
Your Step-by-Step CMMC Level 2 Checklist for 2026
Quick Answer:
CMMC Level 2 requires meeting all 110 NIST SP 800-171 Rev 2 requirements across 14 domains. Key steps include scoping your CUI environment, performing a gap analysis, building an SSP, completing security training and preparing for either a self-assessment or a C3PAO assessment before Phase 2 begins on November 10, 2026, when applicable contracts start requiring a C3PAO-issued Level 2 certification.
The window of opportunity is closing fast for organizations that need a Cybersecurity Maturity Model Certification (CMMC) assessment. On Nov. 10, 2025, Phase 1 of the CMMC rollout took effect: the U.S. Department of Defense can now require Level 1 and Level 2 self-assessments, posted to the Supplier Performance Risk System (SPRS), as a condition of award. On Nov. 10, 2026, Phase 2 begins, and applicable Level 2 solicitations will require a certification issued by a Certified Third-Party Assessment Organization (C3PAO) rather than a self-assessment. Companies that don’t measure up or fail a C3PAO assessment could be summarily sidelined.
November may seem like a long way off. However, a backlog of companies requesting CMMC services has already formed, and there are reportedly more than 100,000 defense contractors and supply chain operations that need to upgrade or totally reinvent their cyber hygiene to stay in the good graces of the federal government. Given that completing every item on a CMMC Level 2 checklist is a lengthy process and C3PAO waitlists are reportedly exceeding six months, the sands of time are already running out.
CMMC Level 2 Decision-Making
Relentless cyberattacks by the likes of Russia, China, Iran and North Korea, among others, prompted the federal government to develop a comprehensive data security measure. In 2019, CMMC was initiated and announced the following year. After reviewing public and industry feedback, the cybersecurity program was reduced from five to three tiers. One of the more controversial aspects of CMMC 2.0 involves the Level 2 requirements. Some companies can self-attest, while others need an impartial C3PAO audit conducted. These are things to consider when deciding whether your outfit falls into the self-test or external audit category, according to the Department of War.
Level 2 (Self-Test)
Must meet all 110 NIST SP 800-171 Rev 2 requirements, score the assessment using the DoD Assessment Methodology and post the result to the Supplier Performance Risk System (SPRS). A Level 2 self-assessment is valid for three years, with a senior company official affirming continued compliance every year. Organizations that fall short may qualify for a conditional status with a Plan of Action & Milestones (POA&M), but only if the score is at least 88 out of 110 and every open item is a low-weight requirement that the rule allows to be deferred. The POA&M must be closed out within 180 days or the conditional status lapses.
Level 2 (C3PAO)
Companies in the C3PAO category must meet the same 110 NIST SP 800-171 requirements, but the assessment is performed by a Cyber AB-authorized C3PAO, which uploads the results to CMMC eMASS. A Level 2 certification is valid for three years, again with an annual affirmation by a senior official. The same POA&M conditions apply: a score of at least 88, no open high-weight requirement and closeout within 180 days, verified by a C3PAO closeout assessment.
Conditional status is not guaranteed: an organization that misses the score threshold, or leaves a non-deferrable requirement unmet, simply fails. That’s why it’s worth enlisting a consultant registered with the Cyber AB as a Registered Provider Organization (RPO). Such firms have demonstrated the expertise needed to work through a CMMC compliance checklist and prepare your operation for a self-assessment or a C3PAO audit, starting with the question of whether your contracts put you in the Level 2 self-assessment or C3PAO category.
How to Know if You Possess CUI
The term CUI in military defense circles seems to imply a relatively narrow type of digital information. In reality, CUI is defined more broadly than you might anticipate.
Controlled unclassified information covers wide-reaching data relevant to military contracts, products, supply chains and personnel, among other things. For example, personally identifiable information (PII) and protected health information (PHI) may not seem to fall into the CUI category. However, when they concern the people who work in the defense industrial base, it’s entirely likely that this sensitive information doubles as CUI. The same holds true for data related to infrastructure, cybersecurity, trade secrets and even law enforcement in some cases.
One of the key reasons the Department of Defense considers these and other items CUI stems from the methods used by America’s adversaries. It’s not uncommon for cybercriminals, working for rogue nations, to gather small bits of information and piece them together. Patient and well-funded, threat actors try to connect the dots and glean national defense strategies. Classifying a variety of digital assets as CUI under CMMC results in better protection.
CMMC Level 2 Checklist
Once your Level 2 requirements have been identified, all 14 domains will need to be addressed. Each calls for specific NIST controls to be implemented and maintained. Let’s run through the CMMC compliance checklist and circle back to the domains and controls later.
1: Scope Your CUI Environment
The first step in establishing a determined cybersecurity posture is limiting access to critical and sensitive information. For CMMC compliance, that means anything that may be deemed CUI by the federal government. This process starts by asking and answering questions that go to the heart of data security.
- Who enjoys access to CUI?
- Which devices can be used to access CUI?
- How is CUI processed within the company?
- Where is CUI being stored?
The CMMC Level 2 Scoping Guide turns those answers into asset categories: CUI assets, security protection assets, contractor risk managed assets, specialized assets and out-of-scope assets. The first four are documented in the SSP and sit inside the assessment boundary, so the smaller the footprint of CUI, the smaller the assessment. The federal government also places tremendous value on zero trust: only those who need CUI as part of their regular duties get access to it, network movement is limited based on user and device identity, multi-factor authentication is enforced and the CUI enclave is micro-segmented as a fallback defense. A well-designed zero trust program resolves a variety of cybersecurity vulnerabilities at once.
2: Perform a Gap Analysis
A gap analysis compares the current state of the environment against each of the 110 requirements, ideally at the level of the individual assessment objectives in NIST SP 800-171A, to determine what is met, what is partially met and what is missing. Using the gap analysis report, leadership teams and CMMC consultants gain a clear understanding of what must change to achieve compliance. An actionable plan is then crafted to move the cybersecurity needle to a place that keeps CUI safe and passes CMMC muster.
3: Build-Out Your System Security Plan (SSP)
The System Security Plan (SSP) is the go-to resource when developing a cybersecurity posture that meets or exceeds CMMC Level 2, and it is itself a requirement (CA.L2-3.12.4); without an SSP an assessor cannot score the assessment. It documents the system boundary, the assets in scope and how each of the 110 requirements is implemented, or where it is not.
It defines the boundaries for the access and use of CUI by staff members and vendors and spells out the roles and responsibilities of employees, leadership and key stakeholders. In short, it’s the blueprint that assessors read first and the document against which every piece of evidence is judged, ensuring the protection, confidentiality and integrity of the CUI that your organization receives, stores and transfers.
4: Plan of Action & Milestones (POA&M)
A Plan of Action & Milestones (POA&M) comes into play when an assessment, whether a self-assessment or a C3PAO assessment, finds requirements that are NOT MET. Provided the eligibility conditions are satisfied, the organization receives a conditional status and has 180 days to close every open item. That is a setback, but not the end of the world. The POA&M itself documents each open requirement, the planned remediation, the resources involved and the target date for closing it.
Think of the 180 days as a grace period with a hard stop. Within that window you close the gaps, adjust infrastructure and take whatever other remediation steps are needed; for a C3PAO assessment, the closeout is verified by a POA&M closeout assessment. Miss the deadline and the conditional status lapses.
Not every organization can use a POA&M. Level 1 allows none at all: all 17 requirements must be met. At Level 2 (Level 3 has its own, similar threshold) a POA&M is restricted to low-weight deficiencies. The assessment score must be at least 88 out of 110 points under the DoD Assessment Methodology, which deducts 1, 3 or 5 points for each unmet requirement, and no requirement worth more than 1 point may remain open, with one exception: CUI encryption (SC.L2-3.13.11) may be deferred when encryption is in place but the module is not yet FIPS-validated. A handful of 1-point requirements inherited from Level 1 (AC.L2-3.1.20, AC.L2-3.1.22 and PE.L2-3.10.3 through 3.10.5) must also be met outright. If you recently fell short, onboarding a Cyber AB-registered RPO to close those gaps quickly is in your best interest; the sooner every control meets the standard, the sooner you can stop holding your breath.
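The scoring and eligibility rules above are easy to get wrong in a spreadsheet, so here is a small calculator, added for this article and not code from Red River or the DoD. It encodes the DoD Assessment Methodology scoring (110 minus the weight of each NOT MET requirement) and the POA&M eligibility conditions of 32 CFR 170.21 as the author reads them; the weights on the sample findings are recalled from the methodology's Annex A and should be checked against the current official table, and the three scenarios are constructed, not real assessment data.

```python
"""Score a CMMC Level 2 assessment and decide whether open findings may go on a POA&M.

Added example; not code from the article's author, Red River or the DoD.
Rules encoded (as understood by the example's author, verify against 32 CFR 170.21):
  * Score = 110 minus the weight (1, 3 or 5) of every requirement that is NOT MET.
  * Conditional status requires a score of at least 88 (80%), no open requirement
    worth more than 1 point (except 3.13.11 when encryption is in place but not
    FIPS-validated), and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5 open.
"""
from dataclasses import dataclass, field

TOTAL_POINTS = 110
MIN_POAM_SCORE = 88          # 80% of 110
POAM_CLOSEOUT_DAYS = 180     # conditional status lapses after this

# Requirements that must be MET at assessment time regardless of weight.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The only requirement worth more than 1 point that may be deferred, with a condition.
FIPS_EXCEPTION = "3.13.11"


@dataclass
class Finding:
    req: str            # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    weight: int         # 1, 3 or 5 per the DoD Assessment Methodology
    note: str = ""


@dataclass
class Result:
    score: int
    poam_eligible: bool
    blockers: list = field(default_factory=list)  # findings that rule out a POA&M

    def summary(self) -> str:
        if self.poam_eligible:
            return (f"score {self.score}/110: conditional status allowed, "
                    f"close the POA&M within {POAM_CLOSEOUT_DAYS} days")
        why = [f"{b.req} ({b.weight} pt)" for b in self.blockers] \
            or [f"score {self.score} is below {MIN_POAM_SCORE}"]
        return f"score {self.score}/110: no POA&M, blockers: " + ", ".join(why)


def sprs_score(findings) -> int:
    """Every NOT MET requirement deducts its weight from the 110-point maximum."""
    return TOTAL_POINTS - sum(f.weight for f in findings)


def assess(findings, non_fips_encryption_in_place: bool = False) -> Result:
    """Apply the POA&M eligibility rules to a list of NOT MET findings."""
    if any(f.weight not in (1, 3, 5) for f in findings):
        raise ValueError("weights must be 1, 3 or 5")
    blockers = []
    for f in findings:
        if f.req in NEVER_POAM:
            blockers.append(f)
        elif f.weight > 1 and not (f.req == FIPS_EXCEPTION and non_fips_encryption_in_place):
            blockers.append(f)
    score = sprs_score(findings)
    return Result(score, score >= MIN_POAM_SCORE and not blockers, blockers)


# --- constructed scenarios (illustrative, not real assessment data) -------------
def scenario_conditional() -> Result:
    """Three low-weight gaps; encryption is deployed but not FIPS-validated."""
    return assess([
        Finding("3.6.3", 1, "incident response plan never exercised"),
        Finding("3.3.4", 1, "no alert on audit-logging failure"),
        Finding("3.13.11", 3, "AES in use, module not FIPS 140 validated"),
    ], non_fips_encryption_in_place=True)


def scenario_blocked() -> Result:
    """High score, but two findings that can never be deferred."""
    return assess([
        Finding("3.5.3", 5, "no MFA for network access"),
        Finding("3.1.22", 1, "CUI posted to a publicly accessible share"),
        Finding("3.6.3", 1, "incident response plan never exercised"),
    ])


def scenario_too_many_gaps() -> Result:
    """Only 1-point items, but too many of them to stay at or above 88."""
    # Placeholder identifiers stand in for 23 distinct one-point requirements.
    return assess([Finding(f"placeholder-{i:02d}", 1) for i in range(23)])


if __name__ == "__main__":
    for name, fn in [("conditional", scenario_conditional),
                     ("blocked", scenario_blocked),
                     ("too many gaps", scenario_too_many_gaps)]:
        print(f"{name}: {fn().summary()}")
```

The second scenario is the one that surprises people: a score of 103 looks comfortable, yet an unmet 5-point requirement or an unmet 3.1.22 means no conditional status at all. Treat the weights as the first thing to confirm when you adopt a calculator like this.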
5: Cybersecurity Awareness Training

Cybersecurity awareness training is mandated at CMMC Levels 2 and 3 (the Awareness and Training domain, AT.L2-3.2.1 through 3.2.3). While that may sound like an added burden, it’s actually not a bad thing. Studies indicate that employees who receive awareness training are less likely to open a phishing email or click a malicious link, and IBM’s 2025 Cost of a Data Breach Report put the average cost of a breach in the United States above $10 million. Against that number, the cost of training is a win.
6: Incident Response Training
Adversaries move fast: CrowdStrike’s 2025 Global Threat Report put the average eCrime breakout time, the interval between initial access and lateral movement, at 48 minutes, with the fastest observed case under a minute. Every second counts, which is why CMMC Level 2 requires organizations to design, document, implement and exercise an incident response capability (the Incident Response domain, IR.L2-3.6.1 through 3.6.3). These are the incident response requirements.
- Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response, and write it down as a formal plan.
- Educate personnel on their roles and revisit incident response training regularly.
- Test the capability, for example with tabletop exercises or simulated incidents.
- Track and document incidents and report them through official channels, including the 72-hour cyber incident reporting that DFARS 252.204-7012 requires.
In many cases, companies outsource this and other cybersecurity responsibilities to experienced firms that possess CMMC-level credentials. Proactive business leaders invest in Security Information and Event Management (SIEM), allowing a third-party cybersecurity firm to provide ongoing monitoring and real-time incident response.
7: Physical Security Measures
Although the primary focus of CMMC 2.0 is digital security, physical theft remains a constant threat. Hard copies of CUI, or a USB drive used to copy files from an unattended workstation, are the stuff of real espionage cases. The Physical Protection domain at Level 2 contains six requirements.
- Access Control: Limit physical access to systems, equipment and their operating environments to authorized individuals (3.10.1).
- Facility Monitoring: Protect and monitor the physical facility and its support infrastructure (3.10.2). Cameras, alarms and guards are common ways to meet this, but the requirement is outcome-based and does not mandate any particular one.
- Visitor Oversight: Escort visitors and monitor their activity (3.10.3).
- Access Logs: Maintain audit logs of physical access (3.10.4).
- Access Devices: Control and manage physical access devices such as keys, badges and lock combinations (3.10.5).
- Alternate Work Sites: Enforce safeguarding measures for CUI at home offices and other alternate work sites (3.10.6).
Paper documents and removable media are covered separately by the Media Protection domain, which requires that they be physically controlled, stored securely and sanitized or destroyed before disposal or reuse. Fire, flood and severe-weather preparedness are sound practice but are not among the Level 2 requirements.
The point is that CUI can prove invaluable to our adversaries and must be protected in proportion to its worth. If someone owned a gold and jewelry business, many of these same physical protections would be common sense.
8: Document CMMC Readiness
After working through the checklist with a CMMC services provider, run a mock assessment in-house against the CMMC Assessment Guide for Level 2, checking each assessment objective and the evidence that supports it. The results identify any gaps before a C3PAO finds them, and a pre-assessment carries no consequences. It’s a smart way to avoid the POA&M process and the 180-day clock that comes with it. Better to demonstrate full CMMC compliance on the first formal evaluation than to be remembered as the business that struggled to meet data protection standards.
9: Understanding Domains and Controls
Level 2 organizations are tasked with meeting a CMMC standard that calls for proficiency in 14 domains and 110 controls. Those terms tend to be a little abstract to professionals outside the managed IT cybersecurity field. For the purposes of better understanding exactly what they are, here is a list of the 14 domains and the corresponding number of CMMC controls, also known as practices.
- Access Control: 22 controls
- Audit and Accountability: 9 controls
- Awareness and Training: 3 controls
- Configuration Management: 9 controls
- Identification and Authentication: 11 controls
- Incident Response: 3 controls
- Maintenance: 6 controls
- Media Protection: 9 controls
- Personnel Security: 2 controls
- Physical Protection: 6 controls
- Risk Assessment: 3 controls
- Security Assessment: 4 controls
- System and Communications Protection: 16 controls
- System and Information Integrity: 7 controls
Contact Red River for CMMC Level 2 Checklist Readiness
At Red River, we recognize the challenges involved in becoming CMMC 2.0 compliant and passing an audit. Our experienced team of professionals has earned RPO and C3PAO accreditation from Cyber AB.
We work diligently to craft the determined cybersecurity protocols needed to detect, deter and expel threat actors and meet the standards established by CMMC. The cybersecurity experts at Red River are available to bring your organization into compliance before you miss CMMC deadlines. Contact us today by calling or filling out our online form. Let’s get the process started!
written by
Corrin Jones
Corrin Jones is the Director of Digital Demand Generation. With over ten years of experience, she specializes in creating content and executing campaigns to drive growth and revenue. Connect with Corrin on LinkedIn.
