CMMC Level 2 Checklist

Your business must strictly control who can access systems containing CUI. This includes limiting access by job role, enforcing least privilege, and preventing unauthorized users from accessing sensitive systems. Remote access must be secured, monitored, and restricted. Shared accounts should be eliminated wherever possible, and session controls must be enforced to prevent unauthorized persistence.

Employees are one of the most common attack vectors. Your firm must implement a formal security awareness program that educates users on phishing, social engineering, and proper data handling. Training must be ongoing and well documented, not a one-time exercise. You must also demonstrate that employees understand their responsibilities when handling CUI.

You must be able to track, monitor, and investigate activity across your systems. This includes generating audit logs for user actions, system changes, and security events. Logs must be protected from tampering, retained appropriately, and reviewed regularly. If an incident occurs, your company must be able to reconstruct what happened.

Uncontrolled systems are one of the fastest ways to fail a CMMC audit. Your business must establish secure baseline configurations for all systems and enforce change control procedures. Unauthorized software must be restricted, and all system changes must be documented, approved, and tracked.

Every user and system must be uniquely identifiable. Your environment must enforce strong authentication mechanisms, including multi-factor authentication (MFA) for privileged and remote access. Default credentials must be eliminated by the IT team, and password policies must meet strict security standards.

CMMC requires more than reacting to incidents; it requires preparedness. Your firm must have a documented incident response plan that outlines detection, reporting, containment, and recovery procedures. Teams must be trained on their roles, and the plan must be tested periodically.

System maintenance activities must be controlled and secure. This includes managing tools used for maintenance, restricting who can perform maintenance, and ensuring remote maintenance sessions are monitored and authorized.

CUI must be protected wherever it exists, including physical media. Your business must control access to media, securely store it, and properly sanitize or destroy it when no longer needed. This process applies to hard drives, USB devices, backups, and printed materials.

Security starts before access is granted. You must screen employees appropriately and ensure that access to CUI is removed immediately when personnel leave or change roles. Insider threats are a major focus of CMMC assessments.

Physical access equals system access. Physical facilities that contain systems with CUI must be secured through access controls, monitoring, and visitor management. Your company must demonstrate that only authorized individuals can physically access sensitive systems.

You cannot protect what you don’t understand. Your firm must conduct regular risk assessments to identify vulnerabilities and threats to CUI. These assessments must drive remediation efforts and be updated as your environment changes.

Controls must be tested, not merely assumed to be effective. Your business must perform internal assessments to validate that controls are implemented correctly and operating effectively. This includes maintaining a System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

Your network must be segmented and secured. This includes controlling data flow, encrypting CUI in transit, and implementing boundary protections such as firewalls and secure architectures. Improper network segmentation is one of the most common audit failures.

You must detect and fix vulnerabilities quickly. Your firm must implement vulnerability management, malware protection, and system monitoring. Patching must be timely, and you must demonstrate the ability to detect and respond to emerging threats.