Free Download
CMMC Compliance Checklist: Every Requirement, Organized by Domain
15 questions to understand your compliance exposure — before you talk to a single vendor.
- Identify if CUI is in scope — and what that means for your certification level
- Map the NIST SP 800-171 security controls (the 110 requirements behind CMMC Level 2) that matter most
- Avoid scoping mistakes that add cost and delay
- Know when to engage a C3PAO (the organization that certifies you) vs. an RPO (an advisory firm that helps you prepare)
- See the 4 documents every contractor needs before certification
Built for defense contractors navigating their first DoD award.
Wondering about cost? See real CMMC cost ranges by company size →
Get the checklist
Enter your email and we'll send it immediately — no signup wall, no sales call.
We'll also send you CMMC updates. Unsubscribe anytime.
What's inside
15 questions. One clear picture.
The checklist is organized into five sections — each one surfacing a different dimension of your compliance exposure.
CUI Scoping
Determine if Controlled Unclassified Information is in scope — the single most important factor in your certification level.
DFARS Clause Review
Identify which DFARS clauses appear in your contracts and what each one requires you to do right now.
Gap Prioritization
Surface the NIST SP 800-171 control families that create the most risk for first-time contractors.
Assessment Path
Determine whether you need a C3PAO (third-party) or RPO (advisory) based on your contract language.
Documentation Readiness
The 4 documents every contractor must have before their first assessment conversation.
Ready?
Takes 5 minutes to complete. Answers you can act on immediately.
Want a more complete picture of your requirements?
Take the 3-Minute Assessment → 8 questions. No signup required.
About This CMMC Compliance Checklist
CMMC compliance requires implementing a specific set of cybersecurity practices: 17 for Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, which map to 17 NIST SP 800-171 controls) and 110 for Level 2, organized across the 14 domains that correspond to the NIST SP 800-171 control families. Without a structured checklist, it's easy to lose track of what's done, what's in progress, and what's missing when an assessor walks in.
This checklist covers all CMMC Level 1 and Level 2 practices mapped to their NIST SP 800-171 control numbers. Each item includes a plain-English description of what the control requires, common implementation approaches, and evidence that assessors typically look for.
The 14 CMMC domains are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).
Use this checklist alongside your System Security Plan (SSP). As you implement each control, document it in your SSP, which is the primary artifact assessors review during a C3PAO assessment. An undocumented control is treated as a missing control. Documentation alone is not enough either: assessors examine artifacts, interview staff, and test controls, so the SSP must describe what is actually deployed, not what is planned. Not sure where to start? Run the readiness assessment first to identify your highest-priority gaps.
Frequently Asked Questions: CMMC Compliance Checklist
How many controls does CMMC Level 1 require?
CMMC Level 1 requires 17 basic cybersecurity practices across 6 domains: Access Control (4: 3.1.1, 3.1.2, 3.1.20, 3.1.22), Identification and Authentication (2: 3.5.1, 3.5.2), Media Protection (1: 3.8.3), Physical Protection (4: 3.10.1, 3.10.3, 3.10.4, 3.10.5), System and Communications Protection (2: 3.13.1, 3.13.5), and System and Information Integrity (4: 3.14.1, 3.14.2, 3.14.4, 3.14.5). These are the 15 FAR 52.204-21 safeguarding requirements expressed as NIST SP 800-171 control numbers. Level 1 is verified by an annual self-assessment with an affirmation in SPRS, not a C3PAO assessment.
How many controls does CMMC Level 2 require?
CMMC Level 2 requires 110 security practices aligned to NIST SP 800-171 Revision 2, organized across 14 domains. All 17 Level 1 practices are included within these 110.
What is a System Security Plan (SSP) and do I need one?
An SSP documents how your organization implements each CMMC control. It's required for Level 2 and recommended for Level 1. The SSP is the primary artifact reviewed during a C3PAO assessment — if a control isn't in your SSP, assessors will treat it as not implemented.
What is a Plan of Action and Milestones (POA&M)?
A POA&M documents controls that aren't yet fully implemented, with a plan and timeline to close each gap. A limited number of POA&M items are allowed in a CMMC Level 2 assessment: you must score at least 88 of 110 to receive a conditional certification, and open items must be closed and verified within 180 days. Requirements weighted at more than one point in the DoD scoring methodology, and a handful of one-point requirements such as multifactor authentication (3.5.3), cannot be placed on a POA&M and must be fully implemented at assessment time.
How often do CMMC requirements change?
CMMC 2.0 is based on NIST SP 800-171. The DoD updates CMMC requirements through rulemaking, so major changes require notice-and-comment. NIST published SP 800-171 Revision 3 in 2024, but DoD issued a class deviation keeping Revision 2 as the baseline for CMMC and DFARS 252.204-7012 until it adopts Revision 3 through a future rule. Monitor the Cyber AB and the DoD CMMC website for changes.
Can I use this checklist for a formal CMMC assessment?
This checklist is a preparation tool, not a formal assessment artifact. For your official CMMC assessment, you'll work directly with a C3PAO, which assesses against the DoD's CMMC Assessment Guide for your level and follows the Cyber AB's CMMC Assessment Process (CAP). Use this checklist to prepare your SSP and POA&M.
Next Step
Track your progress as you implement. Start with a readiness signal.
Get an instant score across the most critical control domains before diving into the full checklist.