Draw New Business With This CMMC Compliance Checklist

If you work with the Department of Defense (DoD), meeting Cybersecurity Maturity Model Certification (CMMC) requirements is a must. CMMC safeguards controlled unclassified information (CUI) and ensures defense contractors meet strict security standards to maintain DoD contracts. Our CMMC compliance checklist can help you get started.

“The final rule took effect on December 16, 2024, with contracts adopting these requirements by mid-2025. Missing the mark on compliance could jeopardize your standing in the Defense Industrial Base (DIB).”

In this blog post, we’ll cover:

• The differences between CMMC and CMMC 2.0
• Level 1 CMMC checklist
• Level 2 CMMC checklist
• Level 3 CMMC checklist

Differences Between CMMC and CMMC 2.0

CMMC 1.0 was the original iteration of the Cybersecurity Maturity Model Certification. It introduced five distinct levels of maturity to categorize defense contractors based on their cybersecurity readiness. Each level required a specific set of practices, with the expectation that companies would undergo third-party audits to validate compliance.

CMMC 2.0 simplifies the compliance process while maintaining rigorous cybersecurity standards. By consolidating the five maturity levels into three (Foundational, Advanced, and Expert), it streamlines the framework and aligns more closely with established NIST standards.

CMMC 2.0 Levels Explained

When looking at your CMMC checklist, you need to keep the different levels in mind:

• Level 1 covers basic safeguarding for Federal Contract Information (FCI). It includes foundational practices aligned with 48 CFR 52.204-21, also known as the FAR Clause.
• Level 2 focuses on protecting Controlled Unclassified Information (CUI) and incorporates the 110 controls outlined in NIST SP 800-171.
• Level 3 targets organizations with highly sensitive data, requiring a subset of advanced practices from NIST SP 800-172.

CMMC Level 1 Checklist

CMMC Level 1 compliance focuses on basic safeguarding of FCI. To help you navigate this critical step, here’s a checklist covering key areas and practical actions.

Access Control

Control Access to Authorized Users, Processes, and Devices

• Identify and authorize users with access to systems.
• Verify processes acting on behalf of authorized users.
• Limit access to approved devices and systems.
• Maintain records of active and inactive accounts, ensuring access is disabled for terminated employees.
• Regularly audit access controls to ensure compliance.

Define and Limit Transaction and Function Access

• Specify which transactions and functions authorized users can execute.
• Restrict access to defined activities based on job roles.
• Review access logs and configuration settings to ensure alignment with policies.
• Conduct regular testing of access enforcement mechanisms.

Manage Connections to External Systems

• Identify all external system connections and their purpose.
• Verify and limit access to external systems, ensuring they comply with security requirements.
• Maintain clear terms and conditions for external system usage.
• Test systems to confirm proper controls are in place for external access.

Protect Publicly Accessible Information

• Identify individuals authorized to post content on public platforms.
• Develop and enforce procedures to prevent FCI from being posted on public systems.
• Establish a review process before content is published.
• Monitor publicly accessible systems regularly to ensure no FCI is present.
• Implement tools to remove improperly posted content quickly.

Document and Review Security Policies Regularly

• Maintain comprehensive access control and security policies.
• Ensure all relevant personnel are trained in security protocols.
• Perform regular reviews of policies, audit logs, and compliance records.

Identification and Authentication 

Identify System Users

• Maintain a clear and updated list of all authorized users.
• Verify that every user accessing your systems is uniquely identified.
• Audit user accounts regularly to ensure accuracy and prevent unauthorized access.

Identify Processes Acting on Behalf of Users

• Catalog and monitor all processes acting on behalf of users to ensure they align with authorized activities.
• Confirm that these processes operate within clearly defined roles and permissions.
• Regularly review and validate these processes to maintain system integrity.

Identify Devices Accessing Your Systems

• Keep an inventory of all devices connecting to your systems, including laptops, mobile devices, and servers.
• Verify that each device is authorized and meets your security standards.
• Monitor connections for unauthorized devices or anomalies that could indicate a breach.

