CMMC certification checklist (Levels 1–3): full guide

by SecureSlate Team in CMMC


Key takeaways

  • Understand the core concepts and terminology behind CMMC certification at Levels 1–3.
  • Learn practical steps to apply the guidance and stay audit-ready.
  • See where SecureSlate can help centralize evidence, ownership, and ongoing compliance workflows.

If you’re planning to compete for U.S. Department of Defense (DoD) contracts, now is the time to get serious about CMMC certification.

After several years of updates, the Cybersecurity Maturity Model Certification (CMMC) program was finalized in October 2024 to strengthen DoD cybersecurity requirements.

The DFARS acquisition rule took effect on November 10, 2025, kicking off a phased rollout of CMMC requirements across contracts over the next three years.

This checklist breaks down what CMMC is, which level applies to you, and the practical steps to get certified—and stay certified.


What CMMC means for you

CMMC is a program designed to ensure defense contractors and subcontractors in the Defense Industrial Base (DIB) can responsibly handle sensitive unclassified information and government data.

The DIB is “the network of organizations, facilities, and resources that provides the U.S. government—particularly the Department of Defense (DoD)—with defense-related materials, products, and services.”

To help the DoD verify that contractors meet cybersecurity standards, CMMC has three levels.

Each level has requirements based on the type and sensitivity of data you handle.

The key question is simple: do your systems process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?


CMMC Levels 1–3 (what changes at each level)

Level 1: Basic safeguarding of FCI

Level 1 is focused on basic cyber hygiene to protect Federal Contract Information (FCI).

FCI is information not intended for public release, such as contract details, communication records, and information the government creates, uses, or shares for contract performance.

Level 1 requires:

  • Annual affirmation and compliance with the 15 basic safeguarding requirements in FAR clause 52.204-21
  • Annual self-assessment entered in the Supplier Performance Risk System (SPRS)

Level 2: Broad protection of CUI

Level 2 focuses on protecting Controlled Unclassified Information (CUI).

CUI is sensitive government information that isn’t classified, and what counts as CUI can vary by law and regulation.

Common examples include personally identifiable information (PII), technical data, software documentation, and contractor performance evaluations.

Level 2 requires:

  • Annual affirmation and compliance with the 110 requirements in NIST SP 800-171 Rev. 2
  • A self-assessment or a C3PAO certification assessment (depending on contract requirements) performed every three years, recorded in SPRS or eMASS, as applicable

Level 3: Higher-level protection of CUI against advanced persistent threats

Level 3 applies to organizations handling extremely sensitive CUI and facing risks from advanced persistent threats (APTs).

If you’re supporting a high-priority program, you may be expected to meet Level 3.

Level 3 requires:

  • Maintaining final Level 2 status through a C3PAO assessment every three years
  • A separate assessment by the Defense Contract Management Agency’s DIBCAC every three years
  • Annual affirmation and compliance with 24 identified requirements from NIST SP 800-172

Your contracting officer can clarify which level and assessment type apply to your current contract.

As CMMC phases in, solicitations and contracts will increasingly specify CMMC requirements explicitly.


CMMC rollout phases (2025–2028)

The DoD is rolling out CMMC in four phases to reduce disruption, avoid overwhelming contractors, and give organizations time to implement controls.

Phase 1 (Nov. 10, 2025 – Nov. 9, 2026): Applicable solicitations may require Level 1 or Level 2 self-assessment requirements.

Phase 2 (Beginning Nov. 10, 2026): Applicable solicitations may require Level 2 C3PAO certification.

Phase 3 (Beginning Nov. 10, 2027): Applicable solicitations may require Level 3 certification.

Phase 4 / Full implementation (Beginning Nov. 10, 2028): CMMC becomes the default requirement for covered solicitations and contracts involving contractor systems that process, store, or transmit FCI or CUI, excluding COTS-only contracts.

Even if you already meet requirements from other programs, that doesn’t automatically mean you satisfy CMMC for DoD contracts.


Checklist: How to become CMMC certified

Below are the seven steps most organizations follow to get certified—and stay ready for re-affirmations and re-assessments.

  • Step 1: Confirm which CMMC level your business needs
  • Step 2: Establish your CUI and FCI boundaries
  • Step 3: Perform a gap assessment
  • Step 4: Document a POA&M and SPRS score
  • Step 5: Execute your POA&M (and collect evidence)
  • Step 6: Conduct the assessment
  • Step 7: Maintain certification

Step 1 — Confirm which CMMC level you need

Start by determining which CMMC level and assessment type apply to your organization.

This depends on whether you handle FCI or CUI, and what your contract (or target contracts) require.

If you handle a mix of FCI and CUI, you must be certified at the level that covers the most sensitive data you handle.

If you already have a DoD contract, your contracting officer is your fastest path to clarity.

If you don’t have a contract yet, use this checklist to run a self-assessment and build a credible readiness posture before you bid.

Step 2 — Establish your CUI and FCI boundaries

Next, define what systems, processes, people, facilities, and service providers are in scope.

This is your CMMC assessment boundary.

Level 1 (FCI) boundary basics

For Level 1, any asset that processes, stores, or transmits FCI is in scope.

This includes people, technology, facilities, and external service providers (ESPs).

Assets outside the boundary are out of scope and won’t be assessed.

Specialized assets are generally out of scope at Level 1.

Examples include government furnished equipment (GFE), operational technology (OT), and test equipment.

