A CMMC compliance checklist is the fastest way for a small defense contractor to see where it stands before the rules bite. If you sell to the Department of Defense, CMMC is no longer optional. Without it, you lose the contract.
However, most checklists online come from compliance-software vendors and skip the parts that matter to a small shop. This guide is different. Specifically, it shows which level you actually need, the controls behind it, and how much of it your Microsoft 365 already covers. As a result, you walk in knowing the real work and the real cost.
Above all, this is written for a small business, not a Fortune 500 security team. So it keeps the language plain and the steps practical. By the end, you will know your level, your gaps, and where to start this month. Crucially, treat this as a list you return to, not a single read, because contracts change and the rules are still rolling out.
Not sure where your business stands on CMMC?
Wintive gets US small defense contractors CMMC-ready on the Microsoft 365 they already own. We confirm your level, map the controls to your tenant, find the gaps, and document the evidence an assessor will ask to see. The price is a flat monthly fee per user, with no long contract and no setup cost.
CMMC compliance checklist: the short answer
A CMMC compliance checklist covers the security practices a defense contractor must meet to keep DoD work. CMMC has levels: Level 1 protects basic Federal Contract Information with 17 practices and an annual self-assessment, while Level 2 protects Controlled Unclassified Information with the 110 NIST 800-171 controls and a third-party audit. Most small subcontractors are Level 1. Much of the work already lives in the Microsoft 365 you own, so the real job is finding the gaps and closing them before the deadline.
Here is the plain version. CMMC is the Department of Defense programme that checks whether a contractor protects sensitive information. It builds on the NIST 800-171 standard.
The level you need depends on the data you handle, not your size. Therefore, the first job is to work out whether you touch Controlled Unclassified Information at all.
Crucially, the CMMC compliance checklist turns a vague mandate into a concrete list. As a result, you stop worrying about CMMC in the abstract and start fixing the specific things an assessor will check.
What CMMC is, in plain English
First, the basics without the jargon. CMMC stands for Cybersecurity Maturity Model Certification, and the Department of Defense runs it. Its rules are published at the official DoD CMMC program site.
Think of it as a chain. The NIST 800-171 standard sets the controls, CMMC is the certification that proves you meet them, and your contract tells you which level applies.
Importantly, this is about revenue, not just security. A growing share of DoD contracts now require CMMC, so for a small supplier it is often the difference between keeping the work and losing it.
Equally, CMMC is not a certificate you simply buy. Instead, you implement the controls, document them, and then prove it, either to yourself at Level 1 or to an assessor at Level 2. So the work is real, but it is finite and well defined.
Notably, the standard is also stable. The controls come from NIST 800-171, which changes slowly. Therefore, the effort you put in now keeps paying off, rather than resetting every year.
In short, the chain is what makes CMMC manageable. NIST 800-171 gives you the controls, CMMC gives you the bar to clear, and your contract sets the level. As a result, three intimidating letters come down to a finite, checkable list.
Which CMMC level applies to you
Next, the question that decides everything: which level do you need? It comes down to the type of information you hold.
Specifically, if you only handle Federal Contract Information, you are Level 1: 17 basic practices and an annual self-assessment, with no outside auditor. If you handle Controlled Unclassified Information, you are Level 2: the full 110 controls and a third-party assessment.
Notably, most small subcontractors are Level 1, which is far lighter than the headlines suggest. Therefore, do not assume the worst before you check. The chart shows how the two compare.
In practice, the answer is usually in your contract language, or your prime contractor can tell you. When in doubt, assume Level 1 until controlled information is confirmed. As a result, you avoid over-building for a level you may never need.
In short, getting the level right is the single most valuable decision in the whole project. Pick too high and you waste months; pick too low and you fail an audit. Therefore, confirm it in writing before you spend a penny.
The CMMC compliance checklist itself
Here is the heart of it. A practical CMMC compliance checklist works through the areas an assessor will test, in plain terms.
Specifically, it covers who can access what, multi-factor sign-in, encryption, a record of activity, threat protection, media and device handling, physical access, incident response, and staff awareness. Each one maps to a control you can check off.
