See how top teams stay future-ready for audits. 🚀
Go back to blogs

CMMC compliance checklist: Essential steps, documentation

Last updated on
December 16, 2025
5
min. read

If your organization is navigating the vast landscape of the Defense Industrial Base (DIB), you've likely encountered the gatekeeper of government contracts: the Cybersecurity Maturity Model Certification (CMMC). This isn't just another compliance hoop; it’s the Department of Defense’s (DoD’s) essential map for protecting highly sensitive data, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), from the sharpest threats out there. Think of it as gearing up for an expedition into secure territory.

The good news for fellow explorers? The CMMC 2.0 framework has significantly streamlined the journey. It trades the complexity of the original five levels for three clear, manageable tiers: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Level 2 implements all 110 requirements of NIST SP 800-171; Level 3 adds selected NIST SP 800-172 requirements and is assessed by the DoD’s DIBCAC. This framework shift invites us to move beyond mere checklists and adopt a truly mature, documented approach to security.

So, let's unpack this journey together. This guide is your essential field manual, drawn straight from official sources, to chart the essential steps and documentation required. We’ll delve into the core artifacts, the System Security Plan (SSP) and Plan of Action & Milestones (POA&M), that prove you haven't just visited the security controls, but have truly made them a part of your operational map. Let's begin our exploration!

CMMC compliance roadmap: The foundational steps

This checklist provides a structured, multi-step approach for defense contractors (DIB) seeking compliance with the CMMC 2.0 framework. Successfully navigating CMMC requires a clear strategy, precise documentation, and the systemic implementation of robust security practices as mandated by the DoD. These initial steps focus on defining your scope and regulatory requirements, which are essential prerequisites for any successful CMMC assessment.

I. Phase I: Initial planning and scoping 

These foundational steps define what you need to protect and where those protections must be applied.

Step 1: Identify and classify contract data (FCI and CUI)

The foundation of any CMMC compliance effort is the precise identification and classification of all sensitive data received from or created for the DoD. This classification determines the regulatory obligations and, subsequently, the required CMMC maturity level. Compliance begins with a precise identification of sensitive contract information.

Data classification Definition Applicable security requirements
Federal Contract Information (FCI) Information, not intended for public release, that is provided by or generated for the government under a contract. Subject to the 15 security controls of FAR Clause 52.204-21.
Controlled Unclassified Information (CUI) Government information requiring safeguarding or dissemination controls pursuant to law, regulation, or government policy. Subject to the 110 security requirements of NIST SP 800-171.

Data flow analysis: Document how CUI enters your environment, where it is stored, how it is processed, and where it is transmitted (the "CUI Flow"). This is essential for scoping the boundary in Step 3.

Step 2: Establish the required CMMC maturity level

Based directly on the data identified in Step 1, the organization must establish the required CMMC maturity level as defined in the contract solicitation. This defines the security practices required and the necessary assessment path.

CMMC level Security focus Assessment type Frequency
Level 1 (Foundational) Basic cyber hygiene to protect FCI. Self-assessment Annually (submission to SPRS)
Level 2 (Advanced) Protection of CUI based on NIST SP 800-171. C3PAO assessment
Self-assessment (contract dependent) 		Third-party certification every 3 years + annual affirmation
Self-assessment every 3 years + annual affirmation in SPRS
Level 3 (Expert) Protection of CUI against advanced persistent threats (APTs). Government-led assessment (by DIBCAC) Triennially + annual affirmation

Assessment path clarity for level 2: Organizations seeking Level 2 must verify the specific assessment type required by their contract. Contracts involving higher-priority or more sensitive CUI will mandate a triennial assessment by a Certified Third-Party Assessment Organization (C3PAO), while others may permit a self-assessment.

Step 3: Define the assessment boundary (scoping)

Once the required level is established, the next critical task is defining the CMMC Assessment Scope, a process often referred to as scoping. This strategic action formally defines the perimeter of your assessment, focusing evaluation solely on the systems, networks, and assets that process, store, or transmit CUI or FCI. Effective scoping is vital for concentrating resources precisely where they are needed, thereby optimizing the assessment process.

