PUBLIC-SIGNAL INTELLIGENCE12–24 MONTHS EARLY · EVIDENCE CITED

Free CMMC tool · browser only

CMMC compliance checklist

Review all 110 NIST SP 800-171 Rev. 2 requirements by family, mark Met, Not met, or N/A, track gaps, and print your illustrative CMMC readiness checklist.

Educational checklist — not a C3PAO assessment

Overall readiness0%

0 met of 110 applicable · 0 reviewed

Met0
Not met0
N/A0
Not reviewed110
AC · Access Control0/22 met
3.1.1

Limit system access to authorized users, processes, and devices.

Not reviewed
3.1.2

Limit access to the types of transactions and functions authorized users may execute.

Not reviewed
3.1.3

Control the flow of CUI in accordance with approved authorizations.

Not reviewed
3.1.4

Separate duties of individuals to reduce risk of malevolent activity.

Not reviewed
3.1.5

Employ least privilege, including for specific security functions and privileged accounts.

Not reviewed
3.1.6

Use non-privileged accounts when accessing non-security functions.

Not reviewed
3.1.7

Prevent non-privileged users from executing privileged functions; capture in audit logs.

Not reviewed
3.1.8

Limit unsuccessful logon attempts.

Not reviewed
3.1.9

Provide privacy and security notices consistent with applicable CUI rules.

Not reviewed
3.1.10

Use session lock with pattern-hiding displays after inactivity.

Not reviewed
3.1.11

Terminate user sessions after a defined condition.

Not reviewed
3.1.12

Monitor and control remote access sessions.

Not reviewed
3.1.13

Use cryptographic mechanisms to protect remote access sessions.

Not reviewed
3.1.14

Route remote access via managed access control points.

Not reviewed
3.1.15

Authorize remote execution of privileged commands and remote access to security info.

Not reviewed
3.1.16

Authorize wireless access prior to allowing connections.

Not reviewed
3.1.17

Protect wireless access using authentication and encryption.

Not reviewed
3.1.18

Control connection of mobile devices.

Not reviewed
3.1.19

Encrypt CUI on mobile devices and mobile computing platforms.

Not reviewed
3.1.20

Verify and control/limit connections to and use of external systems.

Not reviewed
3.1.21

Limit use of portable storage devices on external systems.

Not reviewed
3.1.22

Control CUI posted or processed on publicly accessible systems.

Not reviewed
AT · Awareness & Training0/3 met
3.2.1

Ensure managers and users are aware of security risks and policies.

Not reviewed
3.2.2

Ensure personnel are trained to carry out their security duties.

Not reviewed
3.2.3

Provide security awareness training on recognizing insider threat.

Not reviewed
AU · Audit & Accountability0/9 met
3.3.1

Create and retain system audit logs and records.

Not reviewed
3.3.2

Ensure actions of individual users can be uniquely traced.

Not reviewed
3.3.3

Review and update logged events.

Not reviewed
3.3.4

Alert in the event of an audit logging process failure.

Not reviewed
3.3.5

Correlate audit record review, analysis, and reporting for investigation.

Not reviewed
3.3.6

Provide audit record reduction and report generation.

Not reviewed
3.3.7

Provide a system capability to compare and synchronize time sources.

Not reviewed
3.3.8

Protect audit information and logging tools from unauthorized access.

Not reviewed
3.3.9

Limit management of audit logging to a subset of privileged users.

Not reviewed
CM · Configuration Management0/9 met
3.4.1

Establish and maintain baseline configurations and inventories.

Not reviewed
3.4.2

Establish and enforce security configuration settings.

Not reviewed
3.4.3

Track, review, approve/disapprove, and log changes to systems.

Not reviewed
3.4.4

Analyze the security impact of changes prior to implementation.

Not reviewed
3.4.5

Define, document, and enforce access restrictions for changes.

Not reviewed
3.4.6

Employ the principle of least functionality.