Importantly, you tick each item honestly, because an assessor checks the same list. As a result, an honest first pass shows you exactly how far you have to go.
The ten-point CMMC compliance checklist
Here is the list itself, ten checkpoints that map to what an assessor will actually verify. Work down it honestly and tick each item only when it is genuinely in place.
- Identify your Federal Contract Information and any Controlled Unclassified Information.
- Limit who can access that information, and enforce least privilege.
- Require multi-factor authentication for every user.
- Encrypt data at rest and in transit.
- Keep an audit log of activity and review it.
- Run anti-malware and threat protection on email and devices.
- Control removable media and how devices are handled.
- Write an incident response plan and test it.
- Train staff on handling sensitive information.
- Document everything in a System Security Plan.
Notably, none of these is exotic. Each is a normal part of running a secure business, and most are settings rather than new purchases.
Therefore, print the list and work through it. A first pass also shows how much of it is already done in the tools you own.
In short, the value of the list is the order it brings. Instead of a vague sense of risk, you get a sequence of concrete, checkable items. As a result, even a non-technical owner can track progress and know what is left.
The 14 families behind Level 2
If you are Level 2, the work groups into 14 families of controls. Knowing them keeps the project organised rather than overwhelming.
Specifically, the 110 NIST 800-171 controls split across areas such as access control, identification, audit, configuration, incident response, and system protection. Each family is a theme, not a mountain.
Crucially, you do not tackle all 110 at once. You work family by family, scoring where you stand. The chart lays out all 14 at a glance.
As a result, a daunting standard becomes a structured list. So even a small team can work through it steadily, one family at a time.
Importantly, many families overlap with everyday Microsoft 365 administration. Access control, identification, and audit logging are things you may already do. So the standard feels far less foreign once you map it to your own tenant.
Therefore, do not let the number 110 scare you. Grouped into 14 themes and mapped to your tenant, it becomes a manageable list. As a result, a small team can close most of it without a dedicated security hire.
Map your CMMC compliance checklist to Microsoft 365
This is the part the compliance-software vendors skip. If you run Microsoft 365, you already own the tools behind a large share of these controls. Therefore, you may not need an expensive new platform at all.
Specifically, Microsoft 365 already handles multi-factor sign-in, access control, encryption, an activity log, and threat protection. So a big chunk of both Level 1 and Level 2 is already on, or one setting away.
However, there is one catch worth planning for. If you handle Controlled Unclassified Information, you usually need Microsoft 365 GCC High, the government cloud, rather than the commercial version. The chart shows which fits which level.
Counting what your CMMC checklist already covers
Wintive insight. The costliest CMMC mistake we see is a small contractor buying a standalone compliance platform before anyone has checked what their Microsoft 365 already covers. For Level 1, commercial Microsoft 365 Business Premium handles most of the safeguards out of the box. For Level 2 with controlled information, the real decision is GCC High, and moving there early avoids a painful migration later. A focused readiness review of the tenant usually closes the genuine gaps for a fraction of a new platform, and it is exactly what our Master Audit delivers.
Therefore, do the mapping before you spend. Count what your tenant already satisfies, then price only the genuine gaps. As a result, you often find the distance to ready is far shorter, and cheaper, than the vendors suggest.
The road to CMMC certification
With the controls clear, picture the path. Getting CMMC-ready follows the same milestones for almost every small contractor.
Specifically, you scope where your sensitive information lives, write a System Security Plan, self-assess against the controls, build a Plan of Action and Milestones for the gaps, then complete the assessment.
Importantly, Level 1 stops at the self-assessment, which you do yourself each year. Level 2 adds a third-party audit by a certified assessor. The roadmap shows the milestones in order.
In practice, the longest part is usually closing the gaps, not the paperwork. So starting early is the single best thing a small contractor can do for its timeline.
Notably, the System Security Plan is the document that ties it all together. It records what you do for each control and what is still open. Therefore, keeping it current is what makes an assessment, or a self-assessment, go smoothly.
In practice, the assessment itself is the shortest part. The months go into closing gaps and gathering the evidence. So the contractors who start early are the ones who hit their deadline calmly.
