CMMC Level 2 Audit

Checklist -All 110

Required Controls

Built from NIST SP 800-171 to help

DoD contractors understand exactly

what C3PAO auditors require during

a Level 2 assessment.

If your organization handles Controlled Unclassified Information (CUI), this checklist shows what must be implemented, documented, and evidenced to remain contract-eligible.

This Checklist Is For DoD Contractors Who:

Handle or store Controlled Unclassified Information (CUI)
Are subject to DFARS 252.204-7012
Are preparing for CMMC Level 2 certification
Want to avoid failed audits, delays, or lost contracts

If CMMC Level 2 applies to your organization, guessing is no longer an option.

Why Most Companies Struggle With CMMC Level 2

CMMC Level 2 includes 110 mandatory security controls.
Passing requires more than policies — auditors look for verifiable evidence.

Common issues we see:

Controls are partially implemented but not auditable
Documentation does not match technical reality
Evidence is missing, outdated, or inconsistent
Teams misunderstand what auditors actually validate

This checklist exists to remove that uncertainty.

Certified by a DoD-authorized C3PAO with a perfect assessment score.

Trust Indicators

C3PAO Assessed & Certified
NIST SP 800-171 Aligned
Defense Contractor Focused

What Is CMMC Level 2?

CMMC Level 2 applies to organizations that handle Controlled Unclassified Information (CUI) while supporting the Department of Defense. Level 2:

Is based on NIST SP 800-171
Requires implementation of 110 security controls
Must be verified through a third-party assessment
Is required to maintain eligibility for certain DoD contracts

Is based on NIST SP 800-171

Requires implementation of 110 security controls

Must be verified through a third-party assessment

Is required to maintain eligibility for certain DoD contracts

What You’ll Get Inside the Checklist

This is not a generic overview. The checklist includes:

All 110 CMMC Level 2 audit controls
Control-by-control requirements
Alignment to NIST SP 800-171
Audit-focused language used during assessments
A practical reference for internal readiness reviews

It’s designed to help you prepare before an auditor is involved.

Who We Are

Brea Networks is a cybersecurity and compliance firm focused on supporting DoD contractors and regulated organizations. We help organizations

Prepare for CMMC assessments
Protect Controlled Unclassified Information (CUI)
Align systems, policies, and evidence with audit requirements
Maintain long-term compliance without guesswork

We operate with a compliance-first approach — not generic IT consulting.

No Obligation. No Pressure. No Spam.

The checklist is 100% free
Download instantly as a PDF
No obligation to work with us
Unsubscribe at any time

This resource is provided to help DoD contractors understand what is required — nothing more.

Download the CMMC Level 2 Audit Checklist

Get immediate access to the full checklist covering all 110 required controls.

First Name
Last Name
Company Name
Business Email

Instant PDF download. Sent immediately to your email.

Checklist created by a CMMC Level 2 certified organization assessed by a DoD-authorized C3PAO.

By checking this box, I consent to receive transactional messages related to my account, orders, or services I have requested. These messages may include appointment reminders, order confirmations, and account notifications among others. Message frequency may vary. Message & Data rates may apply.Reply HELP for help or STOP to opt-out.

By checking this box, I consent to receive marketing and promotional messages, including special offers, discounts, new product updates among others. Message frequency may vary. Message & Data rates may apply. Reply HELP for help or STOP to opt-out.

California HQ

(West Coast)

451 W. Lambert Rd Suite 214
Brea, CA 92821
714-592-0063

Virginia

(East Coast)

1750 Tysons Blvd, #1500
Tysons Corner, VA 22102
202-838-3111