CMMC compliance checklist: Stay eligible for DoD contracts

Beginning in November 2025, all contractors and vendors who work with the Department of Defense (DoD) must begin to meet Cybersecurity Maturity Model Certification (CMMC) 2.0 standards in order to bid on new contracts. The DoD (informally referred to by the Trump administration as the Department of War) developed CMMC requirements to bolster cybersecurity among contractors and protect sensitive information from cyberattacks.

Keep reading to learn more about the CMMC compliance process, including a detailed CMMC compliance checklist to help you understand key requirements.

What is CMMC 2.0?

CMMC 2.0 is the latest iteration of the DoD’s ongoing effort to improve cybersecurity standards among its vendors and contractors. The rule aims to secure sensitive but unclassified information commonly shared with contractors, like federal contract information (FCI) and controlled unclassified information (CUI).

CMMC 2.0 requirements were finalized in late 2024 and will phase in over a three-year period from November 2025 through November 2028. Depending on the degree of sensitive information your business is exposed to, you will need to comply with either Level 1, Level 2 or Level 3 CMMC standards to bid on new DoD contracts.

Who needs CMMC certification?

CMMC applies to all third-party vendors that do business with the Department of Defense. As of November 10, 2025, all vendors (technically, the defense industrial base or DIB) must meet certain CMMC standards to obtain any new DoD contracts, as evaluated by either a self-assessment or a third-party assessment, depending on your business’s CMMC level.

What is the CMMC phase-in period?

CMMC will phase in over a three-year period. There are four phases, each kicking off one year apart, beginning on November 10, 2025.

During the first phase, DoD can begin including CMMC requirements in new contracts, and contractors will have to complete CMMC self-assessments to become eligible to bid. In later phases, some contractors may also be required to pass third-party assessments.

How long does it take to achieve CMMC compliance?

The CMMC compliance process is lengthy, with the DoD estimating it may take as long as 18 months to achieve compliance, depending on your level and the size of your organization. A CMMC audit checklist can help you understand more about what’s involved and organize your compliance process.

What are the essential CMMC 2.0 compliance requirements?

CMMC compliance is an ongoing effort. To navigate the initial compliance process, consult with a third-party cybersecurity advisory firm that is also a Registered Provider Organization (RPO) with specific CMMC experience. Your advisor can help you assess your organizational needs and implement solutions to bring you up to speed.

However, to help you begin to understand where you’ll need to make improvements, consider this CMMC compliance checklist:

CMMC 2.0 initial audit checklist

Here’s a CMMC checklist to help you start to plan out your CMMC compliance process:

• You understand the types of federal contract information (FCI)and controlled unclassified information (CUI) that you process, store, or transmit.
• You have identified your expected CMMC maturity level.
• You understand how your organization handles CUI and have documented the data flow.
• You have prepared a system security plan (SSP) that includes clearly defined system boundaries.
• Your business case for Department of Defense (DoD) work supports the compliance costs.
• You have defined and minimized the scope and business processes requiring certification.

Additional key CMMC steps for any organization that maintains CUI

Businesses that don’t maintain CUI face fewer requirements than those that do. If your business falls into the latter category, consider these additional steps:

• You have completed the NIST 800-171 self-assessment and submitted the score in the Supplier Performance Risk System (SPRS).
• The contracting office has communicated how CUI will be marked and delivered.
• The contracting office has communicated when they expect CMMC certification will be required.
• All vendors, contractors and subcontractors servicing DoD contracts have CMMC certification (or communicated a plan to become certified).
• All cloud service providers are Federal Risk and Authorization Management Program (FedRAMP) certified.
• Your incident response process for reporting to the DoD is aligned with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
• Your CMMC gap assessment is complete.
• You have prepared budgets for CMMC control implementation and operation.
• You have documented and are making progress on your CMMC remediation plan.
• You have identified your short list of certified CMMC assessors.

How do you start implementing your CMMC compliance checklist?

Here’s how to begin implementing a CMMC compliance plan:

1. Find an advisor

An advisory firm can make your compliance journey smoother and quicker by delivering outside experience to complement your internal team. Choose an advisor that understands both cybersecurity and your specific industry.

2. Evaluate your needs

Working with your advisor, evaluate the gaps in your existing cybersecurity protocols from a CMMC perspective. These gaps will depend on your CMMC level and current approach to cybersecurity.

3. Implement additional governance, controls and safeguards

Once you’ve identified your needs, address them. This may look like introducing new governance structures, internal controls, safeguards or other measures to strengthen your ability to protect CUI and FCI.

4. Pass a self-assessment or third-party assessment

To remain eligible to bid on new DoD contracts, you’ll need to pass regular CMMC assessments. Depending on your level of exposure to CUI, these may be self-assessed or conducted by a third party.

How Wipfli can help

We help your business strengthen cybersecurity and meet CMMC requirements. Let’s talk about your needs and develop a plan to help your organization achieve and maintain compliance so you can remain eligible to bid on DoD contracts. Start a conversation.

Read more

• From compliance to confidence: Mastering the new CMMC requirements
• How to prepare for CMMC readiness
• The 3 pillars of smarter cybersecurity program management