What CMMC costs and how long it takes
Of course, owners want the numbers. Costs vary widely, so treat these as rough US ranges for a small business.
Specifically, Level 1 is mostly your own time over a few weeks, since there is no auditor. Level 2 is heavier: the controls take months, and you pay a certified assessor on top, plus any move to GCC High.
Notably, the biggest hidden cost is leaving it late. A looming contract deadline forces rushed, expensive choices. The table sets out the rough picture.
| Level | Rough timeline | Rough cost |
|---|---|---|
| Level 1 (FCI) | A few weeks | Low: mostly your own time |
| Level 2 (CUI) | Several months | Higher: controls, assessor, and GCC High |
However, that is exactly why preparation pays off. Every control you confirm yourself before an assessment is one the assessor does not bill you to find. Therefore, an early, honest self-check is the best-value money in the whole project: the contractors who do it almost always pay less and pass sooner than the firms that wait for a deadline to force their hand.
Who needs CMMC, and when
Of course, not every business needs CMMC. So decide by your contracts, not by fear. Specifically, if you sell or hope to sell to the Department of Defense, expect a CMMC requirement to appear in the contract terms.
Importantly, the requirement flows down the supply chain. A prime contractor passes it to its subcontractors, so even a small shop two tiers down can be in scope. Therefore, if you supply a company that supplies the DoD, check whether it reaches you.
Notably, the timing is set by the contract, and the rules are rolling out in phases. As a result, the safest move is to be ready before a bid asks for it, not after.
However, if you have no defense work and none planned, CMMC is not your priority yet. In that case, the broader security best practices still apply, but the certification clock has not started.
When your CMMC checklist clock starts

In short, let the contract decide. The moment a prospect or a prime mentions CMMC, the clock has started, and a CMMC compliance checklist gives you a head start. Therefore, treat that first mention as a green light to begin, not a problem to dread. Pulling the checklist out at that point also shows the prime you are serious and organised, so compliance becomes a reason to win work, not just a cost.
Therefore, watch your pipeline, not just your current contracts. A single new defense opportunity can make readiness urgent overnight. As a result, the contractors who prepare ahead win the work the unprepared cannot bid for.
Do it yourself, or bring in help
So, how should a small contractor actually get ready? Broadly, there are two routes. You either work the controls yourself, or you bring in a readiness partner who knows both CMMC and Microsoft 365.
Importantly, for Level 1 many small businesses can self-assess with a guide like this one. The practices are basic, and most live in settings you already own. Therefore, the do-it-yourself route is realistic for the lighter level.
However, Level 2 is harder, because the 110 controls and the GCC High decision carry real consequences. Specifically, a mistake there can mean a failed audit or a costly migration. As a result, many contractors bring in help for Level 2 readiness.
Notably, a good partner does not just hand you a tool. They map the controls to your tenant, tell you honestly what you already cover, and scope only the real gaps. So you avoid paying for a platform that duplicates your Microsoft 365.
In short, match the route to your level and your time. A lean Level 1 shop can self-assess, while a Level 2 contractor usually gains from a guided readiness review. As a result, the cheapest path is the one that fits your actual obligation.
Above all, the goal is the same either way: a clear, honest picture of your gaps. Whether you self-assess or bring in help, you want the truth, not a glossy report. Therefore, judge any partner by how plainly they explain what you already cover.
Common CMMC compliance checklist mistakes
A few mistakes derail small contractors again and again. First, many assume they are Level 2 when their contract only needs Level 1, and over-build for no reason.
Furthermore, some buy a compliance platform before checking what Microsoft 365 already does, then pay twice. Others leave it until a contract is on the line, then scramble and overpay.
Finally, a common trap is treating the System Security Plan as a one-time document. In truth, an assessor expects it to be current, so the plan has to stay alive.

Therefore, check your level first, use what you own, and start before a deadline forces your hand. As a result, you avoid the three most expensive mistakes in one move.
In short, the pattern behind every mistake is the same. People treat CMMC as a panic instead of a project. Therefore, confirm the level, work the list, and the deadline stops being a threat.
