The Complete CMMC Level 2 Assessment Checklist for 2026

Access Control is the largest domain and typically carries the most SPRS weight. Key areas:

• Account management (3.1.1-3.1.2). Limit system access to authorized users, processes, and devices. Readiness tip: Export your IAM principal list with last-login dates. Any account not used in 90 days should be disabled or justified.
• Access enforcement (3.1.3-3.1.5). Control CUI flow and enforce separation of duties. Readiness tip: Map every CUI data flow and show the enforcement mechanism (firewall rule, IAM policy, DLP rule) for each.
• Least privilege (3.1.5-3.1.8). Non-privileged accounts for non-security functions, privileged access restricted. Readiness tip: Show that admins use separate accounts for administrative vs. daily-use tasks.
• Remote access (3.1.12-3.1.15). Monitor, control, encrypt, and route remote access. Readiness tip: VPN logs showing encrypted tunnels, MFA enforcement, and session termination policies.
• Wireless access (3.1.16-3.1.17). Authorize, monitor, and protect wireless. Readiness tip: Wireless network configuration showing WPA3/WPA2-Enterprise, rogue AP detection.
• Mobile devices (3.1.18-3.1.19). Control and encrypt CUI on mobile devices. Readiness tip: MDM enrollment evidence, device encryption verification, remote wipe capability.
• External connections (3.1.20-3.1.22). Control connections to external systems. Readiness tip: Documented and approved external system connections with data flow descriptions.

All personnel must understand their security responsibilities. Evidence is usually training records.

• Security awareness (3.2.1). Readiness tip: Signed training acknowledgments with dates, covering CUI handling, phishing, and incident reporting.
• Role-based training (3.2.2). Readiness tip: Specialized training for admins, developers, and security personnel beyond general awareness.
• Insider threat awareness (3.2.3). Readiness tip: Training records showing insider threat indicators, reporting procedures, and annual refresher completion.

Create, protect, and review audit logs. This is where your SIEM deployment matters.

• Audit events (3.3.1-3.3.2). Readiness tip: Show your SIEM collecting login events, privilege escalation, CUI access, and failed authentication across all in-scope systems.
• Audit log protection (3.3.3-3.3.4). Readiness tip: Demonstrate that audit logs are immutable (write-once storage) and access to log management is restricted to authorized admins.
• Audit review and reporting (3.3.5-3.3.6). Readiness tip: Weekly or daily log review procedures with documented findings and escalation records.
• Time synchronization (3.3.7). Readiness tip: NTP configuration across all systems with evidence of synchronized timestamps in logs.
• Audit reduction (3.3.8-3.3.9). Readiness tip: SIEM dashboards or queries that demonstrate audit reduction, analysis, and reporting capability.

• Baseline configurations (3.4.1-3.4.2). Readiness tip: Documented system baselines (CIS benchmarks or equivalent) and change control procedures with approval records.
• Change tracking (3.4.3-3.4.5). Readiness tip: Change management system showing security impact analysis for each change and approved configuration settings.
• Least functionality (3.4.6-3.4.8). Readiness tip: Evidence of disabled unnecessary services, ports, and protocols. Application whitelisting or blacklisting policies.
• User-installed software (3.4.9). Readiness tip: Policy restricting user-installed software with technical enforcement (AppLocker, Group Policy).

• User identification (3.5.1-3.5.2). Readiness tip: Unique user IDs for all accounts, no shared credentials, authentication required before access.
• Multi-factor authentication (3.5.3). Readiness tip: MFA enforced for all privileged and remote access. Hardware tokens or authenticator apps, not SMS. Show enrollment records.
• Replay-resistant authentication (3.5.4). Readiness tip: Authentication mechanisms that resist replay attacks (FIDO2, certificate-based, challenge-response).
• Identifier management (3.5.5-3.5.6). Readiness tip: Process for disabling identifiers after inactivity period, preventing identifier reuse.
• Password management (3.5.7-3.5.11). Readiness tip: Password complexity requirements meeting NIST guidelines, encrypted password storage, and obscured password display.

