
# CMMC 2.0 Compliance Checklist: A Step-by-Step Guide for Government Contractors

SecureMe247 · 10 min read
If your business handles Department of Defense contracts, CMMC 2.0 isn't something you can put off anymore. The Cybersecurity Maturity Model Certification is now a firm requirement in DFARS clauses, and contractors across Northern Virginia and the greater DMV are racing to achieve compliance before their next contract award.

This guide breaks down every CMMC 2.0 requirement into an actionable checklist. Whether you're pursuing Level 1 self-assessment or preparing for a Level 2 C3PAO audit, this is your roadmap.

## CMMC 2.0 at a Glance

The updated framework streamlined the original five levels into three:

| Level | Name | Practices | Assessment | Who Needs It |
|-------|------|-----------|------------|--------------|
| 1 | Foundational | 17 | Self-assessment | Contractors handling FCI |
| 2 | Advanced | 110 | C3PAO (or self-assessment for select programs) | Contractors handling CUI |
| 3 | Expert | 110+ | Government-led | High-value CUI programs |

The vast majority of DMV contractors will need Level 2. Let's walk through the 14 domains that make up the 110 practices.

## Domain 1: Access Control (AC)

**Purpose**: Limit system access to authorized users and processes.

- [ ] Implement role-based access control (RBAC) across all systems handling CUI
- [ ] Require unique user identification—no shared accounts
- [ ] Enforce least privilege principles for all user and service accounts
- [ ] Implement MFA for all local and network access to CUI systems
- [ ] Control remote access sessions with encryption and session timeouts
- [ ] Review and re-certify access rights at least annually
- [ ] Implement automated session lock after 15 minutes of inactivity
- [ ] Restrict wireless access to CUI systems with WPA3 or equivalent
- [ ] Control mobile device access to CUI with MDM policies

**Common gap**: Many contractors have MFA on email but not on VPN, RDP, or internal applications hosting CUI. All access paths to CUI require MFA.

## Domain 2: Awareness and Training (AT)

**Purpose**: Ensure personnel are trained to carry out their IT security duties.

- [ ] Develop a security awareness training program covering CUI handling requirements
- [ ] Conduct training at hire and annually thereafter
- [ ] Include role-based training for IT staff, system administrators, and security personnel
- [ ] Train all users on recognizing and reporting phishing and social engineering
- [ ] Document training completion and maintain records for assessment
- [ ] Update training content when significant threats or policy changes occur

## Domain 3: Audit and Accountability (AU)

**Purpose**: Create, protect, and retain audit logs for monitoring and investigation.

- [ ] Configure audit logging on all systems processing CUI
- [ ] Log successful and failed login attempts, privilege use, and system changes
- [ ] Centralize log collection in a SIEM or log management platform
- [ ] Protect audit logs from unauthorized access and modification
- [ ] Retain audit logs for at least 90 days online and 12 months archived
- [ ] Review audit logs at least weekly—automated alerting preferred
- [ ] Correlate audit events across systems to detect coordinated attacks

**Pro tip**: Your SIEM doesn't have to be expensive. Solutions like Microsoft Sentinel (pay-per-ingest), Wazuh (open source), or managed SIEM services all satisfy this requirement.

## Domain 4: Configuration Management (CM)

**Purpose**: Establish and maintain secure configurations.

- [ ] Develop and document baseline configurations for all CUI systems
- [ ] Implement change control procedures for system modifications
- [ ] Restrict authorized software—maintain an approved software list
- [ ] Apply security-relevant software restrictions and version controls
- [ ] Document and control all changes to CUI system configurations
- [ ] Scan for unauthorized software and configuration drift monthly

## Domain 5: Identification and Authentication (IA)

**Purpose**: Verify user identity before granting access.

- [ ] Authenticate all users accessing CUI systems with unique credentials
- [ ] Enforce password policies: minimum 12 characters, complexity, 60-day rotation (or move to passwordless)
- [ ] Implement MFA for all CUI system access (local, network, and remote)
- [ ] Centrally manage identities through Active Directory or equivalent
- [ ] Implement account lockout after 3-5 failed attempts
- [ ] Disable accounts within 24 hours of employee termination or role change

## Domain 6: Incident Response (IR)

**Purpose**: Detect, respond to, and recover from cybersecurity incidents.

- [ ] Develop a documented incident response plan covering CUI system breaches
- [ ] Define roles and responsibilities for the incident response team
- [ ] Implement automated incident detection through SIEM, EDR, and NDR
- [ ] Establish procedures for reporting incidents to the DoD within 72 hours
- [ ] Conduct annual incident response tabletop exercises
- [ ] Test the IR plan with simulated incidents at least annually
- [ ] Document lessons learned after each incident and update the plan accordingly

## Domain 7: Maintenance (MA)

**Purpose**: Perform system maintenance securely.

- [ ] Schedule and document all system maintenance activities
- [ ] Control and monitor remote maintenance sessions
- [ ] Verify maintenance personnel have appropriate authorization and clearances
- [ ] Sanitize media before and after maintenance involving CUI
- [ ] Require maintenance personnel to follow your security policies

## Domain 8: Media Protection (MP)

**Purpose**: Protect CUI on physical and digital media.

- [ ] Control access to CUI on all media types (USB, HDD, optical, paper)
- [ ] Sanitize or destroy media before disposal or reuse (NIST SP 800-88 standards)
- [ ] Mark CUI media with appropriate handling labels
- [ ] Track and account for all CUI media throughout its lifecycle
- [ ] Encrypt CUI on portable media and mobile devices

## Domain 9: Personnel Security (PS)

**Purpose**: Screen personnel before granting CUI access.

- [ ] Conduct background screening appropriate to the CUI classification level
- [ ] Verify employment history and references for personnel with CUI access
- [ ] Implement personnel security policies for contractors and third-party staff
- [ ] Re-screen personnel when circumstances warrant (e.g., position change)
- [ ] Ensure terminated personnel lose all CUI system access within 24 hours

## Domain 10: Physical Protection (PE)

**Purpose**: Limit physical access to CUI systems.

- [ ] Control physical access to facilities and rooms housing CUI systems
- [ ] Escort visitors and maintain visitor logs in CUI areas
- [ ] Secure CUI output devices (printers, displays) from unauthorized viewing
- [ ] Monitor physical access with logging and CCTV where appropriate
- [ ] Implement emergency power and environmental controls for CUI systems

## Domain 11: Risk Assessment (RA)

**Purpose**: Assess and manage cybersecurity risks.

- [ ] Conduct a formal risk assessment of CUI systems at least annually
- [ ] Scan for vulnerabilities at least monthly and after significant changes
- [ ] Remediate critical and high vulnerabilities within 30 and 90 days respectively
- [ ] Document risk assessments and track risk remediation to closure
- [ ] Monitor for new threats and vulnerabilities affecting your environment

## Domain 12: Security Assessment (CA)

**Purpose**: Periodically assess security controls.

- [ ] Develop and implement a security assessment plan
- [ ] Assess all 110 security practices at least annually
- [ ] Produce a Plan of Action and Milestones (POA&M) for any gaps
- [ ] Track POA&M items to closure with target dates and responsible parties
- [ ] Validate remediated controls through re-assessment

## Domain 13: System and Communications Protection (SC)

**Purpose**: Protect CUI during transmission and at rest.

- [ ] Encrypt CUI in transit using TLS 1.2+ or IPsec
- [ ] Encrypt CUI at rest using AES-256 or equivalent
- [ ] Implement network boundaries and traffic filtering between CUI and non-CUI systems
- [ ] Protect against denial-of-service attacks with redundancy and rate limiting
- [ ] Separate public-facing systems from CUI systems architecturally
- [ ] Implement boundary protection with next-generation firewalls

## Domain 14: System and Information Integrity (SI)

**Purpose**: Identify and correct system flaws.

- [ ] Update systems with security-relevant patches within 30 days of release
- [ ] Implement malware protection on all systems with CUI access
- [ ] Scan for and remove malicious code (EDR preferred over traditional AV)
- [ ] Monitor system security alerts and advisories
- [ ] Perform code review and vulnerability testing for custom applications

## Preparing for Your C3PAO Assessment

For Level 2, you'll face a formal assessment by a CMMC Third-Party Assessment Organization. Here's how to prepare:

1. **Conduct a gap assessment first**: Hire a Registered Practitioner (RP) to evaluate your current posture against all 110 practices before the formal assessment.
2. **Document everything**: Assessors want to see policies, procedures, configurations, training records, and audit logs. If it's not documented, it didn't happen.
3. **Remediate all gaps before scheduling**: Failed assessments are visible to the DoD and can affect contract eligibility.
4. **Practice the assessment process**: Walk through each domain with your IT and security teams. Can they demonstrate each practice when asked?

## DMV-Specific Considerations

Government contractors in Northern Virginia face unique challenges:

- **Speed of requirement changes**: With the Pentagon and defense agencies nearby, compliance requirements shift quickly. Stay connected with your contracting officer.
- **Hybrid workforce security**: Many cleared personnel work from home in NoVA. Ensure home networks meet the same security standards as office environments.
- **Supply chain risk**: Your subcontractors also need to meet CMMC requirements. Include flow-down clauses in your vendor agreements.

## Next Steps

CMMC 2.0 compliance is a significant undertaking, but it's also an opportunity to build a genuinely secure environment. The 110 practices aren't arbitrary—they represent the minimum standard for protecting sensitive government information.

If you need help navigating the compliance process—from gap assessments to remediation to assessment preparation—SecureMe247 specializes in helping DMV contractors achieve and maintain CMMC certification.

[Schedule a CMMC readiness assessment](/book/) and take the first step toward compliance with confidence.
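The Domain 3 item "correlate audit events across systems to detect coordinated attacks" and the Domain 5 lockout threshold (3-5 failed attempts) are easier to picture with a concrete detection. The following is an added example written for this article, not SecureMe247's code or tooling: it parses centralized, syslog-style login events from several hosts, groups failures by source address, and raises an alert when a source produces a burst of failures across two or more hosts inside a time window. The log format, host names, addresses, and the `correlate_logins` function are all constructed for illustration; a real SIEM rule would be adapted to your actual log schema.

```python
"""Correlate failed-login events across hosts (CMMC AU/IA illustration)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-like shape; not taken from any real system.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z host-a sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:04Z host-b sshd: Failed password for admin from 203.0.113.7
2024-05-01T09:00:09Z host-c rdp: Failed logon for admin from 203.0.113.7
2024-05-01T09:00:15Z host-a sshd: Failed password for root from 203.0.113.7
2024-05-01T09:00:20Z host-b sshd: Accepted password for admin from 203.0.113.7
2024-05-01T09:30:00Z host-a sshd: Failed password for jdoe from 198.51.100.5
2024-05-01T11:30:00Z host-a sshd: Accepted password for jdoe from 198.51.100.5
"""

# Assumed line layout: "<timestamp> <host> <service>: <Failed|Accepted> <word> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+): "
    r"(?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a login event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate_logins(lines, window=timedelta(minutes=10), threshold=3):
    """Return one alert per source address whose failures exceed `threshold`
    within `window` and touch at least two distinct hosts.

    The threshold defaults to 3, the low end of the checklist's 3-5 lockout
    range; a single host's lockout would not see a spray spread across hosts,
    which is exactly why the correlation must happen centrally."""
    events = [e for e in map(parse_line, lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        # Slide the window from each failure; report the first qualifying burst.
        for i, first in enumerate(failures):
            end = first["ts"] + window
            burst = [f for f in failures[i:] if f["ts"] <= end]
            hosts = {f["host"] for f in burst}
            if len(burst) >= threshold and len(hosts) >= 2:
                # A success from the same source inside the window is the
                # higher-priority signal: a guess may have landed.
                success = any(e["outcome"] == "Accepted" and first["ts"] <= e["ts"] <= end
                              for e in evs)
                alerts.append({
                    "source": src,
                    "first_seen": first["ts"].isoformat(),
                    "failures": len(burst),
                    "hosts": hosts,
                    "users": {f["user"] for f in burst},
                    "success_after_failures": success,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed sample, the source 203.0.113.7 trips the rule (four failures across three hosts in 14 seconds, followed by a successful logon), while the single failure from 198.51.100.5 does not. The "success after failures" flag is what turns a noisy brute-force alert into an incident that needs the Domain 6 response plan.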
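Domains 11, 12 and 14 together describe a remediation-tracking loop: fixed deadlines per severity (critical 30 days, high 90 days, security patches 30 days), a POA&M for anything still open, and each item tracked to closure with a target date and a responsible party. The block below is an added example, not SecureMe247's tool or template, showing that loop as code: it derives target dates from the checklist's SLAs, classifies each finding, and produces the POA&M rows an assessor would expect to see. The `Finding` record, the sample findings and the owner names are constructed for illustration.

```python
"""Remediation SLA tracking and POA&M generation (CMMC RA/CA/SI illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines from the checklist: critical within 30 days, high within 90 days.
# Lower severities carry no fixed deadline in the checklist, so they get none here.
SLA_DAYS = {"critical": 30, "high": 90}


@dataclass
class Finding:
    finding_id: str
    severity: str            # "critical", "high", "medium", "low"
    discovered: date         # scan date the finding was first reported
    owner: str               # responsible party, mandatory on the POA&M
    closed: Optional[date] = None


def due_date(f):
    """Target date implied by the SLA table, or None when no SLA applies."""
    days = SLA_DAYS.get(f.severity.lower())
    return f.discovered + timedelta(days=days) if days is not None else None


def status(f, today):
    """Classify a finding relative to its SLA as of `today`."""
    due = due_date(f)
    if f.closed is not None:
        return "closed-on-time" if due is None or f.closed <= due else "closed-late"
    if due is None:
        return "open-no-sla"
    return "overdue" if today > due else "open"


def build_poam(findings, today):
    """POA&M rows for every unclosed finding, most overdue first."""
    rows = []
    for f in findings:
        if f.closed is not None:
            continue
        due = due_date(f)
        rows.append({
            "id": f.finding_id,
            "severity": f.severity,
            "owner": f.owner,
            "target_date": due,
            "status": status(f, today),
            "days_past_due": max(0, (today - due).days) if due else 0,
        })
    rows.sort(key=lambda r: (-r["days_past_due"], r["id"]))
    return rows


def summary(findings, today):
    """Count findings by status; useful as the weekly metric for the RA domain."""
    counts = {}
    for f in findings:
        s = status(f, today)
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample findings; not from any real scan.
SAMPLE = [
    Finding("VULN-001", "critical", date(2024, 3, 1), "sysadmin", closed=date(2024, 3, 20)),
    Finding("VULN-002", "critical", date(2024, 4, 1), "sysadmin"),
    Finding("VULN-003", "high", date(2024, 2, 15), "appsec", closed=date(2024, 6, 1)),
    Finding("VULN-004", "high", date(2024, 4, 20), "netops"),
    Finding("VULN-005", "medium", date(2024, 4, 25), "netops"),
]
TODAY = date(2024, 5, 15)

if __name__ == "__main__":
    for row in build_poam(SAMPLE, TODAY):
        print(row)
    print(summary(SAMPLE, TODAY))
```

Run against the sample on 2024-05-15, VULN-002 (critical, found April 1) is 14 days past its 30-day target and heads the POA&M; VULN-003 was closed, but after its 90-day window, which the "closed-late" status keeps visible so the pattern is not lost at re-assessment. Patches covered by the Domain 14 item can be fed through the same tracker by recording them as critical findings dated from the patch release.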
