Cyberuptive

CMMC Readiness Checklist

A 47-point CMMC 2.0 readiness checklist.

Mapped to NIST 800-171 control families, written for medium and large Pacific defense subcontractors. Use it as a self-assessment, a remediation roadmap, or a conversation starter with your prime.

How to use this

Walk this list with your IT lead. For each item, mark In place / Partial / Gap. Anything not "In place" goes onto the POA&M with an owner, a target date, and a budget estimate. Most medium and large Pacific subcontractors come into this with 25–35 of the 47 items marked Partial or Gap. That's normal. The 9–12 month remediation runway exists to close the rest.

Scope & Boundary

  • CUI boundary diagrammed and approved by leadership
  • In-scope users, systems, and data flows inventoried
  • Federal Contract Information (FCI) vs CUI classification confirmed
  • GCC High (or equivalent FedRAMP-Mod) tenant in place for CUI in M365
  • Network segmentation between CUI enclave and general business systems

Access Control (AC)

  • Multi-factor authentication on all CUI-adjacent accounts
  • Conditional Access policies enforce device + location restrictions
  • Privileged Identity Management (PIM) for admin roles
  • Quarterly user access review documented
  • Session controls and automatic logoff configured

Audit & Accountability (AU)

  • Centralized SIEM with all CUI system logs ingested
  • Audit log retention of at least 1 year (longer where contract requires)
  • Audit failure alerting configured and tested
  • Time synchronization (NTP) hardened across all systems
  • Audit record review on a documented cadence

Identification & Authentication (IA)

  • No shared accounts in the CUI environment
  • Password complexity + history + lockout policies enforced
  • Service accounts managed under PIM or equivalent
  • PIV / smartcard / FIDO2 support where DoW contract requires

Incident Response (IR)

  • Written incident response plan, signed by leadership
  • Annual tabletop exercise completed and documented
  • 72-hour DFARS 252.204-7012 reporting workflow operational
  • IR retainer or in-house IR capability in place
  • Post-incident review process with corrective action tracking

System & Information Integrity (SI)

  • Endpoint detection and response (EDR) on all CUI-handling endpoints
  • Continuous vulnerability scanning with prioritized remediation
  • Malware protection updated and centrally monitored
  • System monitoring for unauthorized changes
  • Flaw remediation tracked through ticketing with SLAs

Configuration Management (CM)

  • Documented baseline configurations for all CUI systems
  • Change management process with approvals and rollback
  • Asset inventory current and reconciled to scans
  • Software whitelisting / allowlisting where feasible

Personnel & Physical (PE / PS)

  • US-persons access controls documented in the personnel handling section
  • Background checks for personnel with CUI access
  • Physical access controls to CUI-processing facilities
  • Visitor logs and escort procedures
  • Media handling and sanitization procedures

Documentation & Governance

  • System Security Plan (SSP) authored and current
  • Plan of Action & Milestones (POA&M) live and reviewed quarterly
  • Annual NIST 800-171 self-assessment scored in SPRS
  • Evidence library organized and assessor-ready
  • C3PAO mock assessment completed

Aloha, let's talk

Want this as a working POA&M instead of a checklist?

A 30-minute scoping call gives you a fixed-scope CMMC plan — every gap with an owner, a date, and a remediation cost.