• Incident handling (3.6.1). Readiness tip: Documented IR plan covering preparation, detection, analysis, containment, eradication, and recovery. Must include DIB-specific reporting to DC3.
• Incident reporting (3.6.2). Readiness tip: Evidence of incident tracking and reporting procedures, including 72-hour notification requirements for cyber incidents affecting CUI.
• Incident response testing (3.6.3). Readiness tip: Tabletop exercise records from the past 12 months with lessons learned and plan updates.

• System maintenance (3.7.1-3.7.2). Readiness tip: Maintenance schedules, patch management records, and maintenance personnel authorization lists.
• Equipment sanitization (3.7.3). Readiness tip: Procedures for sanitizing equipment removed for off-site maintenance, with media sanitization records.
• Maintenance tools (3.7.4-3.7.5). Readiness tip: Approved tools list, inspection procedures for tools brought on-site, and media inspection before use.
• Remote maintenance (3.7.6). Readiness tip: Supervised remote maintenance sessions with logging and session termination when complete.

• Media protection (3.8.1-3.8.3). Readiness tip: CUI marking procedures, physical and digital media access controls, and media sanitization records (NIST 800-88).
• Media marking (3.8.4-3.8.5). Readiness tip: CUI marking on media and controlled areas, with distribution limitation markings.
• Media transport (3.8.6-3.8.7). Readiness tip: Encryption of CUI on portable media, controlled transport procedures with accountability records.
• Media disposal (3.8.8-3.8.9). Readiness tip: Sanitization and destruction records per NIST SP 800-88 for all media that contained CUI.

• Personnel screening (3.9.1). Readiness tip: Background check procedures and records for all personnel with CUI access.
• Personnel termination/transfer (3.9.2). Readiness tip: Offboarding checklists showing access revocation within required timeframes, with dates and responsible parties.

• Physical access (3.10.1-3.10.2). Readiness tip: Access control lists for facilities handling CUI, visitor logs, and escort procedures.
• Physical access monitoring (3.10.3-3.10.4). Readiness tip: Badge reader logs, camera footage retention policies, and tamper-evident measures for physical access devices.
• Facility protection (3.10.5-3.10.6). Readiness tip: Alternative work site security measures and CUI positioning/shielding to limit unauthorized viewing.

• Risk assessments (3.11.1). Readiness tip: Annual risk assessment covering CUI systems, threat identification, and risk prioritization.
• Vulnerability scanning (3.11.2-3.11.3). Readiness tip: Regular vulnerability scan results (Nessus, Qualys, etc.) with remediation tracking and scan-to-fix timelines.

• Security control assessment (3.12.1). Readiness tip: Self-assessment results or third-party assessment against all 110 practices with findings documented.
• Plan of action (3.12.2). Readiness tip: Current POA&M with specific milestones, responsible parties, and target completion dates for each open finding.
• Continuous monitoring (3.12.3-3.12.4). Readiness tip: Security control monitoring procedures and system-level security plans updated per changes.

This is the second-largest domain. Key focus areas:

• Boundary protection (3.13.1-3.13.2). Readiness tip: Network diagrams showing authorization boundary, firewall rules, DMZ architecture, and CUI data flow paths.
• Encryption (3.13.8, 3.13.11). Readiness tip: FIPS 140-2/140-3 validated encryption for CUI in transit and at rest. Show certificate configurations and encryption module details.
• Network segmentation (3.13.5-3.13.6). Readiness tip: VLAN configurations, firewall rules, and evidence of subnetwork isolation for publicly accessible components.
• Communication integrity (3.13.9-3.13.10). Readiness tip: TLS 1.2+ enforcement, certificate management, and DNS security measures.
• Session management (3.13.15-3.13.16). Readiness tip: Session lock after inactivity, session termination policies, and cryptographic session management.

• Flaw remediation (3.14.1). Readiness tip: Patch management records showing timely remediation of identified vulnerabilities with defined SLAs.
• Malicious code protection (3.14.2-3.14.5). Readiness tip: Endpoint protection deployment records, signature update logs, and malicious code scanning at network entry/exit points.
• Security alerts (3.14.3). Readiness tip: Process for monitoring security advisories (CISA KEV, vendor bulletins) and implementing relevant patches.
• System monitoring (3.14.6-3.14.7). Readiness tip: IDS/IPS deployment evidence, monitoring procedures for unauthorized access attempts, and alert response records.