Most defense contractors fail CMMC assessments not because their security controls are weak, but because they can't prove those controls exist. Documentation is evidence. Here's the complete checklist of what a C3PAO (CMMC Third-Party Assessment Organization) assessor expects to see.
The technical controls for CMMC Level 2 (MFA, encryption, endpoint protection, vulnerability scanning) are well understood, and most IT professionals who work with defense contractors know how to implement them. The harder problem is documentation.
A C3PAO assessor cannot accept a verbal explanation on its own, no matter how compelling. NIST SP 800-171A, the assessment procedure CMMC uses, gives assessors three methods: examine (documents and configurations), interview (people), and test (the control in operation). An interview can corroborate, but it cannot replace the other two. Assessors need written policies that define the rules, written procedures that explain how those rules are implemented, and evidence that the controls are actually operating as described. When any of those three elements is missing, the practice is scored NOT MET, regardless of what's actually running in your environment.
The result: organizations with genuinely strong security postures fail assessments because their documentation didn't keep pace with their controls. This checklist exists to close that gap.
The assessor's perspective: the C3PAO assessment team reads your System Security Plan before they set foot in your environment. That document tells them what to examine, whom to interview, and what to test. A strong SSP lets the team target its sampling. A weak one, or no SSP at all, means everything gets examined at maximum depth.
The SSP is the cornerstone of your entire CMMC documentation package. It defines your system boundary, describes your architecture, lists your authorized users, and documents how your organization implements every one of the 110 NIST SP 800-171 Rev. 2 security requirements (CMMC calls them practices). Assessors read the SSP first and use it as their roadmap for everything that follows.
Covers: all 14 domains, 110 practices total · Required by NIST SP 800-171 practice 3.12.4, which DFARS 252.204-7012 imposes on contractors handling CUI
If you only have one document before your assessment, it needs to be the SSP. Everything else, your policies, procedures, and evidence, should be referenced from the SSP and consistent with what it says.
A complete SSP must include: system identification and ownership, a defined authorization boundary with a network diagram, a component inventory, system interconnections with their authorization status, an authorized user table, and for each of the 110 practices: implementation status (Implemented / Planned / N/A; note that at assessment a Planned practice is scored NOT MET unless it qualifies for the POA&M), a narrative description of how the practice is satisfied, the responsible role, and the evidence that can be produced on demand.
Our CMMC Level 2 SSP template covers all 110 practices across all 14 domains, with implementation status tracking, example language, and an evidence column for every practice. The structure C3PAO assessors expect, ready to fill in.
CMMC Level 2 spans 14 security domains. Each domain requires at minimum a written policy that defines your organization's rules for that area. Assessors treat the absence of a written policy as a gap, even when technical controls are in place.
Below are the core policy documents that map to the 14 CMMC domains. Some organizations combine related domains into a single policy (e.g., an Identification and Authentication Policy that also covers aspects of Access Control). Either approach is acceptable as long as all practice areas are addressed.
Access Control (AC). The largest domain and the one with the most assessment failures. Must cover account provisioning and deprovisioning, least privilege, separation of duties, system use notifications, session lock and timeout, remote access authorization and encryption, wireless access, mobile device management, and CUI information flow controls.
Practices: 3.1.1–3.1.22 (22 total)
Our Access Control Policy template maps formally to all 22 AC domain practices, including account lifecycle, least privilege, remote access, wireless, MFA, mobile devices, and CUI flow controls. Includes a practice-to-policy mapping appendix so assessors can find exactly what they need.
Audit and Accountability (AU). Defines which events are logged, how long logs are retained (NIST SP 800-171 does not fix a number; 90 days online and one year total is a common baseline), who has access to audit logs, how logs are protected from modification and deletion, and how logging failures are detected and alerted on. Must reference your SIEM (security information and event management: software that collects and correlates logs from across your environment to detect threats and support investigation) or log aggregation solution, and your log review cadence.
Practices: 3.3.1–3.3.9 (9 total)
Awareness and Training (AT). Defines training requirements for all users (annual at minimum), role-based training for IT and security personnel, and phishing simulation requirements. Must be paired with training completion records as evidence. Assessors will ask to see who has been trained and when.
Practices: 3.2.1–3.2.3 (3 total)
Configuration Management (CM). Covers asset inventory and baseline configurations, change management (request, approval, testing, implementation), security impact analysis, and application allowlisting / least functionality. Must reference your asset management tool and your hardening baselines (CIS Benchmarks or DISA STIGs), and explain how drift from the baseline is detected.
Practices: 3.4.1–3.4.9 (9 total)
Identification and Authentication (IA). Covers unique user identification, MFA requirements (practice 3.5.3 requires MFA for local and network access to privileged accounts and for network access to all non-privileged accounts; this is non-negotiable at Level 2), replay-resistant authentication, password complexity and reuse rules, disabling identifiers after a defined period of inactivity, and authentication of devices. This policy is closely tested: assessors verify MFA enforcement technically (for example, by watching a login attempt that omits the second factor get rejected), not just by reading the policy.
