You are preparing a proposal for a DoD contract worth $12 million. The Statement of Work references CUI handling requirements. The evaluation criteria award bonus points for CMMC Level 3 certification. You have six weeks to submit. You are not sure whether your current environment meets the minimum requirements, and you do not know whether the contract will require a self-assessment or a full third-party audit.
This is the reality for thousands of DoD contractors today. The Cybersecurity Maturity Model Certification (CMMC) program has moved from a pilot concept to a contractual requirement, and the DoD is actively including CMMC level requirements in new solicitations. If you are bidding on unclassified DoD contracts, CMMC compliance is no longer optional due diligence — it is a gating requirement that determines whether you can even be considered for award.
Understanding the Five CMMC Levels
CMMC consists of five maturity levels, each building on the requirements of the level below it. Understanding which level applies to your business and your contracts is the first and most critical step in compliance planning.
Level 1 — Foundational
Requires 17 practices from FAR 52.204-21 (basic safeguarding requirements). This level is for contractors that handle only Federal Contract Information (FCI) and do not create, receive, or transmit CUI. An annual self-assessment is required, with results submitted to SPRS. This is the minimum floor for any DoD contract.
Level 2 — Advanced
Requires all 110 practices from NIST SP 800-171 Rev 2, plus documentation, policy, and procedural requirements. This is the baseline for most contractors handling CUI. Either a self-assessment or a third-party assessment applies, depending on contract value and criticality. This is the level most DoD contractors need to target.
Level 3 — Expert
Requires the 110 NIST 800-171 practices plus a subset of practices from NIST SP 800-172 (Enhanced). Government-led assessment (DIBCAC) required. For contractors working on high-value programs and critical national security systems.
Levels 4–5 — Proactive / Emerging
Rarely required in current DoD contracts. Level 4 adds 15 practices focused on reducing advanced persistent threats (APT). Level 5 requires 13 additional practices for organizations facing sophisticated APTs. Primarily relevant for prime contractors on the most sensitive programs.
CMMC Level 1 Compliance Checklist
Level 1 is the entry point for all DoD contractors. If your company only handles FCI and never touches CUI, Level 1 self-assessment may be your only requirement. Complete this checklist annually and submit results to SPRS.
Complete FAR 52.204-21 self-assessment. Review all 15 FAR safeguarding requirements and map them to your current information systems and business processes.
Submit assessment to SPRS. Document your Level 1 compliance status in the Supplier Performance Risk System (SPRS) at https://www.sprs.pmrti.com. Your SPRS score is a prerequisite for contract award.
Identify FCI handling boundaries. Document which systems, people, and processes handle FCI. Ensure FCI is not commingled with CUI on the same systems.
Train all employees on basic cybersecurity awareness. Level 1 requires awareness training for all personnel who handle FCI. Document training completion dates.
Implement basic access controls. Ensure systems that store or process FCI have unique account identification, password requirements, and physical access controls.
CMMC Level 2 Compliance Checklist
Level 2 is where most DoD contractors face the real compliance burden. This requires implementing all 110 NIST SP 800-171 Rev 2 controls across 14 domains. If you handle CUI — which most DoD contractors do — this is your target level.
Documentation and Policy Requirements
Develop a System Security Plan (SSP). Document all 110 NIST 800-171 controls, their implementation status, and the responsible parties. The SSP is the primary artifact assessors will review.
Create Plans of Action & Milestones (POA&Ms). For any control not fully implemented, document the gap, remediation steps, resource requirements, and completion dates. Assessors will score you on how many POA&Ms you have and how close you are to closing them.
Establish written cybersecurity policies. Document policies for access control, incident response, media protection, personnel security, and physical protection. Policies must be approved by leadership and communicated to all relevant personnel.
Define and document CUI boundaries. Identify all systems, networks, and storage locations where CUI is created, processed, stored, or transmitted. This is your CUI Authorization Boundary — the scope of your CMMC assessment.
Access Control and Identity Management
Implement role-based access control (RBAC). Limit system access to authorized users based on their role. CUI access should be granted on a least-privilege basis.
Enforce multi-factor authentication (MFA). MFA is required for all accounts that can access CUI, including both local and network access. This is one of the most commonly cited deficiencies in failed assessments.
Control remote access. Any remote access to CUI systems must use approved encryption, VPN, and access control mechanisms. Document all remote access paths in your SSP.
Audit account activity. Log all access to CUI systems, retain logs for at least 90 days, and review logs regularly for anomalous activity.
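The three access-control items above (least-privilege CUI access, MFA on every CUI account, and regular review of access logs for anomalies) can be checked together in one log review. The script below is an added example, not code from the page or from ProposalFirewall; the log line layout, host name, user names and the CUI role roster are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line layout:
# <ISO timestamp> host=<system> user=<account> event=<login|file_read> result=<ok|fail> mfa=<yes|no>
SAMPLE_LOG = """\
2024-03-01T09:02:11 host=cui-fs01 user=alice event=login result=ok mfa=yes
2024-03-01T09:05:40 host=cui-fs01 user=alice event=file_read result=ok mfa=yes
2024-03-01T09:10:02 host=cui-fs01 user=bob event=login result=ok mfa=no
2024-03-01T23:41:00 host=cui-fs01 user=mallory event=login result=fail mfa=no
2024-03-01T23:41:07 host=cui-fs01 user=mallory event=login result=fail mfa=no
2024-03-01T23:41:15 host=cui-fs01 user=mallory event=login result=fail mfa=no
2024-03-02T10:15:33 host=cui-fs01 user=carol event=file_read result=ok mfa=yes
"""

CUI_ROLE = {"alice", "bob"}            # assumed RBAC roster of accounts cleared for CUI
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review(log_text):
    """Return (finding, user) tuples for a human reviewer, in log order."""
    findings, fails = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        # Least privilege: successful access by an account outside the CUI role.
        if r["result"] == "ok" and r["user"] not in CUI_ROLE:
            findings.append(("unauthorized_access", r["user"]))
        # MFA: a successful login that presented no second factor.
        if r["event"] == "login" and r["result"] == "ok" and r["mfa"] != "yes":
            findings.append(("login_without_mfa", r["user"]))
        # Brute force: FAIL_THRESHOLD failures inside a sliding FAIL_WINDOW.
        if r["result"] == "fail":
            recent = [t for t in fails[r["user"]] if r["ts"] - t <= FAIL_WINDOW]
            recent.append(r["ts"])
            fails[r["user"]] = recent
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("failed_login_burst", r["user"]))
    return findings

if __name__ == "__main__":
    for kind, user in review(SAMPLE_LOG):
        print(f"{kind}: {user}")
```

Keeping the output of each review alongside the reviewed log range is the evidence artifact an assessor will ask for when checking that log review actually happens.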
Media Protection and Incident Response
Mark and label all CUI media. All portable media (USB drives, external hard drives, laptops) that contain CUI must be marked, labeled, and tracked. Implement a checkout/check-in process for CUI media.
Sanitize or destroy CUI media before disposal. Use approved sanitization methods (NIST 800-88 Guidelines for Media Sanitization) before disposing of any media that has stored CUI.
Develop and test an Incident Response Plan. Document procedures for identifying, reporting, containing, and recovering from cybersecurity incidents. Conduct tabletop exercises annually to test your plan.
Report incidents to DoD. For cyber incidents involving CUI, follow the incident reporting requirements in DFARS 252.204-7012. DoD requires rapid reporting for incidents affecting CUI on contractor systems.
Technical Controls for CUI Protection
Encrypt CUI at rest and in transit. All CUI stored on systems, networks, or portable media must be encrypted using FIPS 140-2 validated cryptographic modules. This is another area where contractors commonly fall short.
Implement boundary protection. Use firewalls, intrusion detection/prevention systems, and network segmentation to protect CUI systems from unauthorized access and exfiltration.
Control configuration settings. Implement DoD-approved security configuration baselines (STIGs or CIS Benchmarks) for all systems in your CUI boundary. Document deviations in your SSP with compensating controls.
Enable audit logging for CUI systems. Generate, store, and protect audit logs for all CUI systems. Ensure logs cannot be modified or deleted by unauthorized users.
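Access controls keep unauthorized users away from the logs; a hash chain lets a reviewer detect after the fact whether an entry was edited or removed. The example below is added here and is not code from the page or the project; the record layout and host name are assumptions and the records are constructed sample data. Storing the latest chain hash on a separate, write-protected system is the assumed way to also catch truncation of the tail.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor hash for the first entry

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain, record):
    """Append an audit record linked to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _digest(prev, record)})
    return chain

def verify(chain, expected_head=None):
    """Walk the chain; return (True, None) or (False, index of the first bad entry).

    expected_head is the last hash recorded on a separate, write-protected
    system; supplying it also catches deletion of entries from the tail."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def sample_chain():
    """Constructed records for an assumed CUI file server (not real data)."""
    chain = []
    append(chain, {"ts": "2024-03-01T09:02:11", "user": "alice", "event": "login", "host": "cui-fs01"})
    append(chain, {"ts": "2024-03-01T09:05:40", "user": "alice", "event": "file_read", "host": "cui-fs01"})
    append(chain, {"ts": "2024-03-01T09:10:02", "user": "bob", "event": "login", "host": "cui-fs01"})
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["hash"]                  # what you would ship off-box after each write
    print(verify(chain, head))                # intact chain
    chain[1]["record"]["user"] = "mallory"    # an edited entry breaks the chain at index 1
    print(verify(chain, head))
    chain = sample_chain()
    del chain[1]                              # a deleted entry breaks the link at index 1
    print(verify(chain, head))
    chain = sample_chain()
    chain.pop()                               # tail truncation is only caught via expected_head
    print(verify(chain), verify(chain, head))
```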
Preparing for a Third-Party Assessment
If your contract requires a C3PAO assessment (Level 2 or Level 3), the assessment process is rigorous. A certified assessor will review your SSP, POA&Ms, policies, and supporting evidence — then test a sample of your technical controls through interviews, documentation review, and in some cases, hands-on system testing.
The most important preparation step is to conduct a self-assessment before your C3PAO assessment. Score yourself against the CMMC Assessment Guide for your target level. Identify gaps early and create a realistic remediation plan. Bring in external expertise if needed — a pre-assessment gap analysis from a qualified firm can save you from a failed assessment, which delays contract award and damages your reputation.
What Assessors Look For
Evidence of operational implementation. Having a policy document is not enough. Assessors want to see that controls are actually operating as documented — logs being reviewed, access being enforced, media being tracked. Gather evidence artifacts before the assessment.
Consistent scoping. Your CUI boundary must be clearly defined and consistently applied across all 14 domains. Assessors will check that you have not inadvertently scoped CUI out of your boundary to reduce compliance burden.
POA&M quality and progress. Assessors will look at your POA&Ms as a measure of your organizational commitment to full compliance. Having an excessive number of open POA&Ms on a high-dollar, critical-program contract will raise concerns.
Personnel awareness. Assessors will interview your staff to verify they understand your cybersecurity policies and know how to handle CUI. Everyone who touches CUI should be able to explain your media handling, incident response, and access control procedures.
How CMMC Affects Your Proposals
CMMC requirements do not appear only in contracts at high dollar values. The DoD is including CMMC level requirements in solicitations across all dollar thresholds. Before pursuing any opportunity, you need to answer three questions:
What CMMC level does this contract require?
The solicitation will specify a CMMC level (typically Level 1, 2, or 3) as either a pass/fail requirement or a scored evaluation factor. You cannot win a contract requiring Level 3 if you only hold Level 2 certification.
Do I hold the required CMMC level today?
Check your SPRS score for Level 1 self-assessment. For Level 2 and above, verify your assessment status with your C3PAO or the CMMC eMASS portal. If you are in a POA&M period, you may be eligible for a lower-level contract while you remediate.
Can I achieve the required level before proposal submission?
For Level 1, you can often complete self-assessment in 2–4 weeks. For Level 2 with C3PAO assessment, start the process 6–12 months before you expect to need certification. C3PAO availability is still constrained in many regions.
If you cannot meet the required CMMC level, do not bid. Proposing without the required certification is grounds for contract termination and can trigger False Claims Act liability if you misrepresented your compliance status. ProposalFirewall's compliance tracking can help you monitor your CMMC posture across all active opportunities and identify gaps before they become proposal disqualifiers.