Not reviewed
3.4.7

Restrict, disable, or prevent nonessential programs, functions, ports, protocols.

Not reviewed
3.4.8

Apply deny-by-exception (blacklist) or permit-by-exception (whitelist) policy.

Not reviewed
3.4.9

Control and monitor user-installed software.

Not reviewed
IA · Identification & Authentication0/11 met
3.5.1

Identify system users, processes acting on behalf of users, and devices.

Not reviewed
3.5.2

Authenticate identities as a prerequisite to system access.

Not reviewed
3.5.3

Use multifactor authentication for privileged and network access.

Not reviewed
3.5.4

Employ replay-resistant authentication mechanisms.

Not reviewed
3.5.5

Prevent reuse of identifiers for a defined period.

Not reviewed
3.5.6

Disable identifiers after a defined period of inactivity.

Not reviewed
3.5.7

Enforce a minimum password complexity and change of characters.

Not reviewed
3.5.8

Prohibit password reuse for a specified number of generations.

Not reviewed
3.5.9

Allow temporary password use with immediate change to permanent.

Not reviewed
3.5.10

Store and transmit only cryptographically-protected passwords.

Not reviewed
3.5.11

Obscure feedback of authentication information.

Not reviewed
IR · Incident Response0/3 met
3.6.1

Establish an operational incident-handling capability.

Not reviewed
3.6.2

Track, document, and report incidents to designated officials.

Not reviewed
3.6.3

Test the organizational incident response capability.

Not reviewed
MA · Maintenance0/6 met
3.7.1

Perform maintenance on organizational systems.

Not reviewed
3.7.2

Provide controls on tools, techniques, mechanisms, and personnel for maintenance.

Not reviewed
3.7.3

Sanitize equipment removed for off-site maintenance of any CUI.

Not reviewed
3.7.4

Check media containing diagnostic/test programs for malicious code.

Not reviewed
3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions.

Not reviewed
3.7.6

Supervise maintenance activities of personnel without required access.

Not reviewed
MP · Media Protection0/9 met
3.8.1

Protect system media containing CUI, both paper and digital.

Not reviewed
3.8.2

Limit access to CUI on system media to authorized users.

Not reviewed
3.8.3

Sanitize or destroy media containing CUI before disposal or reuse.

Not reviewed
3.8.4

Mark media with necessary CUI markings and distribution limitations.

Not reviewed
3.8.5

Control access to and account for media during transport.

Not reviewed
3.8.6

Implement cryptographic mechanisms to protect CUI on transported media.

Not reviewed
3.8.7

Control the use of removable media on system components.

Not reviewed
3.8.8

Prohibit use of portable storage devices with no identifiable owner.

Not reviewed
3.8.9

Protect the confidentiality of backup CUI at storage locations.

Not reviewed
PS · Personnel Security0/2 met
3.9.1

Screen individuals prior to authorizing access to CUI systems.

Not reviewed
3.9.2

Protect CUI during and after personnel actions (terminations, transfers).

Not reviewed
PE · Physical Protection0/6 met
3.10.1

Limit physical access to systems, equipment, and operating environments.

Not reviewed
3.10.2

Protect and monitor the physical facility and support infrastructure.

Not reviewed
3.10.3

Escort visitors and monitor visitor activity.

Not reviewed
3.10.4

Maintain audit logs of physical access.

Not reviewed
3.10.5

Control and manage physical access devices.

Not reviewed
3.10.6

Enforce safeguarding measures for CUI at alternate work sites.

Not reviewed
RA · Risk Assessment0/3 met
3.11.1

Periodically assess risk to operations, assets, and individuals.

Not reviewed
3.11.2

Scan for vulnerabilities in systems and applications periodically.

Not reviewed
3.11.3

Remediate vulnerabilities in accordance with risk assessments.

Not reviewed
CA · Security Assessment0/4 met
3.12.1

Periodically assess security controls for effectiveness.

