CMMC 2.0 checklist: Level 1 & Level 2 practices for CUI
CMMC isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What CMMC requires
CMMC is assessed against 110 controls across 5 families: Access & identity, System protection, Audit & monitoring, Configuration mgmt, Documentation. Each must be both designed and operating — auditors want evidence it worked throughout the period, not just that it existed on paper.
The control checklist
All 14 CMMC 2.0 Level 2 domains (110 practices, built on NIST SP 800-171). Use the table below as your working checklist — 14 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Control | Requirement | Coverage |
|---|---|---|
| CMMC 2.0 Level 2 domains | ||
| AC | Access Control (22 practices) | Auto |
| AT | Awareness & Training (3) | Manual |
| AU | Audit & Accountability (9) | Auto |
| CA | Security Assessment (4) | Manual |
| CM | Configuration Management (9) | Auto |
| IA | Identification & Authentication (11) | Auto |
| IR | Incident Response (3) | Manual |
| MA | Maintenance (6) | Manual |
| MP | Media Protection (9) | Manual |
| PE | Physical Protection (6) | Manual |
| PS | Personnel Security (2) | Manual |
| RA | Risk Assessment (3) | Auto |
| SC | System & Communications Protection (16) | Auto |
| SI | System & Information Integrity (7) | Auto |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of CMMC controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.