CMMC 2.0 Phase 1 Checklist: 12 Essential Steps to Avoid Costly Delays in 2026

The CMMC 2.0 Phase 1 Checklist is now a real 2026 compliance priority for many U.S. defense contractors. The Department of Defense says CMMC Phase 1 began on November 10, 2025, and runs through November 9, 2026, and this phase focuses primarily on Level 1 and Level 2 self-assessments. DoD also highlights that contractors need to submit affirmations with their CMMC assessments in SPRS.

If you want to win applicable DoD contracts, this is not just a theoretical framework. Under DFARS Subpart 204.75, contracting officers must check SPRS and cannot award a contract to an offeror that does not have a current CMMC status at the level required by the solicitation for the relevant systems used in contract performance.

Why the CMMC 2.0 Phase 1 Checklist matters in 2026

The CMMC 2.0 Phase 1 Checklist matters because the live program now sits across the DoD CMMC Program, 32 CFR Part 170, and the acquisition rules in DFARS Subpart 204.75. At a practical level, Level 1 is based on the 15 safeguards in FAR 52.204-21, while Level 2 uses the security requirements in NIST SP 800-171 Rev. 2 for protecting CUI in nonfederal systems.

That makes this topic highly valuable for readers searching for real compliance actions instead of generic definitions.

Who should use this CMMC 2.0 Phase 1 Checklist

This CMMC 2.0 Phase 1 Checklist is useful for prime contractors, subcontractors, compliance managers, IT leads, and proposal teams that support DoD work.

For Level 1, the organization must achieve a MET result for all required security requirements, no POA&Ms are permitted, results must be submitted in SPRS, and affirmation is required. For Level 2 self-assessment, the organization can achieve either Conditional or Final status, must submit results in SPRS, and if a POA&M is used, it must meet the rule’s conditions and be closed out within 180 days or the conditional status expires. Level 2 self-assessment also requires affirmation at the time of assessment and annually thereafter.

12-Step CMMC 2.0 Phase 1 Checklist

1. Read the solicitation and confirm the required CMMC level

Start with the solicitation. Under DFARS Subpart 204.75, the contracting officer includes the required CMMC level in the solicitation, and award depends on having the required current status.

2. Identify whether you handle FCI, CUI, or both

Your environment must be classified correctly. Level 1 aligns to the FAR 52.204-21 safeguards for contractor systems handling FCI, while Level 2 aligns to NIST SP 800-171 Rev. 2 for protecting CUI.

3. Define your CMMC assessment scope before you do anything else

The rule is explicit: the CMMC Assessment Scope must be specified prior to assessment. Use the official CMMC Resources & Documentation page and the DoD scoping guides so your scope, asset list, and diagrams all match the systems actually used for the contract.

4. Build a clean inventory of in-scope systems and supporting assets

Document endpoints, servers, cloud services, identity systems, security tools, network diagrams, and system owners. Good scoping and asset documentation reduce confusion later during assessment and SPRS submission.

5. Map your controls to the correct requirement set

For Level 1, map your safeguards to FAR 52.204-21. For Level 2, map your controls to NIST SP 800-171 Rev. 2 and prepare evidence that shows the controls are actually implemented, not just planned.

6. Close obvious gaps before the assessment starts

This is where many teams lose momentum. Level 1 does not allow POA&Ms at all. Level 2 self-assessment can allow a limited POA&M only under the program rules, and any permitted POA&M must be closed through a closeout self-assessment within 180 days.

7. Run a real self-assessment, not a checkbox exercise

For Level 1, the rule says the self-assessment uses the objectives from NIST SP 800-171A that map to the Level 1 requirements. For Level 2 self-assessment, the organization must perform the assessment under the procedures in the rule, score it using the CMMC methodology, and upload the results into SPRS.

8. Prepare your SPRS submission details in advance

For Level 1 and Level 2 self-assessments, the rule lists the core SPRS inputs, including the CMMC level, status date, assessment scope, associated CAGE code(s), and the compliance result or overall score, plus POA&M status where applicable.

9. Submit the assessment results into SPRS

SPRS is the DoD system where vendors submit Level 1 and Level 2 CMMC compliance information and where the acquisition community reviews current status.

10. Submit the affirmation of compliance

Do not stop after the assessment. The rule says affirmations are entered electronically in SPRS, and an affirming official must submit them after the relevant assessment and annually thereafter.

11. Verify subcontractor readiness where relevant

The CMMC program applies to both contractors and subcontractors when they will process, store, or transmit FCI or CUI on unclassified contractor systems in connection with DoD work. Prime contractors should confirm supply-chain readiness early, not after proposal submission.

12. Put the CMMC 2.0 Phase 1 Checklist on a governance calendar

Treat this as an ongoing compliance program, not a one-time scramble. Level 1 self-assessments must be refreshed annually, Level 2 self-assessments must be refreshed every three years, and affirmations must stay current. That makes recurring governance, evidence maintenance, and executive ownership essential.

Common mistakes to avoid

The biggest mistake is assuming every 2026 opportunity works the same way. The solicitation controls the required level, and DoD acquisition rules require a current status in SPRS at the required level for award. Another common mistake is treating Level 1 like Level 2. Level 1 requires every requirement to be met with no POA&M, while Level 2 self-assessment has a limited conditional path under strict rules.

A third mistake is forgetting the affirmation. The rule is clear that affirmations are not optional paperwork; they are part of maintaining current status.

CMMC 2.0 Phase 1 Checklist FAQ

Is CMMC Phase 1 already live?

Yes. DoD says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments.

Are POA&Ms allowed in the CMMC 2.0 Phase 1 Checklist process?

For Level 1, no. For Level 2 self-assessment, only limited POA&M use is allowed under the rule, and closeout must happen within 180 days or the conditional status expires.

How often do contractors need to reassess?

Level 1 self-assessment is annual. Level 2 self-assessment is every three years, with affirmations remaining annual.

Where are results and affirmations submitted?

They are submitted in SPRS. The SPRS CMMC portal is the official place for vendors to enter Level 1 and Level 2 data, and the rules require affirmations to be completed there.

Final Thoughts

A strong CMMC 2.0 Phase 1 Checklist page can perform well because it matches live search intent: defense contractors want a practical checklist that helps them scope correctly, assess correctly, submit correctly, and avoid losing awards over preventable compliance mistakes. This is the kind of topic that fits naturally with your existing internal cluster around compliance, reporting timelines, and response deadlines.
