If your company holds — or hopes to win — Department of Defense contracts, CMMC 2.0 is no longer something you can defer. As the Cybersecurity Maturity Model Certification program phases into DoD solicitations, primes are flowing requirements down to subcontractors, and a missing or low compliance score increasingly removes you from consideration before a proposal is ever read.
This checklist walks Northern Virginia and Washington DC contractors through what CMMC 2.0 actually requires and the concrete steps to get assessment-ready. It is a practical companion to our government contractor IT and CMMC services overview.
First, confirm which CMMC level applies to you
CMMC 2.0 has three levels, and most of the confusion contractors face starts here. Your level depends on the type of information your contracts require you to handle:
- Level 1 (Foundational) — For contractors that handle only Federal Contract Information (FCI). It covers 17 basic safeguarding practices and is met through an annual self-assessment.
- Level 2 (Advanced) — For contractors that handle Controlled Unclassified Information (CUI). It aligns with the 110 controls of NIST SP 800-171. Depending on the contract, it is met through self-assessment or a third-party assessment by a certified C3PAO.
- Level 3 (Expert) — For the highest-priority programs. It builds on Level 2 with a subset of NIST SP 800-172 controls and a government-led assessment.
Start here: Read the DFARS clauses in your current and target contracts. If you see DFARS 252.204-7012 and your work involves CUI, plan for Level 2. When in doubt, ask your contracting officer or prime which level the contract requires — guessing low is the costly mistake.
The CMMC 2.0 readiness checklist
1. Scope your environment
Identify every system, application, cloud service, and device that stores, processes, or transmits CUI. The smaller and more clearly bounded your CUI environment, the cheaper and faster compliance becomes. Many contractors reduce scope dramatically by moving CUI into a dedicated enclave rather than securing their entire network to the same standard.
2. Run a NIST 800-171 gap assessment
Evaluate your current posture against all 110 controls. Each control will land in one of three states: implemented, partially implemented, or not implemented. Document the evidence for everything you claim to have in place — assessors verify, they do not take your word for it.
3. Build your System Security Plan (SSP)
The SSP is the foundational document of CMMC compliance. It describes your environment, system boundaries, and how each of the 110 controls is implemented. An incomplete or missing SSP is one of the most common reasons contractors fail an assessment, so treat it as a living document, not a one-time form.
4. Create a Plan of Action and Milestones (POA&M)
For every gap, the POA&M records what you will fix, how, and by when. CMMC 2.0 allows a limited POA&M for certain non-critical controls at Level 2, but the highest-weighted controls must be fully implemented before assessment. Be realistic about timelines — an assessor can tell the difference between a credible plan and a wish list.
5. Implement the technical and administrative controls
This is the heaviest lift. At minimum, expect to address:
- Access control and least privilege — unique accounts, role-based access, session controls
- Multi-factor authentication on all remote and privileged access
- Encryption of CUI at rest and in transit (FIPS-validated where required)
- Audit logging and monitoring with retention and review
- Configuration management and a documented baseline
- Incident response with a tested plan and reporting procedures
- Security awareness training for everyone who touches CUI
6. Stand up a compliant CUI environment
For most Northern Virginia contractors handling CUI — and especially anything ITAR-controlled — this means Microsoft 365 GCC High or an equivalent environment with the access control, encryption, and audit logging CMMC requires. Getting the enclave right early prevents an expensive re-architecture later.
7. Calculate and submit your SPRS score
Using the DoD Assessment Methodology, score your self-assessment and submit it to the Supplier Performance Risk System (SPRS). A perfect score is 110; deductions are weighted, so missing a few high-value controls drops you fast. Primes routinely check SPRS before issuing purchase orders, so an accurate, defensible score matters even before a formal assessment.
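A worked scoring example for steps 4 and 7, added here rather than taken from the article or from any DoD tool: it applies the DoD Assessment Methodology's 1/3/5 weights and its two partial-credit cases (MFA on privileged accounts only, encryption that is not FIPS-validated) to a constructed gap list, then separates gaps that may sit on a POA&M from those that must be closed before assessment. The per-control weights, the 88-point (80%) POA&M floor and the "only 1-point gaps, except 3.13.11" eligibility rule are written from memory of the methodology and the CMMC Level 2 rule and should be checked against the current published versions before use.

```python
from dataclasses import dataclass
PERFECT_SCORE = 110   # one point per requirement before deductions
POAM_MIN_SCORE = 88   # 80% of 110: assumed floor for carrying a POA&M into a Level 2 assessment
# Requirements that keep partial credit when partially implemented (DoD Assessment Methodology):
# 3.5.3 with MFA only on privileged accounts, 3.13.11 with encryption that is not FIPS-validated.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class Control:
    cid: str      # NIST SP 800-171 requirement number
    weight: int   # 1, 3 or 5 from the methodology's Annex A (verify against the current table)
    state: str    # "implemented", "partial" or "not_implemented"

def deduction(c: Control) -> int:
    """Points lost for one requirement; partial work scores as missing unless listed above."""
    if c.state == "implemented":
        return 0
    if c.state == "partial" and c.cid in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[c.cid]
    if c.state in ("partial", "not_implemented"):
        return c.weight
    raise ValueError(f"unknown state {c.state!r} for {c.cid}")

def sprs_score(controls):
    """110 minus all deductions; None without an SSP (3.12.4), since then no score can be produced."""
    ssp = next((c for c in controls if c.cid == "3.12.4"), None)
    if ssp is None or ssp.state != "implemented":
        return None
    return PERFECT_SCORE - sum(deduction(c) for c in controls)

def poam_eligible(c: Control) -> bool:
    """Assumed Level 2 rule: only 1-point gaps may stay open, except 3.13.11 at its 3-point partial credit."""
    d = deduction(c)
    return d == 1 or (c.cid == "3.13.11" and 0 < d <= 3)

def must_fix_before_assessment(controls):
    """Gaps that cannot wait for a POA&M; below the score floor (or with no SSP) no gap may wait."""
    score = sprs_score(controls)
    if score is None or score < POAM_MIN_SCORE:
        return [c.cid for c in controls if deduction(c) > 0]
    return [c.cid for c in controls if deduction(c) > 0 and not poam_eligible(c)]

# Constructed gap list; every requirement not listed is assumed fully implemented.
SAMPLE = [
    Control("3.12.4", 0, "implemented"),     # SSP exists: not scored itself, but required for any score
    Control("3.5.3", 5, "partial"),          # MFA on admin accounts only -> 3 points off, not 5
    Control("3.13.11", 5, "partial"),        # encryption on, modules not FIPS-validated -> 3 points off
    Control("3.3.1", 5, "not_implemented"),  # no retained audit logs -> 5 points off
    Control("3.4.1", 5, "partial"),          # baseline for servers only -> full 5 points off
    Control("3.3.3", 1, "not_implemented"),  # logged events never reviewed -> 1 point off
]
```

With this sample the score is 93, so a POA&M is permitted in principle, but only 3.13.11 and 3.3.3 may sit on it; the other three gaps must be closed first.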
8. Prepare for your C3PAO assessment
If your contract requires third-party certification, assemble your evidence package — policies, procedures, screenshots, configurations, and logs mapped to each control — and conduct a mock assessment. By the time a Certified Third-Party Assessment Organization (C3PAO) arrives, the assessment should confirm what you already know, not surface surprises.
Common pitfalls we see: treating the SSP as a checkbox, underestimating GCC High migration effort, leaving MFA gaps on legacy systems, no evidence retention, and a POA&M full of critical controls that should have been implemented before assessment.
How long does CMMC compliance take?
For a small or mid-size contractor starting from a typical commercial IT baseline, expect three to nine months to reach Level 2 readiness, depending on environment complexity, how much CUI you handle, and how quickly leadership prioritizes the work. The single biggest accelerant is scoping CUI tightly so you are not securing systems that never needed to be in scope.
Where contractors get stuck
Large defense firms have internal security teams to carry this; most subcontractors do not. The work is cross-disciplinary — policy, cloud architecture, identity, logging, and documentation — and it competes with delivering on the contracts that pay the bills. That is exactly where a partner who has done it before earns their keep: closing the gaps, writing the SSP and POA&M, standing up the enclave, and getting you to a defensible SPRS score without pulling your team off billable work.
If you would like a second set of eyes on where you stand, our cybersecurity team can run a NIST 800-171 gap assessment and map a realistic path to assessment-readiness.