CMMC 2.0 Compliance Checklist: 110 Practices

Complete checklist covering all CMMC Level 2 practices across 14 domains. Essential for DoD contractors protecting Controlled Unclassified Information (CUI).

110 practices | 14 domains | Level 2 focus

CMMC Level 2 Practices (110 Controls)

Based on NIST 800-171 requirements for CUI protection

AC: Access Control (22 practices)

AC.L2-3.1.1: Limit system access to authorized users
AC.L2-3.1.2: Limit system access to authorized processes
AC.L2-3.1.3: Control CUI flow within systems
AC.L2-3.1.4: Separate duties of individuals
AC.L2-3.1.5: Employ least privilege principle
AC.L2-3.1.6: Use non-privileged accounts for non-privileged functions
AC.L2-3.1.7: Prevent non-privileged users from executing privileged functions
AC.L2-3.1.8: Limit unsuccessful logon attempts
AC.L2-3.1.9: Provide privacy and security notices
AC.L2-3.1.10: Use session lock with pattern-hiding displays
AC.L2-3.1.11: Terminate sessions after defined period
AC.L2-3.1.12: Monitor and control remote access sessions
AC.L2-3.1.13: Employ cryptographic mechanisms for remote access
AC.L2-3.1.14: Route remote access via managed access points
AC.L2-3.1.15: Authorize remote execution and access
AC.L2-3.1.16: Authorize wireless access
AC.L2-3.1.17: Protect wireless access using authentication
AC.L2-3.1.18: Control connection of mobile devices
AC.L2-3.1.19: Encrypt CUI on mobile devices
AC.L2-3.1.20: Control portable storage devices
AC.L2-3.1.21: Limit use of portable storage devices
AC.L2-3.1.22: Control CUI posted or processed on public systems

AT: Awareness & Training (9 practices)

AT.L2-3.2.1: Ensure managers, system admins, and users are trained
AT.L2-3.2.2: Provide security awareness training on recognizing threats
AT.L2-3.2.3: Provide training on responding to suspicious activity
AT.L2-3.2.4: Provide training on insider threat awareness
AT.L2-3.2.5: Provide role-based security training
AT.L2-3.2.6: Update training when organizational changes occur
AT.L2-3.2.7: Provide training on social engineering and phishing
AT.L2-3.2.8: Provide training on CUI handling
AT.L2-3.2.9: Document security awareness activities

AU: Audit & Accountability (12 practices)

AU.L2-3.3.1: Create and retain audit logs
AU.L2-3.3.2: Ensure actions can be traced to users
AU.L2-3.3.3: Review and update logged events
AU.L2-3.3.4: Alert on audit logging process failures
AU.L2-3.3.5: Correlate audit records across repositories
AU.L2-3.3.6: Provide audit reduction and report generation
AU.L2-3.3.7: Provide time-ordered audit record review
AU.L2-3.3.8: Protect audit information from unauthorized access
AU.L2-3.3.9: Limit audit log management to authorized users
AU.L2-3.3.10: Back up audit records
AU.L2-3.3.11: Protect system clocks
AU.L2-3.3.12: Monitor for unauthorized local connections

CM: Configuration Management (10 practices)

CM.L2-3.4.1: Establish and maintain baseline configurations
CM.L2-3.4.2: Establish and enforce security configuration settings
CM.L2-3.4.3: Track, review, approve/disapprove changes
CM.L2-3.4.4: Analyze security impact of changes
CM.L2-3.4.5: Define and document configuration settings
CM.L2-3.4.6: Employ least functionality principle
CM.L2-3.4.7: Restrict, disable, prevent use of nonessential programs
CM.L2-3.4.8: Apply deny-by-exception for software programs
CM.L2-3.4.9: Control and monitor user-installed software
CM.L2-3.4.10: Enforce software installation by privileged users only

IA: Identification & Authentication (13 practices)

IA.L2-3.5.1: Identify users, processes, and devices
IA.L2-3.5.2: Authenticate users, processes, and devices
IA.L2-3.5.3: Use multi-factor authentication for local access
IA.L2-3.5.4: Use multi-factor authentication for network access
IA.L2-3.5.5: Prevent reuse of identifiers
IA.L2-3.5.6: Disable identifiers after period of inactivity
IA.L2-3.5.7: Enforce minimum password complexity
IA.L2-3.5.8: Prohibit password reuse
IA.L2-3.5.9: Allow temporary password use for system logon
IA.L2-3.5.10: Store and transmit passwords in cryptographic form
IA.L2-3.5.11: Obscure feedback of authentication information
IA.L2-3.5.12: Implement replay-resistant authentication
IA.L2-3.5.13: Manage session authenticators

IR: Incident Response (9 practices)

IR.L2-3.6.1: Establish operational incident handling capability
IR.L2-3.6.2: Track, document, and report incidents
IR.L2-3.6.3: Test incident response capability
IR.L2-3.6.4: Develop and implement incident response plan
IR.L2-3.6.5: Identify, respond to, and report information spills
IR.L2-3.6.6: Provide security incident response training
IR.L2-3.6.7: Coordinate incident response with internal and external stakeholders
IR.L2-3.6.8: Perform root cause analysis
IR.L2-3.6.9: Incorporate lessons learned into incident response

MA: Maintenance (6 practices)