Above all, do not wait for certainty before you start. The rules will keep evolving, but the underlying controls are stable. Therefore, work the list you have now, and adjust as the details firm up.
Your first 30 days
Finally, here is how to begin without boiling the ocean. In the first month, you can move from confusion to a clear plan.
Specifically, start by confirming your level from your contract, then find where your sensitive information lives, then check what Microsoft 365 already covers. The table lays out a simple first month.
Notably, the goal of the first month is clarity, not completion. You will not be certified in thirty days, and that is fine. Therefore, aim to know your level, your gaps, and your budget.
| Week | Focus | Outcome |
|---|---|---|
| Week 1 | Confirm your CMMC level | Level 1 or Level 2, in writing |
| Week 2 | Map sensitive information | Where your FCI and CUI live |
| Weeks 3 to 4 | Check Microsoft 365 coverage | A list of the real gaps |
As a result, by the end of the month you know your level, your gaps, and your budget. So the rest of the project becomes execution, not guesswork.
Therefore, share that one-month plan with whoever signs the cheques. A costed, time-boxed plan is far easier to approve than a vague worry. As a result, you get the green light to actually start.
Notably, your CMMC compliance checklist is the backbone of that first month. It keeps the work focused on what an assessor actually checks. As a result, you spend the month on the controls that matter, not on busywork.
Your CMMC compliance checklist recap
Here is the condensed CMMC compliance checklist to keep on hand.
- Confirm your level from your contract before anything else.
- Level 1 is 17 practices and a yearly self-assessment.
- Level 2 is the 110 NIST 800-171 controls plus an audit.
- Most small subcontractors are Level 1.
- Microsoft 365 already covers a large share of the controls.
- Controlled information usually means moving to GCC High.
- Write and maintain a System Security Plan.
- Start early, because closing gaps takes the most time.
Ultimately, at Wintive we get US small contractors CMMC-ready on the Microsoft 365 they already run, as part of our managed security services. So we check your level, map the controls to your tenant, and show you the gaps and the budget. As a result, you reach your CMMC deadline with a plan you can defend, not a last-minute panic. To get started, contact us for a free consultation. It is quick, and we do the rest.
See exactly where your Microsoft 365 stands for CMMC
The M365 Master Audit is a full Microsoft 365 security audit for a US small contractor. Specifically, it reviews your identity, email, device, and data controls, maps them to the CMMC and NIST 800-171 requirements, finds every gap, and ranks the fixes by real risk. As a result, you get a written report, a clear action plan, and the evidence to show assessors.
❓ Frequently Asked Questions
What is a CMMC compliance checklist?
It is a practical list of the security practices a defense contractor must meet for CMMC, grouping the controls an assessor tests, such as access control, multi-factor sign-in, encryption, and logging, so you can see where you stand.
Which CMMC level do I need?
It depends on the data, not your size. Handle only Federal Contract Information and you are Level 1: 17 practices and a self-assessment. Handle Controlled Unclassified Information and you are Level 2: the 110 NIST 800-171 controls and an audit.
How much of CMMC does Microsoft 365 cover?
It covers a large share. Microsoft 365 already handles multi-factor authentication, access control, encryption, logging, and threat protection. For controlled information at Level 2, you usually need GCC High, the government cloud.
How much does CMMC cost, and how long does it take?
It varies widely. Level 1 is mostly your own time over a few weeks. Level 2 runs into months, plus a certified assessor and any move to GCC High. Closing gaps early keeps the total down.
What is the difference between NIST 800-171 and CMMC?
NIST 800-171 is the standard of 110 controls for protecting Controlled Unclassified Information. CMMC is the Department of Defense certification that verifies you meet them, with a self-assessment at Level 1 and a third-party audit at Level 2.
How do I start on CMMC?
Confirm your level from your contract, find where your sensitive information lives, then check what Microsoft 365 already covers. That first pass turns CMMC from a vague worry into a short, costed list of gaps.
Your next step
Want to know exactly where your business stands on this CMMC compliance checklist? First, book a short call. Then we confirm your level, map the controls to your Microsoft 365, and show you the gaps and the budget. To start, contact Wintive. It is quick, and we do the rest.