CMMC Level 2 Readiness Checklist

Use this checklist to track your organization's readiness for a CMMC Level 2 assessment. Each item maps to a NIST 800-171 control family and includes what your C3PAO assessor will look for. Print it, share it with your compliance team, and check items off as you go.

0 of 30 complete

Access Control

Multi-factor authentication enforced for all users Your C3PAO will verify MFA is required, not optional. Role-based access controls defined and documented Map each role to specific permissions and keep it current. Remote access sessions encrypted and monitored All remote connections must use FIPS-validated encryption. Access revoked within 24 hours of personnel departure Document the offboarding process with timestamps. Least privilege enforced across all systems Users get only the access their role requires, nothing more.

Audit & Accountability

System events logged (login attempts, file access, permission changes) Logs must capture who, what, when, and where. Audit logs retained for the required period Most assessors expect a minimum of 90 days readily available. Logs protected from unauthorized modification Immutable or append-only storage for audit trails. Regular audit log review process documented Show your assessor a schedule and evidence of reviews.

Configuration Management

System baseline configurations documented Every system handling CUI needs a documented baseline. Change control process in place and followed Changes must be approved, tested, and logged. Unauthorized software restricted Allowlisting or deny policies enforced.

Identification & Authentication

FIPS 140-validated cryptographic modules in use Self-certified crypto does not count. Password complexity and rotation policies enforced Follow NIST SP 800-63B guidelines. Unique user accounts for every individual No shared or generic accounts for CUI systems. Replay-resistant authentication mechanisms Token-based or certificate-based authentication.

Media Protection

CUI encrypted at rest with FIPS 140-validated encryption AES-256 with validated modules. CUI encrypted in transit (TLS 1.2 or higher) Applies to email, file transfers, and API calls. Removable media usage restricted and documented USB policies must be enforced, not just written. Media sanitization procedures documented and followed NIST SP 800-88 guidelines.

Personnel Security

Background screening completed for all CUI-access personnel Screening must happen before access is granted. Security awareness training completed and documented Annual training with signed acknowledgments. Acceptable use agreements signed and on file Cover CUI handling, device usage, and incident reporting.

Physical Protection

Physical access to CUI systems restricted and logged Entry logs, badge access, or equivalent controls. Visitor access controlled and escorted in CUI areas Sign-in logs and escort requirements.

System & Communications Protection

Network boundaries defined and monitored Know where CUI flows and where it stops. Data loss prevention policies active Block sensitive content from leaving your organization. Email filtering and malware scanning in place Inbound and outbound scanning required. CUI systems separated from public-facing infrastructure Network segmentation or isolation. All CUI data stored on US-based infrastructure Your assessor will ask where every byte lives.

System & Information Integrity

Anti-malware deployed, active, and updated Signature and behavioral detection. Security patches applied within 30 days of release Document your patching cadence. Inbound and outbound communications monitored for threats Automated scanning, not manual review.

Incident Response

Incident response plan documented and tested Tabletop exercises count, but you need evidence. Incident reporting procedures defined and assigned Everyone should know who to call. DFARS 7012 72-hour reporting capability confirmed You must be able to report to the DoD within 72 hours.

Risk Assessment

System Security Plan (SSP) complete and current The single most important document your C3PAO reviews. Plan of Action & Milestones (POA&M) maintained Open items are fine if they are documented with timelines. Vulnerability scanning performed regularly Quarterly minimum, with remediation tracking.

IRONKEEP handles these for you

When you use IRONKEEP for email and file storage, the following controls are built in. No configuration required, no third-party tools, no extra cost.

Multi-factor authentication enforcement
Role-based access controls
Audit logging and retention
FIPS 140-validated encryption at rest and in transit
Data loss prevention and email filtering
Malware scanning on all files and email
US-only data storage
Per-tenant encryption keys

Stop checking boxes manually.

IRONKEEP builds compliance into your email and file storage from day one. Sign up for early access and let IRONKEEP handle the controls so you can focus on your contracts.