
The CMMC Level 2 Documentation Checklist

Every document a CMMC Third-Party Assessment Organization (C3PAO) will ask for during a Level 2 assessment, grouped by what it proves and when you need to produce it.

Assessors do not start with interviews. They start with a document request list sent two to four weeks before the site visit. The completeness and organization of your response to that list sets the tone for the entire assessment. This checklist covers every artifact commonly requested.

01 Core governance documents

System Security Plan (SSP); Plan of Action & Milestones (POA&M); information security policy; acceptable use policy; data classification policy; incident response plan; business continuity plan; configuration management plan; risk assessment report; audit and accountability plan; personnel security plan; media protection policy; physical protection policy; maintenance policy; vendor risk management policy.

02 Scoping and inventory

Network topology diagrams showing the CMMC assessment boundary; data flow diagrams for CUI; asset inventory with CUI-handling designations; user and role inventory including external users; system component inventory with configuration baselines; authorization boundary diagram; shared responsibility matrix for each cloud service provider (CSP) in scope.

03 Operational evidence

Access control lists and role-based access control (RBAC) matrices; audit log samples showing monitored events; vulnerability scan reports with remediation evidence; patch management logs; MFA enrollment reports; conditional access policy exports; training completion records with dates; onboarding and offboarding checklists.

04 Physical and personnel

Facility access logs; visitor logs; physical walkthroughs with photos (door locks, labels, signage, cabling); CUI marking examples; background check records; non-disclosure agreements; termination checklist records; media sanitization records.

05 Incident and continuity

Tabletop exercise reports; incident response test records; backup verification logs; recovery time objective (RTO) validation; last full disaster recovery exercise report; DC3 (DoD Cyber Crime Center) incident report history, if any incidents have been reported under DFARS 252.204-7012.
