CMMC Phase 2 Readiness Checklist: Score Your Gaps Before November 10

· Infonaligy

134 days until CMMC Phase 2 enforcement. Use this 14-family checklist to calculate your SPRS score and find your gaps before November 10.

CMMC Phase 2 enforcement begins November 10, 2026. That is 134 days from today. If you hold DoD contracts involving Controlled Unclassified Information, you will need a C3PAO third-party assessment to keep bidding on new work. The question most contractors still cannot answer: what is your SPRS score right now, and how many of the 110 NIST SP 800-171 controls are you actually meeting?

This post gives you a control-family-by-control-family checklist to answer that question yourself. Run through it, score your gaps, and you will know exactly where your remediation effort needs to focus. Our existing CMMC deadline guide covers the broader program context and the assessor bottleneck in detail. This post picks up where those stop: the controls themselves.

How SPRS Scoring Works

Your SPRS (Supplier Performance Risk System) score is the DoD’s snapshot of your NIST SP 800-171 compliance. Every defense contractor handling CUI must calculate and submit this score to the SPRS portal. A senior company official must affirm it, and that affirmation carries False Claims Act liability. This is not a formality.

The scoring works by subtraction. Start at 110, which represents a perfect score with all controls implemented. Each unimplemented control subtracts its weighted value: 1, 3, or 5 points depending on the control’s criticality. The minimum possible score is -203, meaning no controls are in place.

Controls weighted at 5 points are the ones the DoD considers most critical to CUI protection, including multifactor authentication, FIPS-validated encryption, and audit logging.

A practical benchmark: if your score is below 88, you likely cannot receive even a Conditional certification, which allows limited use of POA&Ms for gaps you commit to closing within 180 days. If your score is above 88 but below 110, Conditional certification may be possible provided none of your gaps involve 5-weight controls. A clean 110 is the target.

If you have not calculated your SPRS score yet, the checklist below will get you started. If you have a score but have not updated it in the past six months, recalculate. Your environment changes, and your score drifts with it.
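The subtraction method above is easy to get wrong in a spreadsheet once you start tracking which gaps a POA&M may cover. The following scorer is an added example, not the post's or Infonaligy's tooling: it computes the SPRS score from a gap inventory, orders gaps by weight, and classifies the result as certified, conditional, or not ready. The weights for 3.5.3, 3.13.11, 3.3.1, 3.6.3 and 3.8.3 are the values this post gives; the weight for 3.2.1, every implementation status, and the 88-point conditional threshold being inclusive are assumptions made for the example.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110          # every one of the 110 controls implemented
CONDITIONAL_THRESHOLD = 88   # assumption: below 88 no Conditional certification
CRITICAL_WEIGHT = 5          # 5-weight gaps block Conditional and cannot be POA&M'd

@dataclass(frozen=True)
class Control:
    control_id: str      # NIST SP 800-171 control number
    title: str
    weight: int          # 1, 3 or 5 points under the DoD assessment methodology
    implemented: bool

def sprs_score(controls):
    """Start at 110 and subtract the weight of every unimplemented control.
    Controls missing from the inventory count as implemented, so the list
    must contain every known gap for the score to be truthful."""
    return PERFECT_SCORE - sum(c.weight for c in controls if not c.implemented)

def gaps(controls):
    """Unimplemented controls, highest weight first: the remediation order."""
    return sorted((c for c in controls if not c.implemented),
                  key=lambda c: (-c.weight, c.control_id))

def readiness(controls):
    """'certified' at 110; 'conditional' at >= 88 with no 5-weight gap;
    otherwise 'not ready'. Also splits gaps a POA&M may cover from those it may not."""
    score = sprs_score(controls)
    critical = [c.control_id for c in gaps(controls) if c.weight >= CRITICAL_WEIGHT]
    poam_ok = [c.control_id for c in gaps(controls) if c.weight < CRITICAL_WEIGHT]
    if score == PERFECT_SCORE:
        status = "certified"
    elif score >= CONDITIONAL_THRESHOLD and not critical:
        status = "conditional"
    else:
        status = "not ready"
    return {"score": score, "status": status,
            "critical_gaps": critical, "poam_eligible_gaps": poam_ok}

# Constructed inventory: weights for the five post-named controls are the post's;
# the 3.2.1 weight and all implementation statuses are made up for illustration.
SAMPLE_INVENTORY = [
    Control("3.5.3", "Multifactor authentication", 5, implemented=False),
    Control("3.13.11", "FIPS-validated cryptography", 5, implemented=True),
    Control("3.3.1", "Audit event logging", 3, implemented=False),
    Control("3.6.3", "Incident response testing", 3, implemented=True),
    Control("3.8.3", "Media sanitization", 3, implemented=False),
    Control("3.2.1", "Security awareness training", 1, implemented=False),
]
```

Running `readiness(SAMPLE_INVENTORY)` scores 98, which is above the threshold but still "not ready" because the open MFA gap carries a weight of 5; closing that single control is what moves the same inventory to "conditional".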

The 14 Control Families: Your Gap Checklist

NIST SP 800-171 Rev 2 organizes its 110 controls into 14 families. For each family below, we list the control count and the questions your C3PAO assessor will effectively be asking. Every “no” represents a gap in your score. The weight of each gap varies, but every one counts.

1. Access Control (22 controls)

The largest family and the one most organizations underestimate. Key checkpoints:

  • Do all users have unique accounts with role-based access to CUI systems?
  • Is access limited to authorized transactions and functions for each role?
  • Are remote access sessions encrypted and monitored?
  • Do you enforce session timeouts and lock screens on CUI workstations?
  • Is wireless access restricted and authenticated?
  • Are mobile devices connecting to CUI systems managed and controlled?

2. Awareness and Training (3 controls)

Small but frequently cited in assessment findings.

  • Do all employees with CUI access receive security awareness training at least annually?
  • Are managers and system administrators trained on their specific security responsibilities?
  • Do you maintain training records that assessors can review?

3. Audit and Accountability (9 controls)

Assessors verify that you can detect and investigate unauthorized access. Without centralized logging, you have no evidence trail.

  • Are system events logged across endpoints, servers, firewalls, and cloud services?
  • Are audit logs protected from unauthorized modification or deletion?
  • Do you review logs regularly and investigate anomalies?
  • Can you correlate events across systems to trace an incident end to end?
  • Do you retain logs for a defined period (typically six months or longer)?

4. Configuration Management (9 controls)

Baseline configurations and change control for every system in your CUI boundary.

  • Do you maintain documented baseline configurations for all CUI systems?
  • Is a formal change control process in place for system modifications?
  • Are unnecessary services, ports, and protocols disabled?
  • Do you restrict software installation to approved applications?

5. Identification and Authentication (11 controls)

Identity is the perimeter. This family includes several of the highest-weighted controls in the SPRS methodology.

  • Is multifactor authentication enforced for all local and remote access to CUI systems?
  • Do you use FIPS-validated cryptographic modules for authentication?
  • Are passwords enforced with minimum complexity and rotation requirements?
  • Are default passwords eliminated across all devices and applications?
  • Do you authenticate devices before allowing network connections?

6. Incident Response (3 controls)

Only three controls, but assessors probe deeply into each one through documentation review and employee interviews.

  • Do you have a documented, tested incident response plan with assigned roles?
  • Have you conducted a tabletop exercise within the last 12 months?
  • Do you report incidents to the DoD and track them through resolution?

7. Maintenance (6 controls)

Covers both routine and remote maintenance of CUI systems.

  • Is maintenance on CUI systems performed by authorized personnel only?
  • Do you supervise maintenance activities by external vendors?
  • Are maintenance tools controlled and media sanitized before leaving the facility?
  • Is remote maintenance monitored and terminated when complete?

8. Media Protection (9 controls)

CUI lives on more media types than most organizations realize: USB drives, printed drawings, backup tapes, decommissioned hard drives.

  • Do you mark media containing CUI with appropriate designations?
  • Is CUI on digital media encrypted using FIPS-validated encryption?
  • Do you sanitize or destroy media before disposal or reuse per NIST SP 800-88?
  • Is physical transport of CUI media controlled and tracked?

9. Personnel Security (2 controls)

The smallest family. Straightforward but often overlooked in documentation.

  • Do you screen personnel before granting access to CUI systems?
  • Is CUI access revoked promptly when employees transfer or terminate?

10. Physical Protection (6 controls)

Relevant for any facility where CUI is stored, processed, or discussed, including manufacturing floors and engineering workstations. Our manufacturing-specific CMMC guide covers the shop-floor challenges in detail.

  • Is physical access to CUI systems limited to authorized individuals?
  • Do you maintain visitor logs and escort visitors in controlled areas?
  • Are physical access devices (badges, keys, codes) managed and inventoried?
  • Do you monitor the physical facility with alarms, cameras, or guards?

11. Risk Assessment (3 controls)

Assessors want evidence that you actively scan for and evaluate risk on an ongoing basis.

  • Do you conduct periodic risk assessments of your CUI environment?
  • Do you scan for vulnerabilities on a regular schedule and remediate findings?
  • Is vulnerability scanning output reviewed and acted upon, not just archived?

12. Security Assessment (4 controls)

Your System Security Plan and ongoing compliance monitoring live here. The SSP is the single most important document in your assessment.

  • Do you have a current System Security Plan that describes how all 110 controls are implemented?
  • Do you assess your security controls periodically to confirm they are still effective?
  • Do you have a documented remediation plan for deficiencies identified during assessments?
  • Do you monitor your security controls on an ongoing basis, not just at assessment time?

13. System and Communications Protection (16 controls)

The second-largest family. Covers network architecture, encryption, and data flow protections.

  • Do you monitor and control communications at system boundaries (firewalls, proxies)?
  • Is CUI encrypted in transit and at rest using FIPS-validated cryptographic modules?
  • Are publicly accessible systems separated from internal CUI networks?
  • Is your network segmented to isolate CUI processing from general business traffic?
  • Do you use DNS filtering and deny-by-default policies for outbound traffic?
  • Are collaborative computing devices (webcams, microphones) controlled in CUI spaces?

14. System and Information Integrity (7 controls)

Patching, malware protection, and flaw remediation.

  • Do you deploy endpoint protection (EDR) across all CUI systems?
  • Are security patches applied within defined timelines (critical patches within 72 hours)?
  • Do you monitor for unauthorized changes to system configurations?
  • Are spam and malicious content filtered at email and web gateways?
  • Do you receive and act on security alerts from vendors and threat intelligence sources?

Five Controls That Fail Assessments Most Often

Across the 110 controls, a handful account for a disproportionate share of assessment failures. These are the ones to prioritize if you are triaging your remediation effort.

Multifactor authentication (3.5.3, weight 5). MFA must cover all access to CUI systems, not just admin accounts or VPN. Many organizations deploy MFA on their primary identity platform but miss application-level access, shared workstations, or legacy systems that do not support modern authentication protocols. Partial deployment counts as a failure. Every access path to CUI needs MFA, no exceptions.

FIPS-validated encryption (3.13.11, weight 5). CUI must be encrypted at rest and in transit using cryptographic modules validated under FIPS 140-2 or 140-3. Standard TLS and BitLocker may qualify, but you must verify the specific module certificates. “We use encryption” is not sufficient for your assessor. “We use FIPS 140-2 validated module [name and certificate number]” is what they require.

If your organization uses Microsoft 365 for CUI, this typically means GCC High, not standard commercial licensing.

Audit event logging (3.3.1, weight 3). You must capture system events across your entire CUI boundary: endpoints, servers, firewalls, identity providers, and cloud services. A centralized SIEM platform is the standard approach. Assessors will ask to see logs, review retention policies, and confirm that anomalies are investigated. If you cannot produce six months of logs on request, this control fails.

Incident response testing (3.6.3, weight 3). Having an incident response plan on paper is not sufficient. You must test it. A tabletop exercise within the last 12 months satisfies this control. Assessors will interview employees about their roles in the plan and verify that lessons from exercises were incorporated into updates. Our free tabletop exercise template can help you run one this month.

Media sanitization (3.8.3, weight 3). Before reuse or disposal, all media that stored CUI must be sanitized using NIST SP 800-88 guidelines. This includes hard drives, USB drives, backup media, and printed documents. Many organizations have a decommissioning process for servers but forget about the USB drive in the engineering workstation or the CUI printout in the recycling bin.

POA&Ms Will Not Save You at the Last Minute

Plans of Action and Milestones are permitted under CMMC 2.0, but the guardrails are strict. You cannot use a POA&M on any control weighted at 5 points, which includes the critical controls listed above. All POA&M items must be closed within 180 days of your conditional certification. And your overall score must remain at or above the conditional threshold.

A POA&M is a commitment to fix a specific gap on a specific timeline, with named resources and milestones. Assessors evaluate whether your plan is credible. Walking into your C3PAO assessment with a dozen open POA&Ms signals that you are not ready, and that is not a path to certification. We covered the POA&M constraints in detail in our earlier deadline analysis.

Your 134-Day Action Plan

If you start this week, the November 10 deadline is achievable. Here is what each month needs to produce.

July 2026: Score and scope. Calculate your SPRS score using the checklist above. Identify every system, network segment, and data store where CUI lives. Define your assessment boundary.

If you do not already have a qualified MSP or CMMC consultant, engage one now. Start contacting C3PAOs to reserve an assessment slot in October or early November. Scheduling capacity is already tight, and waiting until September means you are joining a waitlist.

August 2026: Remediate and document. Close the highest-weight gaps first: MFA, FIPS encryption, and audit logging. Build or update your System Security Plan to describe how each of the 110 controls is implemented in your specific environment. Begin security awareness training if you have not already. Deploy or configure your SIEM, tighten endpoint protection, and segment your network to isolate CUI systems.

September 2026: Validate and test. Run an internal readiness review against every control. Confirm that your SSP matches the actual environment, because configuration drift between documentation and reality is one of the most common assessment failures. Conduct a tabletop exercise to satisfy incident response testing requirements. Collect evidence artifacts (screenshots, configuration exports, training records, policy documents) organized by control family.

October 2026: Final prep. Run a mock assessment with your MSP or consultant. Close any remaining gaps. Finalize your POA&M for controls that will not be fully remediated by assessment day, and confirm none of those controls carry a weight of 5. Confirm your C3PAO assessment date and logistics.

November 2026: Assessment. Complete your C3PAO assessment and receive your certification determination.

Our 90-day quickstart roadmap breaks down the first three months of remediation in week-by-week detail. If you are a manufacturer dealing with CUI on the shop floor, our manufacturing-specific guide covers the OT segmentation and legacy equipment challenges that make compliance harder for production environments.

Start With a Score, Not a Guess

Every contractor in the defense supply chain will eventually need a number: a SPRS score to post, or a C3PAO certification to show. The organizations that act on a measured gap close faster than those operating on assumptions about their readiness. Run through the checklist above, calculate your score, and identify your highest-weight gaps. If your score is where it needs to be, schedule your C3PAO assessment now while slots remain available. If it is not, 134 days is enough time to close the gaps, but only if you start this week.

Infonaligy supports CMMC readiness for defense contractors across Texas. We run gap assessments against all 110 NIST 800-171 controls, build remediation roadmaps, implement the technical controls, and prepare organizations for C3PAO assessment. If your Dallas-Fort Worth area business handles CUI and you have not started the readiness process, contact us for a gap assessment before the calendar fills up.


Tags: cmmc, compliance, nist-800-171, defense-contractors, sprs