Valtik Studios

CMMC 2.0 Level 2 Self-Assessment Checklist

All 110 NIST 800-171 Rev. 2 practices organized by domain. Use this to score your posture before engaging a C3PAO — every gap found now is one less exception in the formal audit.

How to use this checklist

For each practice, score your implementation using the DoD Assessment Methodology scoring:

  • Fully Implemented — control is in place and operating
  • Partially Implemented — some aspects in place, others missing
  • Not Implemented — control not yet in place
  • Not Applicable — genuinely does not apply (document the reason)

Your CMMC Level 2 score must be 110 out of 110 at the time of the C3PAO assessment. Limited Plan of Action and Milestones (POA&M) items are allowed post-assessment for specific lower-risk practices; most practices cannot be deferred via POA&M.

Access Control (AC) — 22 practices

  • 3.1.1 — Limit system access to authorized users, processes, devices
  • 3.1.2 — Limit transactions and functions to authorized uses
  • 3.1.3 — Control CUI flow per approved authorizations
  • 3.1.4 — Separate duties to reduce collusion risk
  • 3.1.5 — Principle of least privilege
  • 3.1.6 — Use non-privileged accounts for non-security functions
  • 3.1.7 — Prevent non-privileged users from executing privileged functions
  • 3.1.8 — Limit unsuccessful logon attempts
  • 3.1.9 — System use notification
  • 3.1.10 — Session lock with pattern-hiding display after inactivity
  • 3.1.11 — Terminate sessions after defined conditions
  • 3.1.12 — Remote access sessions monitored and controlled
  • 3.1.13 — Cryptographic protection of remote access sessions
  • 3.1.14 — Route remote access through managed access control points
  • 3.1.15 — Authorize remote execution of privileged commands
  • 3.1.16 — Authorize wireless access connections
  • 3.1.17 — Protect wireless access with authentication and encryption
  • 3.1.18 — Control connection of mobile devices
  • 3.1.19 — Encrypt CUI on mobile devices and mobile computing platforms
  • 3.1.20 — Verify and control connections to external systems
  • 3.1.21 — Limit portable storage device use on external systems
  • 3.1.22 — Control CUI posted on publicly accessible systems

Awareness and Training (AT) — 3 practices

  • 3.2.1 — Ensure users aware of security risks
  • 3.2.2 — Ensure personnel trained for their roles
  • 3.2.3 — Provide insider threat awareness training

Audit and Accountability (AU) — 9 practices

  • 3.3.1 — Create and retain system audit logs
  • 3.3.2 — Trace actions to individual users
  • 3.3.3 — Review and update logged events
  • 3.3.4 — Alert on audit logging process failures
  • 3.3.5 — Correlate audit record review, analysis, and reporting
  • 3.3.6 — Provide audit record reduction and report generation
  • 3.3.7 — Provide system capability to synchronize internal system clocks
  • 3.3.8 — Protect audit information and tools from unauthorized access
  • 3.3.9 — Limit management of audit logging to privileged users

Configuration Management (CM) — 9 practices

  • 3.4.1 — Establish and maintain baseline configurations
  • 3.4.2 — Establish and enforce security configuration settings
  • 3.4.3 — Track, review, approve, and log changes to systems
  • 3.4.4 — Analyze security impact of changes before implementation
  • 3.4.5 — Define, document, approve, and enforce physical and logical access restrictions
  • 3.4.6 — Employ principle of least functionality
  • 3.4.7 — Restrict nonessential programs, functions, ports, protocols
  • 3.4.8 — Apply deny-by-exception policy for unauthorized software
  • 3.4.9 — Control and monitor user-installed software

Identification and Authentication (IA) — 11 practices

  • 3.5.1 — Identify users, processes, and devices
  • 3.5.2 — Authenticate identities as prerequisite to system access
  • 3.5.3 — Use MFA for local and network access to privileged accounts and network access to non-privileged accounts
  • 3.5.4 — Replay-resistant authentication mechanisms for privileged and non-privileged network access
  • 3.5.5 — Prevent reuse of identifiers for a defined period
  • 3.5.6 — Disable identifiers after a defined period of inactivity
  • 3.5.7 — Enforce password complexity (minimum strength when passwords are used)
  • 3.5.8 — Prohibit password reuse for a specified number of generations
  • 3.5.9 — Permit temporary password with immediate change
  • 3.5.10 — Store and transmit only cryptographically protected passwords
  • 3.5.11 — Obscure feedback of authentication information

Incident Response (IR) — 3 practices

  • 3.6.1 — Operational incident-handling capability
  • 3.6.2 — Track, document, and report incidents
  • 3.6.3 — Test incident response capability

Remaining domains (summary)

  • Maintenance (MA) — 6 practices covering system maintenance, maintenance tools, non-local maintenance, personnel conducting maintenance
  • Media Protection (MP) — 9 practices covering CUI on digital and non-digital media, access, marking, transport, sanitization
  • Personnel Security (PS) — 2 practices covering personnel screening and protection of CUI during personnel actions
  • Physical Protection (PE) — 6 practices covering physical facility access, visitor access, physical access logs, equipment siting and protection
  • Risk Assessment (RA) — 3 practices covering risk assessment, vulnerability scanning, mitigation of vulnerabilities
  • Security Assessment (CA) — 4 practices covering security control assessment, plan of action, system security plan, continuous monitoring
  • System and Communications Protection (SC) — 16 practices covering boundary protection, subnetwork separation, denial-of-service protection, cryptographic key management, collaborative computing devices, mobile code
  • System and Information Integrity (SI) — 7 practices covering flaw remediation, malicious code protection, system monitoring, security alerts and advisories, email forgery protection, sandbox

POA&M eligibility

Under CMMC 2.0, a limited set of NIST 800-171 practices can be POA&M items at the time of the C3PAO assessment. The most critical practices (MFA, encryption, boundary protection, audit logging) must be implemented. The Cyber AB publishes a POA&M eligible practices list — check the current version before relying on POA&M for any specific practice.

The single biggest cost lever in CMMC readiness: CUI scope. If CUI is everywhere, everything is in scope. A well-designed CUI enclave reduces the assessment boundary to a fraction of your environment.
