Valtik Studios
Free Resource · CMMC 2.0 Level 2

CMMC 2.0 Level 2 Self-Assessment Checklist

All 110 NIST 800-171 Rev. 2 practices organized by domain. Use this to score your posture before engaging a C3PAO. Every gap found now is one less exception in the formal audit.

How to use this checklist

For each practice, score your implementation using the DoD Assessment Methodology scoring:

  • Fully Implemented. Control is in place and operating
  • Partially Implemented. Some aspects in place, others missing
  • Not Implemented. Control not yet in place
  • Not Applicable. Genuinely does not apply (document the reason)

Your CMMC Level 2 score must be 110 out of 110 at the time of the C3PAO assessment. Limited Plan of Action and Milestones (POA&M) items are allowed post-assessment for specific lower-risk practices; most practices cannot be deferred via POA&M.

Access Control (AC). 22 practices

  • 3.1.1. Limit system access to authorized users, processes, devices
  • 3.1.2. Limit transactions and functions to those authorized users are permitted to execute
  • 3.1.3. Control CUI flow per approved authorizations
  • 3.1.4. Separate duties of individuals to reduce the risk of malevolent activity without collusion
  • 3.1.5. Principle of least privilege
  • 3.1.6. Use non-privileged accounts for non-security functions
  • 3.1.7. Prevent non-privileged users from executing privileged functions
  • 3.1.8. Limit unsuccessful logon attempts
  • 3.1.9. System use notification
  • 3.1.10. Session lock with pattern-hiding display after inactivity
  • 3.1.11. Terminate sessions after defined conditions
  • 3.1.12. Remote access sessions monitored and controlled
  • 3.1.13. Cryptographic protection of remote access sessions
  • 3.1.14. Route remote access through managed access control points
  • 3.1.15. Authorize remote execution of privileged commands
  • 3.1.16. Authorize wireless access connections
  • 3.1.17. Protect wireless access with authentication and encryption
  • 3.1.18. Control connection of mobile devices
  • 3.1.19. Encrypt CUI on mobile devices and mobile computing platforms
  • 3.1.20. Verify and control connections to external systems
  • 3.1.21. Limit portable storage device use on external systems
  • 3.1.22. Control CUI posted on publicly accessible systems

Awareness and Training (AT). 3 practices

  • 3.2.1. Ensure users are aware of security risks
  • 3.2.2. Ensure personnel trained for their roles
  • 3.2.3. Provide insider threat awareness training

Audit and Accountability (AU). 9 practices

  • 3.3.1. Create and retain system audit logs
  • 3.3.2. Trace actions to individual users
  • 3.3.3. Review and update logged events
  • 3.3.4. Alert on audit logging process failures
  • 3.3.5. Correlate audit record review, analysis, and reporting
  • 3.3.6. Provide audit record reduction and report generation
  • 3.3.7. Provide system capability to synchronize internal system clocks
  • 3.3.8. Protect audit information and tools from unauthorized access
  • 3.3.9. Limit management of audit logging to privileged users

Configuration Management (CM). 9 practices

  • 3.4.1. Establish and maintain baseline configurations
  • 3.4.2. Establish and enforce security configuration settings
  • 3.4.3. Track, review, approve, and log changes to systems
  • 3.4.4. Analyze security impact of changes before implementation
  • 3.4.5. Define, document, approve, and enforce physical and logical access restrictions
  • 3.4.6. Employ principle of least functionality
  • 3.4.7. Restrict nonessential programs, functions, ports, protocols
  • 3.4.8. Apply deny-by-exception policy for unauthorized software
  • 3.4.9. Control and monitor user-installed software

Identification and Authentication (IA). 11 practices

  • 3.5.1. Identify users, processes, and devices
  • 3.5.2. Authenticate identities as prerequisite to system access
  • 3.5.3. Use MFA for local and network access to privileged accounts and network access to non-privileged accounts
  • 3.5.4. Replay-resistant authentication mechanisms for privileged and non-privileged network access
  • 3.5.5. Prevent reuse of identifiers for a defined period
  • 3.5.6. Disable identifiers after a defined period of inactivity
  • 3.5.7. Enforce password complexity (minimum strength when passwords are used)
  • 3.5.8. Prohibit password reuse for a specified number of generations
  • 3.5.9. Permit temporary password use only with an immediate change to a permanent password
  • 3.5.10. Store and transmit only cryptographically protected passwords
  • 3.5.11. Obscure feedback of authentication information

Incident Response (IR). 3 practices

  • 3.6.1. Operational incident-handling capability
  • 3.6.2. Track, document, and report incidents
  • 3.6.3. Test incident response capability

Remaining domains (summary)

  • Maintenance (MA). 6 practices covering system maintenance, maintenance tools, non-local maintenance, personnel conducting maintenance
  • Media Protection (MP). 9 practices covering CUI on digital and non-digital media, access, marking, transport, sanitization
  • Personnel Security (PS). 2 practices covering personnel screening and protection of CUI during personnel actions
  • Physical Protection (PE). 6 practices covering physical facility access, visitor access, physical access logs, equipment siting and protection
  • Risk Assessment (RA). 3 practices covering risk assessment, vulnerability scanning, mitigation of vulnerabilities
  • Security Assessment (CA). 4 practices covering security control assessment, plan of action, system security plan, continuous monitoring
  • System and Communications Protection (SC). 16 practices covering boundary protection, subnetwork separation, denial-of-service protection, cryptographic key management, collaborative computing devices, mobile code
  • System and Information Integrity (SI). 7 practices covering flaw remediation, malicious code protection, system monitoring, security alerts and advisories, email forgery protection, sandboxing

POA&M eligibility

Under CMMC 2.0, a limited set of NIST 800-171 practices can be POA&M items at the time of the C3PAO assessment. The most critical practices (MFA, encryption, boundary protection, audit logging) must be implemented. The Cyber AB publishes a POA&M eligible practices list. Check the current version before relying on POA&M for any specific practice.

The single biggest cost lever in CMMC readiness: CUI scope. If CUI is everywhere, everything is in scope. A well-designed CUI enclave reduces the assessment boundary to a fraction of your environment.