MA.L2-3.7.1: Perform maintenance on systems
MA.L2-3.7.2: Provide controls on tools for system maintenance
MA.L2-3.7.3: Ensure equipment removed for maintenance is sanitized
MA.L2-3.7.4: Check media for malicious code before use
MA.L2-3.7.5: Require multi-factor authentication for remote maintenance
MA.L2-3.7.6: Supervise maintenance activities by non-privileged users

MP: Media Protection (9 practices)

MP.L2-3.8.1: Protect and control system media
MP.L2-3.8.2: Limit access to CUI on system media
MP.L2-3.8.3: Sanitize or destroy system media
MP.L2-3.8.4: Mark media with CUI handling instructions
MP.L2-3.8.5: Control access to media containing CUI
MP.L2-3.8.6: Implement cryptographic mechanisms for CUI confidentiality
MP.L2-3.8.7: Control use of removable media on system components
MP.L2-3.8.8: Prohibit use of portable storage devices
MP.L2-3.8.9: Protect media during transport outside controlled areas

PS: Personnel Security (7 practices)

PS.L2-3.9.1: Screen individuals prior to authorizing access
PS.L2-3.9.2: Ensure CUI is protected during personnel actions
PS.L2-3.9.3: Define and review personnel transfer and termination
PS.L2-3.9.4: Address employee sanctions and discipline
PS.L2-3.9.5: Implement personnel security requirements
PS.L2-3.9.6: Terminate access following separation
PS.L2-3.9.7: Review and update access authorizations

PE: Physical Protection (6 practices)

PE.L2-3.10.1: Limit physical access to systems and facilities
PE.L2-3.10.2: Protect and monitor physical access
PE.L2-3.10.3: Escort visitors and monitor visitor activity
PE.L2-3.10.4: Maintain audit logs of physical access
PE.L2-3.10.5: Control and manage physical access devices
PE.L2-3.10.6: Enforce safeguarding measures for CUI at alternate sites

RE: Recovery (7 practices)

RE.L2-3.11.1: Regularly back up CUI and protect backups
RE.L2-3.11.2: Test backup information regularly
RE.L2-3.11.3: Provide backup storage alternative to system
RE.L2-3.11.4: Implement disaster recovery capability
RE.L2-3.11.5: Test and exercise disaster recovery capability
RE.L2-3.11.6: Implement continuity of operations planning
RE.L2-3.11.7: Test continuity of operations plan

RM: Risk Assessment (5 practices)

RM.L2-3.12.1: Periodically assess risk to systems and data
RM.L2-3.12.2: Scan for vulnerabilities and remediate
RM.L2-3.12.3: Perform security assessments during development
RM.L2-3.12.4: Employ threat intelligence and vulnerability management
RM.L2-3.12.5: Conduct penetration testing

CA: Security Assessment (8 practices)

CA.L2-3.12.1: Develop and manage security assessment plan
CA.L2-3.12.2: Assess security controls periodically
CA.L2-3.12.3: Monitor ongoing security posture
CA.L2-3.12.4: Remediate vulnerabilities and track status
CA.L2-3.12.5: Perform ongoing authorization
CA.L2-3.12.6: Review and update security authorization
CA.L2-3.12.7: Employ third-party assessors when required
CA.L2-3.12.8: Document assessment results

SC: System & Communications Protection (23 practices)

SC.L2-3.13.1: Monitor and control communications at external boundaries
SC.L2-3.13.2: Employ architectural designs and configurations
SC.L2-3.13.3: Separate user functionality from system management
SC.L2-3.13.4: Prevent unauthorized information transfer
SC.L2-3.13.5: Implement subnetworks for publicly accessible components
SC.L2-3.13.6: Deny network communications by default
SC.L2-3.13.7: Prevent remote devices from simultaneous connection
SC.L2-3.13.8: Implement cryptographic mechanisms for confidentiality
SC.L2-3.13.9: Terminate network connections after defined period
SC.L2-3.13.10: Establish secure communication channels
SC.L2-3.13.11: Employ FIPS-validated cryptography
SC.L2-3.13.12: Prohibit remote activation of collaboration devices
SC.L2-3.13.13: Control and monitor use of mobile code
SC.L2-3.13.14: Control and monitor use of VoIP
SC.L2-3.13.15: Protect authenticity of communications sessions
SC.L2-3.13.16: Protect confidentiality of CUI at rest
SC.L2-3.13.17: Employ architectural designs to limit attack surface
SC.L2-3.13.18: Implement domain name system security
SC.L2-3.13.19: Protect information in transit
SC.L2-3.13.20: Protect information at rest
SC.L2-3.13.21: Implement boundary protection
SC.L2-3.13.22: Control information sharing
SC.L2-3.13.23: Limit use of organizationally-defined functions

Documentation Requirements

Required documentation for CMMC assessment

System Security Plan (SSP)

Document system boundaries and architecture
List all systems processing CUI
Document security controls implementation
Include network diagrams and data flows
List all system interconnections
Document security requirements

Policies & Procedures

Information security policy
Incident response procedures
Access control procedures
Configuration management procedures
Personnel security policy
Physical security procedures
Media protection procedures
System and communications protection policy

How LowerPlane Automates CMMC Compliance

NIST 800-171 Mapping

Automatically map your existing security controls to all 110 CMMC Level 2 practices.

Evidence Collection

Connect AWS, Azure, and security tools to automatically collect evidence for 50+ practices.

SSP Generation

Generate your System Security Plan automatically based on your infrastructure and controls.

Download Your Free CMMC Checklist

Get the complete 110-practice checklist as a printable PDF. Track your progress toward CMMC certification.

No email required for PDF download. Start tracking your compliance progress today.