CMMC Level 2 Readiness Checklist for Small Businesses

A practical small-business guide for scope, evidence, owners, and IT readiness before a CMMC Level 2 conversation.

Practical checklist for small businesses preparing the IT environment, evidence, and ownership needed for CMMC Level 2 readiness conversations.

  • Scope before tools
  • Evidence before assessment
  • Owners, dates, and remediation tracking

Start with scope and evidence

CMMC Level 2 readiness is not just a tool purchase. Small businesses need to understand what information is in scope, which systems touch it, what controls are already operating, and what evidence can support those controls. The most useful first step is a practical scope and evidence review before a customer, prime contractor, assessor, or internal deadline forces rushed decisions.

Use this checklist to prepare for a readiness conversation with the business owner, IT provider, compliance advisor, and any assessor or prime-contractor contact involved in the requirement.

For engineering, AEC, aerospace, manufacturing, and technical-services firms, the checklist should connect back to ordinary support work: Microsoft 365 administration, Azure resources, project-file access, endpoints, backups, and network documentation. Those are the systems a managed IT provider can help make explainable before formal compliance decisions are made.

Scope checklist

  • Identify whether Controlled Unclassified Information is confirmed, suspected, or not yet clear.
  • List the contracts, customers, primes, solicitations, or questionnaires driving the requirement.
  • List systems that may process, store, or transmit controlled customer or federal-contract data.
  • Include Microsoft 365, Azure, servers, endpoints, network devices, SaaS tools, vendors, and remote-access paths.
  • Document users, administrators, contractors, vendors, and guests with access.
  • Separate in-scope systems from normal business systems where practical.
  • Confirm who owns scope decisions and who can answer customer or assessor follow-up questions.

Scope mistakes are expensive because every later decision depends on them. If project files, email, Teams chats, SharePoint libraries, CAD files, cloud backups, or vendor portals might contain controlled data, those systems need to be reviewed before the company assumes they are out of scope.

Core Checklist Areas

Endpoint and network checklist

  • Device inventory is current.
  • Endpoint protection is deployed and monitored.
  • Patching status is visible.
  • Local admin rights are controlled.
  • Disk encryption status is documented where applicable.
  • Firewall, VPN, WiFi, and network segmentation are documented.
  • Network diagrams match the real environment.
  • Remote access paths are known and tied to named owners.
  • Vendor access paths are approved, limited, and removable.

Small-business environments often grow around convenience: a server added for one application, a VPN opened for a vendor, a shared folder created for one project, or a cloud app that became permanent. CMMC readiness does not require guessing. It requires a current inventory, clear access paths, and evidence that the company knows what is connected.

Backup and recovery checklist

  • Critical systems and data are included in backup scope.
  • Microsoft 365, servers, endpoint data, line-of-business systems, and project files are reviewed separately.
  • Restore tests are completed and documented.
  • Recovery priorities are written down.
  • Backup alerts have a clear owner.
  • Ransomware recovery expectations are discussed before an incident.
  • Backup evidence is stored where the owner and IT team can find it later.

Backup status is not the same as recovery proof. Owners should be able to see what is protected, how often it is protected, who receives alerts, when a restore was tested, and what the expected recovery order would be during an outage.

Logging and monitoring checklist

  • Important security logs are enabled.
  • Alerts go to a mailbox or system someone owns.
  • Review frequency is documented.
  • Incident escalation contacts are current.
  • Security events can be tied back to owners and next steps.
  • Microsoft 365, Entra ID, endpoint, firewall, VPN, and server logs are reviewed for practical coverage.
  • Evidence exports are dated and stored in a consistent location.

Logging only helps if someone owns the review. A useful readiness review should identify what logs exist, which alerts are actually seen by a person, and how a business owner would know when a security event needs a decision.

Documentation, Evidence, And Remediation Rhythm

Documentation checklist

  • System inventory.
  • User and admin access records.
  • Policies and procedures that match actual practice.
  • Backup and restore evidence.
  • Endpoint and patch reports.
  • Network and data-flow diagrams.
  • Vendor access and vendor security documentation.
  • Security incident contact list.
  • Open remediation list with owners, dates, and status.
  • Evidence folder naming convention.
  • Recurring review calendar.

Documentation should not be theatrical. It should be usable. If a policy says one thing but the environment does another, the gap should become a remediation task rather than being hidden in a binder. Good documentation makes current reality easier to explain, fix, and maintain.

Owner review and remediation plan

After the checklist is filled in, turn it into a short action plan:

  1. Confirm what is in scope and what is still unknown.
  2. Identify high-risk access, backup, endpoint, and network gaps.
  3. Assign each remediation task to an owner.
  4. Set a target date and status for each task.
  5. Separate IT cleanup from compliance interpretation.
  6. Schedule a recurring review so evidence stays current.

The owner should be able to understand the plan without decoding vendor acronyms. A strong action plan says what will be changed, why it matters, who owns it, and what evidence will show that it is done.

Common Gaps And Guardrails

Readiness guardrails

Do not treat this checklist as legal advice, certification guidance, or an assessor decision. CMMC requirements depend on the contract, solicitation, information handled, assessment path, and DoD implementation rules.

DoD CMMC Level 2 material currently describes Level 2 around the 110 NIST SP 800-171 Revision 2 requirements, with either self-assessment or C3PAO assessment every three years as specified by the solicitation, plus annual affirmation requirements. NIST SP 800-171 Revision 3 and SP 800-171A Revision 3 are current NIST publications, so organizations should verify which revision and assessment path applies before changing strategy.

BCT can help with the IT environment, evidence, Microsoft 365/Azure administration, endpoint cleanup, backup proof, network documentation, and support ownership. Formal interpretation and assessment requirements belong with qualified assessors, attorneys, and compliance advisors.

Official references: DoD CMMC overview, DoD CMMC Level 2 Assessment Guide, NIST SP 800-171 Rev. 3, and NIST CUI publications.

FAQ

Is this a substitute for an assessor or compliance advisor?

No. This is an IT-readiness and evidence organization guide. Formal interpretation and assessment decisions should be handled with the appropriate advisor or assessor.

What should the owner review first?

Start with scope, systems, users, administrators, backups, endpoints, and the evidence that proves controls are operating. A tool list without owners and records is not enough.

Can BCT help after the checklist is finished?

Yes. BCT can help turn checklist gaps into Microsoft 365, Azure, endpoint, backup, network, and documentation tasks with owners and dates.

What is the next step?

Send the current CMMC Level 2 checklist status to BCT and ask for a practical readiness review.

Next step:

Bring the checklist to a focused readiness review. BCT can help identify what is already supportable, what needs cleanup, and which gaps should become owner-assigned tasks before the business spends money on tools or enters a formal assessment conversation.

Request help turning this checklist into a supportable action plan.

