CMMC Level 2 Audit Checklist All 110 Required Controls

Built from NIST SP 800-171 to help DoW contractors understand exactly what CMMC Level 2 C3PAO auditors require during a CMMC Level 2 assessment.

If your organization handles Controlled Unclassified Information (CUI), this checklist shows what must be implemented, documented, and evidenced to remain contract-eligible.

Do Not Lose Your Defense Contracts

If you handle Controlled Unclassified Information (CUI), CMMC Level 2 is required to protect sensitive data and qualify for federal contracts. We help you implement the 110 required security practices, strengthen your cybersecurity posture, and prepare for a successful assessment with confidence.

what is level 2?

It applies to contractors handling CUI who are allowed to self-verify instead of using a C3PAO. Even as a self-assessment, every one of the 110 controls must be documented to professional standards.

is this right for you?

This path is for non-prioritized acquisitions. If your contract doesn't explicitly require a third-party audit, our guided self-assessment is the fastest, most cost-effective route to compliance.

how we guide you

We don't just give you a checklist. We provide expert gap identification, remediation strategies, and the evidence-gathering framework needed to submit your assessment with 100% confidence.

Download the free CMMC Level 2 audit checklist and learn what you must fix now to stay eligible.

CMMC LEVEL 2 FAQ

Critical insights for DoW contractors regarding the Foundational compliance level.

How does a Level 2 Self Assessment differ from a C3PAO Audit?

While both evaluate the same 110 security controls based on NIST SP 800-171, the “CMMC level 2 Self Assessment” path is reserved for non-prioritized acquisitions. It allows contractors to verify their own compliance and have a senior official affirm it in the SPRS. A C3PAO Audit, conversely, requires a certified third-party organization to conduct the assessment for prioritized, high-sensitivity contracts.

Can we achieve CMMC Level 2 Self assessment compliance if we have open POAMs?

Negative. We execute a “Zero-Downtime” migration strategy. Data synchronization occurs in the background while your team continues to work. The final “cutover” is executed during off-hours (nights or weekends) to ensure seamless continuity for your workforce.

How is data integrity maintained during transit to the new enclave?

You must maintain a comprehensive System Security Plan (SSP) that details how each of the 110 controls is implemented. Additionally, you are required to gather “artifacts” or objective evidence such as configuration logs, policy screenshots, and training records to prove the effectiveness of your security posture during a government validation or spot check.

How is the SPRS Score calculated and what is the minimum required?

The scoring system starts at a maximum of 110 points (one for each NIST 800-171 control). However, CMMC Level 2 Self Assessment uses a weighted subtraction method: failing to meet critical controls can result in a negative score (as low as -203). To be competitive and compliant for Level 2, your goal should be a perfect 110. Any score below that requires a documented POAM and a clear 180-day timeline for full remediation.

What You’ll Get Inside the Audit Checklist

This is not a generic overview. The checklist includes:

  • All 110 CMMC Level 2 audit controls

  • Control-by-control requirements

  • Alignment to NIST SP 800-171

  • Audit-focused language used during assessments

  • A practical reference for internal readiness reviews

California HQ (West Coast)

471 W. Lambert Rd Suite 105
Brea, CA 92821
714-592-0063

Virginia (East Coast)

1750 Tysons Blvd, #1500
Tysons Corner, VA 22102
202-838-3111

© Copyright 2026. Brea Networks, LLC. All Rights Reserved.