CMMC 2.0 is no longer on the horizon — it's here. The Department of Defense began including CMMC requirements in new contracts in 2024, and by 2026, any contractor handling Controlled Unclassified Information (CUI) without certification risks losing contract eligibility. The challenge for most mid-sized contractors isn't understanding CMMC — it's executing against 110 controls without overwhelming their team.
This checklist gives you the exact process, in the right order, to achieve CMMC 2.0 Level 2 compliance — and automate its ongoing maintenance so you don't need a full-time compliance staff to sustain it.
CMMC Level 2 requires a third-party assessment by a DoD-authorized C3PAO for most defense contractors. Self-assessments are only allowed for Level 1 and certain Level 2 contracts — confirm your contract requirements before assuming self-attestation is sufficient.
What Is CMMC 2.0 And Who Needs It?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's framework for ensuring defense contractors protect sensitive federal information. It has three levels:
| Level | Framework Basis | Assessment Type | Who Needs It |
|---|---|---|---|
| Level 1 — Foundational | FAR 52.204-21 (17 practices) | Annual self-assessment | Contractors handling FCI only |
| Level 2 — Advanced | NIST SP 800-171 (110 practices) | C3PAO third-party assessment | Most CUI-handling contractors |
| Level 3 — Expert | NIST SP 800-172 (110+ practices) | DCSA government assessment | Critical infrastructure / classified |
The vast majority of defense industrial base (DIB) contractors require Level 2 certification. This checklist focuses entirely on Level 2.
The 17 CMMC 2.0 Practice Domains
CMMC Level 2's 110 practices span 17 domains. Automation can address monitoring and evidence collection across most of them — but several require policy and administrative work that cannot be fully automated:
| Domain | Practices | What it covers |
|---|---|---|
| Access Control (AC) | 22 | Least privilege, multi-factor authentication, remote access controls, CUI access restrictions |
| Audit & Accountability (AU) | 9 | Event logging, log protection, review and reporting of audit records |
| Configuration Management (CM) | 9 | Baseline configs, change control, security configuration enforcement |
| Identification & Authentication (IA) | 11 | Multi-factor authentication, password management, privileged account controls |
| Incident Response (IR) | 3 | Incident response plan, testing, and post-incident reporting to DoD |
| Risk Assessment (RA) | 3 | Periodic risk assessment, remediation of discovered vulnerabilities |
| System & Communications Protection (SC) + others | 53 | Network segmentation, encryption, media protection, personnel security, physical protection, system integrity, and more |
The 7-Step CMMC 2.0 Automated Compliance Checklist
Step 1. Scope Your CUI Environment
The CMMC assessment boundary is the most critical — and most often mis-scoped — step. Map every system, network segment, cloud environment, and third-party connection that processes, stores, or transmits CUI. Use your contracts to identify what information is designated CUI. Anything outside this boundary does not need to meet CMMC controls. Scoping too broadly wastes resources; scoping too narrowly creates certification risk.
Step 2. Run Your NIST 800-171 Gap Assessment
Use NIST's official assessment methodology or a commercial GRC tool to evaluate your current state against all 110 practices. Score each control: 1 (fully implemented), 0.5 (partially implemented), 0 (not implemented). Calculate your total SPRS (Supplier Performance Risk System) score — the maximum is 110, and while there is no official pass threshold, DoD primes and contracting officers are increasingly scrutinizing scores below 105.
Step 3. Create Your System Security Plan (SSP)
The SSP is your primary compliance artifact. It documents: (1) your system boundary, (2) how each of the 110 controls is implemented, (3) responsible personnel, and (4) system interconnections. Automation tools can pre-populate large sections of the SSP from your infrastructure scan data — but narrative descriptions of policies and procedures require human authorship.
Step 4. Build Your Plan of Action & Milestones (POA&M)
For every control scored below 1.0 in your gap assessment, create a POA&M entry that includes: the control reference, the identified deficiency, the remediation action, the responsible owner, the resources required, and the target completion date. Automated compliance platforms can generate draft POA&M entries from gap assessment results and track remediation status in real time.
Step 5. Automate Control Monitoring & Evidence Collection
This is where automation delivers the most value. Deploy a continuous compliance monitoring stack that: tracks control status against your SSP in real time, alerts when controls drift from their documented state, auto-collects audit evidence (log exports, configuration screenshots, access reviews), and maintains a compliance posture dashboard you can share with contracting officers. Next MIP's compliance platform automates evidence collection for over 80 of the 110 NIST 800-171 controls.
Step 6. Conduct a Pre-Assessment (Mock C3PAO Audit)
Before engaging a C3PAO, perform an internal pre-assessment using the official CMMC Assessment Process (CAP) methodology. Walk through each practice domain as if you were the assessor. Document evidence for every control. Identify any remaining gaps and add them to your POA&M with aggressive remediation timelines. The goal is to score 108–110 before the official assessment, giving you buffer for assessor interpretation differences.
Step 7. Engage Your C3PAO for Official Certification
Select a DoD-authorized Certified Third-Party Assessment Organization (C3PAO) from the CMMC-AB marketplace. Prepare your assessment evidence package: SSP, POA&M, network diagrams, policy documents, and platform access for automated evidence review. The formal assessment typically takes 1–2 weeks. Upon passing, your organization is listed in the CMMC-AB eMASS system and your certification is valid for 3 years.
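The gap-assessment scoring (step 2), POA&M drafting (step 4) and drift alerting (step 5) above are mechanical enough to script. The Python below is an added example, not code from this article or from Next MIP's platform. It applies the scoring rule exactly as the article states it (1 / 0.5 / 0 per control, 110-point maximum, 105 and 108 as the thresholds the article names); one caveat: the DoD assessment methodology that feeds SPRS actually deducts weighted 1, 3 or 5 points per unimplemented control from 110, so treat these totals as the article's simplified view. The control catalogue uses the NIST SP 800-171 Rev. 2 family layout (3.1.x Access Control through 3.14.x System & Information Integrity, 110 practices). The findings, the 90-day POA&M target and the SSP/scan records are constructed for illustration.

```python
"""Gap-assessment scoring, POA&M drafting and control-drift alerts.

Added example, not code from the original article or from Next MIP's platform.
It applies the article's scoring rule (1 / 0.5 / 0 per control, 110 total) and
the POA&M fields from step 4. Findings and SSP/scan data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# NIST SP 800-171 Rev. 2 families: (id prefix, domain, practice count) = 110 total.
FAMILIES = [
    ("3.1", "AC", 22), ("3.2", "AT", 3), ("3.3", "AU", 9), ("3.4", "CM", 9),
    ("3.5", "IA", 11), ("3.6", "IR", 3), ("3.7", "MA", 6), ("3.8", "MP", 9),
    ("3.9", "PS", 2), ("3.10", "PE", 6), ("3.11", "RA", 3), ("3.12", "CA", 4),
    ("3.13", "SC", 16), ("3.14", "SI", 7),
]
CATALOG = {f"{p}.{n}": dom for p, dom, count in FAMILIES for n in range(1, count + 1)}
VALID_SCORES = (1.0, 0.5, 0.0)
SCRUTINY_THRESHOLD = 105     # article: scores below 105 draw prime/CO scrutiny
PRE_ASSESSMENT_TARGET = 108  # article: aim for 108-110 before the C3PAO visit
ASSESSED_ON = date(2025, 1, 15)  # constructed assessment date

@dataclass
class Finding:
    """One control scored below 1.0, with the POA&M fields the article lists."""
    control_id: str
    score: float
    deficiency: str
    remediation_action: str
    owner: str
    resources: str

def build_assessment(findings):
    """Full 110-row assessment: every control scored, 1.0 unless a finding says otherwise."""
    scores = {cid: 1.0 for cid in CATALOG}
    for f in findings:
        if f.control_id not in CATALOG:
            raise ValueError(f"unknown control {f.control_id}")
        if f.score not in VALID_SCORES:
            raise ValueError(f"{f.control_id}: score must be 1, 0.5 or 0")
        scores[f.control_id] = f.score
    return scores

def sprs_score(scores):
    """Sum of per-control scores (max 110). A partial assessment is refused:
    an unassessed control is a gap, not an implemented control."""
    missing = CATALOG.keys() - scores.keys()
    if missing:
        raise ValueError(f"{len(missing)} controls not assessed, e.g. {sorted(missing)[:3]}")
    return sum(scores[cid] for cid in CATALOG)

def readiness(total):
    """Map the total to the thresholds the article gives."""
    if total >= PRE_ASSESSMENT_TARGET:
        return "ready for C3PAO assessment"
    if total >= SCRUTINY_THRESHOLD:
        return "remediate to 108+ before engaging a C3PAO"
    return "below 105: expect prime/contracting-officer scrutiny"

def draft_poam(findings, assessed_on, lead_days=90):
    """One POA&M row per control scored below 1.0. The 90-day target is an
    assumption; the article sets no deadline rule."""
    return [{"control": f.control_id, "deficiency": f.deficiency,
             "action": f.remediation_action, "owner": f.owner,
             "resources": f.resources, "status": "open",
             "target_date": assessed_on + timedelta(days=lead_days)}
            for f in findings if f.score < 1.0]

def detect_drift(ssp_state, observed_state):
    """Compare each control's documented SSP settings with a scan's observations.
    Returns (control_id, setting, documented, observed) per mismatch; a setting
    the scan did not report at all is a mismatch too (observed = None)."""
    alerts = []
    for cid, documented in ssp_state.items():
        observed = observed_state.get(cid, {})
        for key, want in documented.items():
            if observed.get(key) != want:
                alerts.append((cid, key, want, observed.get(key)))
    return alerts

# Constructed sample data for a mid-sized contractor after its gap assessment.
FINDINGS = [
    Finding("3.5.3", 0.0, "MFA not enforced for VPN remote access",
            "Enable MFA on the VPN gateway", "IT lead", "licences + 2 staff-days"),
    Finding("3.3.1", 0.5, "File-server audit logs not retained",
            "Forward file-server logs to the SIEM", "SecOps", "log collector agents"),
    Finding("3.6.1", 0.5, "IR plan not tested this year",
            "Run a tabletop exercise", "CISO", "half-day workshop"),
]
SSP_STATE = {"3.5.3": {"mfa_required": True}, "3.13.8": {"tls_min_version": "1.2"}}
SCAN_STATE = {"3.5.3": {"mfa_required": False}, "3.13.8": {"tls_min_version": "1.0"}}

if __name__ == "__main__":
    total = sprs_score(build_assessment(FINDINGS))
    print(f"SPRS score: {total}/110 -> {readiness(total)}")
    for row in draft_poam(FINDINGS, ASSESSED_ON):
        print(f"POA&M {row['control']}: {row['deficiency']} (due {row['target_date']})")
    for cid, key, want, got in detect_drift(SSP_STATE, SCAN_STATE):
        print(f"DRIFT {cid}: {key} documented={want!r} observed={got!r}")
```

Two design choices matter for assessors: `sprs_score` refuses an assessment that does not cover all 110 controls, because a control nobody scored must not silently count as implemented, and `detect_drift` treats a setting the scan failed to report as drift rather than as "unknown", so a broken collector surfaces as an alert instead of a clean dashboard.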
Automation Coverage by Domain
Here are the domains that benefit most from automated compliance tooling, and what still needs human judgement in each:
| Domain | Automation Coverage | What Still Requires Humans |
|---|---|---|
| Audit & Accountability | High (85%) | Quarterly review sign-offs |
| Configuration Management | High (80%) | Approvals for config changes |
| Access Control | Medium (60%) | Least-privilege policy decisions |
| Risk Assessment | Medium (55%) | Risk acceptance decisions |
| Incident Response | Low (30%) | Plan creation, tabletop exercises, DoD reporting |
| Personnel Security | Low (20%) | Background checks, training records |
Common CMMC 2.0 Compliance Mistakes
- Scoping too broadly. Including non-CUI systems in your assessment boundary adds unnecessary controls and cost. Work with your contracting officer to precisely define what information is CUI.
- Confusing self-attestation with third-party assessment. Most Level 2 contracts require a C3PAO assessment. Self-attestation is only permitted for a subset of Level 2 contracts.
- Treating POA&M as permanent. A POA&M item is a temporary remediation plan, not an indefinite exception. C3PAOs will evaluate whether your POA&M items show credible progress.
- Not maintaining evidence between assessments. CMMC certification is valid for 3 years, but continuous monitoring is required. A gap in evidence collection discovered during a renewal assessment can result in certification suspension.
- Ignoring supply chain obligations. If you flow CUI to subcontractors, they must also meet CMMC requirements. Include supply chain compliance verification in your SSP.
How Next MIP Manages CMMC 2.0 Compliance for Defense Contractors
Next MIP's CMMC 2.0 Automated Compliance Service handles the full lifecycle: gap assessment, SSP authorship, POA&M management, continuous control monitoring, evidence collection, and C3PAO pre-assessment preparation. Our platform automates evidence collection for 80+ of the 110 controls — dramatically reducing the staff hours required to sustain compliance over the 3-year certification period.
Get Your CMMC 2.0 Gap Assessment
Know exactly where you stand against all 110 NIST 800-171 controls. Free for qualified defense contractors — results delivered in 5 business days.