CMMC Readiness Checklist: 50-Point Self-Assessment Before Your C3PAO Audit

Why You Need a Readiness Checklist Before Your C3PAO Assessment

Walking into a CMMC Level 2 assessment without thorough preparation is like taking a final exam without studying — the stakes are too high and the consequences of failure too significant to leave anything to chance. A comprehensive self-assessment checklist allows you to evaluate your readiness across all dimensions of the CMMC framework before your Certified Third-Party Assessment Organization arrives, identify remaining gaps while there is still time to address them, and enter your assessment with confidence.

This 50-point readiness checklist covers the critical areas that C3PAO assessors evaluate during a CMMC Level 2 assessment. It is organized into logical sections that mirror the assessment process, from documentation and governance through technical controls and operational procedures. Use this checklist as a systematic tool to verify your preparedness and identify any areas that need last-minute attention.

Each item in this checklist represents an area where deficiencies commonly cause problems during assessments. By working through each point methodically and addressing any shortcomings you discover, you significantly increase your probability of achieving certification on your first attempt and avoid the cost and delay of reassessment.

Section 1: Documentation and Governance (Points 1-10)

1. System Security Plan completeness. Verify that your System Security Plan accurately describes your current environment, including all system boundaries, network architecture, data flows, and interconnections. The SSP should address how each of the 110 NIST SP 800-171 requirements is implemented in your specific environment. Review every section to ensure descriptions match your actual implementations and that no requirements have been overlooked or inadequately described.

2. System Security Plan currency. Confirm that your SSP has been reviewed and updated within the last 12 months and that it reflects any changes made to your environment since the last review. The SSP should have a clear version history, a designated document owner, and an approval signature from senior management. Assessors will check the revision date and compare descriptions against your actual systems.

3. Plan of Action and Milestones status. Review your POA&M to ensure all entries are current, with realistic remediation timelines and assigned responsible parties. Verify that completed items have been properly closed with supporting evidence. Under CMMC 2.0 rules, confirm that any open items are eligible for POA&M treatment and that your closure timelines fall within the 180-day window.

4. Security policies for all 14 control families. Verify that you have written, approved security policies covering each of the 14 NIST SP 800-171 control families. Each policy should clearly state its purpose, scope, roles and responsibilities, and the specific requirements it addresses. Policies should be approved by senior management and accessible to all relevant personnel.

5. Standard operating procedures. Confirm that you have documented procedures for all security-related activities, including account management, incident response, backup and recovery, vulnerability scanning, patch management, media sanitization, and visitor management. Procedures should be detailed enough for personnel to follow consistently without relying on institutional knowledge.

6. Network diagrams and data flow documentation. Ensure your network diagrams are current and accurately depict all network segments, boundary devices, connections to external systems, and the location of CUI processing, storage, and transmission. Data flow diagrams should show how CUI enters, moves through, and exits your environment, including all transmission paths and storage locations.

7. Hardware and software inventory. Verify that you maintain a current, complete inventory of all hardware assets and software within your assessment boundary. The inventory should include device names, types, operating systems, IP addresses, physical locations, and asset owners. Software inventories should include version numbers and licensing information.

8. Risk assessment documentation. Confirm that you have conducted a formal risk assessment within the last 12 months and that the results are documented. The risk assessment should identify threats and vulnerabilities relevant to your environment, evaluate the potential impact and likelihood of each risk, and describe the controls in place to mitigate identified risks.

9. Interconnection agreements and authorizations. Review all connections between your systems and external systems to verify that each connection is authorized, documented, and protected with appropriate security controls. This includes connections to cloud services, business partners, subcontractors, and any other external entities that may access or exchange CUI with your systems.

10. Roles and responsibilities documentation. Verify that security roles and responsibilities are clearly defined and documented, including the designation of a security official responsible for overseeing your information security program. All personnel should understand their security responsibilities, and this understanding should be documented through signed acknowledgment forms or similar records.

Section 2: Access Control and Identity Management (Points 11-20)

11. User account management procedures. Verify that you have formal procedures for creating, modifying, disabling, and removing user accounts. Test that disabled or terminated employee accounts have actually been deactivated in all systems. Check for any shared accounts or generic credentials that violate individual accountability requirements.

12. Least privilege implementation. Confirm that user access rights are limited to the minimum necessary for each individual’s job function. Review access control lists and group memberships to identify any instances of excessive privilege. Pay particular attention to administrative access, which should be restricted to a small number of authorized individuals with a documented need.

13. Multi-factor authentication deployment. Verify that multi-factor authentication is implemented for all network access to privileged accounts and for all remote network access. Test MFA functionality on all access paths including VPN connections, remote desktop sessions, cloud application access, and any web-based administrative interfaces. Confirm that MFA cannot be bypassed through alternative access methods.

14. Remote access controls. Test all remote access methods to confirm they require MFA, use encrypted connections, and are logged. Verify that remote access sessions automatically terminate after a defined period of inactivity. Confirm that remote access is limited to authorized users and that access methods are documented in your System Security Plan.

15. Wireless access restrictions. Verify that wireless access to systems containing CUI is protected with enterprise-grade encryption and authentication. Confirm that guest wireless networks are logically or physically separated from networks that process CUI. Test that unauthorized wireless access points cannot connect to your CUI environment.

16. Mobile device management. If mobile devices are used to access CUI, verify that they are managed through a mobile device management solution that enforces encryption, screen lock, remote wipe capability, and application restrictions. Confirm that personal devices used for CUI access meet the same security requirements as organization-issued devices.

17. Session lock and termination. Test that all systems automatically lock after a period of inactivity appropriate to the risk level. Verify that sessions are terminated after conditions defined in your security policy, such as end of workday or extended inactivity. Confirm that session lock requires re-authentication to resume.

18. Unsuccessful logon attempt handling. Verify that systems enforce a limit on consecutive unsuccessful logon attempts and automatically lock accounts or delay subsequent attempts after the limit is reached. Test this functionality on all system types including workstations, servers, network devices, and applications that access CUI.

19. System use notification. Confirm that all systems display an approved system use notification banner before granting access. The banner should inform users that the system is for authorized use only, that usage may be monitored, and that unauthorized access may result in disciplinary or legal action. Verify the banner appears before authentication on all access methods.

20. CUI flow control. Review your data flow controls to verify that CUI cannot be transmitted to unauthorized recipients or systems. Test email data loss prevention rules, USB device restrictions, cloud sharing controls, and any other mechanisms used to prevent unauthorized CUI dissemination. Verify that print controls are in place for areas where CUI should not be printed.

Section 3: Technical Security Controls (Points 21-35)

21. FIPS-validated encryption for data in transit. Verify that all transmission of CUI uses FIPS 140-2 or FIPS 140-3 validated cryptographic modules. This includes email encryption, VPN tunnels, web application traffic, and file transfers. Check encryption configurations to confirm they use approved algorithms and key lengths.

22. FIPS-validated encryption for data at rest. Confirm that CUI stored on all media including hard drives, removable media, and cloud storage is encrypted using FIPS-validated cryptographic modules. Verify that full disk encryption is enabled on all laptops and workstations that may contain CUI, and that encryption keys are properly managed.

23. Boundary protection devices. Review firewall rules, intrusion detection and prevention configurations, and other boundary protection mechanisms. Verify that rules follow a deny-all, permit-by-exception methodology. Confirm that boundary devices are logging all traffic and that logs are forwarded to your centralized log management system.

24. Network segmentation. Verify that publicly accessible systems are separated from internal networks, and that CUI processing enclaves are appropriately segmented from general business networks. Test segmentation controls to confirm that traffic between segments is properly controlled and monitored.

25. Vulnerability scanning. Confirm that vulnerability scans are conducted regularly across your assessment boundary. Review recent scan results and verify that identified vulnerabilities have been addressed or documented in your POA&M with appropriate risk ratings. Verify that scanning covers all system types including servers, workstations, network devices, and web applications.

26. Patch management. Verify that your patch management program addresses all software and firmware within your assessment boundary. Review patch compliance reports to confirm that critical patches are applied within your policy-defined timeframes. Check for any systems that have been missed by your patching process.

27. Antivirus and anti-malware. Confirm that endpoint protection solutions are deployed on all workstations and servers, that signature databases are current, and that real-time protection is enabled. Verify that users cannot disable or circumvent endpoint protection. Review recent detection logs for any indicators of compromise.

28. Audit logging configuration. Verify that audit logging is enabled on all systems within your assessment boundary and that logs capture the required events including user logons, failed authentication attempts, privilege use, object access, and policy changes. Confirm that logs include sufficient detail to support investigation including timestamps, user identifiers, event types, and outcomes.

29. Log management and retention. Confirm that logs from all systems are forwarded to a centralized log management platform, that log integrity is protected against tampering, and that logs are retained according to your policy requirements. Verify that log storage capacity is adequate and that retention periods meet the minimum requirement.

30. Security alert monitoring. Verify that your security monitoring systems are configured to generate alerts for suspicious activities including failed authentication attempts, unauthorized access attempts, malware detections, and anomalous network traffic. Confirm that alerts are reviewed and investigated in a timely manner and that the review process is documented.

31. DNS filtering. Confirm that Domain Name System filtering is implemented to block access to known malicious domains. Verify that the filtering solution is applied to all systems within your assessment boundary and that it is updated regularly with current threat intelligence.

32. Email protections. Verify that email security controls are in place including spam filtering, malware scanning, phishing detection, and attachment sandboxing. Confirm that email containing CUI is encrypted in transit and that data loss prevention rules prevent unauthorized transmission of CUI via email.

33. Backup and recovery. Test your backup systems to verify that CUI data is backed up regularly, that backups are encrypted, and that recovery procedures work as documented. Conduct a test restoration of critical data and systems to confirm your recovery time objectives can be met.

34. Configuration management baselines. Verify that security configuration baselines have been established for all system types including servers, workstations, network devices, and applications. Confirm that systems are configured in accordance with these baselines and that deviations are documented and authorized.

35. Change management process. Review recent system changes to verify that they followed your documented change management process, including security impact analysis, testing, approval, and documentation. Confirm that unauthorized changes are detected and investigated.

Section 4: Physical and Personnel Security (Points 36-40)

36. Physical access controls. Verify that physical access to facilities and areas containing CUI is limited to authorized individuals through mechanisms such as badge readers, locked doors, and visitor management procedures. Test that access control mechanisms are functioning properly and that access logs are maintained.

37. Visitor management. Confirm that visitor procedures are in place and followed, including sign-in and sign-out requirements, escort requirements for sensitive areas, and visitor badge issuance. Review recent visitor logs for completeness and verify that escorts are provided as required.

38. Personnel screening. Verify that background checks or other appropriate screening measures have been completed for all personnel with access to CUI before access was granted. Confirm that screening records are maintained and that the screening process is documented in your security policies.

39. Personnel termination procedures. Review your termination checklist to confirm it includes disabling system access, retrieving credentials and equipment, recovering CUI materials, and revoking physical access. Test by reviewing recent termination cases to verify the procedures were followed completely and in a timely manner.

40. Clean desk and screen practices. Verify that personnel follow clean desk practices in areas where CUI is processed, and that screens displaying CUI are positioned to prevent unauthorized viewing. Confirm that printers in CUI areas have pickup procedures that prevent documents from being left unattended.

Section 5: Operational Readiness (Points 41-50)

41. Incident response plan testing. Confirm that your incident response plan has been tested within the last 12 months through a tabletop exercise, functional exercise, or actual incident response. Document the test results and any improvements made to the plan based on lessons learned.

42. Incident reporting procedures. Verify that all personnel know how to report a suspected security incident and that your reporting procedures address the 72-hour DoD notification requirement under DFARS 252.204-7012. Test the reporting chain by conducting an unannounced drill.

43. Security awareness training completion. Confirm that all personnel with access to CUI have completed security awareness training within the last 12 months and that training records are maintained. Verify that training content covers all required topics including CUI handling, phishing recognition, incident reporting, and acceptable use policies.

44. Specialized role-based training. Verify that personnel with significant security responsibilities, such as system administrators and security officers, have received specialized training appropriate to their roles. Confirm that training records document the specific training provided and the date of completion.

45. Media sanitization procedures. Confirm that media sanitization procedures are documented and that personnel responsible for media disposal understand the approved methods. Verify that sanitization records are maintained for all media that has been sanitized or destroyed, including the method used and the individual who performed the sanitization.

46. Maintenance procedures and records. Verify that system maintenance is performed according to manufacturer specifications and your organizational procedures. Confirm that maintenance records are maintained, that maintenance tools are controlled, and that any CUI on equipment removed for maintenance is properly handled before the equipment leaves your control.

47. Supply chain and subcontractor compliance. If you flow CUI to subcontractors, verify that appropriate flow-down clauses are included in your subcontracts and that subcontractors have acknowledged their compliance responsibilities. Confirm that you have a process for verifying subcontractor compliance.

48. Continuous monitoring activities. Verify that you have established a continuous monitoring program that includes regular vulnerability scanning, log review, configuration compliance checking, and security control effectiveness assessment. Confirm that monitoring results are documented and that identified issues are tracked to resolution.

49. Evidence package preparation. Organize all evidence artifacts that demonstrate compliance with each of the 110 requirements. Create an evidence matrix mapping each requirement to the specific documents, screenshots, configurations, and records that demonstrate your implementation. Having this package ready before the assessment significantly streamlines the evaluation process.

50. Assessment team logistics. Prepare for the C3PAO assessment by arranging workspace for the assessment team, scheduling key personnel for interviews, ensuring all documentation is accessible, confirming that system administrators are available for technical demonstrations, and communicating the assessment schedule to all involved parties.

Using This Checklist Effectively

Work through this checklist systematically, documenting your findings for each point. Where you identify gaps or areas needing improvement, add them to your POA&M with specific remediation actions and timelines. Prioritize gaps based on their risk to CUI protection and their potential impact on your assessment outcome.
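A small tracker that ties points 3 and 49 to this guidance: it enumerates the 110 requirements, reports which ones have no artifact in the evidence matrix, flags open POA&M entries that fall outside the 180-day window, and lists gaps that have no POA&M entry at all. This is an added example, not part of the checklist or any Easy Compliances tool; it assumes requirement identifiers follow the NIST SP 800-171 Rev. 2 numbering (3.1.1 through 3.14.7), and the evidence map, POA&M entries and dates are constructed sample data.

```python
"""Self-assessment tracker: evidence coverage and POA&M window check (added example)."""
from datetime import date, timedelta

# Requirements per NIST SP 800-171 Rev. 2 family (3.1 .. 3.14); these sum to 110.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9,
                9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
POAM_WINDOW_DAYS = 180  # closure window cited in checklist point 3


def all_requirements():
    """Enumerate every requirement id in family order: '3.1.1' .. '3.14.7'."""
    return [f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
            for n in range(1, size + 1)]


def missing_evidence(evidence):
    """Requirements (point 49) with no artifact mapped in the evidence matrix."""
    return [r for r in all_requirements() if not evidence.get(r)]


def overdue_poam(poam, today):
    """Open POA&M items whose window has lapsed or whose due date lies beyond it."""
    late = []
    for item in poam:
        deadline = item["opened"] + timedelta(days=POAM_WINDOW_DAYS)
        if item["closed"] is None and (today > deadline or item["due"] > deadline):
            late.append(item["id"])
    return late


def readiness_summary(evidence, poam, today):
    """Combine both checks; 'uncovered' gaps have neither evidence nor an open POA&M entry."""
    gaps = missing_evidence(evidence)
    tracked = {item["req"] for item in poam if item["closed"] is None}
    return {
        "total": len(all_requirements()),
        "with_evidence": len(all_requirements()) - len(gaps),
        "missing": gaps,
        "uncovered": [r for r in gaps if r not in tracked],
        "overdue_poam": overdue_poam(poam, today),
    }


# Constructed sample data: every requirement mapped to an SSP section except three gaps.
SAMPLE_EVIDENCE = {r: [f"SSP section {r}"] for r in all_requirements()}
SAMPLE_EVIDENCE["3.5.3"] = []   # MFA screenshots not yet collected
SAMPLE_EVIDENCE["3.8.3"] = []   # media sanitization records not yet collected
del SAMPLE_EVIDENCE["3.13.11"]  # FIPS-validated crypto not mapped at all
SAMPLE_POAM = [
    {"id": "POAM-1", "req": "3.5.3", "opened": date(2024, 1, 10), "due": date(2024, 5, 1), "closed": None},
    {"id": "POAM-2", "req": "3.13.11", "opened": date(2024, 1, 10), "due": date(2024, 9, 1), "closed": None},
    {"id": "POAM-3", "req": "3.3.1", "opened": date(2023, 6, 1), "due": date(2023, 8, 1), "closed": date(2023, 7, 20)},
]
SAMPLE_TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for key, value in readiness_summary(SAMPLE_EVIDENCE, SAMPLE_POAM, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

Feed it your own evidence matrix and POA&M export; anything in `uncovered` or `overdue_poam` is a finding to resolve before the C3PAO arrives.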

Consider engaging a Registered Practitioner to review your checklist findings and provide an independent perspective on your readiness. A fresh set of experienced eyes can often identify issues that internal teams overlook due to familiarity with their own environment.

At Easy Compliances, we offer this readiness checklist as part of our comprehensive CMMC Compliance Toolkit, along with templates for all required documentation, training courses for your entire team, and expert guidance to help you navigate the assessment process with confidence. Begin your assessment preparation today and take the guesswork out of CMMC certification.
