

What evidence counts for CMMC Level 2?

Final, approved documentation plus configurations, logs, tickets, training records, diagrams, and the results of interviews and testing — all tied to a specific requirement and to your assessed scope. NIST SP 800-171A defines 320 assessment objectives, and your evidence must satisfy the objectives, not just exist.

How long do you have to retain CMMC Level 2 evidence?

Six years from the CMMC Status Date. For a self-assessment, you retain the evidence artifacts (32 CFR 170.16). For a C3PAO assessment, you retain the hashed artifacts for six years and provide the C3PAO with the artifact names, hash values, and hashing algorithm for upload into eMASS (32 CFR 170.17).

Do C3PAO assessment artifacts need to be hashed?

Yes. For a Level 2 certification assessment, 32 CFR 170.17 requires you to hash your evidence files using a NIST-approved algorithm and give the C3PAO the artifact names, hash values, and algorithm — which is how the assessment confirms the evidence hasn’t been altered.
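The retention and hashing answers above describe what the C3PAO needs from you: artifact names, hash values, and the hashing algorithm, so that the evidence on file can later be shown to be unaltered. The script below is an added example written for this page, not DoD, Cyber AB or eMASS tooling. It walks an evidence folder, hashes every file with SHA-256 (one of the NIST-approved hashes in FIPS 180-4), emits the manifest as CSV, and re-verifies the folder against that manifest to flag modified or missing files. The folder layout (one sub-folder per requirement ID), the CSV column names, and the sample files in `demo()` are this example's own constructed assumptions; the rule prescribes the fields, not a file format, so match whatever format your C3PAO asks for.

```python
"""Evidence-artifact hash manifest for a C3PAO assessment.

Added example for this page; not DoD, Cyber AB or eMASS code.
Builds the (artifact name, algorithm, hash) record that 32 CFR 170.17
asks the contractor to hand to the C3PAO, and re-verifies it so tampering
or loss after the CMMC Status Date can be detected during the six-year
retention period. Folder layout and CSV columns are this example's own choice.
"""
import csv
import hashlib
import io
import tempfile
from pathlib import Path

ALGORITHM = "sha256"  # assumption: SHA-256 (FIPS 180-4); any NIST-approved hash works
FIELDS = ["artifact", "algorithm", "hash", "bytes"]


def hash_file(path, algorithm=ALGORITHM, chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large exports don't load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, algorithm=ALGORITHM):
    """One row per file under evidence_dir, keyed by its path relative to the root."""
    root = Path(evidence_dir)
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rows.append({
            "artifact": path.relative_to(root).as_posix(),
            "algorithm": algorithm,
            "hash": hash_file(path, algorithm),
            "bytes": path.stat().st_size,
        })
    return rows


def manifest_to_csv(rows):
    """Serialize the manifest; this is the text you would hand to the C3PAO."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def verify_manifest(evidence_dir, rows):
    """Re-hash each listed artifact; returns {artifact: 'ok' | 'modified' | 'missing'}."""
    root = Path(evidence_dir)
    results = {}
    for row in rows:
        path = root / row["artifact"]
        if not path.is_file():
            results[row["artifact"]] = "missing"
        elif hash_file(path, row["algorithm"]) != row["hash"]:
            results[row["artifact"]] = "modified"
        else:
            results[row["artifact"]] = "ok"
    return results


def demo():
    """Constructed evidence set: hash it, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "AC.L2-3.1.1").mkdir()
        (root / "AC.L2-3.1.1" / "access-control-policy-v3.pdf").write_bytes(
            b"%PDF-1.4 constructed sample policy\n")
        (root / "AC.L2-3.1.1" / "ad-group-export.csv").write_bytes(
            b"group,member\nCUI-Users,jdoe\n")
        (root / "CA.L2-3.12.4").mkdir()
        (root / "CA.L2-3.12.4" / "ssp-v2.docx").write_bytes(b"constructed SSP bytes")

        rows = build_manifest(root)
        before = verify_manifest(root, rows)          # everything 'ok' right after hashing

        # Simulate what the manifest is there to catch: a post-assessment edit and a lost file.
        (root / "CA.L2-3.12.4" / "ssp-v2.docx").write_bytes(b"constructed SSP bytes, edited later")
        (root / "AC.L2-3.1.1" / "ad-group-export.csv").unlink()
        after = verify_manifest(root, rows)
        return rows, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(manifest_to_csv(manifest))
    print("before:", before)
    print("after: ", after)
```

Keep the manifest itself with the retained artifacts (and, ideally, a copy outside the evidence share), because a manifest that can be edited alongside the files proves nothing; the value of the hash list is that the C3PAO holds its own copy in eMASS.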

Does Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

Rev. 2. 32 CFR 170.2 incorporates NIST SP 800-171 Revision 2 by reference for CMMC, so Level 2 maps to the 110 Rev. 2 requirements — even though NIST has since published Rev. 3. Do not build your package around Rev. 3 unless and until DoD amends the rule.

What goes into SPRS for a Level 2 self-assessment?

Per 32 CFR 170.16, your CMMC Level 2 self-assessment record includes, at minimum, your CMMC level and status, the CMMC Status Date, the assessment scope, your CAGE code(s), your Level 2 self-assessment score, and POA&M status if applicable. That’s separate from the legacy NIST SP 800-171 DoD Assessment score posted under DFARS 252.204-7019/-7020.

How do DFARS 252.204-7019 and -7020 differ from CMMC Level 2 SPRS reporting?

DFARS 252.204-7019 and -7020 govern the legacy NIST SP 800-171 DoD Assessment — the self-scored 800-171 posting that must be current in SPRS. CMMC Level 2 reporting under 32 CFR 170.16/170.17 records your CMMC status itself. Both can apply; check which your solicitation requires.

Does a C3PAO assessment use different documentation?

No — the 110 requirements are the same for self-assessment and C3PAO assessment. What differs is who assesses, how rigorously they examine evidence, that C3PAO evidence must be hashed, and where results are recorded (self goes to SPRS; C3PAO goes to CMMC eMASS and then SPRS).

What changes if we use an ESP, CSP, or CUI enclave?

If you use an External Service Provider or Cloud Service Provider, 32 CFR 170.19 requires you to document the relationship and services in your SSP and to reflect shared responsibilities in a Customer Responsibility Matrix. A CUI enclave can shrink your scope — but only if separation is actually enforced; DoD guidance is explicit that encryption alone doesn’t create logical separation.

Do subcontractors need their own CMMC Level 2 documentation?

If a subcontractor processes, stores, or transmits FCI or CUI, flow-down applies and the subcontractor generally needs its own documentation and assessment at the required level. The CMMC rule includes flow-down obligations for primes and subcontractors at all tiers.

Can a GRC platform replace CMMC documentation?

No. A GRC platform can organize evidence, map controls, and streamline workflow, but it can’t replace the SSP, the implementation of controls, the assessment evidence, or the required SPRS reporting and affirmation. It’s a supporting layer, not the whole solution.

When should we hire a C3PAO?

When your contract requires a Level 2 C3PAO assessment and your documentation and evidence package is genuinely ready. If your scope, SSP, POA&M, or evidence are still unresolved, readiness support usually comes first — and remember the independence rule that keeps readiness help separate from the certification assessment.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, technical data, credentials, sensitive contract details, or proprietary system diagrams. This is educational triage, not legal advice.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.