10 Steps to CMMC Level 2

Feeling overwhelmed by CMMC Level 2 compliance? Download our free CMMC Level 2 Checklist and conquer DoD cybersecurity requirements in 10 strategic steps. This comprehensive guide simplifies the process, helping you define goals, identify resources, understand controls, and address gaps. Don’t wait – gain a competitive edge in the Defense Industrial Base and prepare for the upcoming CMMC implementation today!

Below are the 10 Steps to Becoming CMMC Level 2 Compliant:

Step 1 – CUI

Document where CUI lives in your environment. Start with contracts and follow flows through your organization.

Step 2 – Scoping

Identify and document CUI, SPA, CRMA, SA and out of scope assets.

Step 3 – Boundaries

Use an understanding of CUI dataflows and assets to consider ways to reduce the footprint.

Step 4 – Identify

Identify tools/methods and stakeholders necessary to track and manage compliance with controls.

Step 5 – Contract Review

Review contracts and agreements with 3rd party vendors to ensure their control environments are compliant.

Step 6 – Authority

Ensure internal stakeholder has the authority to manage the cultural change.

Step 7 – Controls

Quickly check compliance for each of the 110 controls and 320 assessment objectives against your identified CUI boundary.

Step 8 – POAMs

Create plans of actions and milestones (POAMs) for anything not compliant.

Step 9 – Remediate

Assign authoritative stakeholders to remediate the easiest gaps with timelines.

Step 10 – Plan

Develop timelines and budgets for addressing more complex gaps such as replacing non-compliant 3rd party vendors.


Track and manage progress on POAMs until ready for assessment. Organizations delaying compliance may encounter obstacles due to the limited availability of Certified CMMC Assessors (CCAs). We advise proactively scheduling assessments to ensure timely compliance.