
A CMMC Countdown: 12-Day Readiness Must-Haves

As your countdown to CMMC Level 2 readiness continues, contractors handling CUI are operating under a new reality: CMMC has moved from policy to procurement. With the final DFARS rule in Title 48 of the CFR now in effect, and under Phase 1 of the rollout, contracting officers can include CMMC requirements in new solicitations and verify a contractor's eligibility in SPRS before award. This high-level 12-day guide highlights the key items organizations should have in place as they work toward meeting the evolving requirements. Whether you are early in your compliance efforts or refining existing practices, these reminders can help you stay aligned, stay eligible, and stay prepared for what comes next.


12 Must-Haves You Need in Place for CMMC Readiness

1. Documented System Security Plan (SSP)

A clear description of your environment, boundaries, technologies, and how each NIST 800-171 assessment objective is met.

2. Network Boundary & CUI Scoping Defined

You must know exactly where CUI exists, how it flows, and what systems fall inside your CMMC scope.

3. Access Control Policies & Enforcement

Role-based access, MFA, unique accounts, least privilege, and documented account management procedures.

4. Fully Implemented Multi-Factor Authentication (MFA)

MFA everywhere CUI is accessed — including remote access, privileged accounts, and local administrative logins.

5. Logging, Monitoring & Audit Trail Retention

Centralized logging (e.g., SIEM), log reviews, and retention that meets CMMC/NIST requirements.

6. Vulnerability Management Program

Regular scanning, patching timelines, documented remediation, and risk acceptance procedures.

7. Incident Response Plan & Tested Procedures

A written IR plan and evidence of exercises/tests. Not just a document — proof you’ve practiced.

8. Secure Configuration Baselines

Hardened system configurations, removal of defaults, and documentation of your secure baselines.

9. Encryption for CUI at Rest & In Transit

Validated cryptographic modules (FIPS-validated or NIST-approved algorithms) must be employed in all locations where CUI is transmitted or stored.

10. Vendor & Service Provider Assurance

Documented process for vetting and monitoring external service providers, especially those touching CUI.

11. Personnel Security Measures

Screening, onboarding/offboarding procedures, and training specific to CUI handling and cybersecurity.

12. POA&M & Continuous Monitoring

A manageable, prioritized Plan of Action & Milestones and proof that you’re tracking progress.


Prepare for CMMC 2.0: Watch “Blueprint to CMMC Level 2” On-Demand

Staying ahead of CMMC 2.0 requires more than checklists—it demands a clear understanding of NIST 800-171 and how each control impacts your environment. To ensure your team is fully prepared, don’t miss the on-demand presentation “Blueprint to CMMC Level 2: Understanding NIST 800-171 Controls,” led by Andrew Zoppi, CyberSheath’s Director of Compliance. Prepare for CMMC 2.0 with expert guidance and actionable strategies that set you up for success.

Since 2008, CyberSheath has helped Department of Defense (DOD) contractors and suppliers achieve, maintain, and prove compliance with DFARS, NIST 800-171, and CMMC 2.0. We deliver end-to-end managed compliance through our Assess, Implement, and Manage (AIM™) methodology, ensuring every customer remains audit-ready and eligible for DOD contracts.


Contact our team to understand your actual obligations and develop a plan that keeps you audit-ready and eligible for the contracts that sustain your business.