How to Score Yourself
For each statement below, select the score that best describes your organization today. Be honest — this is a starting point, not a test.
2: We do this consistently and can prove it
1: We do this sometimes or can’t easily prove it
0: We don’t do this yet
Governance & Accountability
Score: 0 / 10
1. We have a named person who is accountable for CMMC readiness and reports progress to leadership.
2. Leadership understands which contracts or opportunities depend on CMMC Level 2 certification.
3. We have a documented information security policy that is reviewed at least annually.
4. We maintain an up-to-date inventory of in-scope systems that store, process, or transmit CUI.
5. We have a system security plan (SSP) or equivalent that describes our security architecture and controls.
Access Control & Identity
Score: 0 / 12
6. All user accounts are unique (no shared logins), and access is assigned based on role and need-to-know.
7. Multi-factor authentication (MFA) is required for all remote access and privileged accounts.
8. We have a process for promptly revoking access when employees or contractors leave or change roles.
9. Administrative and privileged access is restricted to authorized personnel and monitored.
10. We enforce password complexity and rotation policies in line with NIST guidance.
11. User access is reviewed periodically (at least annually) to ensure it is still appropriate.
Data Protection & Encryption
Score: 0 / 10
12. CUI is encrypted when stored on laptops, mobile devices, and removable media.
13. CUI is encrypted in transit (e.g., TLS/SSL for web traffic, VPNs for remote access).
14. We have documented procedures for handling, marking, and storing CUI.
15. Backup data containing CUI is encrypted and stored securely.
16. We sanitize or destroy media and devices containing CUI before disposal or reuse.
Monitoring, Logging & Incident Response
Score: 0 / 12
17. We log security-relevant events (logins, failed access attempts, privilege changes) on key systems.
18. Logs are reviewed regularly, and alerts are investigated promptly.
19. We have a documented incident response plan that includes roles, communication, and escalation.
20. Key staff know their roles in the incident response process and have been trained.
21. We conduct periodic incident response drills or tabletop exercises.
22. We report cyber incidents to appropriate parties (e.g., DoD, primes) as required by contract.
Vendor & Supply Chain Risk
Score: 0 / 8
23. We assess third-party providers (cloud, SaaS, contractors) that store, process, or transmit CUI on our behalf.
24. Contracts with third parties include security and compliance requirements.
25. We review vendor security posture periodically (questionnaires, audits, certifications).
26. We limit CUI access to only those vendors and partners who need it.
Maintenance, Configuration & Patching
Score: 0 / 8
27. Systems are configured using security baselines (e.g., CIS benchmarks, vendor hardening guides).
28. We apply security patches and updates to operating systems and applications in a timely manner.
29. Unnecessary services, accounts, and software are disabled or removed.
30. Remote maintenance and diagnostic sessions are logged, controlled, and approved.
Your Readiness Score
0 out of 60 (High Risk)
Complete the checklist above to see your readiness assessment. Score each item honestly to get the most useful result.
Governance: 0/10
Access Control: 0/12
Data Protection: 0/10
Monitoring: 0/12
Vendor Risk: 0/8
Maintenance: 0/8
Your score is a starting point, not a grade.
If your organization is facing CMMC requirements in the next 6–12 months, a professional gap assessment can save you months of guesswork, reduce the risk of failed audits, and help you protect current and future federal contracts.
This checklist is a planning tool, not a formal CMMC assessment. Actual certification requires a third-party C3PAO audit.
© 2026 Cadra, LLC. All rights reserved. | cadra.com | info@cadra.com