CMMC certification checklist: get started (quick start)

by SecureSlate Team in CMMC

CMMC Certification: A checklist to get you started

If you plan to compete for Department of Defense (DoD) contracts, now is the time to get serious about CMMC certification.

After several years of updates, the Cybersecurity Maturity Model Certification (CMMC) program rule (32 CFR Part 170) was finalized in October 2024 to strengthen DoD cybersecurity requirements.

The DFARS acquisition rule took effect on November 10, 2025, kicking off a phased rollout of CMMC requirements across contracts over the next three years.

This checklist breaks down what CMMC means, which level you may need, and how to get certified without turning it into a last-minute scramble.

Key takeaways

  • CMMC has three levels based on the sensitivity of data you handle (FCI vs CUI).
  • Scope comes first: boundary, asset inventory, and data flows will shape your timeline and evidence burden.
  • Level 2 work maps to NIST SP 800-171 (110 requirements) and typically drives most programs.
  • POA&M is a plan, not a loophole: Level 1 generally requires full compliance at assessment; Level 2/3 may allow limited items that must close fast.
  • Maintenance is mandatory: annual affirmations and periodic assessments mean “point-in-time compliance” won’t hold.

What CMMC means for you

CMMC is a program designed to ensure defense contractors and subcontractors in the Defense Industrial Base (DIB) have cybersecurity controls in place to handle sensitive unclassified information safely.

What is the DIB?

The Congressional Research Service describes the DIB as the network of organizations, facilities, and resources that provides the U.S. government—especially the Department of Defense (DoD)—with defense-related materials, products, and services.


The three CMMC levels (and what data they protect)

Each CMMC level is tied to the type of data you process, store, or transmit—and the type of assessment you’ll need.

Level 1: Basic safeguarding of FCI

Level 1 focuses on protecting Federal Contract Information (FCI).

FCI is not intended for public release and can include contract details, work orders, communication records, or information created for a contractor to deliver a product or service.

Level 1 requires:

  • Annual affirmation and compliance with the 15 safeguarding requirements in FAR 52.204-21
  • Annual self-assessment entered in the Supplier Performance Risk System (SPRS)

Level 2: Broad protection of CUI

Level 2 focuses on protecting Controlled Unclassified Information (CUI).

CUI is sensitive government information that isn’t classified. What counts as CUI can vary, but common examples include PII, critical technology, software documentation, and performance evaluations.

Level 2 requires:

  • Annual affirmation and compliance with the 110 requirements in NIST SP 800-171 Rev. 2
  • A self-assessment (results entered in SPRS) or a C3PAO certification assessment (results recorded in CMMC eMASS), as the contract specifies, every three years

Level 3: Higher-level protection of CUI against APTs

Level 3 is for organizations handling extremely sensitive CUI and facing advanced persistent threats (APTs).

Level 3 requires:

  • Maintaining final Level 2 status via a C3PAO assessment every three years
  • A DCMA DIBCAC assessment every three years
  • Annual affirmation and compliance with 24 identified requirements from NIST SP 800-172

Note: Knowing the level you need is ultimately contract-driven. Your contracting officer can clarify expectations for current work—and solicitations will increasingly specify CMMC requirements as rollout phases progress.


CMMC rollout timeline (phases)

The DoD is rolling out CMMC in four phases. The goal is to reduce disruption by adding requirements incrementally.

  • Phase 1 (Nov. 10, 2025 – Nov. 9, 2026): applicable solicitations may require a Level 1 or Level 2 self-assessment
  • Phase 2 (Beginning Nov. 10, 2026): applicable solicitations may require Level 2 C3PAO certification
  • Phase 3 (Beginning Nov. 10, 2027): applicable solicitations may require Level 3 certification
  • Phase 4 / Full implementation (Beginning Nov. 10, 2028): CMMC becomes the default requirement for covered solicitations and contracts involving contractor systems that process, store, or transmit FCI or CUI, excluding COTS-only contracts

Even if you meet other federal requirements (for example, FedRAMP), that doesn’t automatically mean you meet CMMC requirements for DoD contracts.


Checklist: How to become CMMC certified

Use this checklist to plan your work from scoping to assessment to maintenance.

  1. Confirm which CMMC level your business needs
  2. Establish your CUI and FCI boundaries
  3. Perform a gap assessment
  4. Document your POA&M and SPRS score
  5. Execute remediation and collect evidence
  6. Conduct the assessment
  7. Maintain certification

Step 1: Confirm which CMMC level you need

Your first job is to determine which level and assessment type apply based on whether you handle FCI or CUI.

If you handle a mix of FCI and CUI, you must certify at the level that covers the most sensitive data in scope.

Checklist

  1. Inventory contracts and flows: where do FCI/CUI appear in your delivery?
  2. Confirm requirements with your contracting officer (for active contracts).
  3. Plan for solicitations to specify CMMC as rollout phases expand.
  4. If you’re pre-contract: run a self-assessment anyway to reduce future friction.

Step 2: Establish your FCI and CUI boundaries

After level selection, define what’s in scope. DoD calls this your CMMC Assessment Scope, and it determines exactly which assets an assessor will examine.

Level 1 FCI boundaries

Any asset that processes, stores, or transmits FCI is in scope, including people, technology, facilities, and external service providers (ESPs).

Assets outside that boundary are out of scope. Specialized assets are generally out of scope at Level 1.

Examples of specialized assets include government furnished equipment (GFE), operational technology (OT), and test equipment.

Level 2 CUI boundaries

Any asset that processes, stores, or transmits CUI is in scope, including people, technology, facilities, and ESPs.

Level 2 expands in-scope assets to:

  • Specialized assets (from Level 1)
  • Security protection assets (firewalls, EDR, vulnerability scanners, SIEM/logging, identity/MFA)
  • Contractor risk-managed assets (assets that shouldn’t handle CUI but technically could, like laptops on networks with CUI systems)

Level 3 CUI boundaries

Level 3 expands scope further. Specialized assets, security protection assets, and contractor risk-managed assets are in scope whether or not they process, store, or transmit CUI.

Pro tip: diagram boundary + data flows

  • Create a boundary diagram (network and environment boundaries)
  • Build an asset inventory (label each asset category)
  • Map FCI/CUI data flows (where it enters, where it lives, where it exits)

This reduces pre-assessment thrash and makes evidence easier to defend.


Step 3: Perform a gap assessment

With boundaries defined, run a gap assessment to find what won’t pass—and what to prioritize.

Checklist

  • Document existing controls and map them to CMMC objectives (including SSP treatment).
  • Identify controls not yet satisfied and capture why (missing design vs missing operation vs missing evidence).
  • Prioritize gaps by risk and dependency (identity + access and asset visibility usually unblock everything else).

Output to produce

  • A gap register (requirement → status → owner → remediation action → evidence expectation)
  • An updated SSP that matches your scope and boundary diagrams

Step 4: Document your POA&M and SPRS score

Your POA&M turns gaps into a plan with owners, deadlines, and measurable completion criteria.

Checklist

  1. Write a POA&M that includes priority, owner, resources, due date, and “done” definition.
  2. Track dependencies (policy before training; tooling before evidence; identity before access reviews).
  3. Prepare your SPRS scoring work as part of readiness.

Supplier Performance Risk System (SPRS)

SPRS helps the government understand how well a contractor protects sensitive data.

The score ranges from -203 to +110. A score of 110 means every NIST SP 800-171 requirement is implemented; each unmet requirement subtracts a weight of 1, 3, or 5 points according to its impact, with partial credit (a 3-point deduction instead of 5) available only for MFA (3.5.3) and FIPS-validated cryptography (3.13.11). You enter the score, the assessment date, and the date by which you expect to reach 110 in SPRS alongside your System Security Plan.
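The gap register from Step 3 and the SPRS score above are two views of the same data, so the following added example (written for this article, not a SecureSlate tool or DoD-published code) scores a register the way the DoD Assessment Methodology does and then applies the Level 2 POA&M eligibility rules from 32 CFR 170.21: a floor of 88 points, no open 5-point deductions other than 3.13.11 at partial credit, and five 1-point requirements that may never be placed on a POA&M. The register rows, owners, and evidence strings are constructed sample data; the per-requirement point values are loaded as input and should be checked against the current methodology before you rely on a result.

```python
"""Score a Level 2 gap register the way SPRS scoring works and check POA&M eligibility.

Added example for this article; it is not the article's own tooling or any
SecureSlate product code. Assumptions: point values follow the DoD NIST SP
800-171 Assessment Methodology (each requirement weighs 1, 3 or 5 points, with
partial credit only for 3.5.3 and 3.13.11), and the POA&M rules follow 32 CFR
170.21 (score of at least 88, no open 5-point deductions other than 3.13.11 at
partial credit, and five named 1-point requirements never eligible). Check the
weights you load against the current methodology before relying on a result.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88  # 80% of 110: the floor for Conditional Level 2 status

# The only two partial-credit cases: MFA covering remote and privileged users
# but not general users (3.5.3), and encryption in use that is not FIPS-validated
# (3.13.11). Each deducts 3 instead of the full 5.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that 32 CFR 170.21 excludes from a POA&M regardless of score.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass
class GapEntry:
    """One row of the gap register: requirement -> status -> owner -> action -> evidence."""
    req: str          # NIST SP 800-171 Rev. 2 identifier, e.g. "3.5.3"
    points: int       # 1, 3 or 5 from the DoD methodology
    status: str       # "met", "partial" or "not_met"
    owner: str = ""
    action: str = ""
    evidence: str = ""


def deduction(entry: GapEntry) -> int:
    """Points subtracted for this entry; 'partial' earns credit only for the two exceptions."""
    if entry.status == "met":
        return 0
    if entry.status == "partial":
        # Any other partially implemented requirement scores as NOT MET.
        return PARTIAL_CREDIT_DEDUCTION.get(entry.req, entry.points)
    if entry.status == "not_met":
        return entry.points
    raise ValueError(f"{entry.req}: unknown status {entry.status!r}")


def sprs_score(register: list[GapEntry]) -> int:
    """110 minus the weighted deductions; -203 is the floor when nothing is implemented."""
    return MAX_SCORE - sum(deduction(e) for e in register)


def poam_eligible(register: list[GapEntry]) -> tuple[bool, list[str]]:
    """Apply the Level 2 conditional-status rules; return (eligible, blocking reasons)."""
    reasons = []
    score = sprs_score(register)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} floor")
    for e in register:
        d = deduction(e)
        if d == 0:
            continue
        if e.req in NEVER_ON_POAM:
            reasons.append(f"{e.req} may never be placed on a POA&M")
        elif d == 5:
            # 3.13.11 at partial credit deducts 3, so it passes this check by design.
            reasons.append(f"{e.req} is an open 5-point requirement")
    return (not reasons, reasons)


# Constructed sample register (not real assessment data); owners and evidence
# are placeholders showing the columns the article recommends.
SAMPLE_REGISTER = [
    GapEntry("3.1.1", 5, "met", "IT", "", "IdP group export 2025-Q3"),
    GapEntry("3.1.5", 3, "met", "IT", "", "PAM role matrix"),
    GapEntry("3.5.3", 5, "partial", "IAM", "roll MFA out to all users", "MFA coverage report"),
    GapEntry("3.13.11", 5, "partial", "Infra", "move VPN to FIPS-validated module", "CMVP cert"),
    GapEntry("3.3.3", 1, "not_met", "SecOps", "schedule weekly log review", ""),
    GapEntry("3.13.16", 1, "not_met", "Infra", "enable disk encryption on file server", ""),
]

# Same register plus two entries that block a POA&M: a never-eligible 1-point
# item and a fully unimplemented 5-point boundary requirement.
BLOCKED_REGISTER = SAMPLE_REGISTER + [
    GapEntry("3.1.20", 1, "not_met", "Infra", "document external connections", ""),
    GapEntry("3.13.1", 5, "not_met", "Infra", "deploy boundary firewall", ""),
]

if __name__ == "__main__":
    for name, reg in (("sample", SAMPLE_REGISTER), ("blocked", BLOCKED_REGISTER)):
        ok, why = poam_eligible(reg)
        print(f"{name}: SPRS score {sprs_score(reg)}, POA&M eligible: {ok}", *why, sep="\n  ")
```

Keeping the weight on each register row rather than in a hard-coded table is deliberate: the register is what you maintain anyway, and it keeps the script honest when the methodology or your scope changes. Note that a 5-point requirement cannot be carried on a POA&M at all, so the remediation waves in Step 5 should clear those first.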


Step 5: Execute remediation (and collect evidence)

Remediation succeeds when you treat it like delivery—not a vague intention.

Checklist

  1. Work in waves: close the highest-risk, highest-dependency controls first.
  2. Operationalize controls: ensure controls run continuously, not “configured once.”
  3. Collect evidence as you go: exports, tickets, logs, approvals, training records, and review artifacts.
  4. Validate “done” as implemented + operating + evidenced.

Step 6: Conduct the assessment

If steps 1–5 are complete, the assessment should be a confirmation—not a surprise.

Level 1 assessment (self-assessment)

Checklist

  • Compile evidence (policies, procedures, training, planning docs).
  • Interview and test to confirm controls match reality.
  • Enter results in SPRS; at Level 1 every requirement must be MET or Not Applicable, because POA&Ms are not permitted.

Level 2 assessment (self-assessment or C3PAO)

Checklist

  • Confirm contract assessment type (self vs C3PAO).
  • Prepare sampling (users, systems, tickets, and recurring reviews).
  • If POA&M items are permitted, you receive Conditional status and must close them within 180 days to reach Final status.

Level 3 assessment (C3PAO + DIBCAC)

Checklist

  • Achieve final Level 2 via a C3PAO assessment.
  • Prepare for the DIBCAC assessment and the deeper scrutiny tied to the Level 3 requirements.
  • Close any permitted POA&M items within 180 days.

Step 7: Maintain certification

CMMC isn’t “one and done.” Annual affirmations and recurring assessments mean programs must stay healthy.

Checklist

  1. Run annual affirmations on schedule.
  2. Keep evidence fresh (access reviews, vuln scans, patch reports, logging, incident workflows).
  3. Monitor control drift as environments change.
  4. Plan the next assessment cycle early (scope changes are where teams get surprised).

Assessment cadence

  • Level 1: annual self-assessment in SPRS + annual affirmation
  • Level 2: annual affirmation; assessment every three years (self or C3PAO per contract)
  • Level 3: annual affirmation; C3PAO (Level 2) every three years + DIBCAC every three years

FAQ: CMMC certification checklist

How do I know whether I need Level 1, 2, or 3?

Start with the data you handle: FCI pushes you toward Level 1, while CUI usually requires Level 2 or 3 depending on contract sensitivity and requirements.

What’s the biggest mistake teams make?

Skipping scope work. Without boundaries, asset inventory, and data flows, evidence becomes inconsistent and assessments drag.

Can we “inherit” controls from vendors or cloud providers?

Sometimes. You’ll still need to document what you inherit, what remains your responsibility, and how you verify it over time.

How long does CMMC prep take?

It depends on maturity and scope size. Teams with strong identity, device management, logging, and policies move faster than teams doing foundational work.

What should we do first if we’re starting from scratch?

Define scope, build an asset inventory, map data flows, and assign owners. Those four steps reduce rework more than any tool purchase.


Streamline CMMC readiness with SecureSlate

The hardest part of CMMC is rarely “knowing the controls.” It’s keeping scope, owners, evidence, and timelines aligned as the business changes.

SecureSlate helps you move faster by:

  • Centralizing controls and evidence so artifacts are easy to find, refresh, and defend
  • Tracking POA&M items with owners and deadlines so remediation doesn’t stall
  • Keeping compliance visible so leadership can see gaps and progress in one place
  • Staying audit-ready year-round to reduce pre-assessment fire drills

A note from SecureSlate: SecureSlate is not a law firm, and this article does not constitute legal advice. Consult a licensed attorney for legal guidance.