Not reviewed
3.12.2

Develop and implement plans of action to correct deficiencies.

Not reviewed
3.12.3

Monitor security controls on an ongoing basis.

Not reviewed
3.12.4

Develop, document, and update system security plans.

Not reviewed
SC · System & Communications Protection0/16 met
3.13.1

Monitor, control, and protect communications at external and key internal boundaries.

Not reviewed
3.13.2

Employ architectural designs and principles that promote effective security.

Not reviewed
3.13.3

Separate user functionality from system management functionality.

Not reviewed
3.13.4

Prevent unauthorized and unintended information transfer via shared resources.

Not reviewed
3.13.5

Implement subnetworks for publicly accessible components (DMZ).

Not reviewed
3.13.6

Deny network traffic by default and allow by exception.

Not reviewed
3.13.7

Prevent remote devices from split tunneling into external networks.

Not reviewed
3.13.8

Use cryptographic mechanisms to prevent disclosure of CUI in transit.

Not reviewed
3.13.9

Terminate network connections at end of session or after inactivity.

Not reviewed
3.13.10

Establish and manage cryptographic keys.

Not reviewed
3.13.11

Employ FIPS-validated cryptography to protect CUI.

Not reviewed
3.13.12

Prohibit remote activation of collaborative devices; indicate use to users.

Not reviewed
3.13.13

Control and monitor use of mobile code.

Not reviewed
3.13.14

Control and monitor use of Voice over Internet Protocol (VoIP).

Not reviewed
3.13.15

Protect the authenticity of communications sessions.

Not reviewed
3.13.16

Protect the confidentiality of CUI at rest.

Not reviewed
SI · System & Information Integrity0/7 met
3.14.1

Identify, report, and correct system flaws in a timely manner.

Not reviewed
3.14.2

Provide protection from malicious code at designated locations.

Not reviewed
3.14.3

Monitor system security alerts and advisories and take action.

Not reviewed
3.14.4

Update malicious code protection mechanisms when new releases are available.

Not reviewed
3.14.5

Perform periodic and real-time scans of files from external sources.

Not reviewed
3.14.6

Monitor systems, including inbound and outbound traffic, to detect attacks.

Not reviewed
3.14.7

Identify unauthorized use of organizational systems.

Not reviewed
Current gaps0

Nothing is marked Not met yet. Review each requirement and use this list as a planning aid.

How the checklist works

The checklist groups the 110 NIST SP 800-171 Rev. 2 requirements into their 14 control families. Overall and family percentages count Met controls divided by applicable controls; anything marked N/A is excluded from that denominator, and unreviewed controls remain visible.

What to verify before an assessment

The requirement titles here are concise paraphrases, not the full NIST text. Confirm applicability, scoping, evidence, and the current contract requirement against the official publication and your assessor. A status choice is a planning note, not proof that a requirement is satisfied.

Important

Illustrative control set condensed from NIST SP 800-171 Rev. 2 — verify the full requirement text and your scoping against the official publication before an assessment. This educational tool is not a substitute for a C3PAO assessment.

Published references

Open the source material and verify the requirements or values that apply to your situation.

NIST SP 800-171 Rev. 232 CFR Part 170 — CMMC Program

Questions to verify

Frequently asked questions

Does this checklist certify CMMC compliance?

No. It is an educational planning aid and cannot replace an assessment, the full NIST requirement text, or the evidence an assessor will review.

Why does this use NIST SP 800-171 Rev. 2?

The current CMMC program rule incorporates Rev. 2 for Level 2. NIST has published Rev. 3, so verify the requirements named in your contract before relying on any checklist.

Where is my checklist saved?

Selections stay in this browser's local storage. LongLead does not receive them, and this page makes no network request with your answers.

LongLead flags which upcoming DoD projects will trigger CMMC requirements 12–24 months early.

See LongLead Cyber