Cybersecurity Compliance | 24 min read

CMMC Readiness Checklist for Small and Midsized Government Contractors


Image: secure server hardware and network infrastructure for CMMC readiness (photo by Philipp Katzenberger on Unsplash).

Key Takeaways

AI adoption has to move fast and stay controlled.

  1. Start With Mission Value. Prioritize use cases tied to measurable business, delivery, or mission outcomes.
  2. Protect the Data Boundary. Define what data AI tools can touch before selecting vendors or architectures.
  3. Keep Humans Accountable. Use AI to support workflows while retaining trained review and escalation paths.
  4. Document the Controls. Maintain inventories, testing evidence, monitoring plans, and risk decisions.

CMMC readiness is not a paperwork exercise. It is contract readiness.

Small and midsized contractors should not wait for a solicitation, prime request, contracting officer, or assessor to ask for proof. By then, the hard work should already be done: identify FCI and CUI, define the assessment boundary, update the SSP, validate SPRS, close serious gaps, organize evidence, review cloud and AI tools, and confirm subcontractor flow downs.

The companies that handle CMMC well will not be the ones with the thickest policy binder. They will be the ones that can explain what data they handle, which systems are in scope, what controls are implemented, what evidence exists, and who is accountable for the affirmation.

The Cybersecurity Maturity Model Certification program is designed to give the Department increased assurance that contractors and subcontractors have implemented required cybersecurity standards for nonfederal systems that process, store, or transmit Federal Contract Information or Controlled Unclassified Information. The program is implemented through contracts, and contractors entrusted with FCI or CUI must achieve the required CMMC level as a condition of contract award.

As of May 31, 2026, CMMC Phase 1 implementation is underway. Phase 1 began on November 10, 2025, and runs through November 9, 2026, with primary focus on CMMC Level 1 and Level 2 self assessments and affirmations in SPRS.

Do not wait for the solicitation to find out you are not ready.

GS Consulting helps government contractors identify FCI and CUI, define CMMC scope, review SSPs and POA&Ms, validate SPRS readiness, evaluate cloud, SaaS, MSP, and AI tool risk, and prepare evidence packages aligned to contract requirements.

Request a CMMC Readiness Assessment

CMMC readiness is no longer something contractors can push into the future.

For small and midsized government contractors, the risk is practical: the opportunity appears, the prime asks for status, the solicitation requires a CMMC level, the contracting officer checks SPRS, or leadership is asked to affirm compliance, and the company realizes the SSP is stale, the CUI boundary is unclear, the evidence is scattered, the cloud responsibilities are undocumented, and subcontractor status is unknown.

That is not a cybersecurity nuisance. That is a business problem.

CMMC readiness should answer five basic questions before the pressure hits: What contracts drive the requirement? Where do FCI and CUI live? Which systems and providers are in scope? What evidence proves the controls are implemented and operating? Who is willing to affirm that the status is accurate?

If those answers are not ready, the company is not ready.

A practical CMMC readiness checklist starts with contract drivers and FCI/CUI data flows, then moves through scope definition, SSP updates, evidence packages, POA&M remediation, and affirmation readiness.

Why CMMC Readiness Matters Now

CMMC is not just a cybersecurity framework. It is becoming a contract gate.

DFARS 252.204-7025 states that the required CMMC level, or higher, is required prior to award for each contractor information system that will process, store, or transmit FCI or CUI during contract performance. It also states that an offeror will not be eligible for award if it does not have the required current CMMC status and a current affirmation of continuous compliance entered in SPRS.

That changes how contractors should manage cybersecurity. CMMC readiness is not something the IT team can clean up after the bid or no bid decision. It has to be part of capture, contracts, program delivery, vendor management, subcontracting, cloud architecture, AI tool governance, and executive risk management.

If the company cannot show the required current CMMC status, current affirmation, and supporting evidence when the opportunity requires it, the technical solution may never matter. The company may not get to compete.

Original Research: The CMMC Evidence Burden

The hardest part of CMMC readiness is not reading the control list. It is proving implementation in a way that matches the scope, the SSP, the evidence, and the actual environment.

GS Consulting analyzed the DoD CMMC Level 2 Assessment Guide and mapped all 110 Level 2 requirements to 320 assessment objectives and 1,557 potential assessment evidence object references. Level 2 readiness creates an evidence burden across requirements, assessment objectives, interviews, tests, diagrams, configurations, logs, tickets, provider responsibilities, and recurring operating records.

  • 110 CMMC Level 2 requirements analyzed from the assessment guide.
  • 320 assessment objectives mapped across Level 2 requirements.
  • 1,557 potential evidence object references used as a planning proxy.
  • 48% of the assessment objective load concentrated in Access Control, Configuration Management, and System and Communications Protection.

Access Control, Configuration Management, and System and Communications Protection account for nearly half of the Level 2 assessment objective load in this GS Consulting analysis.

Methodology and caveat

The CMMC Evidence Burden Score is a GS Consulting derived planning metric. It is not an official CMMC score, legal conclusion, certification result, or C3PAO assessment determination. The 1,557 evidence object references are an analytical proxy derived from potential assessment object lists in the DoD guide and should not be interpreted as a required artifact count.

The practical takeaway is simple: do not build evidence after the assessment is scheduled. Build the evidence system while you define the scope, update the SSP, close gaps, and prepare leadership to affirm.

CMMC Level Quick Reference

Before building a checklist, confirm the level.

A company that handles only FCI has a different readiness path than a company that processes, stores, or transmits CUI. A company targeting Level 2 C3PAO assessed work has a different evidence burden than a company preparing for Level 1 self assessment.

Level 1: Basic safeguarding of FCI. Annual self assessment and annual affirmation against the 15 requirements in FAR 52.204-21. POA&Ms are not permitted.

Level 2: Broad protection of CUI. Self assessment or C3PAO assessment every three years, as specified in the solicitation, plus annual affirmation against the 110 NIST SP 800-171 Revision 2 requirements.

Level 3: Higher protection against advanced threats. Final Level 2 C3PAO status is required first, followed by a DIBCAC assessment every three years and annual affirmation against the 24 selected NIST SP 800-172 requirements.

What CMMC Is Not

CMMC is not a tool purchase.

It is not a one time policy project. It is not a score in SPRS that nobody has reviewed in two years. It is not an SSP that was accurate before the company moved to a new cloud environment. It is not a POA&M that keeps slipping. It is not a subcontractor spreadsheet nobody updates.

CMMC readiness means the company can connect the contract requirement to the data, the data to the systems, the systems to the controls, the controls to the evidence, and the evidence to the affirmation.

That is the work.

Checklist 1: Identify the Contract Drivers

The first step is to understand what is actually driving your cybersecurity requirement. Too many contractors start with tools before reading the contract.

That is backwards. The contract tells you what data matters, which clauses apply, what level may be required, when status must be current, and what obligations flow to subcontractors.

Review current and target contracts for FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, DFARS 252.204-7025, agency specific CUI instructions, DD Form 254 requirements where applicable, prime contractor flow downs, and cloud or incident reporting obligations.

For defense work, DFARS 252.204-7012 is especially important because it defines Covered Defense Information, covered contractor information systems, controlled technical information, and the requirement to provide adequate security.

The goal is to connect each target opportunity to the actual cybersecurity requirement before anyone buys another tool or updates the wrong SSP.

  • Do we know which clauses apply to each contract?
  • Do we know which CMMC level is required for each target opportunity?
  • Do we know whether the requirement applies at proposal, award, option period, or subcontract award?
  • Do we know which systems will support performance?
  • Do we know whether our prime contractor has additional cybersecurity flow down requirements?

Checklist 2: Identify FCI, CUI, and Covered Defense Information

CMMC scoping starts with data. If the company cannot find FCI and CUI, it cannot scope the environment honestly.

This is where many contractors get exposed. CUI may not live only in the obvious secure folder. It may show up in email, Teams or Slack, SharePoint, Google Drive, file shares, laptops, ticketing systems, CRM tools, proposal repositories, engineering folders, subcontractor exchanges, cloud backups, or AI prompts and outputs.

Start by identifying where FCI, CUI, Covered Defense Information, controlled technical information, export controlled information, source selection information, PII, government furnished information, and customer sensitive materials enter your business.

The CUI Registry includes categories across areas such as Defense, Export Control, Intelligence, Privacy, Procurement and Acquisition, Critical Infrastructure, and Proprietary Business Information. Contractors should use the registry, contract markings, customer instructions, and agency guidance to determine what must be protected.

The first useful CUI map will probably be messy. That is fine. A messy map is better than a clean fiction.

  • Do we know which contracts involve FCI only?
  • Do we know which contracts involve CUI or Covered Defense Information?
  • Do we know where CUI enters, moves through, and leaves the company?
  • Do we know whether CUI appears in email, collaboration tools, file shares, laptops, ticketing systems, cloud storage, CRM tools, proposal repositories, or subcontractor systems?
  • Do employees understand how to recognize CUI markings and handling requirements?
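The data map has to start somewhere, and the fastest first pass is to look for the banner markings themselves. The following is an added example, not a GS Consulting tool: it walks a directory tree and flags files that carry a CUI banner line (CUI or CONTROLLED, with optional category and dissemination markers such as CUI//SP-CTI//NOFORN) or a legacy FOUO marking that still needs a CUI determination. It assumes plain text files; the three sample files are constructed inline.

```python
"""Added example: first-pass CUI marking discovery over a file tree.
Assumptions: plain-text files only; banner formats from the CUI Marking
Handbook; sample files below are constructed, not real contract data."""
import os
import re
import tempfile
from dataclasses import dataclass

# A banner is a whole line reading CUI or CONTROLLED, optionally followed by
# //category and //dissemination markers (e.g. CUI//SP-CTI//NOFORN).
# Anchoring to the full line keeps a prose mention of "CUI" from matching.
CUI_BANNER = re.compile(
    r"^\s*(?:CUI|CONTROLLED)(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)*\s*$"
)
# Legacy marking that predates the CUI program; it signals content that
# still needs a CUI determination and possibly re-marking.
LEGACY_FOUO = re.compile(r"\b(?:U//FOUO|UNCLASSIFIED//FOUO|FOUO)\b")

TEXT_EXT = {".txt", ".md", ".csv", ".eml"}  # assumption: text formats only


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "cui" or "legacy"
    marking: str


def scan_file(path: str, max_lines: int = 200) -> list[Finding]:
    """Return markings found in the first max_lines of one file.
    Banners sit at the top of a document, so whole files are not read."""
    findings: list[Finding] = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                if line_no > max_lines:
                    break
                if CUI_BANNER.match(line):
                    findings.append(Finding(path, line_no, "cui", line.strip()))
                elif (m := LEGACY_FOUO.search(line)):
                    findings.append(Finding(path, line_no, "legacy", m.group(0)))
    except OSError:
        pass  # unreadable file: skipped here; a real tool would log it
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk root and scan every file with a text extension."""
    out: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def build_sample_tree() -> str:
    """Constructed sample data: three files under a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="cui-scan-")
    samples = {
        "engineering/drawing-notes.txt": "CUI//SP-CTI//NOFORN\nBracket tolerance notes\n",
        "proposals/past-perf.md": "Our team discussed CUI handling in training.\n",
        "archive/old-memo.txt": "UNCLASSIFIED//FOUO\nPlanning memo from 2015\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.kind:6} {f.path}:{f.line_no}  {f.marking}")
```

Run against a file share export or a SharePoint sync folder, this gives a list of candidate locations to confirm by hand. It is deliberately conservative: a document that discusses CUI without a banner is not flagged, and binary formats (PDF, Office) need a text extraction step before this regex pass applies.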

Checklist 3: Define the CMMC Assessment Scope

Scoping is where CMMC programs either become manageable or become expensive fiction.

If the scope is too broad, the company may spend money securing systems that do not need to be in scope. If the scope is too narrow, the company may exclude systems that actually process, store, transmit, or protect FCI or CUI.

For Level 1, systems that process, store, or transmit FCI are in scope. For Level 2, CUI assets, security protection assets, contractor risk managed assets, and specialized assets must be handled according to CMMC scoping rules.

External service providers are not a footnote. Cloud providers, MSPs, MSSPs, SaaS platforms, endpoint tools, AI tools, and security monitoring services can all affect the boundary, inherited controls, evidence package, and SSP narrative.

  1. Identify data and contracts.
  2. Map systems and providers.
  3. Classify asset categories.
  4. Document what is in and out of scope.

  • Have we defined our CMMC assessment boundary?
  • Do we have an asset inventory for in scope systems?
  • Do we know which systems provide security protection for CUI assets?
  • Have we documented cloud providers, managed service providers, SaaS tools, AI tools, and other external service providers?
  • Can we justify which systems are out of scope?

Checklist 4: Build or Update the System Security Plan

The SSP should describe the real environment, not the environment leadership wishes existed.

A weak SSP creates risk because it forces assessors, primes, customers, and executives to infer how the system works. A strong SSP shows the boundary, architecture, data flows, users, asset categories, controls, inherited responsibilities, cloud services, external providers, and how each requirement is implemented in practice.

If the SSP does not match the asset inventory, CUI flow map, network diagram, provider matrix, and evidence repository, fix the mismatch before anyone treats the document as ready.

  • Do we have a current SSP?
  • Does the SSP match the real operating environment?
  • Does it include cloud services and external service providers?
  • Does it describe inherited controls and customer responsibilities?
  • Does it include CUI data flows and network diagrams?
  • Has leadership reviewed the SSP before making any affirmation?

Checklist 5: Review SPRS, Scores, and Affirmations

SPRS is not a parking lot for old scores. It is part of the contract readiness record.

Contractors need to know what is posted, which CAGE codes are tied to the record, whether the score or status matches the correct SSP and boundary, and who is authorized to submit or affirm information.

Summary level NIST SP 800 171 DoD Assessment scores are posted in SPRS to provide DoD Components visibility into those scores. CMMC status is also tied to affirmations of continuous compliance. For Final Level 1, status and the corresponding affirmation must not be older than one year. For Final Level 2 self assessments and Final Level 2 C3PAO assessments, status can be valid for three years when conditions are met, with affirmations not older than one year.

  • Do we know what is currently posted in SPRS?
  • Are our CAGE codes accurate?
  • Is our score tied to the correct SSP and system boundary?
  • Do we know who is authorized to submit and affirm?
  • Do affirmations match the company's actual compliance posture?
  • Do we have evidence supporting the score or status submitted?

Checklist 6: Close High Risk Technical Gaps

CMMC readiness is not only documentation. Controls need to be implemented and working.

For many small and midsized contractors, the most common gaps include weak multifactor authentication coverage, incomplete asset inventory, unmanaged endpoints, inadequate logging, inconsistent vulnerability scanning, undocumented configuration baselines, weak access reviews, poor incident response testing, uncontrolled cloud storage, and unclear separation between business data and CUI.

Chart of the top CMMC Level 2 assessment evidence bottlenecks, led by nonessential functionality, system baselining, incident handling, security engineering, flaw remediation, least privilege, system and file scanning, access restrictions for change, boundary protection, external connections, and System Security Plan evidence. The highest scoring evidence bottlenecks show why a mostly complete SSP can still struggle in assessment if proof is fragmented across baselines, tickets, scans, logs, incident records, cloud inheritance, and diagrams.

Identity and Access: MFA, privileged accounts, and access reviews. Confirm that users, devices, remote access paths, and administrator roles are controlled and reviewed.

Monitoring and Response: logs, vulnerabilities, incidents, and backups. Show that security activity is monitored, prioritized, remediated, and tested with evidence.

  • Is multifactor authentication implemented where required?
  • Are endpoints protected and monitored?
  • Are vulnerabilities scanned, prioritized, and remediated?
  • Are audit logs collected and reviewed?
  • Are backups protected and tested?
  • Are unauthorized cloud, file sharing, and AI tools blocked or governed?

Checklist 7: Prepare Evidence Before the Assessment

A company may have decent security practices and still fail readiness because it cannot prove implementation.

CMMC readiness requires evidence that is organized, current, tied to the correct requirement, and consistent with the SSP, CUI flow map, scope, providers, and actual operating environment.

Your evidence repository should include policies, procedures, screenshots, configuration exports, access reviews, training records, vulnerability scan results, remediation tickets, incident response exercise records, cloud responsibility matrices, logs, diagrams, asset inventories, and proof of recurring security activities.

The evidence type matrix (policy and procedure, SSP and diagrams, configurations, logs and records, tickets and remediation, identity and access, training and personnel, and asset, boundary, and provider evidence) reinforces the core readiness problem: documents alone are not enough. Level 2 readiness requires policy, SSP narrative, configurations, logs, tickets, screenshots, interviews, tests, diagrams, and recurring operating evidence.
  • Do we have evidence mapped to each applicable requirement?
  • Is the evidence current?
  • Does the evidence match the SSP?
  • Can we show that controls are operating, not just documented?
  • Can we explain inherited controls from cloud or managed service providers?
  • Is evidence stored securely and organized for review?
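Those six questions can be asked of an evidence manifest by a script rather than by memory. The following is an added example, not a GS Consulting tool: it takes the set of requirements the SSP claims, a manifest of artifacts with collection dates, and a freshness window per evidence type, and reports requirements with no current evidence, artifacts that have gone stale, and artifacts filed against requirements the SSP does not claim (an SSP/evidence mismatch). The requirement IDs are real CMMC Level 2 identifiers used for illustration; the manifest rows, the freshness windows, and the as-of date are constructed.

```python
"""Added example: coverage and freshness check over an evidence manifest.
The manifest rows, the freshness windows and the as-of date are constructed
for the demo; requirement IDs are real Level 2 identifiers used only as labels."""
from datetime import date

# As-of date for the demo (matches the article's date); constructed.
AS_OF = date(2026, 5, 31)

# Constructed: a small subset of the requirements the SSP claims as
# implemented.  A real run would load all 110 from the control matrix.
REQUIRED = {"AC.L2-3.1.1", "AC.L2-3.1.5", "AU.L2-3.3.1", "RA.L2-3.11.2", "IR.L2-3.6.3"}

# Freshness window per evidence type (assumed values): recurring operating
# records must be recent, point-in-time artifacts still expire.
MAX_AGE_DAYS = {"policy": 365, "config": 90, "scan": 30, "review": 90, "exercise": 365}

# Constructed manifest rows: (requirement, artifact path, type, collected on, owner)
MANIFEST = [
    ("AC.L2-3.1.1", "evidence/ac/idp-user-export.csv", "config", date(2026, 4, 2), "itops"),
    ("AC.L2-3.1.5", "evidence/ac/q4-access-review.pdf", "review", date(2025, 12, 15), "itops"),
    ("AU.L2-3.3.1", "evidence/au/siem-retention-settings.png", "config", date(2026, 5, 20), "secops"),
    ("AU.L2-3.3.1", "evidence/policy/audit-logging-policy.pdf", "policy", date(2025, 7, 1), "ciso"),
    ("RA.L2-3.11.2", "evidence/ra/vuln-scan-2026-03.csv", "scan", date(2026, 3, 1), "secops"),
    ("MP.L2-3.8.3", "evidence/mp/wipe-certificates.pdf", "review", date(2026, 5, 1), "itops"),
]


def check_manifest(required, manifest, max_age, as_of):
    """Return the three problem lists a readiness review needs:
    missing  - claimed requirements with no current artifact at all
    stale    - artifacts older than the window for their evidence type
    unknown  - artifacts filed against requirements the SSP does not claim"""
    stale, unknown, covered = [], [], set()
    for req, artifact, kind, collected, _owner in manifest:
        if req not in required:
            unknown.append((req, artifact))
            continue
        age = (as_of - collected).days
        if age > max_age[kind]:
            stale.append((req, artifact, age))
        else:
            covered.add(req)  # at least one current artifact
    return {
        "missing": sorted(required - covered),
        "stale": stale,
        "unknown": unknown,
    }


def report(result):
    """Human-readable summary; returns the text so callers can log it."""
    lines = []
    for req in result["missing"]:
        lines.append(f"MISSING  {req}: no current evidence")
    for req, artifact, age in result["stale"]:
        lines.append(f"STALE    {req}: {artifact} is {age} days old")
    for req, artifact in result["unknown"]:
        lines.append(f"UNKNOWN  {req}: {artifact} not tied to a claimed requirement")
    return "\n".join(lines) or "all claimed requirements have current evidence"


if __name__ == "__main__":
    print(report(check_manifest(REQUIRED, MANIFEST, MAX_AGE_DAYS, AS_OF)))
```

The point of the "unknown" list is the SSP mismatch the checklist warns about: evidence that exists for a requirement the SSP does not describe is as much a consistency problem as a claimed requirement with no evidence. Run this on the cadence of the continuous compliance rhythm rather than once before the assessment.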

Checklist 8: Manage POA&Ms Correctly

POA&Ms can be useful, but they are not a substitute for readiness. Contractors should understand when POA&Ms are allowed, which requirements cannot be placed on a POA&M, and how quickly remediation must be closed.

POA&Ms are not permitted at Level 1. Level 2 and Level 3 allow limited use of POA&Ms, but the closeout assessment must confirm closure within 180 days of the Conditional CMMC Status Date; otherwise, the conditional status expires.

For Level 2, Conditional status is only available when the assessment score is at least 88 of 110 and every deferred requirement is a 1 point item (the one exception is CUI encryption, which may be deferred when encryption is in place but not FIPS validated). The System Security Plan, external connections, public information controls, and certain physical access requirements can never be placed on a POA&M, so contractors should treat them as items to fix before assessment rather than safe candidates for deferral.

  • Do we know which gaps are eligible for POA&M treatment?
  • Do we know which gaps must be remediated before assessment?
  • Do we have owners, due dates, and budget assigned to each POA&M item?
  • Can we close POA&M items within the 180 day window?
  • Are we avoiding overreliance on POA&Ms as a substitute for implementation?
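The eligibility and expiry rules in Checklist 5 and Checklist 8 are simple enough to encode, and encoding them removes the guesswork about when a status lapses. The following is an added example, not a GS Consulting tool: one function applies the Conditional Level 2 eligibility test (score of at least 88, no prohibited requirements, only 1 point items except the CUI encryption case), and another computes whether a Level 1 or Level 2 status is still current on a given date, including the 180 day POA&M closeout window. The per-requirement point values in the sample table are placeholders; real values come from the CMMC Scoring Methodology. The sample dates are constructed.

```python
"""Added example: CMMC status and POA&M date rules as code.
Eligibility rules are from 32 CFR 170.21; the point values in SAMPLE_POINTS
are placeholders for the demo, not the official scoring table."""
from datetime import date, timedelta

POAM_WINDOW = timedelta(days=180)   # closeout within 180 days of the Conditional date
AS_OF = date(2026, 5, 31)           # constructed as-of date for the demo
ASSESSED = date(2026, 1, 15)        # constructed Level 2 self assessment date

# Requirements that can never sit on a Level 2 POA&M.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.1", "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# May be deferred only when encryption exists but is not FIPS validated.
CUI_ENCRYPTION = "SC.L2-3.13.11"

# Placeholder point values for the demo only (assumption, not the DoD table).
SAMPLE_POINTS = {"AC.L2-3.1.1": 5, "MP.L2-3.8.6": 1, "SC.L2-3.13.11": 3, "CA.L2-3.12.4": 5}


def add_years(d: date, n: int) -> date:
    """Calendar anniversary; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def conditional_level2_eligible(score, poam, point_values, fips_gap_only=False):
    """score: assessment score out of 110; poam: set of deferred requirement IDs;
    point_values: requirement -> 1/3/5; fips_gap_only: encryption exists but is
    not FIPS validated, which is the only case CUI encryption may be deferred."""
    if score < 88:
        return False, f"score {score} is below 88"
    blocked = poam & NEVER_ON_POAM
    if blocked:
        return False, f"prohibited items on POA&M: {sorted(blocked)}"
    for req in sorted(poam):
        if req == CUI_ENCRYPTION and fips_gap_only:
            continue
        pts = point_values.get(req)
        if pts is None:
            return False, f"{req}: no point value known"
        if pts > 1:
            return False, f"{req} is worth {pts} points, not eligible"
    return True, "eligible for Conditional Level 2"


def status_check(level, assessed_on, affirmed_on, as_of,
                 conditional_on=None, poam_closed_on=None):
    """Apply the rules the checklist states: Level 1 status and affirmation not
    older than one year; Level 2 status good for three years with an annual
    affirmation; Conditional Level 2 expires unless closed out in 180 days."""
    if level == 1:
        if as_of > add_years(assessed_on, 1):
            return False, "Level 1 self assessment older than one year"
    elif level == 2:
        if as_of > add_years(assessed_on, 3):
            return False, "Level 2 status older than three years"
        if conditional_on is not None:
            closed = poam_closed_on or as_of
            elapsed = closed - conditional_on
            if elapsed > POAM_WINDOW:
                return False, "Conditional status expired: POA&M not closed within 180 days"
    else:
        raise ValueError("only Level 1 and Level 2 are handled here")
    if as_of > add_years(affirmed_on, 1):
        return False, "affirmation of continuous compliance older than one year"
    if level == 2 and conditional_on is not None and poam_closed_on is None:
        left = (POAM_WINDOW - (as_of - conditional_on)).days
        return True, f"current (Conditional, {left} days left to close the POA&M)"
    return True, "current"


if __name__ == "__main__":
    print(conditional_level2_eligible(92, {"MP.L2-3.8.6"}, SAMPLE_POINTS))
    print(status_check(2, ASSESSED, ASSESSED, AS_OF, conditional_on=ASSESSED))
```

Feed it the real assessment, affirmation, and Conditional dates from SPRS and the actual POA&M register, and the output answers the last question in Checklist 12: what would cause the current status to lapse, and when.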

Checklist 9: Review Cloud, SaaS, MSP, and AI Tools

Cloud and outsourced services are often the biggest hidden CMMC risk. Many contractors rely on Microsoft 365, AWS, Azure, Google Workspace, file sharing tools, CRM systems, ticketing platforms, managed service providers, AI tools, endpoint management tools, and security monitoring providers.

If a contractor uses an external cloud service provider to store, process, or transmit Covered Defense Information in contract performance, the contractor must require and ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with applicable incident reporting and related requirements.

AI tools need the same level of scrutiny. If an AI tool processes CUI, summarizes CUI, indexes controlled repositories, stores prompts or outputs containing CUI, analyzes vulnerability data, or supports security monitoring, it may affect the CMMC boundary and evidence package.

  • Do we know which cloud and SaaS tools process FCI or CUI?
  • Do we have customer responsibility matrices?
  • Do agreements address security, incident reporting, access, retention, and data handling?
  • Do AI tools process contract data, CUI, security data, or customer sensitive information?
  • Are prompts, outputs, logs, and embeddings controlled if they contain CUI?
  • Have we documented inherited controls in the SSP?

Checklist 10: Train Employees on CMMC, CUI, and Safe Workflows

CMMC readiness fails when employees do not understand what is expected of them.

Security controls need to show up in everyday behavior: where people store data, what tools they use, how they report incidents, how they handle CUI, and whether program and proposal teams understand contract impact.

Training should cover FCI, CUI, approved systems, prohibited tools, phishing, password and MFA expectations, incident reporting, removable media, cloud storage, AI tool restrictions, remote work, visitor handling, physical security, and subcontractor communication.

  • Do employees know what FCI and CUI are?
  • Do employees know where CUI may and may not be stored?
  • Do employees know how to report suspected incidents?
  • Do employees know which AI tools are approved and prohibited?
  • Do program managers and proposal teams understand when CMMC status may affect bid eligibility?
  • Do executives understand what they are affirming in SPRS?

Checklist 11: Flow Requirements to Subcontractors

CMMC readiness does not stop at the prime contractor's boundary.

If subcontractors process, store, or transmit FCI or CUI, the prime needs to know what data flows down, what level is required, whether status is current, what tools subcontractors use, and whether their cloud, SaaS, MSP, or AI environment creates risk.

Prime contractors should not discover during a proposal, assessment, or incident that a subcontractor used an unapproved system to process contract data.

  • Do we know which subcontractors receive FCI or CUI?
  • Do subcontracts include the right cybersecurity flow downs?
  • Do subcontractors have the required CMMC status before award?
  • Do we verify subcontractor SPRS or CMMC status when required?
  • Do subcontractors use cloud, SaaS, MSP, or AI tools with our contract data?
  • Do we have a process to reassess subcontractors during performance?

Checklist 12: Create a Continuous Compliance Rhythm

CMMC is not a one time project. It is an operating rhythm.

The environment changes after assessment: users change roles, providers change terms, tools get added, cloud settings drift, vulnerabilities appear, subcontractors change systems, AI tools spread, evidence goes stale, and the SSP falls behind reality unless someone owns the update cycle.

A practical continuous compliance rhythm should include monthly vulnerability reviews, quarterly access reviews, recurring SSP updates, annual policy reviews, incident response exercises, subcontractor reviews, cloud provider reviews, AI tool reviews, and leadership level compliance reporting before any affirmation is submitted.

The goal is simple: leadership should never be asked to affirm compliance based on stale evidence, outdated scope, or assumptions nobody has checked.

  • Do we have recurring control owners?
  • Do we review compliance monthly or only before proposals?
  • Do we update the SSP when systems or providers change?
  • Do we track evidence continuously?
  • Does leadership receive clear reporting before affirming compliance?
  • Do we know what would cause our current status to lapse or become inaccurate?

Red Flags That Your Company Is Not CMMC Ready

Your company may not be ready if the basic facts are still unclear or the evidence does not match the environment.

Red Flag 1: Nobody can say where CUI lives.

If CUI may be in email, file shares, cloud drives, ticketing systems, proposal folders, laptops, AI tools, or subcontractor systems and nobody has mapped it, the scope is not ready.

Red Flag 2: SPRS is treated as a stale record.

If the score, status, CAGE codes, system boundary, or affirmation owner is unclear, leadership may be relying on information that no longer matches the environment.

Red Flag 3: The SSP does not match reality.

If the SSP omits cloud providers, MSPs, SaaS platforms, AI tools, data flows, external connections, inherited controls, or current architecture, it is not ready for serious review.

Red Flag 4: Evidence is scattered.

If proof lives across screenshots, spreadsheets, tickets, exports, emails, policies, and individual employee folders, the company may not be able to show control implementation cleanly.

Red Flag 5: POA&Ms are treated as implementation.

A POA&M can manage eligible remediation. It cannot replace readiness, technical ownership, funding, or closure discipline.

Red Flag 6: Subcontractor status is unknown.

If subcontractors receive FCI or CUI and the prime cannot verify flow downs, required status, or tool use, the readiness story has a gap.

Red Flag 7: Leadership cannot explain the affirmation.

If executives are asked to affirm compliance without understanding the scope, evidence, gaps, and risks, the readiness process is broken.

A 30 / 60 / 90 Day CMMC Readiness Plan: Move From Guessing to Evidence

Ninety days is enough time to stop guessing.

The goal is not to become fully certified in one quarter. The goal is to establish visibility, define scope, identify the highest risk gaps, organize evidence, and give leadership a clear picture of what is ready, what is not, and what needs funding.

  1. Days 1 to 30: Establish visibility.

    Identify applicable contracts, clauses, target opportunities, CAGE codes, SPRS records, CMMC UID status, FCI, CUI, Covered Defense Information, current systems, cloud services, SaaS platforms, MSPs, MSSPs, AI tools, external service providers, subcontractors, existing policies, existing SSPs, current POA&Ms, and known technical gaps.

  2. Days 31 to 60: Define scope and gaps.

    Build or update the system boundary, asset inventory, CUI data flow map, network diagram, provider responsibility matrix, subcontractor flow down tracker, SSP, SPRS review, control matrix, gap assessment, POA&M eligibility review, and evidence repository.

  3. Days 61 to 90: Remediate and prepare evidence.

    Prioritize gaps involving access control, MFA, endpoint protection, audit logging, vulnerability management, incident response, cloud configuration, CUI storage, AI tool use, backups, training, subcontractor flow downs, and leadership affirmation readiness.

By the end of 90 days, leadership should be able to answer seven questions without scrambling: What CMMC level do we need? Where do FCI and CUI live? Which systems and providers are in scope? What does SPRS currently show? Which gaps block readiness? What evidence supports the compliance claim? Who is accountable for the affirmation?

Minimum Viable CMMC Readiness Evidence Packet

A practical readiness packet should make CMMC evidence easy to find, explain, update, and defend.

The goal is not to create a giant binder. The goal is to create a current evidence packet that connects contract drivers, data flows, scope, controls, providers, subcontractors, SPRS records, and leadership affirmations.

  • Contract driver matrix showing applicable FAR, DFARS, agency, prime, and subcontractor requirements.
  • CMMC level and assessment type for current and target opportunities.
  • CAGE code, SPRS, and CMMC UID status summary.
  • FCI, CUI, and Covered Defense Information data map.
  • Scoped system boundary with in scope, out of scope, security protection, contractor risk managed, specialized, and provider assets.
  • Asset inventory for systems, users, endpoints, cloud services, SaaS platforms, MSPs, MSSPs, AI tools, and external service providers.
  • Current SSP that matches the actual environment.
  • CUI data flow map and network diagram.
  • Control matrix tied to requirements, owners, implementation status, and evidence.
  • Evidence repository with policies, procedures, screenshots, configuration exports, logs, tickets, scans, access reviews, training records, incident response evidence, and backup testing records.
  • POA&M register with eligibility review, owners, dates, funding, evidence, and closure status.
  • Cloud, SaaS, MSP, MSSP, and AI tool responsibility matrix.
  • Subcontractor flow down and status tracker.
  • Employee training and CUI handling evidence.
  • Leadership affirmation owner, review cadence, and signoff record.

This packet is especially important for small and midsized contractors because CMMC readiness is becoming a proposal and award readiness system, not a one time IT project.

The Bottom Line

CMMC readiness is not just about passing an assessment. It is about protecting contract eligibility.

Small and midsized contractors that prepare early can define scope calmly, close the right gaps, organize evidence, review cloud and AI tools, manage subcontractors, validate SPRS, and help leadership understand what it is affirming.

Companies that wait for a solicitation, prime request, contracting officer, or assessor to force the issue may end up solving scoping, documentation, technical controls, provider responsibility, POA&M, SPRS, AI tool, and subcontractor problems all at once.

That is a bad way to run a readiness program.

The standard is simple: know the contract, find the data, define the boundary, prove the controls, and affirm only what the evidence supports.

How GS Consulting Helps

GS Consulting helps government contractors turn CMMC readiness from a vague compliance project into a practical contract readiness plan.

That means identifying FCI and CUI, reviewing contract drivers, defining the assessment boundary, updating SSPs and POA&Ms, evaluating cloud, SaaS, MSP, MSSP, and AI tool risk, validating SPRS readiness, preparing evidence packages, supporting subcontractor flow down reviews, and building remediation roadmaps aligned to contract requirements.

The goal is not to make the binder look better. The goal is to help the company explain its scope, prove its controls, support its affirmations, and stay eligible for the opportunities it wants to pursue.

Research Sources and Caveats

The original research in this article uses GS Consulting derived planning metrics based on public CMMC program rules, acquisition clauses, the DoD CMMC Level 2 Assessment Guide, and assessment objective evidence mapping.

The CMMC Evidence Burden Score is a planning tool. It is not an official CMMC score, legal conclusion, certification result, C3PAO assessment determination, or substitute for contract specific review.

Actual evidence needs depend on the contractor's scope, architecture, implementation, providers, inherited controls, assessment boundary, clauses, FCI and CUI data flows, assessor judgment, and customer or prime requirements.

Ready to find out what your CMMC evidence actually proves?

GS Consulting helps government contractors identify FCI and CUI, define CMMC scope, review SSPs and POA&Ms, validate SPRS readiness, evaluate cloud and AI tool risk, organize evidence, and build a practical remediation roadmap before the next solicitation or prime request.

Contact GS Consulting

Frequently Asked Questions About CMMC Readiness

Can we use a POA&M to pass a CMMC Level 2 assessment?

Yes, but only with strict limits.

POA&Ms are not allowed for Level 1. For Level 2, a POA&M is permitted only when the assessment score is at least 88 of 110 and the open items are limited to 1 point requirements (CUI encryption is the one exception, and only when encryption is in place but not FIPS validated); the System Security Plan, external connections, public information controls, and certain physical access requirements can never be deferred. Any allowed POA&M items must be remediated and closed out within 180 days of the Conditional CMMC Status Date, or the conditional status expires.

The practical point: do not treat a POA&M as a substitute for readiness. Treat it as a tightly managed remediation plan.

Do CMMC requirements apply to subcontractors?

Yes, when subcontractors process, store, or transmit FCI or CUI in support of contract performance.

Prime contractors should identify which subcontractors receive FCI or CUI, flow down the right cybersecurity requirements, verify required CMMC status when applicable, review subcontractor use of cloud, SaaS, MSP, and AI tools, and reassess subcontractor risk during performance.

What is the difference between FCI and CUI in CMMC scoping?

FCI is information that is not public and is provided by or generated for the government under a contract. It generally drives Level 1 basic safeguarding.

CUI is information that requires safeguarding or dissemination controls under law, regulation, or government wide policy. It generally drives Level 2 or Level 3 requirements, depending on the contract and sensitivity.

The practical difference is scope and evidence. CUI usually requires stronger controls, more detailed scoping, more evidence, and more disciplined provider and subcontractor management.


© GS Consulting, LLC . All Rights Reserved | For more information, contact us at info@gsconsultingllc.com. Image credit: ©iStock.com/Vertigo3d. Privacy Policy | Terms of Use