Limit system access to authorized users, processes, and devices.
Free CMMC tool · browser only
CMMC compliance checklist
Review all 110 NIST SP 800-171 Rev. 2 requirements by family, mark Met, Not met, or N/A, track gaps, and print your illustrative CMMC readiness checklist.
Educational checklist — not a C3PAO assessment
How the checklist works
The checklist groups the 110 NIST SP 800-171 Rev. 2 requirements into their 14 control families. Overall and family percentages count Met controls divided by applicable controls; anything marked N/A is excluded from that denominator, and unreviewed controls remain visible.
What to verify before an assessment
The requirement titles here are concise paraphrases, not the full NIST text. Confirm applicability, scoping, evidence, and the current contract requirement against the official publication and your assessor. A status choice is a planning note, not proof that a requirement is satisfied.
Illustrative control set condensed from NIST SP 800-171 Rev. 2 — verify the full requirement text and your scoping against the official publication before an assessment. This educational tool is not a substitute for a C3PAO assessment.
Published references
Open the source material and verify the requirements or values that apply to your situation.
Questions to verify
Frequently asked questions
Does this checklist certify CMMC compliance?
No. It is an educational planning aid and cannot replace an assessment, the full NIST requirement text, or the evidence an assessor will review.
Why does this use NIST SP 800-171 Rev. 2?
The current CMMC program rule incorporates Rev. 2 for Level 2. NIST has published Rev. 3, so verify the requirements named in your contract before relying on any checklist.
Where is my checklist saved?
Selections stay in this browser's local storage. Longlead does not receive them, and this page makes no network request with your answers.
Longlead flags which upcoming DoD projects will trigger CMMC requirements 12–24 months early.
See Longlead Cyber