CMMC 2.0 Level 2
Readiness Checklist

What’s inside

The checklist mirrors the working document we walk every CMMC client through before any implementation work begins. It’s the version we use internally, not a marketing sanitization.

• →Pre-assessment scoping — identifying CUI, mapping data flows, defining the assessment boundary
• →All 14 NIST SP 800-171 control families with the items SMB DIB contractors most often get wrong
• →Common gotchas — service accounts without MFA, baselines that drift, training records that don't reconstruct
• →Documentation deliverables — what the SSP, POA&M, data-flow diagram, and asset inventory actually need to contain
• →Pre-assessment activities — self-assessment scoring, SPRS posting, mock-audit framework
• →What "ready" actually looks like — the 90-day rule, prioritization when the deadline accelerates

Who it’s for

Owners, operators, and IT leads at SMB Defense Industrial Base contractors who:

• Subcontract to DoD primes and have received a CMMC Level 2 requirement (or expect one in the next 12 months)
• Handle Controlled Unclassified Information (CUI) in any form — engineering drawings, technical specs, program documentation, export-controlled data
• Operate in the Utah DIB ecosystem around Hill Air Force Base or the East Tennessee ecosystem around Oak Ridge National Laboratory
• Want to score themselves internally before paying for a C3PAO assessment

Related