For Level 2, all in-scope assets must be categorized as follows:

  1. CUI assets: Systems and devices that directly handle CUI. These systems must meet all applicable CMMC requirements.
  2. Security protection assets (SPAs): Assets that provide security services to CUI assets, such as authentication servers, firewalls, and SIEM tools. They are in scope.
  3. Contractor risk managed assets (CRMAs): Assets that connect to the CUI environment but are not intended to process CUI. CRMAs are documented and typically receive limited checks; they’re not required to be physically or logically separated from CUI assets.
  4. Out-of-scope assets: Assets that are physically or logically separated from all in-scope assets and CUI data flow. For Out-of-Scope assets, there’s no set documentation requirement, but be prepared to justify why they cannot handle CUI.

Key action: A robust Data Flow Diagram (DFD) that visually maps how FCI or CUI is received, stored, processed, and transmitted is the indispensable starting point. Leveraging this diagram allows you to build the technical foundation for all subsequent administrative documentation.

With the foundational scope now clearly defined, the strategic phase is complete. The next critical stage on this compliance journey involves diving into the core administrative documentation. This mandatory requirement transforms your defined scope into an auditable reality for the CMMC assessment.

CMMC compliance checklist: Phase II (Documentation to certification)

This checklist begins immediately after your organization has:

  1. Identified CUI/FCI.
  2. Defined the required CMMC Level (e.g., Level 2).
  3. Scoped the compliance boundary.

Step 4: Develop the documentation suite

Documentation is the foundation of your compliance effort. An assessor will use these documents to understand how your system operates before ever looking at a technical control.

A. System Security Plan (SSP)

The SSP is the most critical document. It provides a formal overview of your CUI environment, detailing how you meet each of the CMMC practices.

  • Structure: Ensure the SSP explicitly addresses all 110 NIST SP 800-171/CMMC Level 2 practices.
  • Narrative: For each practice, describe the specific policies, procedures, tools, and processes you use within your scope to satisfy the requirement.
  • Roles and responsibilities: Clearly define who is responsible for maintaining the security of the system (e.g., the System Owner, Information System Security Manager).

B. Policies and procedures

These documents formalize your security stance and guide employee actions.

  • Policies: High-level statements of management intent (e.g., "All users shall use multi-factor authentication").
  • Procedures: Detailed, step-by-step instructions for employees on how to execute a specific task (e.g., "Procedure for resetting a password using MFA").
  • Review & approval: Ensure all policies are reviewed and formally approved by management.

Step 5: Adopt and implement a secure platform

This is the technical phase where you deploy and configure the necessary controls within your defined compliance boundary.

A. Platform selection

  • Secure environment: Utilize platforms that meet DoD requirements for handling CUI, such as Microsoft GCC High or an equivalent dedicated cloud environment.
  • Configuration: Ensure all in-scope systems (servers, workstations, cloud services) are configured according to security baselines (e.g., CIS Benchmarks).

B. Technical controls implementation

  • Full deployment: Deploy tools and services that enforce the 110 CMMC practices, including:
    • Multi-Factor Authentication (MFA) for remote and privileged access.
    • Security Information and Event Management (SIEM) for log aggregation.
    • Advanced endpoint detection and response (EDR).
  • Continuous monitoring: Establish processes to continuously audit and monitor system activity, ensuring that security controls remain operational and effective over time.

Step 6: Conduct a comprehensive gap assessment (Self-assessment/Mock audit)

Before involving a C3PAO, you must internally validate your security posture against the NIST SP 800-171A assessment methodology.

A. The assessment methodology

For every single CMMC practice, the assessment must confirm three critical maturity factors:

  1. Documentation: Is the control formally described in the SSP, policies, and procedures?
  2. Implementation: Has the control been deployed across the in-scope systems?
  3. Institutionalization: Is the control actively performed, repeatable, and consistently documented with sufficient evidence (artifacts)?

B. Validation and scoring

The self-assessment's output determines your official score.

  • Scoring: Assessors verify that each requirement is implemented correctly, works as intended, and meets the NIST 800-171A assessment objectives. Requirements are weighted at 1, 3, or 5 points based on criticality. A perfect score is 110 points (zero deficiencies). Missed requirements deduct points from that score. Conditional status allows a limited POA&M, but it must be closed within 180 days.
  • SPRS submission: The final score must be entered into the Supplier Performance Risk System (SPRS). This submission is mandatory for bidding on DoD contracts.
  • Gap documentation: All practices that score less than 100% must be formally documented in your Plan of Action and Milestones (POA&M).

Step 7: Create and execute the POA&M

The POA&M is the remediation plan for the gaps identified in your self-assessment.