Practices: 3.5.1–3.5.11 (11 total)
Incident Response (IR). Must cover the full incident handling lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity, as structured in NIST SP 800-61), define the IR team and escalation chain, include the DFARS 252.204-7012 obligation to report cyber incidents to DoD via DIBNet within 72 hours of discovery, and be tested via a tabletop exercise at least annually. Exercise records are evidence.
Practices: 3.6.1–3.6.3 (3 total)
Maintenance (MA). Covers patching schedules, controls on maintenance tools and personnel, equipment sanitization before off-site repair, scanning of diagnostic media before use, and MFA requirements for remote maintenance sessions. Patching evidence (patch compliance reports) should be linked as supporting evidence in the SSP.
Practices: 3.7.1–3.7.6 (6 total)
Media Protection (MP). Covers physical and digital media handling, access controls, encryption of media in transport, removable media restrictions, CUI marking on media, and sanitization/destruction procedures aligned to NIST SP 800-88. Must include a documented sanitization procedure and records of destruction for retired hardware.
Practices: 3.8.1–3.8.9 (9 total)
Personnel Security (PS). Covers pre-employment background screening requirements and termination/transfer procedures, including immediate account deactivation, device return, and CUI access revocation. The offboarding checklist is key evidence, and HR and IT must have a documented handoff procedure.
Practices: 3.9.1–3.9.2 (2 total)
Physical Protection (PE). Covers physical access controls to CUI processing areas, visitor escort and logging, physical access audit logs, and remote work / alternate work site requirements for CUI. For small offices, even basic controls (a locked server closet, badged entry, a visitor sign-in log) need to be documented.
Practices: 3.10.1–3.10.6 (6 total)
Risk Assessment (RA). Requires a periodic formal risk assessment (annual is the usual cadence) with a documented methodology (NIST SP 800-30 is the reference), a risk register, vulnerability scanning of systems and applications with documented results and remediation SLAs, and evidence that vulnerabilities are tracked to closure. The risk assessment report itself is the primary artifact.
Practices: 3.11.1–3.11.3 (3 total)
Security Assessment (CA). The POA&M is a critical document that lists every known gap, who owns remediation, and the target completion date. Assessors expect a current, actively maintained POA&M, not one created the week before the assessment. A POA&M also does not excuse a gap: under the CMMC rule, a Level 2 certification with open POA&M items is only conditional, is available only when the assessment score meets the minimum threshold (88 of 110), is limited to lower-weighted requirements, and requires the open items to be closed within 180 days. The CA domain also requires periodic self-assessment of your controls (3.12.1) and evidence of continuous monitoring (SIEM dashboards, vulnerability scan schedules).
Practices: 3.12.1–3.12.4 (4 total)
System and Communications Protection (SC). Covers perimeter and boundary protection (firewalls, DMZ, network segmentation), encryption in transit (TLS 1.2 or later; practice 3.13.11 requires FIPS-validated cryptography wherever cryptography protects CUI, meaning the cryptographic module must appear on the NIST CMVP validated list, not merely use FIPS-approved algorithms), encryption at rest, VPN configuration, no split tunneling, session termination, and key management. Network diagrams showing segmentation are critical evidence here.
Practices: 3.13.1–3.13.16 (16 total)
System and Information Integrity (SI). Covers malware protection on all endpoints (EDR, endpoint detection and response, which monitors device behavior in real time and goes well beyond signature-based antivirus; real-time scanning must be enabled), security alerting and advisory subscriptions (CISA alerts), vulnerability remediation SLAs, intrusion detection configuration, and unauthorized use detection. EDR coverage reports and patch compliance evidence are the artifacts assessors want.
Practices: 3.14.1–3.14.7 (7 total)
Beyond domain policies, assessors commonly look for these supporting artifacts, documents that are referenced in the SSP but often don't exist in practice.
One of the most common documentation mistakes is treating each document as standalone. Assessors look for consistency across documents, and inconsistencies create findings. A few rules to keep in mind:
The fastest path to assessment readiness: Start with the SSP to understand your full scope, then build each domain policy to match what the SSP claims. The SSP sets the expectation, the policies explain the rules, the evidence proves the rules are followed. All three layers have to exist and agree.
If you're reading this with no documentation in place, the order of operations matters. Don't try to write everything at once; that's how you end up with inconsistent documents that contradict each other.
The CMMC Level 2 Documentation Pack includes both the System Security Plan (all 110 practices) and the Access Control Policy (all 22 AC practices), the two documents that set the foundation for every other assessment conversation. Together at $89, or available separately.
CMMC Level 2 documentation is not a one-time project; it's an ongoing program. Your SSP needs to be updated when your architecture changes. Your policies need to be reviewed annually. Your evidence artifacts accumulate over time as proof that your controls are operating as documented.
The good news is that once the foundation is built (the SSP, the core policies, and a maintained POA&M), the ongoing maintenance is manageable. The hard part is the initial build. Starting from professionally written templates that already have the right structure and practice coverage cuts that initial effort significantly and reduces the risk of critical gaps that don't surface until an assessor finds them.
If you're pursuing CMMC Level 2, start your documentation now. The worst time to discover a documentation gap is during your assessment. The second worst time is the day after. Start now.