CMMC 2.0 Compliance Checklist for Virginia DoD Contractors [2026]
April 15, 2026 · 11 min read · Metro Point IT Services
If your Virginia business holds a Department of Defense (DoD) contract and handles Controlled Unclassified Information (CUI), CMMC 2.0 compliance is not optional — and the enforcement timeline is now very real. This practical checklist covers the core requirements for CMMC 2.0 Level 2, which applies to the majority of defense subcontractors across Northern Virginia, Hampton Roads, and the broader DMV region.
CMMC 2.0 Timeline
CMMC requirements have been progressively included in DoD contracts since 2023. If you're a defense contractor in Virginia and haven't yet begun your CMMC implementation, you may already be at risk of losing contract eligibility.
Understanding CMMC 2.0 Levels
Level 1 (Foundational): 17 basic cyber hygiene practices from FAR 52.204-21. Annual self-assessment sufficient. Applies to Federal Contract Information (FCI) but not CUI.
Level 2 (Advanced): 110 practices aligned with NIST SP 800-171. Applies to contractors handling CUI. Third-party C3PAO assessment required for most contracts. This is the level most Virginia defense subcontractors need.
Level 3 (Expert): 110+ practices plus NIST SP 800-172 controls. Government-led assessments. Applies to the highest-priority DoD programs.
CMMC 2.0 Level 2 Technical Controls Checklist
- ☐ Access Control (AC): Unique user IDs for every account. Role-based access. Remote access controls. Separation of duties.
- ☐ Awareness & Training (AT): Security awareness training for all personnel. Role-specific training documented.
- ☐ Audit & Accountability (AU): Audit logs created, retained, and reviewed. Logs protected from tampering.
- ☐ Configuration Management (CM): Baseline configurations established. Changes controlled. Security settings applied.
- ☐ Identification & Authentication (IA): MFA enforced for all accounts. Password complexity enforced technically.
- ☐ Incident Response (IR): Incident handling capability established and tested. Incidents tracked and documented.
- ☐ Maintenance (MA): Maintenance activities controlled and logged. Remote maintenance secured.
- ☐ Media Protection (MP): CUI media access limited. Media sanitized before disposal. Media transport controlled.
- ☐ Personnel Security (PS): Personnel screened before CUI access. Access revoked upon termination.
- ☐ Physical Protection (PP): Physical access to CUI systems limited and logged. Visitors escorted.
- ☐ Risk Assessment (RA): Periodic risk assessments conducted. Vulnerabilities scanned and remediated.
- ☐ Security Assessment (CA): Security controls periodically assessed. POA&Ms maintained and tracked.
- ☐ System & Communications Protection (SC): Network traffic monitored. CUI encrypted in transit. Network segmentation implemented.
- ☐ System & Information Integrity (SI): Systems patched promptly. EDR deployed and monitored. Security alerts reviewed.
The System Security Plan (SSP)
The SSP is the cornerstone of CMMC compliance — a comprehensive document describing your system boundary, CUI data flows, and how each of the 110 controls is implemented. During a C3PAO assessment, assessors review your SSP and then verify that documented controls match reality. Discrepancies are findings. Enough findings means failing the assessment.
Common SSP Mistakes
Controls listed as 'implemented' that are only partially implemented. System boundary defined too broadly. No documented evidence of control implementation. SSP not updated after system changes — all common findings in Virginia defense contractor assessments.
Getting Started: CMMC Readiness Path
- Identify your CUI: what data, where it lives, who accesses it, how it flows
- Define your system boundary: all devices and cloud services in scope
- Conduct a gap assessment with a qualified CMMC RP or CCA
- Build your SSP and POA&M for identified gaps
- Remediate gaps — implement missing technical controls
- Engage a C3PAO for formal assessment (budget 3–6 months)
- Maintain compliance: keep SSP current, submit annual affirmations
CMMC Readiness Assessment for Virginia Contractors
Metro Point IT provides CMMC 2.0 gap assessments, SSP development, and technical remediation for Virginia defense contractors. Call (443) 741-0823 for a free initial consultation.
Common CMMC Implementation Mistakes Virginia Contractors Make
After conducting dozens of CMMC gap assessments for Virginia defense contractors, Metro Point IT has observed several recurring mistakes that can significantly delay certification or cause assessment failures:
Mistake 1 — Treating CMMC as a checkbox exercise. CMMC assessors are experienced cybersecurity professionals who can quickly identify the difference between a practice that's genuinely implemented and one that's been documented but not operationalized. An SSP that says 'MFA is implemented' but where assessors find five admin accounts without MFA during testing is an immediate finding.
Mistake 2 — Scoping the system boundary too broadly. Some contractors include every system and cloud service their company uses in their CMMC scope — including systems that never touch CUI. This dramatically increases the remediation cost and assessment complexity. The goal is to define the narrowest accurate boundary that encompasses all CUI processing and storage.
Mistake 3 — Starting the SSP without completing discovery. The SSP must accurately reflect your current environment. Starting documentation before you've fully inventoried your systems, users, data flows, and third-party services produces an SSP that will have gaps — and gaps become findings.
Timeline Reality Check
Most Virginia defense contractors underestimate the timeline to achieve CMMC Level 2 certification. From initial gap assessment to completed C3PAO assessment typically takes 12-18 months for companies starting from scratch. Companies with strong existing IT controls (already using M365 Business Premium with Defender, Intune, and Conditional Access) can sometimes compress this to 6-9 months.
Mistake 4 — Not addressing the supply chain. If you use subcontractors who access your systems or CUI, they may need to meet CMMC requirements as well. Many prime contractors are surprised to discover that their subcontractors' non-compliance creates risk for their own certification.
The bottom line: CMMC 2.0 implementation is a significant undertaking — but it's very achievable with proper planning, the right technical controls, and accurate documentation. Virginia defense contractors who begin the process now, rather than waiting until a contract specifically requires it, will have a significant competitive advantage in the increasingly competitive DoD contracting market. If you have questions about where to start, Metro Point IT offers free CMMC readiness consultations for Virginia contractors at no obligation.
Written by
Metro Point IT Editorial Team
CompTIA A+ & Network+ Certified | Microsoft 365 Solutions Expert | DMV IT Specialists
The Metro Point IT team consists of certified IT professionals with hands-on experience supporting businesses across Maryland, Virginia, and Washington DC.