Cybersecurity Compliance | 19 min read
CMMC Readiness Checklist for Small and Mid-Sized Government Contractors
CMMC readiness is no longer something government contractors can push into the future. For companies that support DoD programs, defense primes, intelligence missions, or federal supply chains, cybersecurity compliance now affects bid eligibility, subcontracting opportunities, customer trust, and revenue continuity.
The Cybersecurity Maturity Model Certification program is designed to give the Department increased assurance that contractors and subcontractors have implemented required cybersecurity standards for nonfederal systems that process, store, or transmit Federal Contract Information or Controlled Unclassified Information. The program is implemented through contracts, and contractors entrusted with FCI or CUI must achieve the required CMMC level as a condition of contract award.
As of May 31, 2026, CMMC Phase 1 implementation is underway. Phase 1 began on November 10, 2025, and runs through November 9, 2026, with primary focus on CMMC Level 1 and Level 2 self-assessments and affirmations in SPRS.
Small and mid-sized contractors should not wait until an RFP appears. By then, there may not be enough time to identify FCI and CUI, define the assessment boundary, remediate gaps, prepare evidence, update SPRS, and manage subcontractor requirements.
This checklist is designed to help GovCon leaders understand what needs to be in place before a solicitation, prime contractor, contracting officer, or assessor asks for proof.
Why CMMC Readiness Matters Now
CMMC is not just a cybersecurity framework. It is becoming a contract gate.
DFARS 252.204-7025, the solicitation provision that gives offerors notice of the CMMC level requirement, states that the required CMMC level, or higher, must be held prior to award for each contractor information system that will process, store, or transmit FCI or CUI during contract performance. It also states that an offeror is not eligible for award unless it has the required current CMMC status and a current affirmation of continuous compliance entered in SPRS. DFARS 252.204-7021 then carries that requirement into the awarded contract for the life of performance.
That is why CMMC readiness needs to be treated as a business development issue, not only an IT issue. If your company cannot demonstrate the required status when the opportunity arrives, the technical team may never get a chance to compete.
CMMC Level Quick Reference
Before using the checklist, confirm which CMMC level applies to your company, contract, or target opportunity.
- Level 1: Annual self-assessment and annual affirmation against the 15 requirements in FAR 52.204-21. No POA&Ms are permitted.
- Level 2: Self-assessment or C3PAO assessment every three years, as specified in the solicitation, plus annual affirmation against the 110 NIST SP 800-171 Revision 2 requirements.
- Level 3: A Final Level 2 (C3PAO) status is required first, followed by a DIBCAC assessment every three years and annual affirmation against the 24 selected NIST SP 800-172 requirements.
Checklist 1: Identify the Contract Drivers
The first step is to understand what is actually driving your cybersecurity requirement. Too many contractors start with tools before reading the contract.
Review current and target contracts for FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, DFARS 252.204-7025, agency-specific CUI instructions, DD Form 254 requirements where applicable, prime contractor flow-downs, and cloud or incident reporting obligations.
For defense work, DFARS 252.204-7012 is especially important because it defines Covered Defense Information, covered contractor information systems, controlled technical information, and the requirement to provide adequate security.
- Do we know which clauses apply to each contract?
- Do we know which CMMC level is required for each target opportunity?
- Do we know whether the requirement applies at proposal, award, option period, or subcontract award?
- Do we know which systems will support performance?
- Do we know whether our prime contractor has additional cybersecurity flow-down requirements?
Checklist 2: Identify FCI, CUI, and Covered Defense Information
CMMC scoping depends on data. If your company does not know what information it handles, it cannot accurately define the assessment boundary.
Start by identifying where FCI, CUI, Covered Defense Information, controlled technical information, export-controlled information, source selection information, PII, government-furnished information, and customer-sensitive materials enter your business.
The CUI Registry includes categories across areas such as Defense, Export Control, Intelligence, Privacy, Procurement and Acquisition, Critical Infrastructure, and Proprietary Business Information. Contractors should use the registry, contract markings, customer instructions, and agency guidance to determine what must be protected.
- Do we know which contracts involve FCI only?
- Do we know which contracts involve CUI or Covered Defense Information?
- Do we know where CUI enters, moves through, and leaves the company?
- Do we know whether CUI appears in email, collaboration tools, file shares, laptops, ticketing systems, cloud storage, CRM tools, proposal repositories, or subcontractor systems?
- Do employees understand how to recognize CUI markings and handling requirements?
Checklist 3: Define the CMMC Assessment Scope
Scoping is where many contractors get into trouble. If the scope is too broad, compliance becomes expensive and hard to manage. If it is too narrow, the company may exclude systems that actually process, store, transmit, or protect FCI or CUI.
For Level 1, systems that process, store, or transmit FCI are in scope. For Level 2, every asset in the environment must be categorized under the CMMC scoping rules as a CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope Asset, and handled according to the rules for that category.
External service providers matter too. Contractors need to document whether providers process, store, or transmit CUI or Security Protection Data, how they support the environment, and what responsibilities are inherited by the contractor.
- Have we defined our CMMC assessment boundary?
- Do we have an asset inventory for in-scope systems?
- Do we know which systems provide security protection for CUI assets?
- Have we documented cloud providers, managed service providers, SaaS tools, AI tools, and other external service providers?
- Can we justify which systems are out of scope?
Checklist 4: Build or Update the System Security Plan
The System Security Plan is one of the most important CMMC readiness documents. It should explain the system boundary, architecture, asset categories, data flows, users, security controls, inherited controls, cloud services, external service providers, and how each requirement is implemented.
A weak SSP creates assessment risk because it leaves too much for the assessor, prime, or customer to infer. A strong SSP shows that the company understands its environment and can explain how security requirements are implemented in practice.
- Do we have a current SSP?
- Does the SSP match the real operating environment?
- Does it include cloud services and external service providers?
- Does it describe inherited controls and customer responsibilities?
- Does it include CUI data flows and network diagrams?
- Has leadership reviewed the SSP before making any affirmation?
Checklist 5: Review SPRS, Scores, and Affirmations
SPRS is a critical part of CMMC readiness. Contractors need to know what is already in SPRS, whether the information is current, and who is authorized to submit or affirm information.
Summary-level NIST SP 800-171 DoD Assessment scores are posted in SPRS so that DoD Components can see them, and CMMC status is tied to the affirmation of continuous compliance recorded there. A Final Level 1 status and its affirmation must each be no older than one year. A Final Level 2 status, whether from a self-assessment or a C3PAO assessment, is valid for three years when the conditions for that status are met, but the affirmation must still be renewed annually.
- Do we know what is currently posted in SPRS?
- Are our CAGE codes accurate?
- Is our score tied to the correct SSP and system boundary?
- Do we know who is authorized to submit and affirm?
- Do affirmations match the company's actual compliance posture?
- Do we have evidence supporting the score or status submitted?
Checklist 6: Close High-Risk Technical Gaps
CMMC readiness is not only documentation. Controls need to be implemented and working.
For many small and mid-sized contractors, the most common gaps include weak multifactor authentication coverage, incomplete asset inventory, unmanaged endpoints, inadequate logging, inconsistent vulnerability scanning, undocumented configuration baselines, weak access reviews, poor incident response testing, uncontrolled cloud storage, and unclear separation between business data and CUI.
Confirm that users, devices, remote access paths, and administrator roles are controlled and reviewed, and show that security activity is monitored, prioritized, remediated, and tested with evidence.
- Is multifactor authentication implemented where required?
- Are endpoints protected and monitored?
- Are vulnerabilities scanned, prioritized, and remediated?
- Are audit logs collected and reviewed?
- Are backups protected and tested?
- Are unauthorized cloud, file-sharing, and AI tools blocked or governed?
Checklist 7: Prepare Evidence Before the Assessment
A company may have decent security practices and still fail readiness because it cannot prove implementation. CMMC readiness requires evidence that is organized, current, and tied to the correct requirement.
Your evidence repository should include policies, procedures, screenshots, configuration exports, access reviews, training records, vulnerability scan results, remediation tickets, incident response exercise records, cloud responsibility matrices, logs, diagrams, asset inventories, and proof of recurring security activities.
- Do we have evidence mapped to each applicable requirement?
- Is the evidence current?
- Does the evidence match the SSP?
- Can we show that controls are operating, not just documented?
- Can we explain inherited controls from cloud or managed service providers?
- Is evidence stored securely and organized for review?
Checklist 8: Manage POA&Ms Correctly
POA&Ms can be useful, but they are not a substitute for readiness. Contractors should understand when POA&Ms are allowed, which requirements cannot be placed on a POA&M, and how quickly remediation must be closed.
Level 1 POA&Ms are not permitted. Level 2 and Level 3 allow limited use of POA&Ms, and a closeout assessment must confirm closure within 180 days of the Conditional CMMC Status Date; otherwise the conditional status expires. For Level 2 the limits are specific: the assessment score must be at least 88 out of 110, only requirements weighted at one point may remain open (with SC.L2-3.13.11 CUI encryption allowed on the POA&M when encryption is in place but not FIPS-validated), and a short list of requirements, including AC.L2-3.1.20, AC.L2-3.1.22, and the physical access requirements PE.L2-3.10.3 through PE.L2-3.10.5, must be met before the assessment rather than deferred.
- Do we know which gaps are eligible for POA&M treatment?
- Do we know which gaps must be remediated before assessment?
- Do we have owners, due dates, and budget assigned to each POA&M item?
- Can we close POA&M items within the 180-day window?
- Are we avoiding overreliance on POA&Ms as a substitute for implementation?
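Checklist 5 asks whether the SPRS score is supported by evidence and Checklist 8 asks which gaps are eligible for a POA&M. The script below, an added example that is not tooling from GS Consulting or from DoD, applies both rules to a list of findings: the DoD Assessment Methodology score (110 minus the weight of every NOT MET requirement) and the 32 CFR 170.21 conditions for a Conditional Level 2 status. The per-requirement weights in the sample data are a constructed subset and are assumptions; check each one against the current methodology before using this to decide anything.

```python
"""NIST SP 800-171 DoD Assessment score and CMMC Level 2 POA&M eligibility.

Added example for Checklists 5 and 8; not tooling from GS Consulting or
DoD. Scoring follows the DoD Assessment Methodology (110 minus the weight
of each NOT MET requirement); the POA&M rules follow 32 CFR 170.21. The
requirement weights in the sample data below are an assumed subset.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
POAM_MIN_SCORE = 88            # 0.8 x 110, the Level 2 POA&M threshold
POAM_CLOSEOUT_DAYS = 180       # conditional status expires if not closed

# Requirements that may never be left open on a Level 2 POA&M.
POAM_PROHIBITED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    req: str       # NIST SP 800-171 Rev 2 requirement ID, e.g. "3.5.3"
    weight: int    # points deducted when NOT MET: 1, 3 or 5 (assumed values)
    met: bool


def sprs_score(findings):
    """Score as posted to SPRS: 110 minus every NOT MET weight."""
    if any(f.req == "3.12.4" and not f.met for f in findings):
        # Without a System Security Plan the methodology yields no score.
        raise ValueError("3.12.4 (SSP) not met: no score can be calculated")
    return MAX_SCORE - sum(f.weight for f in findings if not f.met)


def poam_eligibility(findings):
    """Return (eligible, reasons) for a Conditional Level 2 status.

    Eligible only if the score is at least 88, every open item is a
    1-point requirement (3.13.11 may stay open at weight 1 or 3, meaning
    encryption exists but is not FIPS-validated), and none of the
    prohibited requirements is open.
    """
    reasons = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}")
    for f in findings:
        if f.met:
            continue
        if f.req in POAM_PROHIBITED:
            reasons.append(f"{f.req} cannot be placed on a POA&M")
        elif f.req == "3.13.11":
            if f.weight not in (1, 3):
                reasons.append("3.13.11 with no CUI encryption (5 points) cannot be on a POA&M")
        elif f.weight > 1:
            reasons.append(f"{f.req} weighs {f.weight} points; only 1-point items may be on a POA&M")
    return (not reasons, reasons)


def poam_closeout_deadline(conditional_status_date):
    """Last day a closeout assessment can confirm closure (32 CFR 170.21)."""
    return conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample assessments; weights are assumed, not authoritative.
SAMPLE_READY = [
    Finding("3.12.4", 5, True),    # SSP exists
    Finding("3.1.1", 5, True),
    Finding("3.5.3", 5, True),     # MFA in place
    Finding("3.13.11", 3, False),  # encryption present, not FIPS-validated
    Finding("3.1.10", 1, False),   # session lock
    Finding("3.4.9", 1, False),    # user-installed software
]

SAMPLE_NOT_READY = [
    Finding("3.12.4", 5, True),
    Finding("3.5.3", 5, False),    # MFA missing: 5 points, not POA&M-able
    Finding("3.1.20", 1, False),   # external connections: prohibited on POA&M
    Finding("3.13.11", 3, False),
    Finding("3.1.10", 1, False),
]

if __name__ == "__main__":
    for name, sample in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        ok, why = poam_eligibility(sample)
        print(f"{name}: score {sprs_score(sample)}, POA&M eligible: {ok} {why}")
    print("closeout deadline:", poam_closeout_deadline(date(2026, 1, 15)))
```

The second sample scores 100, which clears the 88 threshold, yet it is not eligible: an open 5-point requirement and an open prohibited requirement each disqualify it on their own. That is the practical lesson of Checklist 8: a good score is not the same as POA&M eligibility, so plan remediation by item, not by total.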
Checklist 9: Review Cloud, SaaS, MSP, and AI Tools
Cloud and outsourced services are often the biggest hidden CMMC risk. Many contractors rely on Microsoft 365, AWS, Azure, Google Workspace, file-sharing tools, CRM systems, ticketing platforms, managed service providers, AI tools, endpoint management tools, and security monitoring providers.
Under DFARS 252.204-7012, if a contractor uses an external cloud service provider to store, process, or transmit Covered Defense Information in contract performance, the contractor must require and ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the clause's cyber incident reporting and related requirements.
AI tools need the same level of scrutiny. If an AI tool processes CUI, summarizes CUI, indexes controlled repositories, stores prompts or outputs containing CUI, analyzes vulnerability data, or supports security monitoring, it may affect the CMMC boundary and evidence package.
- Do we know which cloud and SaaS tools process FCI or CUI?
- Do we have customer responsibility matrices?
- Do agreements address security, incident reporting, access, retention, and data handling?
- Do AI tools process contract data, CUI, security data, or customer-sensitive information?
- Are prompts, outputs, logs, and embeddings controlled if they contain CUI?
- Have we documented inherited controls in the SSP?
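Checklist 6 asks whether unauthorized cloud, file-sharing, and AI tools are blocked or governed, and this checklist asks which AI and SaaS tools actually touch contract data. One way to answer both with evidence rather than policy text is to run the proxy or DNS filter logs against the approved-tool list from the SSP. The script below is an added example, not a tool from the original article; the log format (timestamp, user, source IP, host, bytes sent), the hostnames, the approved list, and the watchlist are all constructed for illustration.

```python
"""Review web proxy logs for cloud, file-sharing and AI tools that are not
approved for the CUI environment.

Added example for Checklists 6 and 9; not a tool from the original article.
The log format, the hostnames, the approved list and the watchlist are all
constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed allowlist of services the SSP authorizes for FCI/CUI.
APPROVED = {"office365.com", "sharepoint.com", "microsoftonline.com"}

# Assumed services the policy says must be blocked or governed, by category.
WATCHLIST = {
    "openai.com": "ai-assistant",
    "anthropic.com": "ai-assistant",
    "dropbox.com": "file-sharing",
    "wetransfer.com": "file-sharing",
    "drive.google.com": "file-sharing",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<host>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log; users, addresses and hosts are not real traffic.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z alice 10.20.1.15 outlook.office365.com 40213
2026-03-02T09:15:31Z alice 10.20.1.15 chat.openai.com 18872
2026-03-02T09:16:02Z bob 10.20.1.22 www.dropbox.com 904331
2026-03-02T09:17:44Z bob 10.20.1.22 contoso.sharepoint.com 10023
2026-03-02T09:18:09Z carol 10.20.1.31 api.openai.com 2201
2026-03-02T09:19:15Z carol 10.20.1.31 example.net 512
this line is not a proxy record
"""


def _matches(host, domain):
    """True when host is domain or a subdomain of it; no substring matches,
    so 'evil-dropbox.com' does not match 'dropbox.com'."""
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """'approved' wins over the watchlist; anything else is 'unclassified'."""
    host = host.lower().rstrip(".")
    if any(_matches(host, d) for d in APPROVED):
        return "approved"
    for domain, category in WATCHLIST.items():
        if _matches(host, domain):
            return category
    return "unclassified"


def review(lines):
    """Summarise governed-tool usage: individual hits, bytes sent per user
    per category, and a count of lines the parser could not read (those
    need a look too, because a silently skipped line is missing evidence)."""
    by_user = defaultdict(lambda: defaultdict(int))
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        category = classify_host(m["host"])
        if category in ("approved", "unclassified"):
            continue
        sent = int(m["bytes"])
        by_user[m["user"]][category] += sent
        hits.append((m["ts"], m["user"], m["host"], category, sent))
    return {
        "hits": hits,
        "by_user": {u: dict(c) for u, c in by_user.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG.splitlines())
    for ts, user, host, category, sent in report["hits"]:
        print(f"{ts} {user:<6} {category:<13} {host} {sent} bytes")
    print("unparsed lines:", report["unparsed"])
```

Suffix matching on the registered domain, rather than a substring search, keeps look-alike hosts out of the approved set. The bytes-sent column is what turns a visit into a question worth asking: a 900 KB upload to a file-sharing site from a CUI workstation is the kind of record an assessor or prime will ask you to explain, and the report is the operating evidence for the "blocked or governed" control.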
Checklist 10: Train Employees on CMMC, CUI, and Safe Workflows
CMMC readiness fails when employees do not understand what is expected of them. Security controls need to be supported by behavior.
Training should cover FCI, CUI, approved systems, prohibited tools, phishing, password and MFA expectations, incident reporting, removable media, cloud storage, AI tool restrictions, remote work, visitor handling, physical security, and subcontractor communication.
- Do employees know what FCI and CUI are?
- Do employees know where CUI may and may not be stored?
- Do employees know how to report suspected incidents?
- Do employees know which AI tools are approved and prohibited?
- Do program managers and proposal teams understand when CMMC status may affect bid eligibility?
- Do executives understand what they are affirming in SPRS?
Checklist 11: Flow Requirements to Subcontractors
CMMC readiness does not stop with the prime contractor. If subcontractors process, store, or transmit FCI or CUI, they may need the appropriate CMMC status before subcontract award.
- Do we know which subcontractors receive FCI or CUI?
- Do subcontracts include the right cybersecurity flow-downs?
- Do subcontractors have the required CMMC status before award?
- Do we verify subcontractor SPRS or CMMC status when required?
- Do subcontractors use cloud, SaaS, MSP, or AI tools with our contract data?
- Do we have a process to reassess subcontractors during performance?
Checklist 12: Create a Continuous Compliance Rhythm
CMMC is not a one-time project. It requires continuous readiness.
A practical continuous compliance rhythm should include monthly vulnerability reviews, quarterly access reviews, recurring SSP updates, annual policy reviews, incident response exercises, subcontractor reviews, cloud provider reviews, AI tool reviews, and leadership-level compliance reporting before any affirmation is submitted.
- Do we have recurring control owners?
- Do we review compliance monthly or only before proposals?
- Do we update the SSP when systems or providers change?
- Do we track evidence continuously?
- Does leadership receive clear reporting before affirming compliance?
- Do we know what would cause our current status to lapse or become inaccurate?
Red Flags That Your Company Is Not CMMC Ready
Your company may not be ready if the basic facts are still unclear or the evidence does not match the environment.
- You do not know whether you handle CUI.
- Your SPRS score is outdated.
- You cannot identify which subcontractors receive FCI or CUI.
- Your SSP does not match the real system.
- Cloud responsibilities are undocumented.
- Employees use unapproved file-sharing or AI tools.
- Evidence is not mapped to requirements.
- Leadership cannot explain what it is affirming.
These red flags do not mean the company is beyond repair. They mean the company needs a structured readiness effort before the next bid, prime request, or assessment.
A 30-60-90 Day CMMC Readiness Plan
Days 1-30: Identify applicable contracts, clauses, CAGE codes, systems, data types, cloud services, AI tools, external service providers, subcontractors, and existing documentation.
Days 31-60: Build or update the system boundary, SSP, asset inventory, CUI data flow map, network diagram, SPRS review, control matrix, and evidence repository.
Days 61-90: Prioritize gaps involving access control, MFA, endpoint protection, audit logging, vulnerability management, incident response, cloud configuration, CUI storage, AI tool use, and subcontractor flow-downs.
By the end of 90 days, your company should be able to answer five questions: What CMMC level do we need? Where do FCI and CUI live? Which systems are in scope? What is our current SPRS and CMMC posture? What evidence supports our compliance claim?
The Bottom Line
CMMC readiness is not just about passing an assessment. It is about protecting contract eligibility, reducing cyber risk, strengthening customer trust, and making cybersecurity compliance part of how the business operates.
Small and mid-sized contractors that prepare early will be better positioned to bid, win, subcontract, and perform. Companies that wait for a solicitation to force the issue may find themselves trying to solve scoping, documentation, technical control, cloud, AI, SPRS, and subcontractor problems all at once.
GS Consulting helps government contractors assess CMMC readiness, identify FCI and CUI, define assessment scope, review SSPs and POA&Ms, evaluate cloud and AI tool risk, prepare SPRS and evidence packages, and build practical remediation roadmaps aligned to contract requirements.
Ready to understand whether your company is CMMC-ready?
Contact GS Consulting for a GovCon Cybersecurity & CMMC Readiness Assessment.
Suggested Future Reading
- GovCon Cybersecurity & Compliance Hub: CMMC, NIST, CUI, Cloud, and AI-Enabled Readiness
- How DoD Contractors Can Use AI Without Putting CUI at Risk
- AI Disclosure in Federal Contracts: What GovCon Firms Should Prepare For
- NIST SP 800-171 Compliance: What GovCon Leaders Need to Know
- Secure Cloud Architecture for Federal Contractors Handling CUI