CMMC Compliance Checklist for Small Business: Level 1 & 2 Requirements (2026)
If your company works with the U.S. Department of Defense — or wants to — CMMC compliance is no longer optional. The Cybersecurity Maturity Model Certification (CMMC) 2.0 determines whether you can bid on DoD contracts.
The problem for small businesses: CMMC documentation is dense, confusing, and written for organizations with dedicated security teams. This guide cuts through the noise and gives you the actual checklist of what you need — mapped to what most small businesses already have versus where the gaps usually are.
What Is CMMC 2.0?
CMMC 2.0, finalized in December 2024, applies to all contractors in the Defense Industrial Base (DIB). If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need CMMC certification.
Three levels:
- Level 1: 17 practices. For contractors handling FCI. Annual self-assessment permitted.
- Level 2: 110 practices. For contractors handling CUI. Third-party assessment required for critical programs; self-assessment for others.
- Level 3: 134+ practices. For highest-priority CUI programs. Government-led assessment.
Most small businesses need Level 1 or Level 2. This checklist covers both.
CMMC Level 1 Checklist (17 Practices)
Level 1 aligns with FAR Clause 52.204-21 — the basic safeguarding of FCI. These are the minimum controls every DoD contractor must have.
Access Control (AC)
- Limit information system access to authorized users, processes, and devices
- Limit information system access to types of transactions and functions that authorized users are permitted to execute
In practice: Role-based access controls, least privilege, no shared accounts for critical systems.
Common gap: Shared login credentials across employees, no formal access review process.
Identification and Authentication (IA)
- Identify information system users, processes, and devices; authenticate those users before allowing access
In practice: Strong passwords and MFA on critical systems. No default passwords anywhere.
Common gap: Default vendor credentials still in use on network devices and servers.
Media Protection (MP)
- Sanitize or destroy information system media before disposal or reuse
In practice: Documented process for wiping hard drives, USB drives, and other storage media before disposal.
Common gap: No documented disposal procedure; old drives donated or discarded with data intact.
Physical Protection (PE)
- Limit physical access to organizational systems to authorized individuals
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices
In practice: Locked server rooms, visitor sign-in, badge access or key card logs.
Common gap: Server rooms unlocked, no visitor log, physical access not audited.
System and Communications Protection (SC)
- Monitor, control, and protect communications at external boundaries and key internal boundaries
- Implement subnetworks for publicly accessible system components that are separated from internal networks
In practice: Firewall at network perimeter, DMZ for public-facing systems, monitored egress traffic.
Common gap: Flat network with no segmentation between public-facing systems and internal data.
System and Information Integrity (SI)
- Identify, report, and correct information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations
- Update malicious code protection when new releases are available
In practice: Patch management process, managed antivirus/EDR with auto-update, documented vulnerability response.
Common gap: No formal patch management, antivirus out of date, no tracking of open vulnerabilities.
CMMC Level 2 Checklist (Key Requirements by Domain)
Level 2 aligns with NIST SP 800-171 — 110 practices across 14 domains. This is what most DoD subcontractors handling CUI must achieve.
Access Control (AC) — 22 Practices
Beyond Level 1, key additions:
- Enforce the principle of least privilege, including for specific security functions
- Use non-privileged accounts when accessing non-security functions
- Prevent non-privileged users from executing privileged functions and audit such actions
- Limit unsuccessful logon attempts
- Use session lock with pattern-hiding displays after a defined period of inactivity
- Terminate sessions automatically after defined inactivity conditions
Common gap: No session timeout enforcement, no privilege separation, shared admin accounts used for daily tasks.
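One way to see what the logon-attempt and inactivity practices above mean in mechanical terms is a small enforcement model. The code below is an added example written for this guide, not code from the page, from CMMC or from NIST; the thresholds (5 attempts in 15 minutes, 30-minute lockout, 15-minute idle limit) are assumptions standing in for the values an organization would record in its SSP.

```python
"""Account lockout (limit unsuccessful logon attempts) and automatic session
termination after inactivity, as a runnable illustration of two AC practices.
Added example; threshold values are assumptions, not CMMC-mandated numbers."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy values are assumed for this example; the SSP records the real ones.
MAX_FAILED_ATTEMPTS = 5
FAILURE_WINDOW = timedelta(minutes=15)     # sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)   # how long an account stays locked
SESSION_IDLE_LIMIT = timedelta(minutes=15) # terminate sessions idle longer than this


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None


class LogonPolicy:
    def __init__(self):
        self.accounts: Dict[str, AccountState] = {}
        self.sessions: Dict[str, datetime] = {}  # session id -> last activity time

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt_logon(self, user: str, password_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account is refused even
        when the credential is correct, which is the point of the control."""
        st = self._state(user)
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        # Forget failures that fell outside the sliding window.
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        if password_ok:
            st.failures.clear()
            st.locked_until = None
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_DURATION
            st.failures.clear()
            return "locked"
        return "denied"

    def open_session(self, session_id: str, now: datetime) -> None:
        self.sessions[session_id] = now

    def touch(self, session_id: str, now: datetime) -> bool:
        """Record user activity. Returns False (and drops the session) if the
        session had already exceeded the idle limit when activity arrived."""
        last = self.sessions.get(session_id)
        if last is None or now - last > SESSION_IDLE_LIMIT:
            self.sessions.pop(session_id, None)
            return False
        self.sessions[session_id] = now
        return True

    def expire_idle(self, now: datetime) -> List[str]:
        """Terminate every session idle past the limit; returns the ids ended.
        A scheduler would call this periodically."""
        expired = [s for s, last in self.sessions.items()
                   if now - last > SESSION_IDLE_LIMIT]
        for s in expired:
            del self.sessions[s]
        return expired


if __name__ == "__main__":
    p = LogonPolicy()
    t0 = datetime(2026, 1, 1, 9, 0)
    for i in range(5):
        print(p.attempt_logon("alice", False, t0 + timedelta(minutes=i)))
    print(p.attempt_logon("alice", True, t0 + timedelta(minutes=5)))   # still locked
    print(p.attempt_logon("alice", True, t0 + timedelta(minutes=35)))  # lockout expired
```

The sliding window matters for the audit conversation: an assessor will ask not only "is there a lockout" but "what counts as an attempt, and when does the counter reset", and those answers should match what the code (or the directory service setting) actually does.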
Awareness and Training (AT) — 3 Practices
- Ensure managers, administrators, and users are aware of security risks
- Ensure personnel are trained to carry out assigned security responsibilities
- Provide security awareness training on recognizing and reporting threats such as phishing
Common gap: No documented security training program, no phishing awareness exercises.
Audit and Accountability (AU) — 9 Practices
Key requirements:
- Create and retain audit logs that enable monitoring, analysis, and reporting
- Ensure that individual user actions can be traced to those users
- Alert on audit logging failures
- Protect audit information from unauthorized access or modification
Common gap: No centralized log management, logs not retained beyond 30 days, no alerting on log failures.
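The three AU requirements that assessors most often test with evidence (traceability to a user, alerting on logging failures, retention) can be checked mechanically against a log store. The following is an added example, not code from the page or from any product; the audit records are constructed JSON lines in an assumed format, and the silence threshold and 90-day figure are assumptions chosen for the illustration.

```python
"""Three checks over an audit-log export: events with no user attribution,
silent gaps that may indicate a logging failure, and retention coverage.
Added example; the log format and thresholds are assumptions."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample records (JSON lines); not taken from any real system.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-01-10T08:00:00Z", "host": "fs01", "user": "alice", "action": "file.read", "target": "/cui/contract.pdf"}
{"ts": "2026-01-10T08:05:00Z", "host": "fs01", "user": "bob", "action": "file.write", "target": "/cui/drawing.dwg"}
{"ts": "2026-01-10T08:06:00Z", "host": "fs01", "action": "file.delete", "target": "/cui/old.pdf"}
{"ts": "2026-01-10T09:30:00Z", "host": "fs01", "user": "alice", "action": "logon"}
{"ts": "2026-01-10T08:01:00Z", "host": "vpn01", "user": "carol", "action": "logon"}
{"ts": "2026-01-10T08:20:00Z", "host": "vpn01", "user": "carol", "action": "logoff"}
"""


def parse_audit_log(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def untraceable_events(events: List[dict]) -> List[dict]:
    """Records that cannot be attributed to an individual user. Any hit here
    is a traceability finding: the action happened, but nobody owns it."""
    return [e for e in events if not e.get("user")]


def logging_gaps(events: List[dict], max_silence: timedelta = timedelta(minutes=60)) -> List[Tuple[str, datetime, datetime]]:
    """Per host, flag stretches longer than max_silence with no records.
    A busy file server going quiet is the usual symptom of a forwarding
    agent that died or a full disk, i.e. an audit logging failure to alert on."""
    by_host: Dict[str, List[datetime]] = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_silence:
                gaps.append((host, earlier, later))
    return gaps


def retention_satisfied(events: List[dict], now: datetime, min_days: int = 90) -> bool:
    """True when the store still holds records at least min_days old.
    A store that rotates too aggressively fails this even though logging 'works'.
    Note: a store younger than min_days cannot pass yet, by construction."""
    if not events:
        return False
    oldest = min(e["ts"] for e in events)
    return now - oldest >= timedelta(days=min_days)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("untraceable:", [(e["host"], e["action"]) for e in untraceable_events(evs)])
    print("gaps:", logging_gaps(evs))
    print("90-day retention as of 2026-04-15:",
          retention_satisfied(evs, datetime(2026, 4, 15, tzinfo=timezone.utc)))
```

Run against a real export, the output of the first two functions is the kind of artifact an assessor asks for under AU: not "we have logging", but the list of unattributed actions and the gap alerts that actually fired.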
Configuration Management (CM) — 9 Practices
Key requirements:
- Establish and maintain baseline configurations and inventories of systems
- Enforce security configuration settings for all IT products employed
- Track, review, approve, and log changes to systems
- Employ the principle of least functionality — configure systems to provide only essential capabilities
Common gap: No asset inventory, no change management process, default configurations not hardened.
Identification and Authentication (IA) — 11 Practices
Key requirements:
- Use multifactor authentication for local and network access to privileged accounts AND for network access to non-privileged accounts
- Employ replay-resistant authentication for all network access
- Enforce minimum password complexity and change requirements
- Prohibit password reuse for a specified number of generations
- Disable identifiers after a defined period of inactivity
Common gap: MFA only on admin accounts; non-privileged users authenticate with passwords only; dormant accounts never disabled.
Incident Response (IR) — 3 Practices
- Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response
- Track, document, and report incidents to designated officials internally and externally
- Test the incident response capability
Common gap: No written incident response plan, no external reporting procedures for DoD incidents, no annual testing.
Important: DoD contractors must report incidents involving CUI within 72 hours to US-CERT (DIBNet portal).
Maintenance (MA) — 6 Practices
Key requirements:
- Provide controls on tools, techniques, mechanisms, and personnel for system maintenance
- Ensure equipment removed for maintenance is sanitized before returning to service
- Require MFA for remote maintenance sessions
Common gap: Maintenance vendors given standing access; no MFA for remote support sessions; no sanitization when hardware leaves premises.
Media Protection (MP) — 9 Practices
Key requirements beyond Level 1:
- Protect system media containing CUI, both paper and digital
- Limit access to CUI on media to authorized users
- Mark media with necessary CUI markings and distribution limitations
- Prohibit use of portable storage devices of unknown origin
- Protect portable storage devices containing CUI during transport
Common gap: No media classification policy, no USB device control, undocumented CUI data flows.
Risk Assessment (RA) — 3 Practices
- Periodically assess risk to operations, assets, and individuals from systems processing CUI
- Scan for vulnerabilities in systems periodically and when new vulnerabilities are identified
- Remediate vulnerabilities in accordance with risk assessments
Common gap: No formal risk assessment, no vulnerability scanning, remediation ad hoc and undocumented.
Security Assessment (CA) — 4 Practices
- Periodically assess security controls to determine effectiveness
- Develop and implement plans of action (POA&M) to correct deficiencies
- Monitor security controls on an ongoing basis
- Develop, document, and periodically update a System Security Plan (SSP)
Common gap: No System Security Plan, no POA&M, no recurring assessment cadence.
The SSP is the most important document for Level 2. Without it, you cannot pass a C3PAO assessment.
System and Communications Protection (SC) — 16 Practices
Key requirements:
- Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission (TLS 1.2+)
- Protect CUI at rest
- Employ FIPS-validated cryptography to protect CUI
- Establish and manage cryptographic keys for required cryptography
- Implement network segmentation between production and non-production environments
Common gap: CUI stored in plaintext at rest, no key management procedures, flat network with no segmentation.
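For the transmission requirement, "TLS 1.2+" translates into a handful of settings on every client and server that carries CUI. The block below is an added example using Python's standard `ssl` module, not code from the page; it puts the weak configuration (the common gap) beside the corrected one and adds a small policy check that reports which settings are off. It does not address FIPS validation of the underlying cryptographic module, which depends on the OpenSSL build in use, not on these settings.

```python
"""TLS 1.2+ enforcement for CUI in transit, shown as weak vs. hardened
SSLContext objects plus a policy check. Added example using the standard
library only; no real hosts or certificates are involved."""
import ssl
from typing import List


def cui_tls_client_context() -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 minimum, peer certificate required,
    hostname checked. create_default_context() sets verification on; the
    explicit minimum_version makes the policy visible regardless of defaults."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The 'common gap' configuration: any protocol version the library
    supports, no certificate verification, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations in a context; an empty list means compliant
    with the three checks encoded here (minimum version, verification, hostname)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", tls_policy_findings(cui_tls_client_context()))
    print("weak:", tls_policy_findings(weak_tls_context()))
```

The same three questions (minimum version, certificate verification, hostname matching) apply to any client library or reverse proxy in the CUI data flow, and the SSP should state the answer for each one rather than "TLS is enabled".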
System and Information Integrity (SI) — 7 Practices
Key requirements beyond Level 1:
- Monitor security alerts and advisories from external sources
- Identify unauthorized use of systems
- Implement email protections including spam filtering and phishing detection
Common gap: No threat intelligence feed, no monitoring for unauthorized access patterns, no email security gateway.
Your Level 1 vs. Level 2 Readiness Quick-Check
Level 1 (17 practices) — check each:
- Role-based access controls with documented least privilege
- MFA on all critical accounts
- No default credentials on any device or service
- Documented media disposal procedure
- Physical access controls with audit log
- Network perimeter firewall with DMZ for public systems
- Managed antivirus/EDR with auto-update enforcement
- Documented patch management process
Additional Level 2 requirements — check each:
- System Security Plan (SSP) covering all CUI systems
- Plan of Action and Milestones (POA&M) for open gaps
- Centralized log management with 90+ day retention
- MFA enforced on ALL accounts (not just admins)
- Documented vulnerability scanning (monthly minimum)
- Written incident response plan with 72-hour DoD reporting procedure
- Change management process with documented approvals
- Vendor risk assessment process
Scoring: If you checked 7-8 Level 1 items, you're close to Level 1 ready. If you checked fewer than 5 Level 2 items, plan 6-9 months of remediation before a C3PAO engagement.
Biggest CMMC Gaps for Small Businesses
Gap 1: No System Security Plan (SSP)
The SSP documents what CUI you have, where it lives, and how it's protected. Many small businesses have no such document. Without it, Level 2 certification is impossible.
Fix: Map your CUI data flows and document controls in a structured SSP. NIST SP 800-171A provides templates and assessment procedures.
Gap 2: MFA on User Accounts (Not Just Admins)
Level 2 requires MFA for ALL accounts with access to CUI systems — not just privileged ones. Most small businesses only enforce MFA on admin accounts.
Fix: Enable MFA on all user accounts with CUI system access. Use authenticator apps over SMS where possible. Takes 2-4 hours to roll out across a team.
Gap 3: No Audit Log Retention
Level 2 requires retained, protected audit logs. Many businesses have logging enabled but don't retain it long enough, protect it from modification, or review it.
Fix: Centralize logs in an immutable store with 90-day minimum retention. Review weekly. Alert on failures.
Gap 4: No Vulnerability Scanning
Level 2 requires periodic vulnerability scanning and documented remediation timelines. Most small businesses run no formal scans.
Fix: Run monthly vulnerability scans using tools like Nessus Essentials or a managed scanning service. Document findings and track remediation in your POA&M.
Gap 5: No Incident Response Plan with DoD Reporting
Level 2 requires a documented, tested IR plan — and DoD contractors must report CUI incidents within 72 hours. Most small businesses have no written plan at all.
Fix: Write a 2-page incident response plan. Include the DIBNet reporting procedure. Test it with an annual tabletop exercise.
What to Do First
Getting CMMC-ready doesn't require doing everything at once. Start here:
Step 1: Take CyberStackHub's free CMMC readiness assessment to map your current controls against Level 1 and Level 2 requirements. Takes 5 minutes, identifies your specific gaps.
Step 2: Build your System Security Plan. This is the foundation of Level 2. NIST provides templates; your C3PAO will want to review it before the formal assessment.
Step 3: Close your top 3 gaps first. MFA everywhere, audit logging, and a written incident response plan are the most common and most impactful quick wins.
Step 4: Engage a C3PAO (Certified Third-Party Assessment Organization) 6 months before your contract requirement date. They'll identify remaining gaps and conduct your formal assessment.
Frequently Asked Questions
How long does CMMC Level 2 certification take?
Plan 6-12 months for remediation and 60-90 days for the third-party assessment process. Start well before your contract deadline — not when the solicitation arrives.
How much does CMMC certification cost?
Level 2 third-party assessment: $75,000-$200,000 depending on scope. Internal remediation for a 20-50 person company starting from scratch: $50,000-$150,000. Annual maintenance: significantly less once controls are established.
What happens if I miss my CMMC deadline?
You won't qualify for DoD contracts requiring your CMMC level. For existing contracts, your prime contractor may have to find a compliant subcontractor.
Do I need CMMC if I only handle FCI, not CUI?
Level 1 is sufficient for FCI-only contracts. Level 2+ applies when you handle CUI. Review your contract carefully — misclassification of data is common and costly.
What is a C3PAO?
A Certified Third-Party Assessment Organization — an independent auditor certified by the CMMC Accreditation Body to conduct Level 2 assessments. You cannot self-assess for critical Level 2 contracts.
Next Steps
CMMC is a hard requirement for Defense Industrial Base contractors — not optional, not deferrable. The good news: most Level 1 controls are security basics that every business should have regardless of DoD work.
Start by knowing where you stand. Take CyberStackHub's free assessment to map your controls against every Level 1 and Level 2 practice — then get a prioritized action plan.
Related Resources
- CMMC Compliance Framework Guide — Full CMMC framework overview with all domains mapped
- NIST CSF Framework Guide — The foundational framework underlying CMMC Level 2