Authenticate User Identities Before Granting Access

• Implement robust authentication protocols, such as multi-factor authentication, for all users.
• Ensure users verify their identity as a prerequisite to system access.
• Maintain logs of all authentication attempts to track access and detect potential threats.

Authenticate Processes Acting on Behalf of Users

• Verify the identity of processes acting on behalf of users before they execute system transactions.
• Utilize monitoring tools to ensure these processes align with authorized permissions.
• Test systems periodically to confirm authentication mechanisms are functioning effectively.

Authenticate Devices Before System Access

• Require all devices to verify their identity before connecting to organizational systems.
• Use secure mechanisms, such as certificates or device-specific tokens, for authentication.
• Conduct regular device audits to identify and address vulnerabilities.

Media Disposal

Securely handle FCI on physical and digital media.

• Sanitize or destroy media before disposal or reuse to eliminate sensitive data.
• Implement and document media sanitization policies aligned with industry best practices.
• Regularly verify that personnel responsible for media sanitization are trained and processes are followed.
• Maintain records of sanitization activities for audits and reviews.

Physical Protection 

Control and monitor physical access to critical systems and equipment.

• Limit access: Ensure only authorized individuals have access to systems, equipment, and operating environments.
• Visitor escorting: Always escort visitors and actively monitor their activities within restricted areas.
• Access logs: Maintain comprehensive logs of physical access events, including entry and exit data.
• Manage access devices: Identify and control access tools like keys, badges, and cards. Implement clear policies for issuing, returning, and revoking them.

Boundary Protection

Monitor and safeguard data exchanges at system boundaries.

• Define boundaries: Clearly identify external and key internal system boundaries.
• Control communication: Protect and control data flow at these boundaries with firewalls and other security tools.
• Public access separation: Physically or logically separate publicly accessible systems from internal networks using secure subnetworks.
• Regularly audit boundary protection mechanisms to ensure effectiveness.

System and Information Integrity

Maintain system security with robust integrity controls.

• Flaw remediation: Identify, report, and fix system flaws promptly. Set clear timelines for detection and resolution.
• Malicious code protection: Deploy protection mechanisms at designated locations to block harmful code.
• Update protection systems: Regularly update antivirus and other security tools to stay ahead of evolving threats.
• File scanning: Conduct frequent system scans and implement real-time scanning for files from external sources during downloads, execution, or transfer.

CMMC Level 2 Checklist

Here’s what you need to keep in mind for achieving Level 2 CMMC compliance. 

Access Control 

Ensure only authorized users and devices can access your systems.

• Identify and authenticate all system users and processes.
• Limit system access to approved devices and processes.
• Monitor and manage access continuously to maintain compliance.

Awareness and Training

Educate your team on security risks and policies.

• Provide role-based training to managers, admins, and users.
• Raise awareness of security risks tied to their responsibilities.
• Reinforce understanding of organizational policies and procedures.

Audit and Accountability

Monitor system activity and maintain logs for analysis.

• Define the types of events to be logged and their required content.
• Create and retain audit logs for unlawful or unauthorized system activity.
• Regularly review and analyze logs to identify potential risks.

Configuration Management

Keep systems secure with clear baselines.

• Establish and maintain baseline configurations for hardware, software, and firmware.
• Regularly review and update system configurations.
• Maintain an inventory of system components and ensure they align with baselines.

Identification and Authentication

Verify identities before granting system access.

• Identify users, processes, and devices accessing the system.
• Require authentication for all system users and connected devices.
• Regularly review authentication mechanisms for effectiveness.

Incident Response

Prepare for and respond to incidents effectively.

• Establish incident-handling processes, including preparation, detection, analysis, containment, and recovery.
• Train staff on incident response protocols.
• Regularly test and update response plans to ensure readiness.

Maintenance

Perform regular maintenance on systems.

• Schedule and document all maintenance activities.
• Use authorized personnel and secure tools to perform updates.
• Monitor maintenance activities for compliance with organizational policies.

Media Protection 

Safeguard sensitive information on all media.

• Physically control and securely store both paper and digital media containing CUI.
• Establish policies for media storage and handling.
• Regularly review storage practices for compliance.

