Prime-Safe CMMC Proof Packet Checklist

A companion worksheet from The Defense Compliance Report — an independent trade publication on CMMC 2.0 and DIB compliance. Not legal, contractual, or compliance advice. Not affiliated with the Cyber AB, DoD, DCMA DIBCAC, NIST, or any U.S. government agency. Last reviewed: July 2026.

Before you begin: Do not enter or attach CUI, drawings, export-controlled technical data, passwords, system diagrams, or vulnerability details on anything you send to a prime.

Use this to assemble a response to a prime's CMMC evidence request. The goal: give the prime enough to confirm your status, and nothing sensitive it doesn't need.


Step 1 — Confirm what actually applies (before you send anything)


Step 2 — Build the seven-part packet

1. Cover response

2. Information-handling statement

3. Current status summary

4. CAGE + scope mapping

5. SPRS / CMMC proof

6. SSP / POA&M evidence (summaries only)

7. Limitations and non-claims (protect yourself)


Step 3 — Share only as high as the request justifies

Rung | Share | Use when
1 | Status summary (level, status, date, CAGE, scope) | Every first response
2 | SSP metadata (name, version, date) | Prime wants a documentation basis
3 | Redacted SSP TOC / evidence index | Prime wants more than a number
4 | POA&M summary by family + status | Conditional or in-progress status
5 | Controlled review of selected artifacts (NDA / secure portal) | High-sensitivity program or documented diligence
6 | Full SSP / POA&M | Only with a clear need, protective terms, and counsel

Most prime requests are satisfied at rungs 1–4. If a prime demands your full SSP/POA&M by email, offer a controlled review instead.


Step 4 — Screenshot keep/redact list

Keep visible | Redact or omit
CAGE code for the covered system | CAGE codes for unrelated business units
Assessment date + status date | Usernames, emails, personal contact details
CMMC status + (Level 2) score | Internal reviewer notes/comments
Scope / system boundary | Any other supplier's or customer's data on screen
Affirmation date + CMMC UID | Anything outside the prime's need-to-know

Before you hit send

A self-reported score is a legal record. If your evidence doesn't support the claim, respond honestly and fix the gap — don't round up. Need to map a gap to the right provider category? Use Find My CMMC Path: thedefensecompliancereport.com/find-my-path/

