The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base
Free download

The 32-point CMMC Level 2 readiness checklist

A field-tested checklist that walks small DoD contractors through scope, SSP, SPRS, enclave, MSP, and pre-assessment evidence. We email you the PDF.

The Defense Compliance Report Editorial Team, independent CMMC and DIB compliance research
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The full checklist arrives as a printable PDF. The eight sections below preview what is covered.

Scope & data classification

  • All contracts reviewed for FCI vs CUI markings
  • Authoritative CUI inventory documented
  • CUI enclave boundary drawn and reviewed
  • Asset categorization (CUI, security protection, contractor risk-managed)

SSP & POA&M

  • Current System Security Plan covering all 110 controls
  • POA&M with owners and target dates for every open item
  • Annual SSP review cadence scheduled
  • Senior official affirmation process documented

SPRS posting

  • Most recent NIST 800-171 basic-assessment score posted
  • Score recalculated whenever a control moves
  • Affirming official identified in SPRS

Enclave & tooling

  • Identity provider with phishing-resistant MFA across the enclave
  • Endpoint protection meeting 800-171 audit requirements
  • Centralized log retention satisfying continuous monitoring
  • Backup and recovery tested against ransomware scenarios

MSP / MSSP alignment

  • MSP contract reflects defense-specific scope
  • MSSP responsibility matrix for incident response and reporting
  • DFARS 7012 cyber-incident reporting workflow tested

Pre-assessment evidence

  • Evidence locker organized by control family
  • Sample artifacts collected for each domain
  • Internal mock assessment completed
  • C3PAO shortlist evaluated and engaged for scoping call

Vendor & supply chain

  • Subcontractor CMMC flow-down language in place
  • Supplier risk register maintained
  • External service provider (ESP) controls documented

Governance

  • Information security policy suite approved by leadership
  • Annual awareness training delivered and tracked
  • Incident response plan exercised at least annually
  • Change management ties to 800-171 control impacts

Working through the checklist and finding more gaps than you expected? That is the signal to engage a readiness consultant before a C3PAO. The 7-question routing engine takes about two minutes.