CMMC Compliance Checklists

Navigating the requirements for the different levels of CMMC 2.0 can feel overwhelming. With rigorous technical controls and documentation requirements, it’s easy to miss a step. That’s where a checklist can make a real difference.

Whether you’re pursuing a self-assessment for Level 1 or preparing for a formal third-party assessment at Level 2 or 3, a CMMC compliance checklist helps you clearly understand what’s required, track your progress, and stay organized throughout the process.

At Secureframe, we’ve developed detailed yet easy-to-follow checklists for CMMC Levels 1, 2, and 3, created in collaboration with our in-house federal compliance experts. These checklists clearly delineate the requirements of FAR 52.204-21 for Level 1, NIST 800-171 Revision 2 for Level 2, and NIST 800-172 with assigned ODP values for Level 3, so compliance teams know exactly what requirements they need to meet to achieve compliance.

Below, we break down what to expect in each level’s checklist, so you can understand where to start and how to move forward.

CMMC Level 1 Compliance Checklist

CMMC Level 1 is focused on safeguarding Federal Contract Information (FCI) and is required for contractors who do not handle Controlled Unclassified Information (CUI). It involves 17 basic cybersecurity practices based on 15 requirements from FAR 52.204-21.

The practices are grouped into six core domains:

  • Access Control
  • Identification and Authentication
  • Media Protection
  • Physical Protection
  • System and Communications Protection
  • System and Information Integrity

How our checklist helps: Level 1 practices may seem simple, but they're essential for ensuring a basic level of safeguarding for any contractor system with Federal information. Our checklist helps you verify that each practice is implemented, documented, and maintained.

Download the CMMC Level 1 Compliance Checklist

Use this checklist as a structured approach for evaluating your adherence to CMMC 2.0 Level 1 requirements and your overall cybersecurity posture.

CMMC Level 2 Compliance Checklist

Level 2 is a significant leap in complexity. It aligns with NIST SP 800-171 Rev. 2 and applies to contractors that store, process, or transmit Controlled Unclassified Information (CUI).

It includes 110 security requirements across 14 domains:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System Integrity

How our checklist helps: With so many requirements to track, it’s easy to lose sight of progress. Our Level 2 checklist clearly spells out each requirement, organized into each domain, so you can more easily see what has been or still needs to be implemented, documented, and maintained.

Download the CMMC Level 2 Compliance Checklist

Use this checklist as a structured approach for evaluating your adherence to CMMC 2.0 Level 2 requirements and your overall cybersecurity posture.

CMMC Level 3 Compliance Checklist

CMMC Level 3 is designed for a small subset of contractors—approximately 1% of the Defense Industrial Base (DIB)—handling high-value CUI critical to national security. It builds on Level 2 by adding 24 advanced requirements drawn from NIST SP 800-172, with values for Organization-Defined Parameters (ODPs) that have been assigned by the DoD.

While Levels 1 and 2 are designed to verify compliance with existing security requirements from regulations that have been around for years, Level 3 focuses on new requirements that emphasize resilience and advanced cyber maturity, such as:

  • Enhanced system monitoring and anomaly detection
  • Robust incident response and threat hunting
  • Stronger access control using behavioral analytics
  • Greater segmentation and isolation of critical systems

These requirements are organized into 10 of the 14 domains from Level 2, excluding:

  • Audit and Accountability
  • Maintenance
  • Media Protection
  • Physical Protection

How our checklist helps: Unlike CMMC Level 1 and Level 2, which are based on FAR and DFARS clauses that have been in effect for years, CMMC Level 3 introduces a new set of requirements drawn from a subset of NIST SP 800-172 that are not currently mandated by any other federal regulation. This means many contractors will be encountering these security controls for the first time. Our checklist helps accelerate the learning curve by clearly listing all 24 CMMC Level 3 requirements, along with the specific values for Organization-Defined Parameters (ODPs) that the Department of Defense has assigned. These predefined values eliminate guesswork and ensure your implementation aligns with DoD expectations, reducing the risk of inconsistent interpretations across programs.

Download the CMMC Level 3 Compliance Checklist

Use this checklist as a structured approach for evaluating your adherence to CMMC 2.0 Level 3 requirements and your overall cybersecurity posture.

Why use a CMMC compliance checklist?

While a checklist can be a helpful tool, achieving CMMC compliance isn’t just about checking boxes—it’s about building and demonstrating a security program that meets federal expectations. This checklist helps by:

  • Clarifying scope: Know which level applies and what’s required.
  • Organizing your process: Keep track of completed items, in-progress tasks, and remediation efforts.
  • Reducing risk of audit findings: Stay ahead of missing documentation or incomplete implementations.
  • Accelerating timelines: Speed up internal reviews and third-party assessments.

Ready to simplify your path to CMMC certification? Secureframe can help you automate documentation, manage evidence, and monitor compliance—all in one platform built for federal frameworks. Talk to an expert about how we can support your CMMC readiness.
