CMMC Compliance Checklist for Compliance & Security Directors
The 2025 CMMC 2.0 rulemaking cycle finally nailed down what Level 2 assessors will demand, yet most compliance leaders are still juggling legacy spreadsheets, vendor promises, and impatient executives. This checklist distills the 110 practices, DFARS 252.204-7012 overlays, and Cyber AB assessment guidance into nine moves you can run this quarter. Treat it like an operating plan: scope accurately, assign evidence owners, prove control performance, then let BMT’s readiness sprint remove the final variables.
1. Define Scope, Contracts, and Risk Appetite
Inventory every DoD contract that flows CUI or FCI, map their clause language (7012, 7021, upcoming 7025), and document which business units touch that data. Use procurement logs, CRM exports, and subcontractor rosters to surface shadow environments. Declare the acceptable risk appetite in writing—what systems can stay out-of-scope, which enclaves demand isolation, and how much downtime executives will tolerate during remediation. Without this signed baseline, your SSP will drift within weeks.
Checklist:
- List contracts, contract values, and clause mappings.
- Document people/process/technology boundaries for each enclave.
- Capture leadership-approved risk appetite statement tied to revenue impact.
2. Build a Living Asset & Identity Inventory
Assessors fail programs because no one can prove where CUI actually lives. Aggregate CMDB data, M365/Azure AD exports, EDR agents, badge systems, and SaaS admin panels into a single sheet. Tag each asset with owner, patch group, data classification, and MFA posture. Extend the inventory to identities—human, service, and vendor—and mark which ones access CUI. BMT pairs this exercise with a segmentation diagram so that procurement, IT, and engineering finally argue from the same facts.
Checklist:
- Consolidate asset feeds (CMDB, EDR, MDM) into one schema.
- Tag every asset/identity with data classification + control ownership.
- Publish enclave diagrams that show trusted/guest/production zones.
3. Align System Security Plan & POA&M Cadences
A pristine SSP without a living POA&M is useless. Rewrite SSP narratives so that every control cites: (1) implementation description, (2) evidence folder, (3) control owner, and (4) refresh cadence. Mirror those IDs inside the POA&M so remediation tasks share the same numbering the assessor will use. Run a weekly POA&M standup with IT, engineering, HR, and facilities; close amber tasks in the meeting and mark blockers that require executive air cover. BMT clients typically cut open action items by 35% once SSP + POA&M share IDs.
Checklist:
- Standardize SSP control narratives with owner + evidence path.
- Sync POA&M IDs/dates with the same numbering scheme.
- Host weekly POA&M reviews with decision-makers in the room.
4. Operationalize the 110 Practices Into Workstreams
Stop tackling controls alphabetically. Group practices into 8–10 workstreams (identity, logging, configuration management, incident response, etc.) and assign a technical lead plus an executive sponsor to each. For every workstream, document success criteria, leading indicators, tooling dependencies, and budget requirements. Convert Cyber AB Assessment Guide language into engineer-friendly acceptance tests so teams know what “implemented” means. This closes the gap between policy writers and the admins that actually deploy MFA, SIEM, and backup guardrails.
Checklist:
- Cluster practices into workstreams with named owners.
- Draft acceptance tests tied to the Assessment Guide.
- Link each workstream to required tooling/licensing decisions.
5. Build Evidentiary Packets Before the Auditor Asks
Auditors want layered proof: system configuration exports, monitoring screenshots, ticket IDs, and signed procedures. Create Drive folders per practice (e.g., “AC.1.001 – MFA Enforcement – 2026-02-10”) containing (1) raw evidence, (2) narrative context, and (3) change history. Require control owners to refresh artifacts every 30–60 days, and track freshness in your dashboard. When BMT runs mock interviews, we reference these packets live so directors can see where evidence is brittle before the assessor calls it out.
Checklist:
- Establish evidence folder templates with naming conventions.
- Capture screenshots/logs + short narrative for every practice.
- Track evidence freshness and escalate anything older than 60 days.
6. Tighten Third-Party and Subcontractor Controls
CMMC 2.0 puts the prime on the hook for vendor gaps. Inventory every MSP, MSSP, temp agency, and manufacturing partner involved in CUI handling. Verify they have signed CMMC-aligned clauses, MFA enforced on shared systems, secure file transfer, and incident response SLAs that map to yours. Where proof is missing, issue a remediation letter with deadlines and escalation paths. BMT often inserts a vendor attestation package inside the readiness sprint so subcontractors sign off before the auditor samples their tickets.
Checklist:
- List all vendors with CUI access + contract clauses in place.
- Collect proof of MFA, logging, and incident response integration.
- Require remediation plans or swap vendors that cannot comply.
7. Run a Four-Week Readiness Sprint
Compress the chaos into an executable timeline:
- Week 1 – Triage & Gap Heatmap: Confirm scoping, inventory gaps, and assign workstream owners.
- Week 2 – Control Deep Dives: Pair BMT engineers with your admins to fix MFA coverage, log retention, backup testing, and configuration baselines.
- Week 3 – SSP/POA&M Refresh: Rewrite narratives, link artifacts, and update POA&M burndown metrics.
- Week 4 – Mock Audit + Executive Brief: Simulate assessor interviews, capture residual risk, and present funding requests tied to contract exposure.
By the end, executives see a defensible burndown chart, not a hallway conversation.
8. Translate Progress Into Executive KPIs
Leadership funds what they can measure. Stand up a Looker Studio or Power BI board that tracks: % of practices with current evidence, mean days to close POA&M tasks, MFA coverage for privileged identities, backup immutability status, and vendor attestation completion. Tie every KPI to contract dollar value so the COO sees the revenue at risk when a metric slips. BMT delivers this dashboard alongside the readiness sprint so directors walk into every ELT meeting with concrete proof of momentum.
Checklist:
- Publish KPI targets with red/yellow/green thresholds.
- Automate data pulls from ticketing, SIEM, and evidence folders.
- Map each KPI to contract revenue or recompete milestones.
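The asset consolidation in step 2, the evidence-freshness tracking in step 5, and the KPI board in step 8 all reduce to the same data-processing loop: join the feeds on a common key, flag what is missing, and band the result red/yellow/green. The script below is an added example written for this page, not BMT's dashboard or any product's code. The CMDB, EDR, MDM, evidence, POA&M and identity records are constructed sample data; the field names, the practice IDs beyond the page's own "AC.1.001" style, and the RAG thresholds are assumptions you would replace with your own feeds and targets.

```python
"""Added example: merge asset feeds, flag CUI coverage gaps, track evidence
freshness, and roll everything into a RAG-banded KPI board.
All records below are constructed sample data; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import mean

TODAY = date(2026, 2, 10)  # stand-in for "today"; matches the page's folder-name example

# Constructed stand-ins for CMDB / EDR / MDM exports (step 2).
CMDB = [
    {"host": "eng-ws-01", "owner": "engineering", "classification": "CUI"},
    {"host": "fin-ws-02", "owner": "finance", "classification": "FCI"},
    {"host": "lab-srv-03", "owner": "engineering", "classification": "CUI"},
]
EDR = [{"host": "eng-ws-01", "agent": "healthy"}, {"host": "fin-ws-02", "agent": "healthy"}]
MDM = [{"host": "eng-ws-01", "mfa": True}, {"host": "lab-srv-03", "mfa": False}]

# Constructed evidence map: practice id -> date of newest artifact in its folder (step 5).
EVIDENCE = {
    "AC.1.001": date(2026, 1, 28),
    "AC.1.002": date(2025, 11, 20),
    "IA.1.076": date(2025, 12, 30),
}
# Constructed POA&M items as (opened, closed-or-None).
POAM = [
    (date(2025, 12, 1), date(2025, 12, 15)),
    (date(2025, 12, 10), date(2026, 1, 9)),
    (date(2026, 1, 5), None),
]
# Constructed identity export: human and service accounts with MFA posture.
IDENTITIES = [
    {"id": "alice", "privileged": True, "mfa": True},
    {"id": "svc-backup", "privileged": True, "mfa": False},
    {"id": "bob", "privileged": False, "mfa": True},
    {"id": "root-admin", "privileged": True, "mfa": True},
]


@dataclass
class Asset:
    host: str
    owner: str = "unassigned"
    classification: str = "unknown"
    edr: bool = False
    mfa: bool = False


def merge_feeds(cmdb, edr, mdm) -> dict:
    """Join the three feeds on hostname into one schema. Hosts seen only in EDR or
    MDM are kept (owner "unassigned") so shadow assets surface instead of vanishing."""
    assets = {}
    for row in cmdb:
        assets[row["host"]] = Asset(row["host"], row["owner"], row["classification"])
    for row in edr:
        assets.setdefault(row["host"], Asset(row["host"])).edr = row["agent"] == "healthy"
    for row in mdm:
        assets.setdefault(row["host"], Asset(row["host"])).mfa = bool(row["mfa"])
    return assets


def cui_gaps(assets) -> list:
    """CUI-tagged assets missing EDR coverage or MFA: the first thing an assessor samples."""
    return sorted(h for h, a in assets.items()
                  if a.classification == "CUI" and not (a.edr and a.mfa))


def stale_evidence(evidence, today, max_age_days=60) -> list:
    """Practices whose newest artifact is older than the page's 60-day escalation line."""
    return sorted(p for p, d in evidence.items() if (today - d).days > max_age_days)


def mean_days_to_close(poam) -> float:
    """Mean open-to-close time over closed POA&M items; still-open items are excluded."""
    closed = [(c - o).days for o, c in poam if c is not None]
    return float(mean(closed)) if closed else 0.0


def privileged_mfa_pct(identities) -> float:
    """Share of privileged identities (human or service) with MFA enforced."""
    priv = [i for i in identities if i["privileged"]]
    return 100.0 * sum(1 for i in priv if i["mfa"]) / len(priv) if priv else 0.0


def rag(value, green, amber, higher_is_better=True) -> str:
    """Red/yellow/green banding; the thresholds are assumptions, not CMMC-mandated values."""
    if not higher_is_better:  # flip sign so "at least" comparisons still apply
        value, green, amber = -value, -green, -amber
    return "green" if value >= green else "amber" if value >= amber else "red"


def kpi_board(assets, evidence, poam, identities, today) -> dict:
    """The step-8 KPIs, each as (value, RAG status)."""
    current = 100.0 * sum(1 for d in evidence.values() if (today - d).days <= 60) / len(evidence)
    mttc = mean_days_to_close(poam)
    mfa = privileged_mfa_pct(identities)
    gaps = len(cui_gaps(assets))
    return {
        "evidence_current_pct": (round(current, 1), rag(current, 95, 80)),
        "mean_days_to_close_poam": (round(mttc, 1), rag(mttc, 14, 30, higher_is_better=False)),
        "privileged_mfa_pct": (round(mfa, 1), rag(mfa, 100, 95)),
        "cui_assets_with_gaps": (gaps, rag(gaps, 0, 2, higher_is_better=False)),
    }


if __name__ == "__main__":
    board = kpi_board(merge_feeds(CMDB, EDR, MDM), EVIDENCE, POAM, IDENTITIES, TODAY)
    for name, (value, status) in board.items():
        print(f"{name:<26} {value:>6}  {status}")
```

On the sample data the board reports evidence currency at 66.7% (red), 22 mean days to close (amber), privileged MFA at 66.7% (red), and one CUI asset with a gap (lab-srv-03, which the CMDB knows about but EDR never saw). The point of keeping hosts that appear in only one feed is exactly the shadow-environment problem step 2 describes: a left join on the CMDB alone would hide them.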
9. Finalize Messaging, CTA, and Audit Day Logistics
CMMC success is as much storytelling as control hygiene. Draft executive talking points, customer-facing attestations, and capture content that names your readiness status. Lock audit day logistics now—war room location, decision tree for assessor findings, secure comms channel, and who can approve last-minute configuration changes. Close the loop with a CTA: invite stakeholders to book BMT’s Readiness Audit so they know expert help is queued if the mock audit surfaces gaps you cannot close internally.
Checklist:
- Prep executive and customer-facing readiness statements.
- Document audit day runbook (facilities, IT, legal, communications).
- Publish CTA to schedule BMT’s Readiness Audit for external validation.
Recommended Internal Links
1. BMT Readiness Audit Services Overview
2. BMT Blog: Building a Living System Security Plan
Recommended External Links
1. DoD CIO – About CMMC (https://dodcio.defense.gov/cmmc/About/)
2. Cyber AB Assessment Process v2.0 (https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf)
3. PreVeil – System Security Plan Guide (https://www.preveil.com/blog/what-is-system-security-plan/)
SEO Title & Meta Description
- SEO Title: CMMC Compliance Checklist for Compliance & Security Directors | BMT
- Meta Description: Walk through BMT’s nine-step CMMC 2.0 Level 2 compliance checklist—scope contracts, align SSP + POA&M, refresh evidence packets, and run a four-week readiness sprint with executive-grade KPIs.
CTA
Book a BMT Readiness Audit to put your SSP, POA&M, and evidence library on a single 30-day track toward CMMC Level 2 success.