Prime-Safe CMMC Proof Packet Checklist
A companion worksheet from The Defense Compliance Report — an independent trade publication on CMMC 2.0 and DIB compliance. Not legal, contractual, or compliance advice. Not affiliated with the Cyber AB, DoD, DCMA DIBCAC, NIST, or any U.S. government agency. Last reviewed: July 2026.
Before you begin: Do not enter or attach CUI, drawings, export-controlled technical data, passwords, system diagrams, or vulnerability details on anything you send to a prime.
Use this to assemble a response to a prime's CMMC evidence request. The goal: give the prime enough to confirm your status, and nothing sensitive it doesn't need.
Step 1 — Confirm what actually applies (before you send anything)
- I've read the DFARS clauses in my subcontract (look for 252.204-7012, 252.204-7021, and the CMMC notice provision 252.204-7025).
- I know whether FCI, CUI, or neither will be processed, stored, or transmitted on my systems.
- I know my required level: Level 1 (FCI only) / Level 2 Self / Level 2 C3PAO / Level 3 — set by the contract, not a guess.
- If anything is unclear, I've asked my buyer in writing to state the required level, assessment type, and data type.
Step 2 — Build the seven-part packet
1. Cover response
- Prime's request date + reference:
- What they asked for:
- My point of contact:
2. Information-handling statement
- FCI only ☐ CUI ☐ Neither ☐
- Covered data is / isn't on my own systems:
3. Current status summary
- Level + status (e.g., "Final Level 2 (Self)"):
- Assessment type + date:
- Affirmation status + date:
4. CAGE + scope mapping
- CAGE code:
- System boundary:
- What work this scope supports:
5. SPRS / CMMC proof
- SPRS score/status (self-assessment) OR CMMC UID + C3PAO/DIBCAC reference (certified):
6. SSP / POA&M evidence (summaries only)
- SSP name / version / date:
- Redacted table of contents or evidence index attached ☐
- POA&M summary by control family and status (not the full file) ☐
7. Limitations and non-claims (protect yourself)
- "This is [Level 2 Self / Level 2 C3PAO], not ."
- "This scope covers [system], not the entire company."
- "Full SSP/POA&M available only through a controlled review."
Step 3 — Share only as high as the request justifies
| Rung | Share | Use when |
|---|---|---|
| 1 | Status summary (level, status, date, CAGE, scope) | Every first response |
| 2 | SSP metadata (name, version, date) | Prime wants a documentation basis |
| 3 | Redacted SSP TOC / evidence index | Prime wants more than a number |
| 4 | POA&M summary by family + status | Conditional or in-progress status |
| 5 | Controlled review of selected artifacts (NDA / secure portal) | High-sensitivity program or documented diligence |
| 6 | Full SSP / POA&M | Only with a clear need, protective terms, and counsel |
Most prime requests are satisfied at rungs 1–4. If a prime demands your full SSP/POA&M by email, offer a controlled review instead.
Step 4 — Screenshot keep/redact list
| Keep visible | Redact or omit |
|---|---|
| CAGE code for the covered system | CAGE codes for unrelated business units |
| Assessment date + status date | Usernames, emails, personal contact details |
| CMMC status + score (Level 2) | Internal reviewer notes/comments |
| Scope / system boundary | Any other supplier's or customer's data on screen |
| Affirmation date + CMMC UID | Anything outside the prime's need-to-know |
- Screenshot is date-stamped and captioned with the CAGE + scope.
Before you hit send
- Every statement matches my actual SPRS record and documentation.
- I have not overstated my status (self-assessment ≠ certification).
- I have not attached CUI or sensitive security detail.
- I've stated clearly what I am not claiming.
A self-reported score and the affirmation behind it are representations to the government, not marketing copy. If your evidence doesn't support the claim, respond honestly and fix the gap; don't round up. Need to map a gap to the right provider category? Use Find My CMMC Path: thedefensecompliancereport.com/find-my-path/
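The last two "Before you hit send" boxes, and the redact column in Step 4, can be turned into a mechanical pre-send scan of the packet text. The script below is an added illustration, not part of this worksheet or any official tool. It assumes the packet is available as plain text, uses an illustrative (not authoritative) set of patterns for CUI banner markings, export-control markings, email addresses, private IPv4 addresses, credential-looking strings, and UNC paths to internal hosts, and the two sample packets are constructed for the example (the CAGE code, enclave name, host, address and contact in them are made up). One caveat it handles on purpose: the word "CUI" legitimately appears in your own information-handling statement, so the scan looks for banner-style markings (a line that is only "CUI", a "CUI//..." banner, a "(CUI)" portion mark) rather than the bare word.

```python
import re

# Illustrative checks only; extend with your own domains, host naming and markings.
# Each entry is (finding name, compiled pattern).
CHECKS = [
    # CUI banner/portion markings: a line that is only "CUI" or "CONTROLLED",
    # a "CUI//..." or "CONTROLLED//..." banner, or a "(CUI)" portion mark.
    # The bare word CUI is NOT flagged: the handling statement uses it legitimately.
    ("CUI marking", re.compile(
        r"^[ \t]*(?:CUI|CONTROLLED)[ \t]*$|\b(?:CUI|CONTROLLED)//[A-Z0-9/ -]+|\(CUI\)", re.M)),
    ("export-control marking", re.compile(r"\bITAR\b|\bEAR\b|(?i:export[- ]controlled)")),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("private IPv4 address", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
    ("credential", re.compile(r"\b(?:password|passwd|secret|api[_ -]?key|token)\s*[:=]\s*\S+", re.I)),
    ("internal host/UNC path", re.compile(r"\\\\[\w.-]+\\[\w$.-]+")),
]


def scan_packet(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_name, matched_text) for every hit, sorted by line."""
    findings = []
    for name, pattern in CHECKS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, name, m.group(0).strip()))
    return sorted(findings)


def is_safe_to_send(text: str) -> bool:
    """True only when the scan produces no findings."""
    return not scan_packet(text)


# Constructed sample: a rung 1-2 packet that should pass.
CLEAN_PACKET = """\
Cover response: request of 2026-06-12, ref PR-2026-0412
Information-handling statement: FCI only ☐ CUI ☑ Neither ☐
Status: Final Level 2 (Self), assessed 2026-05-30
CAGE code: 1AB23  System boundary: Engineering enclave (ENG-ENCL)
Limitation: this scope covers ENG-ENCL, not the entire company.
"""

# Constructed sample: the same packet with material that must never go to a prime.
DIRTY_PACKET = CLEAN_PACKET + """\
CUI//SP-CTI
Reviewer notes: file server \\\\eng-fs01\\cui-share, admin password: Summer2026!
SSP excerpt: boundary router 10.20.30.1, contact j.smith@example.com
"""


if __name__ == "__main__":
    for label, packet in (("clean", CLEAN_PACKET), ("dirty", DIRTY_PACKET)):
        print(f"{label}: safe_to_send={is_safe_to_send(packet)}")
        for line_no, name, hit in scan_packet(packet):
            print(f"  line {line_no}: {name}: {hit}")
```

Run it over the exported text of the packet (and the OCR text of any screenshot) before sending; a non-empty findings list means stop and redact, or move the material to a controlled review. Treat a clean result as one gate, not proof: the patterns catch common forms of the items in the redact column, not drawings, diagrams or system detail written in prose.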
From thedefensecompliancereport.com — The Defense Compliance Report. Last reviewed July 2026. Not legal advice.