A. Prioritization and remediation

  • Focus: Prioritize closing gaps related to the most critical requirements first.
  • CMMC rule: While most CMMC Level 2 requirements must be fully implemented to pass the final certification, a limited number of non-FAR controls can be left on the POA&M provided they are addressed within 180 days after the C3PAO assessment.

B. Artifact Collection

  • Evidence: As you close out each item on the POA&M, capture new evidence (e.g., screenshots of configuration changes, updated procedures, training logs) to demonstrate that the control is now fully operational.

Step 8: Select C3PAO and prepare for assessment

This step focuses on selecting your assessor and ensuring you are audit-ready to avoid delays and extra costs.

  • Selection: Select a C3PAO. This organization is responsible for conducting your official audit.
  • Readiness review: A successful final internal or mock audit (often performed by a C3PAO-affiliated Registered Practitioner) is strongly advised before the official engagement. This preemptive audit helps identify and close any remaining gaps to prevent costly audit failures.

Step 9: Complete CMMC Assessment and Certification

This is the final push, the official audit, and the issuance of your CMMC certificate.

  • The audit: The C3PAO performs the official audit, reviewing all documentation (SSP, POA&M), examining systems, and conducting interviews with personnel.
  • Submission: Upon successful completion, the C3PAO submits the official results to the CMMC Accreditation Body (Cyber AB).
  • Certification status: If successful, you will receive a CMMC certification, typically valid for three years. If minor, acceptable gaps remain on the POA&M, you may receive a Conditional Certification first, which requires full remediation within 180 days.

What are some common CMMC compliance challenges?

Navigating CMMC compliance can present several hurdles for DIB companies, particularly those new to federal cybersecurity requirements. While the roadmap provides the steps, these are the three most common sticking points organizations encounter when moving toward certification.

Challenge 1: Defining the compliance boundary (Scoping)

Many organizations struggle to accurately identify and segment the precise portion of their IT environment that stores, processes, or transmits CUI. Failing to tightly define the CUI Enclave (SSP Boundary) results in "scope creep," where an organization unnecessarily includes large parts of its network (like HR, marketing, or general business systems) in the audit. This significantly increases the cost, time, and complexity of implementing 110 security controls.

Challenge 2: Documentation and institutionalization

It is often easier to buy and deploy a security tool (technical implementation) than it is to document the process and provide evidence that the control is consistently followed (institutionalization). Assessors require comprehensive documentation, including the SSP and detailed Policies and Procedures, to prove that security practices are embedded, repeatable, and regularly reviewed by the organization, not just a one-time setup.

Challenge 3: Resource allocation and cost

CMMC Level 2 compliance is a significant, resource-intensive effort, especially for small and medium-sized businesses. The cost challenge encompasses not only the expense of new technologies (such as implementing MFA everywhere or upgrading to GCC High, which are commonly chosen) but also the internal labor required for documentation, continuous monitoring, and training, followed by the significant external cost of engaging a C3PAO.

Can we automate CMMC certification?

Yes, CMMC Certification can be effectively automated, not the final human audit decision itself, but the entire 9-step preparation and evidence-generation journey that leads to a successful outcome.

The goal of automation is to transform your organization from periodically scrambling for artifacts (Step 7) to a state of Continuous Audit Readiness (Step 5 and Step 6).

The Scrut advantage: Automating the journey

Scrut simplifies your journey to CMMC compliance by automating what’s repetitive and guiding you through what’s complex. From the first gap assessment to continuous monitoring, Scrut helps you build and sustain a compliant environment, without the chaos of spreadsheets or the cost of consultants.

1. Automated control mapping and readiness

Scrut automatically maps your existing controls to the CMMC requirements, so you can identify gaps early. With 1400+ pre-mapped controls aligned to frameworks like NIST 800-171, you can fast-track your readiness and avoid duplication across compliance efforts.

2. Policy and documentation support

The platform includes pre-built, expert-vetted policies tailored to CMMC practices. These templates ensure you have the foundational documentation ready, from system security plans (SSPs) to POA&Ms, and can easily customize them to fit your environment.

3. Continuous evidence collection and monitoring

Instead of collecting artifacts manually, Scrut automates evidence gathering through 100+ integrations with your cloud, identity, and endpoint systems. Every control is continuously monitored to ensure configurations stay aligned with CMMC’s cybersecurity maturity goals.

4. POA&M tracking and risk management

When compliance gaps are found, Scrut automatically logs them into your Plan of Action and Milestones tracker. You can assign owners, set remediation timelines, and track progress — all from a single dashboard that ties risks to compliance tasks.

