The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework represents the most significant shift in defense supply chain cybersecurity requirements in a decade. For Georgia and Florida defense contractors—from precision machining shops in Marietta to electronics manufacturers in Melbourne—the 2026 certification deadline is approaching rapidly.
Why a Readiness Checklist Matters
CMMC Level 2 requires compliance with all 110 security controls defined in NIST SP 800-171 Rev 2. These controls span 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
For mid-market manufacturers, the challenge is not understanding what the controls require—it is knowing where you stand today. Without a structured assessment, gaps remain invisible until a C3PAO assessor discovers them during your formal audit.
The Core12 Approach to CMMC Readiness
This checklist takes each of the 14 control families and breaks them into specific, answerable questions. For each control, you will assess whether your organization has:
- Documented Policy: A written policy addressing the control requirement
- Implemented Practice: An active technical or procedural control in place
- Evidence Available: Artifacts (screenshots, logs, configuration exports) that demonstrate compliance
- Gap Identified: Areas where your current posture does not meet the requirement
Control Family 1: Access Control (AC)
Access Control contains 22 individual controls—the largest family in NIST 800-171. Key areas to assess include:
- Do you limit system access to authorized users, processes, and devices?
- Are user accounts reviewed and validated on a regular schedule?
- Do you enforce separation of duties through distinct accounts and access levels?
- Is remote access controlled through encrypted VPN connections with multi-factor authentication?
- Do you control the flow of Controlled Unclassified Information (CUI) between systems and networks?
Each of these questions maps to specific AC controls. Document your current state, identify gaps, and note the evidence available for each.
Control Family 2: Awareness and Training (AT)
Training requirements are often underestimated. Key questions include:
- Do all personnel receive security awareness training upon onboarding?
- Is security training refreshed at least annually?
- Do personnel with elevated access receive role-specific security training?
- Are training records maintained and available for audit review?
Control Family 3: Audit and Accountability (AU)
Audit logging is critical for demonstrating continuous compliance:
- Are audit logs generated for all system events relevant to security?
- Are audit logs protected from unauthorized modification or deletion?
- Is audit log capacity monitored to prevent data loss from storage exhaustion?
- Do you review and analyze audit logs for indicators of compromise?
Control Family 4: Configuration Management (CM)
Configuration management ensures consistency across your IT environment:
- Do you maintain baseline configurations for all information systems?
- Is a configuration change control process in place and documented?
- Are only essential capabilities and services enabled on production systems?
- Do you track and control changes to firmware, software, and hardware?
The Remaining Control Families
The checklist continues through Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI). Each family receives the same structured assessment approach: policy, practice, evidence, and gap identification.
Scoring Your Readiness
After completing all 14 control families, you will have a clear picture of your CMMC readiness, with each control rated at one of three levels:
Green (Compliant): Controls where you have documented policy, implemented practice, and available evidence. These are audit-ready.
Yellow (Partial): Controls where some elements are in place but gaps exist—typically missing documentation or incomplete technical implementation. These require focused remediation.
Red (Non-Compliant): Controls where no policy, practice, or evidence exists. These represent your highest-priority remediation targets and potential audit failures.
From Checklist to Remediation
Identifying gaps is only the first step. The critical next phase is building a prioritized remediation plan that addresses the highest-risk gaps first while working within your budget and operational constraints.
Core12 offers a complimentary Gap Analysis Review for organizations that complete this checklist. During this session, our CMMC-specialized advisors review your findings, prioritize remediation by risk severity and audit impact, and create a phased implementation roadmap.
The Southeast Defense Corridor
Georgia and Florida host a concentration of defense manufacturing operations that depend on CMMC compliance for contract eligibility. From the aerospace corridor in Marietta and Warner Robins, Georgia to the defense electronics clusters in Melbourne and Tampa, Florida, thousands of mid-market manufacturers face the same challenge: demonstrating cybersecurity maturity to maintain their position in the defense supply chain.
This checklist is designed specifically for these organizations—firms with 25–250 employees that require enterprise-grade compliance without enterprise-grade overhead.
Core12: Your Strategic Partner for Managed IT & Cybersecurity.
