
Plain-English checklist · primary sources

CMMC compliance checklist for small defense contractors

A CMMC Level 2 compliance checklist for small defense contractors has two phases: (1) self-assessment readiness — complete a NIST SP 800-171 gap assessment, draft your SSP and POA&M, calculate and submit your SPRS score; (2) C3PAO readiness — close must-fix gaps, book your assessor (waitlists commonly run 6–9 months), and pass the formal assessment.

The checklist, phase by phase

The checklist splits cleanly into two phases. The first is self-assessment readiness — the gap assessment, your SSP and POA&M, and the SPRS score you can compute and submit today. The second is C3PAO readiness — closing the gaps you could not defer and passing a formal third-party assessment. Muster drafts the documents; you review and attest. A self-assessed SPRS score is not a certification.

Phase: Self-assessment readiness
Step: Complete a NIST SP 800-171 gap assessment
What it means: Walk all 110 NIST SP 800-171 requirements against how your systems actually work today and record where you fall short. This is the baseline the rest of the checklist builds on — you cannot draft accurate documents or compute a real score without it. You can do this yourself in the browser; no files leave your machine.

Phase: Self-assessment readiness
Step: Draft the System Security Plan (SSP)
What it means: Requirement 3.12.4 is the SSP. It is mandatory and never POA&M-eligible — without a current SSP, no assessment can be completed. The SSP is unscored itself, but it is the document that describes your boundary, your systems, and how each requirement is met. Draft it; you review and attest to it.

Phase: Self-assessment readiness
Step: Build the POA&M for deferrable gaps
What it means: A Plan of Action & Milestones tracks open gaps you intend to close. To be conditional-Level-2 eligible (32 CFR 170.21) you need a score of at least 88 and only 1-point items on the POA&M (with the one 3.13.11 partial-credit exception), and you must close them within 180 days. Six requirements are never POA&M-eligible: 3.1.20, 3.1.22, 3.12.4, 3.10.3, 3.10.4, 3.10.5.

Phase: Self-assessment readiness
Step: Calculate and submit your SPRS score
What it means: Score with the DoD Assessment Methodology — start at 110 and subtract the weighted point value of each unmet requirement (5, 3, or 1 points; floor −203). Then submit the self-assessment score to SPRS through the PIEE portal (piee.eb.mil) per DFARS 252.204-7019/7020. A self-assessed SPRS score is not a certification.

Phase: C3PAO readiness
Step: Close the must-fix gaps
What it means: Remediate everything the POA&M cannot defer — the six never-eligible requirements and any 3- or 5-point items — and tighten your evidence so each requirement is genuinely met, not just documented. This is the work that moves you from a conditional posture to assessment-ready.

Phase: C3PAO readiness
Step: Book a C3PAO and pass the assessment
What it means: For most Level 2 contracts involving CUI, an authorized C3PAO performs the assessment — only a C3PAO certifies; Muster does not. Schedule early, because assessor waitlists are commonly reported at 6–9 months. Then pass the formal assessment against the standard.

Sources: scoring and the unscored SSP (3.12.4) follow the DoD Assessment Methodology and 32 CFR 170.24; POA&M eligibility — the ≥88 threshold, 1-point-only rule, six never-eligible requirements, and 180-day closeout — is 32 CFR 170.21; SPRS submission is DFARS 252.204-7019/7020 via the PIEE portal. C3PAO waitlist timing is a commonly reported practitioner estimate, not a regulation.

Working the documents? See the NIST SP 800-171 SSP template and the POA&M template, and compute your number with the SPRS score calculator.

How to work the checklist

01

Complete a NIST SP 800-171 gap assessment

Walk all 110 requirements against how your systems work today and record every gap. This baseline drives the SSP, the POA&M, and your score. The free Muster assessment runs entirely in your browser — no file upload, no data sent anywhere.

02

Draft the System Security Plan (SSP)

Requirement 3.12.4 is the SSP — mandatory and never POA&M-eligible; without a current SSP no assessment can be completed (32 CFR 170.24). Draft it to describe your boundary and how each requirement is met, then review and attest to it yourself.

03

Build the POA&M for deferrable gaps

List open gaps you intend to close. Under 32 CFR 170.21, conditional Level 2 requires a score of at least 88 with only 1-point items on the POA&M (plus the single 3.13.11 partial-credit case) and a 180-day closeout. Six requirements are never eligible: 3.1.20, 3.1.22, 3.12.4, 3.10.3, 3.10.4, 3.10.5.

04

Calculate and submit your SPRS score

Score with the DoD Assessment Methodology: start at 110 and subtract the weighted value of each unmet requirement. Submit the self-assessment score to SPRS via the PIEE portal (piee.eb.mil) under DFARS 252.204-7019/7020. A self-assessed score is not a certification.

05

Close the must-fix gaps

Remediate everything the POA&M cannot defer — the six never-eligible requirements and any 3- or 5-point items — and shore up evidence so each requirement is actually met. This moves you from a conditional posture to assessment-ready.

06

Book a C3PAO and pass the assessment

For most Level 2 work involving CUI, an authorized C3PAO performs the assessment — only a C3PAO certifies. Schedule early; assessor waitlists are commonly reported at 6–9 months. Then pass the formal assessment against the standard.
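Steps 03 through 05 are a small set of rules that are easy to get wrong by hand, so here is an added worked example of them in Python. It is not Muster's code and not a DoD tool: the 110 starting point, the −203 floor, the 88 threshold, the six never-eligible requirements and the 3.13.11 partial-credit exception are the values quoted on this page, while the per-requirement deductions in the sample gap list (the 5-point value on 3.5.3, the 1-point value on 3.8.5) are constructed for illustration and must be taken from the DoD Assessment Methodology table for real use.

```python
"""Worked example: SPRS score and conditional Level 2 blockers.

Added illustration only. Thresholds and the never-eligible set are the ones
quoted on this page (DoD Assessment Methodology, 32 CFR 170.21/170.24); the
deduction values in SAMPLE_GAPS are constructed, not the official weights.
"""
from dataclasses import dataclass

MAX_SCORE = 110             # every requirement met
FLOOR_SCORE = -203          # lowest possible SPRS score
CONDITIONAL_THRESHOLD = 88  # minimum score for conditional Level 2 (32 CFR 170.21)
POAM_CLOSEOUT_DAYS = 180    # POA&M items must close within this window
SSP_REQUIREMENT = "3.12.4"  # the SSP: mandatory and unscored
# The six requirements that can never be deferred on a POA&M (32 CFR 170.21).
NEVER_POAM_ELIGIBLE = frozenset({"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"})
# The single partial-credit exception: 3.13.11 may sit on a POA&M when scored at 3.
PARTIAL_CREDIT_EXCEPTION = ("3.13.11", 3)


@dataclass(frozen=True)
class Gap:
    requirement: str  # NIST SP 800-171 requirement id, e.g. "3.8.5"
    deduction: int    # weighted point value from the DoD methodology: 5, 3 or 1
    on_poam: bool     # True if you intend to defer it on the POA&M


def sprs_score(gaps):
    """Start at 110, subtract the weight of each unmet requirement, floor at -203.
    3.12.4 is unscored, so an open SSP gap subtracts nothing here."""
    deducted = sum(g.deduction for g in gaps if g.requirement != SSP_REQUIREMENT)
    return max(MAX_SCORE - deducted, FLOOR_SCORE)


def conditional_level2_blockers(gaps):
    """List the reasons a conditional Level 2 posture is not yet reachable.

    An empty list means: score >= 88, every open gap sits on the POA&M, every
    POA&M item is a 1-point requirement (or 3.13.11 scored at 3), and none of
    the six never-eligible requirements is open."""
    blockers = []
    score = sprs_score(gaps)
    if score < CONDITIONAL_THRESHOLD:
        blockers.append(f"score {score} is below the {CONDITIONAL_THRESHOLD} threshold")
    for g in gaps:
        if g.requirement == SSP_REQUIREMENT:
            blockers.append("3.12.4: no current SSP, so no assessment can be completed")
        elif g.requirement in NEVER_POAM_ELIGIBLE:
            blockers.append(f"{g.requirement}: never POA&M-eligible, must be remediated")
        elif not g.on_poam:
            blockers.append(f"{g.requirement}: open and not on the POA&M, must be closed")
        elif g.deduction != 1 and (g.requirement, g.deduction) != PARTIAL_CREDIT_EXCEPTION:
            blockers.append(f"{g.requirement}: {g.deduction}-point item cannot be deferred")
    return blockers


def must_fix(gaps):
    """Gaps the POA&M cannot defer (the step 05 work): the never-eligible six plus
    any 3- or 5-point item other than 3.13.11 at partial credit."""
    return [g for g in gaps
            if g.requirement in NEVER_POAM_ELIGIBLE
            or (g.deduction != 1 and (g.requirement, g.deduction) != PARTIAL_CREDIT_EXCEPTION)]


# Constructed sample gap-assessment result; deduction values are illustrative.
SAMPLE_GAPS = [
    Gap("3.5.3", 5, on_poam=False),   # constructed: a 5-point item still open
    Gap("3.13.11", 3, on_poam=True),  # the partial-credit exception, scored at 3
    Gap("3.1.20", 1, on_poam=True),   # 1-point but never POA&M-eligible
    Gap("3.8.5", 1, on_poam=True),    # constructed: an ordinary 1-point deferral
]


def sample_walkthrough():
    """(score, blockers) before and after closing the must-fix gaps."""
    before = (sprs_score(SAMPLE_GAPS), conditional_level2_blockers(SAMPLE_GAPS))
    fixed = {g.requirement for g in must_fix(SAMPLE_GAPS)}
    remaining = [g for g in SAMPLE_GAPS if g.requirement not in fixed]
    after = (sprs_score(remaining), conditional_level2_blockers(remaining))
    return before, after


if __name__ == "__main__":
    (score0, why0), (score1, why1) = sample_walkthrough()
    print(f"before remediation: score {score0}, blockers: {why0}")
    print(f"after closing must-fix gaps: score {score1}, blockers: {why1}")
```

Run as a script it prints the before-and-after picture for the constructed sample: a score of 100 that is still blocked (an open 5-point item and a never-eligible 3.1.20 on the POA&M), then 106 with no blockers once the must-fix gaps are closed. The point worth noticing is that a score above 88 on its own proves nothing about eligibility; what sits on the POA&M decides it.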

CMMC Phase 1 is live now under DFARS 252.204-7021; CMMC Phase 2 starts November 10, 2026, when C3PAO-assessed Level 2 becomes the default for contracts involving CUI, applied per-solicitation at contracting-officer discretion (32 CFR 170.3(e)). Because that is a rollout rather than a single cliff, the safe move is to work the self-assessment phase well ahead of any solicitation that requires a C3PAO.

Straight answers

What is on a CMMC Level 2 compliance checklist?

A Level 2 checklist runs in two phases. Self-assessment readiness: complete a NIST SP 800-171 gap assessment across all 110 requirements, draft your System Security Plan (3.12.4), build a POA&M for any deferrable gaps, then calculate your score with the DoD Assessment Methodology and submit it to SPRS via the PIEE portal. C3PAO readiness: close the must-fix gaps the POA&M cannot defer, book an authorized C3PAO (waitlists are commonly reported at 6–9 months), and pass the formal assessment. Muster drafts the documents; you review and attest.

Do I need both an SSP and a POA&M?

You always need a current SSP — requirement 3.12.4. It is mandatory and never POA&M-eligible; without it, no assessment can be completed (32 CFR 170.24). A POA&M is optional and only matters if you have open gaps you want to defer. To be conditional-Level-2 eligible under 32 CFR 170.21, your score must be at least 88, only 1-point items may sit on the POA&M (with the lone 3.13.11 partial-credit exception), and they must close within 180 days. Six requirements can never go on a POA&M: 3.1.20, 3.1.22, 3.12.4, 3.10.3, 3.10.4, 3.10.5.

When do I need to be ready?

CMMC Phase 1 is live now: self-assessment requirements appear in new DoD solicitations under DFARS 252.204-7021. CMMC Phase 2 starts November 10, 2026, when C3PAO-assessed Level 2 becomes the default for contracts involving CUI — applied per-solicitation at the contracting officer’s discretion, so it is a rollout rather than a single cliff (32 CFR 170.3(e)). Because C3PAO waitlists are commonly reported at 6–9 months, working the checklist well ahead of any solicitation that requires third-party assessment is the safe path.

Can I do the gap assessment myself for free?

Yes. The first phase — the NIST SP 800-171 gap assessment and your SPRS score calculation — can be done yourself, and the free Muster assessment runs entirely in your browser with no file upload and nothing sent anywhere, so your information never leaves your machine. The self-assessment and the score you submit to SPRS are not a certification; only an authorized C3PAO certifies, which is the second phase of the checklist.

This is compliance information, not legal advice. Muster drafts documents and computes a self-assessment score; you review and attest, and only an authorized C3PAO certifies. For eligibility or contract-interpretation questions, consult qualified counsel.

Start the checklist with your number in hand.

The free assessment walks all 110 NIST SP 800-171 requirements in your browser and computes your SPRS score with the exact DoD methodology — phase one of the checklist, done today.


The free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.