CMMC 2.0 Level 2 Readiness Checklist

Idril Cybersecurity Services
All 14 NIST 800-171 control families | 110 security requirements | Self-scoring guide
Phase 2 Deadline: November 10, 2026

How to Use This Checklist

This checklist covers all 14 NIST SP 800-171 Rev 2 control families required for CMMC Level 2 certification. For each domain, you’ll find the key requirements, common mid-market gaps, and the evidence your C3PAO assessor will expect.

Self-Scoring Guide

Score each control family using the status framework below.

Score | Status          | Definition
✅ 3  | Implemented     | Control fully in place with documentation and evidence available
⚠️ 1  | Partial         | Some implementation exists but gaps remain; remediation needed
❌ 0  | Not Implemented | Control is missing or not documented; priority remediation

Scoring Target & Priority

Target: A perfect score across all 14 families is 42 (14 families × 3 points). Organizations scoring below 28 should prioritize remediation before scheduling a C3PAO assessment. Treat this family-level score as a readiness gauge only: the C3PAO scores each of the 110 requirements individually under the DoD Assessment Methodology, so a family counts as Implemented here only when every requirement in it is met, and a conditional Level 2 certification still requires at least 88 of 110 points with the remaining items closed out within 180 days.

Focus first on: Access Control (AC, 22 requirements), System & Communications Protection (SC, 16) and Audit & Accountability (AU, 9). Together these three families hold 47 of the 110 requirements, so a Partial or Not Implemented score there leaves far more of the assessment exposed than the same score in a small family such as PS or AT.
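The scoring rule above, as an added example that is not part of the original checklist: a small Python helper that totals the 0/1/3 family scores, applies the 28-point bar, and also ranks families by how many of the 110 requirements a Partial or Not Implemented score leaves exposed, which is the logic behind the "focus first on AC, SC, AU" advice. The per-family requirement counts are the ones printed on the cards; the requirement-weighted exposure measure and the sample self-assessment are this example's own assumptions.

```python
"""Self-scoring helper for the 14-family CMMC Level 2 checklist.

Added example, not the checklist's own tool. Requirement counts per family
are those on the checklist cards (NIST SP 800-171 Rev 2, 110 total); the
requirement-weighted "exposure" ranking is this example's own heuristic.
"""
from fractions import Fraction

# Family code -> number of NIST SP 800-171 Rev 2 requirements in that family.
FAMILIES = {
    "AC": 22, "AT": 3, "AU": 9, "CM": 9, "IA": 11, "IR": 3, "MA": 6,
    "MP": 9, "PS": 2, "PE": 6, "RA": 3, "CA": 4, "SC": 16, "SI": 7,
}
assert sum(FAMILIES.values()) == 110

# Status -> points, exactly as the checklist's scoring table defines them.
POINTS = {"implemented": 3, "partial": 1, "not_implemented": 0}

MAX_SCORE = 3 * len(FAMILIES)   # 42: every family Implemented
READINESS_THRESHOLD = 28        # checklist: below this, remediate before booking a C3PAO


def _validate(statuses):
    missing = set(FAMILIES) - set(statuses)
    unknown = set(statuses) - set(FAMILIES)
    if missing or unknown:
        raise ValueError(f"unscored: {sorted(missing)}, unknown: {sorted(unknown)}")
    bad = [f for f, s in statuses.items() if s not in POINTS]
    if bad:
        raise ValueError(f"status must be one of {sorted(POINTS)}: {bad}")


def total_score(statuses):
    """Sum of the 0/1/3 family scores (max 42)."""
    _validate(statuses)
    return sum(POINTS[statuses[fam]] for fam in FAMILIES)


def ready_for_assessment(statuses):
    """True when the checklist's 28-point bar is met."""
    return total_score(statuses) >= READINESS_THRESHOLD


def _exposed(fam, status):
    # Heuristic (this example's assumption): a family exposes its requirement
    # count scaled by how far its score falls short of 3, so Partial exposes
    # two thirds of its requirements and Not Implemented all of them.
    return Fraction(FAMILIES[fam] * (3 - POINTS[status]), 3)


def requirements_at_risk(statuses):
    """Requirement-weighted exposure across all families, as a Fraction."""
    _validate(statuses)
    return sum((_exposed(fam, statuses[fam]) for fam in FAMILIES), Fraction(0))


def remediation_order(statuses):
    """Families needing work, most exposed requirements first; ties go to the
    lower score, then family code. Returns (family, points, exposed) tuples."""
    _validate(statuses)
    rows = [(fam, POINTS[statuses[fam]], _exposed(fam, statuses[fam]))
            for fam in FAMILIES if statuses[fam] != "implemented"]
    return sorted(rows, key=lambda r: (-r[2], r[1], r[0]))


# Constructed sample self-assessment (not a real organization's results).
SAMPLE = {
    "AC": "partial", "AT": "implemented", "AU": "not_implemented",
    "CM": "partial", "IA": "partial", "IR": "implemented", "MA": "implemented",
    "MP": "implemented", "PS": "implemented", "PE": "implemented",
    "RA": "partial", "CA": "not_implemented", "SC": "partial", "SI": "implemented",
}

if __name__ == "__main__":
    print(f"score {total_score(SAMPLE)}/{MAX_SCORE}, ready: {ready_for_assessment(SAMPLE)}")
    print(f"requirements exposed: {float(requirements_at_risk(SAMPLE)):.1f} of 110")
    for fam, pts, exposed in remediation_order(SAMPLE):
        print(f"  {fam}: score {pts}, ~{float(exposed):.1f} requirements exposed")
```

With the sample statuses the family score is 26 of 42 (not ready), and the exposure ranking puts AC, SC and AU at the top even though AU is only one of two Not Implemented families, which is exactly why the checklist tells you to start there.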

CMMC 2.0 Phase Timeline

Phase   | Date         | Requirement
Phase 1 | Nov 10, 2025 | Level 1 and Level 2 self-assessments in select contracts (active now)
Phase 2 | Nov 10, 2026 | Third-party C3PAO certification assessments required for Level 2
Phase 3 | Nov 10, 2027 | Level 3 DIBCAC assessments for highly sensitive programs
Phase 4 | Nov 10, 2028 | Full CMMC implementation for all covered contracts

The 14 Control Families

Each card below covers the key requirements, common mid-market gaps, and evidence your C3PAO assessor will expect. Use the scoring row at the bottom of each card to track your status, owner, and target remediation date.

  • AC — Access Control (22 requirements)

    Key requirements:
    • Enforce least privilege and separation of duties
    • Route remote access through managed access control points
    • Limit unsuccessful logon attempts
    • Terminate sessions after defined conditions
    • Authorize wireless access before connection
    • Control CUI flow per approved authorizations
    • Use non-privileged accounts for non-security functions

    Common gaps: Shared accounts, no session timeouts, uncontrolled remote access, missing role-based access controls

    Evidence expected: Access control policies, RBAC matrix, session configuration screenshots, VPN/remote access logs, wireless access authorization records

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • AT — Awareness & Training (3 requirements)

    Key requirements:
    • Security awareness training for all users
    • Role-based training for users with security-related duties, including privileged users
    • Insider threat awareness program

    Common gaps: No documented training program, missing completion records, no insider threat component

    Evidence expected: Training curriculum, completion records with dates, insider threat briefing materials

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • AU — Audit & Accountability (9 requirements)

    Key requirements:
    • Create and retain system audit logs
    • Review and update the set of logged events
    • Alert on audit logging process failure
    • Correlate audit records across systems
    • Synchronize system clocks to an authoritative time source so records can be correlated
    • Protect audit information from unauthorized access, modification and deletion
    • Reduce audit records and generate reports to support analysis

    Common gaps: Logging not enabled on all CUI systems, missing required data elements (user ID, timestamp, action, success/failure), no log review cadence

    Evidence expected: Sample audit logs from all CUI boundary systems, log review procedures and evidence, log retention configuration, SIEM dashboard screenshots

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
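The data-element gap above, as an added example that is not the checklist's or Idril's tooling: a Python check that reads newline-delimited JSON audit records, reports every record that cannot be traced to a user, timestamp, action and outcome (the 3.3.1/3.3.2 expectation), and flags silent periods per host that would indicate a logging failure nobody alerted on (3.3.4). The field names, the one-hour gap threshold and the sample records are this example's constructed assumptions; map your own sources' field names into REQUIRED before running it against real exports.

```python
"""Audit-record completeness check for CUI systems.

Added example, not the checklist's own tooling. Records are assumed to be
one JSON object per line using the field names in REQUIRED; remap for your
SIEM or syslog export before use.
"""
import json
from datetime import datetime, timedelta, timezone

# Field -> why an assessor needs it (an action must be traceable to an
# individual user, at a point in time, with a known result).
REQUIRED = {
    "ts": "timestamp (UTC, ISO 8601)",
    "host": "system that generated the record",
    "user": "account that performed the action",
    "action": "what was done",
    "outcome": "success or failure",
}
VALID_OUTCOMES = {"success", "failure"}

# Constructed sample records (not real logs). Line 3 lacks a user, line 4
# has a non-standard outcome, line 5 has an unparseable timestamp, and
# cui-fs01 goes silent for over two hours between lines 3 and 4.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:00:00Z", "host": "cui-fs01", "user": "jdoe", "action": "file_read", "outcome": "success"}
{"ts": "2026-03-02T09:05:00Z", "host": "cui-fs01", "user": "jdoe", "action": "file_write", "outcome": "failure"}
{"ts": "2026-03-02T09:06:00Z", "host": "cui-fs01", "action": "file_delete", "outcome": "success"}
{"ts": "2026-03-02T11:30:00Z", "host": "cui-fs01", "user": "svc_backup", "action": "file_read", "outcome": "ok"}
{"ts": "not-a-time", "host": "cui-app02", "user": "asmith", "action": "login", "outcome": "success"}
{"ts": "2026-03-02T09:01:00Z", "host": "cui-app02", "user": "asmith", "action": "login", "outcome": "success"}
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ("...Z"); return None if unparseable."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_record(line_no, record):
    """Return a list of findings for one record (empty when it is complete)."""
    findings = []
    for field, why in REQUIRED.items():
        if record.get(field) in ("", None):
            findings.append(f"line {line_no}: missing '{field}' ({why})")
    if record.get("ts") not in ("", None) and parse_ts(record["ts"]) is None:
        findings.append(f"line {line_no}: unparseable timestamp {record['ts']!r}")
    outcome = record.get("outcome")
    if outcome not in ("", None) and outcome not in VALID_OUTCOMES:
        findings.append(f"line {line_no}: outcome must be success/failure, got {outcome!r}")
    return findings


def find_logging_gaps(records, max_gap=timedelta(hours=1)):
    """Per host, flag silent periods longer than max_gap as a possible logging
    failure. The one-hour threshold is an assumption; tune it per system."""
    by_host = {}
    for rec in records:
        ts = parse_ts(rec.get("ts"))
        if ts is not None and rec.get("host"):
            by_host.setdefault(rec["host"], []).append(ts)
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps


def audit_log_report(text):
    """Parse newline-delimited JSON audit records; return (findings, gaps)."""
    findings, records = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            findings.append(f"line {line_no}: not valid JSON ({exc.msg})")
            continue
        findings.extend(check_record(line_no, record))
        records.append(record)
    return findings, find_logging_gaps(records)


if __name__ == "__main__":
    found, silent = audit_log_report(SAMPLE_LOG)
    for item in found:
        print("FINDING:", item)
    for host, start, end in silent:
        print(f"GAP: {host} silent from {start:%H:%M} to {end:%H:%M} UTC")
```

Run it against a day's export from each system inside the CUI boundary; a clean run plus the script and its output make a reasonable artifact for the "sample audit logs" evidence line, and any gap it reports is a 3.3.4 finding you want to discover before the assessor does.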
  • CM — Configuration Management (9 requirements)

    Key requirements:
    • Establish and maintain baseline configurations
    • Track and control changes to systems
    • Analyze the security impact of changes before implementation
    • Enforce least functionality (disable unnecessary ports, protocols and services)
    • Control and monitor user-installed software

    Common gaps: No documented baselines, no formal change control process, unnecessary services running on CUI systems

    Evidence expected: Baseline configuration documents, change control board records, configuration scan results, software allowlist (whitelist) or denylist policy

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • IA — Identification & Authentication (11 requirements)

    Key requirements:
    • Use multifactor authentication for network access to all accounts and for local access to privileged accounts
    • Use replay-resistant authentication for network access to privileged and non-privileged accounts
    • Enforce minimum password complexity and change of characters on new passwords; prohibit reuse for a set number of generations
    • Identify and authenticate devices before connection
    • Disable identifiers after a defined period of inactivity

    Common gaps: MFA not enforced for all access types (local administrator logons are a frequent miss), weak password policies, no device authentication, inactive accounts not disabled

    Evidence expected: MFA configuration screenshots (including privileged local logon), password policy settings, device authentication logs, account review records

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • IR — Incident Response (3 requirements)

    Key requirements:
    • Establish an operational incident-handling capability (preparation, detection, analysis, containment, recovery, user response)
    • Track, document, and report incidents
    • Test the incident response capability

    Common gaps: Plan exists but never tested, no documented tabletop exercises, unclear escalation procedures

    Evidence expected: Incident response plan, tabletop exercise records with findings, incident log/tracker, after-action reports

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • MA — Maintenance (6 requirements)

    Key requirements:
    • Perform maintenance on organizational systems
    • Control maintenance tools, techniques, mechanisms and personnel
    • Require multifactor authentication for nonlocal (remote) maintenance sessions and terminate the connection when maintenance is complete
    • Supervise maintenance personnel who lack the required access authorization

    Common gaps: No maintenance logging, remote maintenance sessions left open or not authenticated with MFA, maintenance tools not inventoried

    Evidence expected: Maintenance logs, remote maintenance session records (authentication, start and end), tools inventory, maintenance personnel authorization records

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • MP — Media Protection (9 requirements)

    Key requirements:
    • Protect and control CUI media during transport
    • Mark CUI media with required distribution limitations
    • Sanitize media before disposal or reuse
    • Control access to media containing CUI
    • Encrypt CUI on digital media during transport

    Common gaps: No media labeling policy, incomplete sanitization procedures, unencrypted portable media

    Evidence expected: Media handling policy, sanitization records, encryption verification, media inventory log

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • PS — Personnel Security (2 requirements)

    Key requirements:
    • Screen individuals prior to authorizing access to CUI systems
    • Protect CUI during and after personnel actions (termination, transfer)

    Common gaps: No screening documented, access not revoked upon termination/transfer

    Evidence expected: Screening policy, background check records, access revocation procedures and evidence, termination checklists

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • PE — Physical Protection (6 requirements)

    Key requirements:
    • Limit physical access to authorized individuals
    • Escort visitors and monitor visitor activity
    • Maintain audit logs of physical access
    • Control and manage physical access devices (keys, badges, combinations)

    Common gaps: No visitor logs, uncontrolled access to server rooms, missing physical access logs

    Evidence expected: Physical access policy, visitor sign-in logs, badge access records, physical access device inventory

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • RA — Risk Assessment (3 requirements)

    Key requirements:
    • Conduct periodic risk assessments
    • Scan for vulnerabilities periodically and when new vulnerabilities affecting the systems are identified
    • Remediate vulnerabilities in accordance with risk assessments

    Common gaps: No formal risk assessment on file, vulnerability scans not covering the full CUI boundary, no remediation tracking

    Evidence expected: Risk assessment report, vulnerability scan results, remediation tracker with timelines, risk register

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • CA — Security Assessment (4 requirements)

    Key requirements:
    • Assess security controls periodically
    • Develop and implement plans of action (POA&M) to address deficiencies
    • Monitor security controls on an ongoing basis
    • Develop and update system security plans (SSP)

    Common gaps: SSP incomplete or outdated, no security control testing schedule, POA&M not maintained

    Evidence expected: Current SSP, assessment results, POA&M tracker, continuous monitoring plan

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • SC — System & Communications Protection (16 requirements)

    Key requirements:
    • Monitor and control communications at system boundaries
    • Employ architectural designs with security as a principle
    • Separate user functionality from system management functionality
    • Encrypt CUI in transit
    • Protect the confidentiality of CUI at rest
    • Use FIPS-validated cryptography wherever encryption is what protects CUI
    • Protect session authenticity
    • Implement subnetwork isolation for publicly accessible components

    Common gaps: CUI not encrypted at rest, boundary protection gaps, no network segmentation, missing session encryption, encryption running on modules that are not FIPS-validated

    Evidence expected: Network architecture diagrams, encryption configuration evidence, firewall/IDS/IPS rules, TLS certificates and cipher configuration, CMVP certificate numbers for the cryptographic modules in use

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:
  • SI — System & Information Integrity (7 requirements)

    Key requirements:
    • Identify, report, and correct system flaws in a timely manner
    • Provide protection from malicious code at designated locations
    • Update malicious code protection mechanisms when new releases are available
    • Monitor systems, including inbound and outbound traffic, for attacks and unauthorized connections
    • Identify unauthorized use of organizational systems

    Common gaps: Patch management gaps, AV/EDR not on all CUI endpoints, no unauthorized connection monitoring

    Evidence expected: Patch management records, AV/EDR deployment evidence, system monitoring dashboards, alerting configuration

    Status:  ✅ Implemented (3)  ⚠️ Partial (1)  ❌ Not Implemented (0)
    Notes / Remediation:
    Owner:                Target Date:

Need Help Getting CMMC Ready?

Idril Cybersecurity Services helps mid-market defense contractors achieve CMMC Level 2 certification through a structured, efficient compliance program.

Our CMMC Readiness Assessment includes:

  • CUI boundary scoping across your full environment
  • Gap assessment against all 110 NIST 800-171 controls
  • Prioritized remediation roadmap with timelines and owners
  • SSP development or review
  • Evidence preparation guidance for C3PAO assessment
  • Ongoing advisory through certification
Request a CMMC Readiness Assessment

8(a) Certified • WOSB • CMMI Level 3 • idrilservices.io • info@idrilservices.io