CMMC Compliance Checklist 2026: All 110 NIST 800-171 Controls + AI-Ready Guide


CMMC Compliance Checklist: Your Top Questions Answered


What Should a CMMC Compliance Checklist Include?

A complete CMMC compliance checklist must cover all 110 security controls from NIST SP 800-171 Revision 2, organized across the 14 control families, plus the documentation and process requirements that assessors actually verify during a C3PAO audit.

A genuinely useful CMMC compliance checklist includes every control mapped to its NIST 800-171 identifier, your current implementation status for each control, the evidence artifacts required to prove compliance, your System Security Plan (SSP) mapping, and your Plan of Action & Milestones (POA&M) for any gaps.


What Is the CMMC Level 1 Checklist?

The CMMC Level 1 checklist covers 15 basic cybersecurity practices derived from FAR 52.204-21, focused on protecting Federal Contract Information (FCI).

Level 1 requires only an annual self-assessment, making it the entry point for contractors who handle FCI but not Controlled Unclassified Information (CUI).


How Do AI Tools Like Copilot Fit Into a CMMC Compliance Checklist?

AI tools must be explicitly addressed in your CMMC compliance checklist because any AI platform that processes, stores, or has access to CUI must operate within your FedRAMP High / GCC High authorization boundary.

Your CMMC audit checklist should include an AI Usage Policy that defines which AI tools are authorized, how they are provisioned, what data they can access, and who approves new deployments.


Need help working through this checklist?

Schedule Your Free CMMC Gap Assessment

Call 877-540-1684 or visit HD Tech at 322 Main St #4, Seal Beach, CA 90740


The Complete CMMC Compliance Checklist: All 110 NIST 800-171 Controls

This is the working CMMC audit checklist that HD Tech uses with defense contractors preparing for C3PAO assessments.

CMMC 2.0 Level Comparison: Which Checklist Do You Need?

Requirement       Level 1 (Foundational)          Level 2 (Advanced)                      Level 3 (Expert)
Controls          15 practices (FAR 52.204-21)    110 controls (NIST SP 800-171 Rev 2)    110+ enhanced (NIST SP 800-172)
Data Protected    FCI only                        CUI                                     Critical CUI programs
Assessment        Annual self-assessment          C3PAO third-party audit                 Government-led (DIBCAC)
SSP Required      No                              Yes                                     Yes (enhanced)
POA&M Allowed     No                              Yes (limited, 180-day closeout)         Government discretion

1. Access Control (AC)

Define who can access CUI, under what conditions, and from which devices or locations.

  • Limit system access to authorized users and devices.
  • Limit access to the types of transactions and functions authorized users are permitted to execute.
  • Control remote access and enforce separation of duties where required.

Key evidence artifacts: Access control policy, account management procedures, network diagrams showing CUI boundaries, conditional access policies, MFA settings, VPN logs, and MDM policies.


2. Awareness and Training (AT)

Training should go beyond annual phishing simulations and include role-based security awareness.

  • Ensure users understand security risks and applicable policies.
  • Train staff to perform information security duties.
  • Provide insider threat awareness training.

Key evidence artifacts: Training records, curriculum, insider threat program documentation, and role-based admin training.


3. Audit and Accountability (AU)

If you cannot prove it happened, it did not happen. Logging is central to audit readiness.

  • Create and retain audit logs for monitoring and investigation.
  • Ensure actions can be uniquely traced to users.
  • Protect audit records from unauthorized access or deletion.

Key evidence artifacts: SIEM retention settings, audit samples, NTP synchronization records, and access control for audit tools.


4. Configuration Management (CM)

Configuration management prevents drift and keeps systems aligned with secure baselines.

  • Maintain baseline configurations and inventories.
  • Track, review, approve, and log system changes.
  • Restrict nonessential software, ports, protocols, and services.

Key evidence artifacts: Hardware and software inventories, baseline documentation, change logs, CIS benchmark reports, and GPO or Intune exports.


5. Identification and Authentication (IA)

Every access decision starts with confirming identity.

  • Identify users, devices, and processes.
  • Authenticate before granting access.
  • Use MFA for privileged and non-privileged access where required.

Key evidence artifacts: MFA enrollment records, Conditional Access policies, password policy settings, service account inventory, and cryptographic credential protections.


6. Incident Response (IR)

The DoD breach reporting window is short, so preparation is essential.

  • Establish an incident handling capability.
  • Track, document, and report incidents.
  • Test the incident response capability regularly.

Key evidence artifacts: IR plan, incident team roster, tabletop exercises, DIBNet procedures, and incident logs.


Overwhelmed by 110 controls? You do not have to do this alone.

HD Tech handles the full CMMC compliance journey — from gap assessment to C3PAO-ready posture.

Call 877-540-1684 | Seal Beach, CA | Flat-rate pricing, no surprises


The CMMC Compliance Roadmap: 8 Steps From Gap Assessment to Certification

  1. Scope your CUI environment. Identify every system, user, and data flow that touches CUI.
  2. Conduct a gap assessment. Map your current security posture against all 110 controls.
  3. Calculate your SPRS score. Determine your current Supplier Performance Risk System score.
  4. Build your System Security Plan. Document how each control is implemented.
  5. Create your POA&M. Document gaps, owners, and remediation timelines.
  6. Remediate and implement. Deploy controls, write policies, and train personnel.
  7. Run a readiness review. Validate every control as if you were the assessor.
  8. Schedule your C3PAO assessment. Demonstrate compliance and close remaining gaps.

CMMC Compliance by the Numbers

Statistic                                                        Source
$4.88 million — average cost of a data breach in 2024            IBM Cost of a Data Breach Report 2024
87% of contractors reviewed had significant NIST 800-171 gaps    DoD Inspector General
68% of breaches involved a human element                         Verizon DBIR 2024
180 days maximum POA&M closeout period                           CMMC 2.0 Final Rule
72 hours mandatory DoD breach reporting window                   DFARS 252.204-7012

Ready to check every box on this list?

HD Tech — CMMC Compliance Services | 30+ Years | Flat-Rate Pricing

Call 877-540-1684 | Seal Beach, CA 90740

Gap assessment → remediation → C3PAO-ready.
