Self-Assessment Checklist for CMMC Level 2: A Practical Guide for Small and Mid-Sized Manufacturers
If your manufacturing company handles controlled unclassified information (CUI) under a Department of Defense contract, achieving and maintaining compliance with the Cybersecurity Maturity Model Certification (CMMC) Level 2 is essential. The process can seem daunting, but a structured self-assessment lets you find gaps, fix them, and collect the evidence an assessor will ask for before the formal assessment. Here is a straightforward checklist to guide your self-assessment and strengthen your cybersecurity posture.
Understanding CMMC Level 2 Basics
CMMC Level 2 requires implementing the 110 security requirements of NIST SP 800-171 Revision 2, organized into 14 requirement families, to protect CUI. It sits between Level 1, which covers the basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information, and Level 3, which adds requirements from NIST SP 800-172. Level 2 emphasizes documented policies, consistent implementation, and objective evidence that each requirement is in place. Depending on the contract, the assessment is either an annual self-assessment with an executive affirmation or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) that is valid for three years.
Preparing for Self-Assessment
Before diving into the checklist, ensure you have these foundational items ready:
Current cybersecurity policies and procedures, and the System Security Plan (SSP) describing how each NIST SP 800-171 requirement is met. The SSP is itself a requirement (3.12.4) and is the first document an assessor reviews.
Inventory of all systems, devices, software, and people that store, process, or transmit CUI, plus a defined assessment scope (network diagram and CUI data flow) so the boundary of the review is clear.
Evidence of security controls (logs, audit reports, training records, configuration screenshots, signed access reviews).
Access control lists and user permissions, including group memberships on CUI systems.
A Plan of Action and Milestones (POA&M) for gaps you already know about (3.12.2), with owners and target dates.
Self-Assessment Checklist for CMMC Level 2
1. Access Control
Are user accounts unique and assigned to specific individuals? — Verify that no shared or generic accounts are used (NIST SP 800-171 3.1.1); every action on a CUI system must be traceable to one person. Service accounts need a named owner and a documented purpose.
Is multi-factor authentication (MFA) implemented? — Requirement 3.5.3 calls for MFA for network access to all accounts, privileged and non-privileged, and for local access to privileged accounts. Remote access (VPN, RDP, cloud email) and administrator logins must therefore be covered; a password alone is not sufficient for any of them.
Are access permissions regularly reviewed and updated? — Ensure only authorized personnel can reach CUI, enforce least privilege (3.1.5), and remove access promptly on role change or termination. Keep the signed-off review as evidence.
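One way to make the three Access Control checks above repeatable is to run them over an export of your directory. The script below is an added example, not code from the original article; the account export is constructed sample data (in practice you would build the same list from your directory, for example with the Get-ADUser and Get-ADGroupMember cmdlets and the LastLogonDate property), and the field names, generic-name hints, approval list and 90-day threshold are assumptions to adjust to your environment.

```python
"""Access-review helper for the Access Control checklist items.

Added example, not code from the original article. SAMPLE_ACCOUNTS is a
constructed directory export; GENERIC_NAME_HINTS, PRIVILEGED_GROUPS,
APPROVED_CUI_MEMBERS and the stale_days threshold are assumptions.
"""
from datetime import date

# Account names that suggest a shared or generic login rather than a person.
GENERIC_NAME_HINTS = ("admin", "shared", "shop", "floor", "guest", "temp", "test")

# Groups whose members are privileged and must use MFA (NIST SP 800-171 3.5.3).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

# Constructed sample export. owner = the individual accountable for the account
# (None = nobody), groups = directory groups, last_logon = last interactive logon.
SAMPLE_ACCOUNTS = [
    {"name": "jdoe", "owner": "Jane Doe", "groups": ["CUI-Engineering"],
     "last_logon": date(2024, 5, 2), "enabled": True},
    {"name": "shopfloor1", "owner": None, "groups": ["CUI-Production"],
     "last_logon": date(2024, 5, 3), "enabled": True},
    {"name": "rsmith", "owner": "Rob Smith", "groups": ["CUI-Engineering", "Domain Admins"],
     "last_logon": date(2023, 11, 1), "enabled": True},
    {"name": "svc-backup", "owner": "IT manager", "groups": ["Backup Operators"],
     "last_logon": date(2024, 5, 4), "enabled": True},
    {"name": "mlee", "owner": "Mei Lee", "groups": ["CUI-Engineering"],
     "last_logon": date(2024, 1, 15), "enabled": False},
]

# Who the data owner approved for each CUI-handling group at the last review
# (assumed; in practice the signed-off list from the previous access review).
APPROVED_CUI_MEMBERS = {
    "CUI-Engineering": {"jdoe", "mlee"},
    "CUI-Production": set(),
}


def review_accounts(accounts, approved, today, stale_days=90):
    """Return (account, finding_type, detail) tuples for the access review."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        # 3.1.1: every account must be traceable to one accountable individual.
        if acct["owner"] is None or any(h in name.lower() for h in GENERIC_NAME_HINTS):
            findings.append((name, "shared-or-generic",
                             "no individual owner or generic name; assign or remove"))
        # Enabled accounts nobody has used for a long time should be disabled.
        if acct["enabled"] and (today - acct["last_logon"]).days > stale_days:
            findings.append((name, "stale",
                             f"no logon in over {stale_days} days; disable or re-justify"))
        for group in acct["groups"]:
            # Membership in a CUI group that the data owner never approved.
            if group in approved and name not in approved[group]:
                findings.append((name, "unapproved-cui-access",
                                 f"member of {group} but not on the approval list"))
            # Privileged membership: confirm MFA is enforced and access is still needed.
            if group in PRIVILEGED_GROUPS:
                findings.append((name, "privileged",
                                 f"member of {group}; verify MFA and continued need"))
    return findings


def run_sample_review():
    """Run the review over the constructed export as of a fixed date."""
    return review_accounts(SAMPLE_ACCOUNTS, APPROVED_CUI_MEMBERS, today=date(2024, 5, 6))


if __name__ == "__main__":
    for account, kind, detail in run_sample_review():
        print(f"{account:<12} {kind:<22} {detail}")
```

On the sample data the review flags the unowned shop-floor login, an engineer who has not logged on in six months and is not on the approval list, and the two privileged memberships. Keep the dated output with the reviewer's sign-off; that record is the evidence an assessor expects for the access-review requirement.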
2. Identification & Authentication
Are credentials stored and handled securely? — Store and transmit only cryptographically protected passwords (3.5.10), enforce minimum complexity (3.5.7), and prohibit reuse of recent passwords (3.5.8). Never keep plaintext passwords in spreadsheets, scripts, or shared documents.
Are login attempts monitored and limited? — Lock accounts after a defined number of unsuccessful attempts (3.1.8), retain the logon events, and review them for bursts of failures from one source, failures followed by a success from the same source, and attempts against usernames that do not exist.
3. Media Protection
Is CUI stored securely on physical media? — Keep paper and removable media (USB drives, backup tapes, laptops) in safes or locked cabinets, mark them as containing CUI (3.8.4), and control who may take them off site (3.8.5, 3.8.7).
Are media sanitization procedures in place? — Sanitize or destroy media containing CUI before disposal or release for reuse (3.8.3), using methods from NIST SP 800-88 (cryptographic erase, overwrite, degaussing, or physical destruction), and record what was sanitized, how, and by whom.
4. Physical Protection
Are physical access controls implemented? — Badge entry, visitor logs, and alarm systems; escort visitors and keep audit logs of physical access (3.10.3, 3.10.4).
Are sensitive areas clearly marked and monitored? — Limit and monitor access to the rooms and network closets where CUI systems sit, and manage physical keys, badges, and alarm codes as access devices (3.10.5).
5. Awareness & Training
Have all employees received cybersecurity training? — Cover phishing, social engineering, proper handling of CUI, and recognizing and reporting indicators of insider threat (3.2.3); give role-based training to administrators and anyone with elevated access (3.2.2).
Are training records maintained? — Keep dated records showing who completed which training and when; assessors will sample them.
6. Incident Response
Is there an incident response plan in place? — Documented steps covering preparation, detection, analysis, containment, recovery, and user response (3.6.1), exercised periodically, for example with a tabletop exercise (3.6.3).
Are employees trained on incident reporting? — Everyone should know how to report a suspected incident internally, and the plan should name who reports externally: DFARS 252.204-7012 requires reporting cyber incidents affecting covered defense information to DoD within 72 hours of discovery and preserving images of affected systems for at least 90 days.
Are incidents logged and reviewed regularly? — Track and document each incident through to closure and report it to the designated internal and external officials (3.6.2); review closed incidents for lessons that change the plan.
7. Maintenance & System Acquisition
Are systems patched and updated regularly? — Identify, report, and correct flaws in a timely manner (3.14.1) and keep anti-malware protection current (3.14.2, 3.14.4); record the patch cadence and any exceptions, since unpatched legacy shop-floor equipment is a common finding.
Are only approved hardware and software used? — Maintain a deny-by-exception software policy (3.4.8), restrict user-installed software (3.4.9), and control maintenance tools and maintenance personnel, including remote maintenance sessions (3.7.1 through 3.7.6).
8. Configuration Management
Are configurations documented and maintained? — Establish and maintain baseline configurations and inventories of hardware, software, and firmware (3.4.1), and route changes through a change-control process with security impact analysis (3.4.3, 3.4.4).
Are unauthorized changes prevented? — Restrict who can make changes (3.4.5), apply least functionality by removing or disabling nonessential programs, ports, protocols, and services (3.4.6, 3.4.7), and periodically compare running systems to the baseline.
9. Risk Management
Does your organization conduct periodic risk assessments? — Assess the risk to operations, assets, and individuals from processing CUI (3.11.1), and scan for vulnerabilities periodically and whenever new vulnerabilities affecting your systems are identified (3.11.2).
Are mitigation plans in place? — Remediate vulnerabilities in accordance with the risk assessment (3.11.3) and track open items in the POA&M with owners and due dates.
10. System & Communications Protection
Are encryption protocols used for CUI in transit and at rest? — Encrypt CUI in transit (3.13.8) and at rest (3.13.16), and note the caveat in 3.13.11: cryptography used to protect the confidentiality of CUI must be FIPS-validated. Ordinary TLS or disk encryption counts only if the cryptographic module is on the NIST CMVP validated-modules list, so check the module, not just the algorithm.
Are cybersecurity tools in place, such as firewalls and intrusion detection systems? — Monitor, control, and protect communications at the external boundary and key internal boundaries (3.13.1), deny network traffic by default and allow by exception (3.13.6), and monitor systems for attacks and indicators of potential attack (3.14.6).
11. Audit & Accountability
Are audit logs generated and reviewed regularly? — Create and retain logs that allow actions to be traced to individual users (3.3.1, 3.3.2), keep system clocks synchronized to an authoritative time source so events can be correlated (3.3.7), and review and correlate the logs on a defined schedule (3.3.3, 3.3.5) with a focus on access to and modification of CUI.
Are logs protected from unauthorized access? — Protect audit information and logging tools from unauthorized access, modification, and deletion (3.3.8), limit log management to a privileged subset of users (3.3.9), and alert when logging fails (3.3.4). Forwarding logs to a central server that local administrators cannot edit addresses both.
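The Identification & Authentication item "are login attempts monitored?" and the Audit & Accountability item "are audit logs reviewed regularly?" both come down to the same review: reading the logon events and flagging the patterns worth a closer look. The script below is an added example, not code from the original article. Its log lines are constructed samples in OpenSSH syslog format (the hostname is made up); on Windows the same logic applies to Security event IDs 4625 (failed logon) and 4624 (successful logon). The failure threshold and time window are assumptions.

```python
"""Failed-logon review over audit log lines.

Added example, not code from the original article. SAMPLE_LOG is a
constructed sample; the threshold and window in review_logons are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample from a file server holding CUI (hostname is made up).
SAMPLE_LOG = """\
May  6 08:01:12 cuifs01 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May  6 08:01:15 cuifs01 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May  6 08:01:19 cuifs01 sshd[2143]: Failed password for root from 203.0.113.7 port 51024 ssh2
May  6 08:01:22 cuifs01 sshd[2145]: Failed password for jdoe from 203.0.113.7 port 51025 ssh2
May  6 08:01:24 cuifs01 sshd[2147]: Accepted publickey for jdoe from 203.0.113.7 port 51026 ssh2
May  6 08:02:30 cuifs01 sshd[2150]: Failed password for rsmith from 192.168.10.44 port 40210 ssh2
May  6 08:02:31 cuifs01 CRON[2151]: (root) CMD (/usr/local/bin/backup.sh)
May  6 09:15:02 cuifs01 sshd[2201]: Accepted password for rsmith from 192.168.10.44 port 40311 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Turn logon lines into (timestamp, result, user, ip, unknown_user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event (the CRON line, for example)
        stamp = " ".join(m["ts"].split())  # collapse the double space in "May  6"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"], m["invalid"] is not None))
    return events


def review_logons(events, threshold=3, window_s=300):
    """Flag the patterns a reviewer should look at; returns (kind, ip, detail)."""
    findings = []
    failed_by_ip = defaultdict(list)
    unknown_seen = set()
    for ts, result, user, ip, unknown in events:
        if result == "Failed":
            failed_by_ip[ip].append(ts)
            # Attempts against usernames that do not exist are a guessing signature.
            if unknown and (ip, user) not in unknown_seen:
                unknown_seen.add((ip, user))
                findings.append(("unknown-user", ip, f"attempts against non-existent user {user}"))

    # threshold or more failures inside the window: brute force or a locked-out user.
    for ip, times in failed_by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                findings.append(("burst", ip, f"{threshold}+ failed logons within {window_s}s"))
                break

    # A success shortly after failures from the same source: confirm it was the real user.
    for ts, result, user, ip, _ in events:
        if result == "Accepted" and any(
            0 <= (ts - t).total_seconds() <= window_s for t in failed_by_ip.get(ip, [])
        ):
            findings.append(("success-after-failures", ip, f"{user} logged in after failed attempts"))
    return findings


def run_sample_review():
    """Run the review over the constructed log."""
    return review_logons(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, ip, detail in run_sample_review():
        print(f"{kind:<24} {ip:<16} {detail}")
```

On the sample, 203.0.113.7 is flagged three times (a non-existent username, four failures in ten seconds, then a successful key-based login for jdoe), while the single typo-style failure from 192.168.10.44 followed by a success an hour later is not. Running something like this on a schedule, and keeping the dated output and the reviewer's notes, is what "reviewed regularly" looks like as evidence.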
How to Use This Checklist
Go through each item methodically. For each, ask yourself or your team:
Is it fully implemented, partially implemented, or not implemented? (A requirement that is only partly in place is scored as not met.)
If not, what steps are needed to implement it, who owns them, and by when?
What objective evidence proves implementation (a configuration screenshot, a log extract, a signed access review, a training roster)?
Record each answer in the System Security Plan and put the gaps in the Plan of Action and Milestones. The official yardsticks are NIST SP 800-171A, which lists the assessment objectives for each of the 110 requirements, and the DoD Assessment Methodology, which scores a self-assessment from 110 downward with a deduction of 1, 3, or 5 points per unmet requirement; Level 2 self-assessment scores are entered in the Supplier Performance Risk System (SPRS). Prioritize the highest-weighted gaps first (for example unique accounts, MFA, FIPS-validated encryption, and audit logging), because the CMMC rule limits which requirements may still be open on a POA&M at assessment time and requires closing them within 180 days. This checklist is a starting point rather than the full requirement list: the Personnel Security and Security Assessment families are not covered above, so finish the review against all 110 requirements. The process isn't about perfection but continuous improvement. Document your findings thoroughly, and consider consulting cybersecurity professionals specializing in manufacturing compliance if needed.
Final Thoughts
Self-assessment is a powerful tool for understanding where your company stands on CMMC Level 2. It shows whether your cybersecurity practices are actually in place and evidenced, and it prepares you for the formal assessment. By systematically evaluating each area, your manufacturing company can not only meet compliance but also build a resilient defense against evolving cyber threats.
For more detailed guidance, visit the official CMMC website, read NIST SP 800-171 Revision 2 and its companion assessment guide NIST SP 800-171A, or consult cybersecurity experts familiar with manufacturing industry challenges.