Level 2 (CUI) boundary basics

For Level 2, any asset that processes, stores, or transmits CUI is in scope.

Level 2 also expands in-scope assets to include:

  • Specialized assets from Level 1 (even if they can’t be fully secured)
  • Security protection assets (firewalls, EDR, vulnerability scanners, SIEM/logging, IdP/MFA)
  • Contractor risk-managed assets (devices that can technically access CUI environments, even if not intended to)

Level 3 boundary basics

Level 3 includes assets that process, store, or transmit CUI.

It also brings contractor risk-managed assets, security protection assets, and specialized assets into scope—whether or not they touch CUI directly.

Only assets that can’t process CUI and don’t provide security protections are generally out of scope.

Pro tip: diagram your boundary, data types, and data flows.

Maintain an asset inventory plus a boundary/network diagram and a data flow map for FCI and CUI.

Label each asset by category and whether it processes, stores, or transmits covered data.

Step 3 — Perform a gap assessment

With your boundary defined, run a gap assessment to identify what’s missing.

The goal is to avoid surprises during an official assessment.

To run a gap assessment:

  • Document existing controls and map them to CMMC objectives
  • Capture your asset treatment in a System Security Plan (SSP)
  • Identify controls not yet satisfied (and what evidence is missing)

Plan to collaborate across IT, security, compliance, and business stakeholders.

Step 4 — Document a POA&M and an SPRS score

Your Plan of Action and Milestones (POA&M) is your remediation roadmap.

It should list what you’ll fix, in what order, who owns it, what resources are needed, and when it will be completed.

For Level 1, you generally must meet all Level 1 requirements at the time of assessment.

For Level 2 and Level 3, limited POA&M items may be permitted during assessment for eligible non-critical requirements, and must generally be closed within 180 days.

Supplier Performance Risk System (SPRS)

SPRS includes a score (commonly referenced as ranging from -203 to +110) and helps the DoD gauge contractor readiness.

After an assessment, you’ll be required to enter results into SPRS, regardless of level.

Step 5 — Execute your POA&M (and collect evidence)

Now implement the controls and process changes in your POA&M.

Avoid trying to remediate everything at once.

Break the work into milestones you can track and validate.

As you implement, collect evidence continuously:

  • Policies and procedures
  • Configurations and screenshots (where appropriate)
  • Logs and alerts
  • Training materials and completion records
  • Tickets and approvals that show processes are followed

Step 6 — Conduct the assessment

Assessment type depends on your level and contract requirements.

Level 1 assessment

Level 1 requires a self-assessment, with results entered into SPRS.

You’ll typically submit evidence (policies, training, planning docs), complete interviews, and validate processes through testing.

To achieve Level 1, requirements must be met (or be not applicable) and entered into SPRS.

Level 2 assessment

Level 2 may require a self-assessment or a C3PAO certification assessment.

Assessments can result in conditional or final Level 2 status, depending on whether limited POA&M items are permitted.

Level 3 assessment

Level 3 typically requires two assessments:

  • Achieving final Level 2 with a C3PAO
  • Completing a Level 3 assessment by DCMA DIBCAC

Level 3 can also result in conditional or final certification.

POA&M closure timelines are typically 180 days where permitted.

Step 7 — Maintain certification

Certification isn’t a one-time project.

The DoD requires CMMC-certified organizations to review controls and affirm compliance annually.

Assessments occur annually or every three years, depending on your level.

Maintenance by level:

  • Level 1: annual self-assessment in SPRS + annual affirmation
  • Level 2: annual affirmation + assessment every three years
  • Level 3: annual affirmation + Level 2 C3PAO assessment every three years + DIBCAC assessment every three years

If affirmations and assessments aren’t completed on time, you can lose certification.


How SecureSlate helps you get CMMC-ready

SecureSlate helps teams prepare for CMMC by centralizing the work that tends to sprawl across spreadsheets, shared drives, and ticketing tools.

Depending on your environment, SecureSlate can help you:

  • Organize controls and evidence in one place for audit readiness
  • Maintain an SSP and boundary documentation with consistent structure
  • Track POA&M items with owners, due dates, and supporting evidence
  • Monitor control health over time so drift is caught early
  • Standardize reporting for leadership and assessment preparation

If you’re planning to pursue CMMC, the goal is simple: make compliance repeatable, evidence-driven, and easier to maintain year after year.


FAQ

When does CMMC become mandatory for all covered DoD contracts?

The DoD is rolling out CMMC in phases, with full implementation beginning Nov. 10, 2028 for covered solicitations and contracts, excluding COTS-only contracts.

What’s the difference between FCI and CUI?

FCI is contract-related information not intended for public release.

CUI is sensitive but unclassified government information with specific handling requirements.

Do all Level 2 organizations need a C3PAO assessment?

Not always.

Some contracts may allow a Level 2 self-assessment, while others require a C3PAO certification assessment.

Contract language and contracting officer guidance are the deciding factors.

What’s the fastest way to fail a CMMC assessment?

The most common failures are unclear scope (bad boundaries), missing documentation (especially SSP), and lack of evidence that controls are operating (not just written policies).

How should we start if we’re early and don’t have a DoD contract yet?

Define where FCI/CUI would live, build an asset inventory and data flow, run a gap assessment against the likely level you’ll need, and prioritize foundational controls (identity, logging, patching, backups, vendor governance).


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
