iQuasar Cyber

Request a Callback

CMMC Compliance Checklist 2025: Your Step-by-Step Guide to CMMC 2.0 Readiness

cmmc compliance checklist

With the Cybersecurity Maturity Model Certification (CMMC) 2.0 rule becoming fully effective in early 2025, defense contractors are under increasing pressure to prepare their cybersecurity programs before requirements begin appearing in solicitations. Whether you handle Controlled Unclassified Information (CUI), Federal Contract Information (FCI), or work as a subcontractor supporting a prime, understanding what CMMC 2.0 requires—and how to prepare—is essential for maintaining eligibility in the DoD ecosystem. This guide provides a clear, practical CMMC compliance checklist, updated for 2025, to help contractors get CMMC-ready without confusion.

What Is CMMC 2.0? (2025 Snapshot)

CMMC 2.0 is the Department of Defense’s cybersecurity framework designed to safeguard FCI and CUI across the defense industrial base. It simplifies the previous model and aligns more closely with existing federal standards, especially NIST SP 800-171.

As of 2025, CMMC 2.0 includes three levels:

  • Level 1: Foundational
    – For contractors handling only FCI
    – 17 basic safeguarding requirements (based on FAR 52.204-21)
    – Annual self-assessment

  • Level 2: Advanced
    – For contractors handling CUI
    – 110 controls from NIST SP 800-171
    – Third-Party Assessment Organization (C3PAO) certification required for “prioritized acquisitions.”
    – Annual self-attestation for non-prioritized programs

  • Level 3: Expert
    – For contractors supporting critical national security programs
    – Based on NIST SP 800-172
    – Government-led assessments only

CMMC 2.0 Compliance Checklist for 2025

Use this checklist to evaluate your current cybersecurity posture and identify gaps before final rule enforcement begins.

1. Identify Your CMMC Level

Before implementing controls, determine:

  • Do you handle FCI only → Level 1

  • Do you receive or generate CUI under your contract → Level 2

  • Are you supporting the highest-priority DoD programs → Level 3

Tip: Check your contract sections (especially DD254 for classified programs) and consult with your prime contractor if unclear.

2. Perform a Current State Assessment (Gap Analysis)

Review your existing cybersecurity environment against the required controls for your level.

For Level 1:

  • Evaluate compliance with the 17 FAR/Safeguarding controls.

For Level 2:

  • Assess all 110 NIST SP 800-171 controls.

  • Score your compliance using the DoD Assessment Methodology (NIST 800-171 scoring) in SPRS.

For Level 3:

  • Prepare for NIST SP 800-172 enhanced requirements.

3. Create a System Security Plan (SSP)

A current and accurate SSP is mandatory. It must include:

  • Description of the IT environment

  • System boundaries

  • Architecture diagrams

  • Control implementation details

  • Hardware/software inventories

  • Cloud service architecture (FedRAMP status)

Tip: Outdated SSPs are a top reason for audit findings—update quarterly.

4. Build a Plan of Action and Milestones (POA&M)

Identify gaps and detail:

  • The specific control not met

  • Actions required to fix it

  • Assigned owner

  • Due dates

  • Budget/resource needs

Under CMMC 2.0, some POA&M items are allowed—but must be closed within defined timeframes for certification.

5. Enforce Multi-Factor Authentication (MFA) Everywhere

Required for:

  • Local and remote accounts

  • Cloud environments

  • Privileged access users

DoD assessors heavily emphasize MFA compliance due to high breach risk.

6. Implement Access Control & Least Privilege

  • Limit user access to the minimum necessary

  • Review permissions every 90 days

  • Disable unused accounts immediately

  • Use RBAC (Role-Based Access Control) where possible

7. Secure All Endpoints and Networks

Ensure:

  • Full-disk encryption

  • Anti-malware/EDR

  • Automated patching

  • Firewalls configured with least permissive rules

  • Secure wireless access and segmentation

Cloud environments must meet FedRAMP Moderate (for CUI).

8. Strengthen Audit & Monitoring Practices

Contractors must:

  • Enable logging across systems that handle CUI/FCI

  • Retain logs for at least 90 days active and 12 months searchable

  • Monitor security incidents

  • Alert for unauthorized access attempts

This is one of the highest-weighted NIST controls.

9. Protect Data in Transit and at Rest

  • Use FIPS-validated encryption

  • Apply TLS 1.2+ for all data transfers

  • Encrypt CUI stored in databases, file shares, backups

  • Avoid consumer-grade cloud tools (e.g., Dropbox, free Gmail)

10. Maintain a Robust Incident Response Plan

CMMC assessors require evidence of:

  • Documented IR procedures

  • 24/7 incident reporting workflow

  • Incident logging

  • After-action reports

  • Annual tabletop exercises

For Level 2+, you must report cyber incidents to DoD within 72 hours.

11. Implement Personnel Security Controls

  • Background checks (Tier 1 at minimum)

  • Termination/transfer procedures

  • Training for employees handling CUI/FCI

  • Annual security awareness training

12. Secure Physical Facilities

  • Badge system or access cards

  • Visitor logbooks

  • Locked server/network rooms

  • CUI storage cabinets with limited access

Remote employees must follow the same protocols—including encrypted devices and secure home networks.

13. Validate with a Pre-Assessment (Internal or External)

Before your formal C3PAO audit (Level 2), conduct a readiness review:

  • Validate SSP completeness

  • Confirm evidence availability

  • Conduct interview simulations

  • Ensure artifacts match control descriptions

14. Prepare for Continuous Monitoring

CMMC 2.0 isn’t a one-time certification.

In 2025, contractors must:

  • Conduct annual self-assessments (Levels 1 & 2 non-prioritized)

  • Maintain digital evidence and logs

  • Keep documentation updated

  • Review third-party vendor compliance

  • Reassess after system/environment changes

Final Thoughts: Start Early—CMMC Will Affect All DoD Contractors

By 2025, CMMC will be fully incorporated into DoD solicitations, making early preparation essential to avoid disruptions in contract eligibility. Whether you’re a small subcontractor or a prime contractor handling sensitive CUI, following this CMMC compliance checklist can help you build a reliable, audit-ready cybersecurity program that aligns with CMMC 2.0’s expectations.

 At iQuasar Cyber, our CMMC-certified consultants have a vast knowledge of frameworks, including CMMC, NIST 800-171, FedRamp, NYDFS, HIPAA, PCI, etc. We can prepare you for CMMC compliance levels and provide recommendations for better self or external assessment preparation. Stay ahead of the curve and begin your journey to secure your business today.