CMMC 2.0 Checklist

The Department of Defense has mandated that contractors and subcontractors who handle Controlled Unclassified Information (CUI) achieve Cybersecurity Maturity Model Certification (CMMC). Preparing for and achieving DoD CMMC certification can pose significant challenges, and many organizations find the process complex and intimidating. Our CMMC Checklist can help you start taking steps in the right direction!


Do you have a System Security Plan (SSP)?

The SSP is the document that describes every security control implemented in your organization and how each one is implemented.

You will want to have evidence & documentation/policies for each control that is implemented.



Have you established a Plan of Action & Milestones (POAM)?

The POAM is a working document that tracks the controls you have not yet fully implemented, along with the planned remediation and target dates. You can view this as your “to-do list” or “roadmap”.



Have you created a Disaster Recovery Plan?

The DR plan documents the procedures your organization will follow to respond to unplanned events. These events may be IT or cyber-related, or they may stem from natural disasters, power outages, and similar disruptions.



Have you created an Incident Response Plan?

Your incident response plan is a document containing the tools and procedures that your security team can use to identify, eliminate, and recover from cybersecurity incidents.



Do you have policies & procedures around handling sensitive information?

You should have documentation covering all of the CMMC controls. Part of this is defining how you store, transmit, and process Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).



Are you using Endpoint Detection and Response (EDR) software?

Basic anti-virus might have been good enough ten years ago; however, proper endpoint detection and response software will better protect your organization and help check off more controls.



Are you utilizing Multi-Factor Authentication (MFA) for all remote connections (VPN) and privileged accounts (admins)?

This is a requirement of NIST SP 800-171 and CMMC, but it is also good practice for any business. Most cyber liability insurers are starting to require these practices as well.



Have you assessed your organization for vulnerabilities?

Determine when (if ever) you last performed a vulnerability assessment of your organization. Then put together a plan to remediate the findings and document both the vulnerabilities and their remediation.



Are patches and updates performed regularly and audited to confirm status?

Are you applying patches and updates manually? Are you using an RMM (remote monitoring and management) tool to perform these tasks? There are many ways to automate patching and make auditing its status more manageable.



Are you actively reviewing event logs, or have you deployed a SIEM?

Do you have a syslog server set up to collect all event logs? If so, who is responsible for reviewing them and checking for anomalies? Another way to accomplish this is to use a SIEM backed by a third-party SOC (security operations center). Some SIEM tools use machine learning to correlate the logs stored in a central repository and, when they detect anomalous activity, raise an alert so that a security engineer can investigate the underlying logs for you.
