[OUTLINE — expand before publishing]
CMMC Level 2 is where the defense industrial base does its heavy lifting: all 110 security requirements of NIST SP 800-171, applied to every system in scope for CUI, and verified for most contractors by a triennial C3PAO assessment. What defeats people is rarely a single control — it is the volume, and not knowing what order to tackle it in. This checklist breaks the journey into seven ordered steps, so you always know what comes next and what "done" looks like at each stage.
Before the Checklist: Confirm Level 2 Applies
- You handle CUI, or DFARS 252.204-7012 appears in your contracts → plan for Level 2.
- Most contracts require a triennial C3PAO assessment; a small subset permit annual self-assessment — explain how to tell which you are.
Step 1 — Scope Your CUI Environment
- Map where CUI enters, moves, and rests; categorize assets per the CMMC scoping guidance.
- Decision point with the biggest cost impact: enterprise-wide compliance vs. a CMMC secure enclave.
Step 2 — Write (or Repair) Your System Security Plan
- Boundary, network and data-flow diagrams, asset inventory, and an implementation statement for each of the 110 requirements.
- Remember: without an SSP, an assessment cannot be completed at all.
Step 3 — Implement the 110 Practices
- Overview of the 14 NIST 800-171 requirement families, two or three sentences each.
- Sequence by DoD point weight: the 5-point items (MFA, FIPS-validated encryption among them) first.
Step 4 — Build the Evidence Library
- Policies alone are not proof: collect configurations, logs, records, and screenshots mapped to each requirement and assessment objective.
- Note what assessors sample: artifacts plus interviews plus demonstrations.
Step 5 — Score Yourself and Submit to SPRS
- Apply the DoD assessment methodology (scores run -203 to +110); submit through PIEE.
- Record POA&M and projected full-implementation date alongside the score.
Step 6 — Decide Your POA&M Strategy
- Level 2 limits: lower-weight items only, minimum score threshold applies, 180-day closeout window.
- Goal on assessment day: arrive with few open items — or none.
Step 7 — Prepare for the C3PAO Assessment
- Run a mock assessment or CMMC readiness assessment; rehearse evidence walkthroughs and staff interviews.
- Logistics: scheduling the C3PAO, assembling the assessment team, artifact delivery.
How Essendis Helps