Mako Logics


CMMC Readiness Checklist for Houston manufacturers.

The 20 Level 2 controls that matter most, what evidence assessors actually ask for, and where small Houston shops typically get stuck. Written for manufacturers, machine shops, and industrial suppliers bidding on DoD prime and subcontract work.

Published April 21, 2026. Updated continuously as CMMC rulemaking progresses.

This is informational content, not a CMMC assessment. Mako is not a C3PAO (Certified Third-Party Assessment Organization). We help clients prepare for assessments and coordinate with C3PAOs; we do not issue CMMC certifications.

What CMMC is, in plain English

The Cybersecurity Maturity Model Certification is the DoD’s answer to years of cyber incidents at defense suppliers. If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), the program requires you to implement specific security controls and — depending on the contract — prove it to an independent assessor.

Three levels exist. Most of the real work and most of the pain lives at Level 2, which maps to the 110 practices from NIST SP 800-171. The rulemaking (32 CFR Part 170) established the program; 48 CFR amendments continue to flow through as DoD rolls it into contracts.

Level 1 vs Level 2 — which one is in your contract?

Level 1 (Foundational)

Applies to contractors handling FCI only (no CUI). 15 practices, self-assessment, annual affirmation. If your contract doesn’t flow down CUI, this is probably you — but check the contract language, don’t assume.

Level 2 (Advanced)

Applies to contractors handling CUI. 110 practices from NIST SP 800-171. Most contracts require a C3PAO-led assessment every three years; some allow self-assessment with annual affirmation. This is where almost every small Houston shop bidding on DoD work lands.

The 20 controls that most define your readiness

Every Level 2 assessment touches all 110 practices, but in practice small shops fail on a predictable subset. These are the ones we see bite first. Pass these cleanly and the rest is usually a matter of documentation.

Access Control (AC)

  • AC.L2-3.1.1 — Limit system access to authorized users, processes, and devices
  • AC.L2-3.1.2 — Limit system access to the types of transactions and functions that authorized users are permitted to execute
  • AC.L2-3.1.5 — Employ the principle of least privilege

Identification & Authentication (IA)

  • IA.L2-3.5.3 — Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
  • IA.L2-3.5.7 — Enforce a minimum password complexity and change of characters when new passwords are created

System & Communications Protection (SC)

  • SC.L2-3.13.1 — Monitor, control, and protect communications at external and internal boundaries
  • SC.L2-3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
  • SC.L2-3.13.11 — Employ FIPS-validated cryptography to protect CUI

System & Information Integrity (SI)

  • SI.L2-3.14.1 — Identify, report, and correct system flaws in a timely manner
  • SI.L2-3.14.2 — Provide protection from malicious code at appropriate locations
  • SI.L2-3.14.7 — Identify unauthorized use of organizational systems

Audit & Accountability (AU)

  • AU.L2-3.3.1 — Create and retain system audit logs and records to enable monitoring and investigation of unlawful or unauthorized activity
  • AU.L2-3.3.5 — Correlate audit record review, analysis, and reporting processes for investigation and response

Incident Response (IR)

  • IR.L2-3.6.1 — Establish an operational incident-handling capability
  • IR.L2-3.6.3 — Test the organizational incident response capability

Configuration Management (CM)

  • CM.L2-3.4.1 — Establish and maintain baseline configurations and inventories of organizational systems
  • CM.L2-3.4.2 — Establish and enforce security configuration settings for IT products

Risk Assessment + Security Assessment (RA / CA)

  • RA.L2-3.11.2 — Scan for vulnerabilities in organizational systems and applications periodically
  • CA.L2-3.12.1 — Periodically assess the security controls in organizational systems to determine if they are effective

Evidence your assessor will actually ask for

A CMMC assessment is an evidence review, not a technical audit. If the evidence doesn’t exist, the control isn’t in place — regardless of what’s configured on the system. The artifacts we see requested most:

  • System Security Plan (SSP) covering all 110 practices with specific implementation narratives
  • Plan of Action & Milestones (POA&M) for any gaps
  • Asset inventory with CUI data-flow mapping
  • Network architecture diagram showing CUI enclave boundaries
  • Identity & access management policy + current user-access review records
  • Vulnerability scan reports (recurring, not a one-time screenshot)
  • Incident-response plan + records of at least one tabletop exercise
  • Audit log samples + the review cadence documented
  • Training records for privileged users and workforce
  • FIPS-validated cryptography attestation (with NIST CMVP certificate numbers where applicable)

Where small Houston shops typically get stuck

1. CUI scoping

The biggest money-saver on a CMMC budget is reducing the scope of systems that touch CUI. Shops that try to make their entire corporate network CMMC-compliant pay 5–10x more than shops that build a proper CUI enclave. Get scoping right before spending a dollar on controls.

2. FIPS-validated cryptography, not just FIPS-compliant

The standard explicitly says FIPS-validated. “FIPS mode enabled” on your VPN doesn’t satisfy the requirement unless the specific product has a current NIST CMVP certificate. Many common small-business products don’t.

3. SPRS score timing

DoD requires a current Supplier Performance Risk System (SPRS) score from your NIST 800-171 self-assessment before award. Shops that wait until they win the bid to figure this out lose the contract. Get the SPRS score in place before you respond to the solicitation.

4. MSP and cloud provider boundary

If you use an MSP or a cloud provider, their boundary needs to be documented and their own CMMC posture verified. External Service Providers (ESPs) handling CUI need to meet Level 2 themselves or provide a current FedRAMP Moderate equivalent attestation. This catches shops using shared consumer cloud products.

5. Ongoing evidence, not a point-in-time push

Assessors look at whether your controls have been operating consistently, not whether you had them running the week before the assessment. Backups that were tested every quarter for a year beat backups that were tested twice in the two months before assessment.

Timeline and cost framing

  • CUI scoping + gap analysis: 4–8 weeks. Biggest ROI on your compliance budget.
  • Remediation (closing the gaps): 3–9 months depending on how much legacy infrastructure has to change. Small shops with clean environments move faster.
  • SSP + POA&M authoring: 4–6 weeks, runs in parallel with remediation.
  • Pre-assessment (mock assessment): 2–4 weeks. Highly recommended before spending C3PAO money.
  • C3PAO assessment itself: typically 1–2 weeks on-site + ~4 weeks of report turnaround.
  • Budget framing (small shops): six-figure program all-in once remediation + tooling + assessment fees are counted. Worth knowing before you commit to a DoD pipeline.

How Mako helps Houston manufacturers get CMMC-ready

We map your current environment to the 110 practices, scope a CUI enclave that keeps your compliance footprint small, and stand up the infrastructure to meet the controls — FIPS cryptography, audit logging, configuration baselines, tested backup and incident response. Every one of our TWIC® engineers can work on-site at your facility when that’s what the remediation calls for.

We do not issue the certification itself; we coordinate with a C3PAO for the assessment. We do prepare you to pass, and we stay on after the assessment to keep evidence current for your three-year cycle.