Personnel Security

Screen individuals accessing sensitive systems.

• Conduct thorough background checks before granting system access.
• Reassess clearances periodically to ensure ongoing trustworthiness.
• Document screening processes for compliance reviews.

Physical Protection

Limit physical access to sensitive environments.

• Identify authorized personnel for physical access.
• Restrict access to systems, equipment, and operating environments.
• Use logs to monitor and review physical access activities.

Risk Assessment

Continuously evaluate and mitigate risks.

• Define how frequently risk assessments will occur.
• Identify potential risks to organizational assets, operations, and individuals.
• Document findings and implement risk mitigation measures.

Security Assessment

Review security controls regularly.

• Define the frequency for security control assessments.
• Test the effectiveness of controls to ensure they meet compliance standards.
• Use findings to refine and enhance security measures.

System and Communications Protection

Monitor and secure system boundaries.

• Define and protect external and internal system boundaries.
• Monitor and control communications at these boundaries.
• Use encryption and firewalls to protect transmitted data.

System and Information Integrity

Address vulnerabilities promptly.

• Identify and remediate system flaws within defined timeframes.
• Update malicious code protection mechanisms as new threats emerge.
• Conduct regular system scans and monitor files from external sources.

CMMC Level 3 Checklist

To achieve the highest level of CMMC compliance, take a look at the following checklist.

Access Control

• Identify organizationally owned or provisioned resources.
• Limit system and component access to authorized organizational resources.
• Continuously review access controls to ensure compliance.

Awareness and Training

• Train employees on recognizing social engineering and advanced persistent threats.
• Provide initial training at hire, following cyber incidents, and annually.
• Update training materials annually or when threats evolve.

Configuration Management

• Define approved and implemented system components.
• Create a trusted repository for system components and ensure its accuracy.
• Maintain and regularly update the repository throughout the system lifecycle.

Identification and Authentication

• Use cryptographic, replay-resistant authentication for systems and components.
• Authenticate all connections before establishing network communication.
• Regularly test authentication mechanisms to ensure security.

Incident Response

• Set up and maintain a 24/7 SOC capability with remote or on-call staff options.
• Monitor system activity continuously to detect and respond to threats.
• Regularly evaluate SOC effectiveness and update protocols as needed.

Personnel Security

• Identify individuals with CUI access and monitor for adverse developments.
• Define protocols for addressing adverse information about personnel.
• Implement safeguards to protect systems if personnel risk is identified.

Risk Assessment

• Use threat intelligence from open, commercial, or DoD sources in assessments.
• Inform system development, security architectures, and solution selection.
• Guide monitoring, threat hunting, and recovery efforts using updated threat insights.

Security Assessment

• Perform penetration tests annually or after major security changes.
• Use automated tools and expert-led tests to uncover vulnerabilities.
• Document findings and implement mitigation strategies for discovered risks.

System and Communications Protection

• Use physical, logical, or combined isolation methods to secure systems.
• Define and implement isolation techniques suited to organizational needs.
• Regularly test isolation protocols for effectiveness against evolving threats.

System and Information Integrity

• Identify security-critical and essential software.
• Use cryptographic signatures or root-of-trust mechanisms for verification.
• Continuously monitor and validate software integrity to prevent compromise.

Take the First Step Toward CMMC Compliance

Streamline your path to CMMC compliance and position your company for success in securing DoD contracts.

Why partner with Silent Sector for CMMC compliance and checking off the essentials of your CMMC audit checklist?

• Simplify complexity: Say goodbye to overwhelming compliance dashboards. Our experts break down the process into clear, actionable steps.
• Proven expertise: With experience working alongside the Department of Defense, we make sure you meet CMMC requirements effectively and efficiently.
• Tailored to what you’re looking for: Whether you need a gap assessment, audit prep, or a custom compliance strategy, we align with your specific CMMC level.
• Sustainable success: Build a repeatable, cost-effective cybersecurity program that supports your compliance goals and fuels business growth.

Schedule your free CMMC compliance consultation today.