5. Real-time audit collaboration

With built-in auditor access, you can share evidence directly on the platform, communicate in context, and track audit status in real time. This removes the back-and-forth of email threads and ensures transparency during assessments.

6. Continuous compliance maintenance

CMMC compliance isn’t a one-and-done exercise. Scrut continuously validates your security posture against benchmarks like CIS 2.0, alerts you to configuration drifts, and helps you stay audit-ready all year round.

In short, Scrut turns CMMC compliance from a paperwork marathon into a guided, automated process, helping you not just reach certification, but maintain it with confidence.

Frequently Asked Questions (FAQs)

What are the key differences between CMMC 1.0 and CMMC 2.0?

CMMC 2.0 simplifies the model from five maturity levels to three. The most significant change is the full alignment of CMMC Level 2 with the 110 security requirements of NIST SP 800-171. This removed CMMC-specific practices and maturity processes. Furthermore, CMMC 2.0 allows self-assessments for CMMC Level 1 and some non-prioritized Level 2 contracts.

How should organizations prepare for a CMMC Assessment?

Preparation should follow three main phases:

  1. Scoping: Accurately defining the CUI environment boundary.
  2. Implementation: Fully adopting all 110 NIST SP 800-171 controls within that boundary.
  3. Documentation: Creating the definitive SSP and an actionable Plan of Action and Milestones (POA&M), with associated evidence (artifacts).

How often does an organization need to be reassessed?

Official CMMC Level 2 (Certified) assessments conducted by a C3PAO are valid for three years, but require annual affirmation of compliance to the DoD in SPRS. Organizations that qualify for a self-assessment (CMMC Level 1 and certain CMMC Level 2) must perform and submit that assessment annually.

How will I determine the required CMMC level for a contract?

The required CMMC level is explicitly stated in the contract's solicitation and official DoD documentation. If the contract involves generating, processing, or storing Controlled Unclassified Information (CUI), CMMC Level 2 is required. If it only involves Federal Contract Information (FCI), CMMC Level 1 is typically sufficient.

What is the relationship between NIST and CMMC?

NIST SP 800-171 is the foundational cybersecurity standard, defining the specific 110 security requirements. CMMC is the Department of Defense’s compliance and verification program that ensures Defense Industrial Base (DIB) companies are meeting the NIST standard. CMMC Level 2 is, fundamentally, the DoD's required implementation of NIST SP 800-171.

Liked the post? Share on:
Megha Thakkar
Technical Content Writer at
Scrut Automation

Megha Thakkar is a Certified Information Systems Auditor (CISA) and technical content writer who loves turning complex cybersecurity and compliance topics into stories people actually want to read. With a background as an Associate CPA (Australia) and CA Intermediate (India), she blends her love for finance and technology to bring clarity to every piece she writes. She’s known for her sharp eye for editing and content management, making sure every word earns its place.

Authored by
Table of contents
Example H2
h3
Example H3
h4
Example H4
h5
Example H5
h6
Example H6
Subscribe to our newsletter
Get monthly updates and curated industry insights
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Join our community and be the first to know about updates!

Subscribe
I agree to receive marketing insights and other communications from Scrut Automation.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Risk Management
Compliance Essentials
Crafting a robust NIST disaster recovery policy and template
Scrut Updates
Scrut innovations: June 2025 snapshot
Compliance Essentials
Risk Management
5 ways to leverage AI for continuous compliance in GRC

Ready to see what security-first GRC really looks like?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo
Platform
Why ScrutExplore the PlatformSimplify ComplianceStreamline AuditsEmpower Your EmployeesMonitor Cyber RiskAssess Third-Party RiskValidate User PrivilegesManage Asset InventoryDemonstrate TrustAI-Powered GRCIntegrate Your Tech Stack
Frameworks
SOC 2ISO 27001GDPRPCI DSSHIPAANIST AI RMFCustom FrameworksAll Frameworks
Company Stages
StartupGrowthEnterprise
Industry
Enterprise SoftwareFinancial ServicesHealthcareTravel and TourismEducation
Resources
BlogEbooksPodcastSuccess StoriesWebinarsEventsGlossaryFAQs
Hubs
SOC 2 HubISO 27001 HubHIPAA HubExplore All Hubs
Partners
Become a PartnerFind a Partner
Company
CustomersAboutCareersNewsroomSecurity
TrustTerms of UsePrivacy PolicyCookies Policy
© 2024 Scrut Automation. All Rights Reserved.