14 CMMC Templates Annotated With Tips from Security Experts

Prepare for CMMC assessments with ready‑to‑edit templates that simplify documentation and evidence collection. This guide brings together every CMMC domain template in one place so that you can download, customize, and build assessment‑ready documentation faster and with less guesswork.

Article summary:

Editable CMMC templates cover every required domain and are organized by Level 1, Level 2, and Level 3. Each template helps document real security practices with example evidence, expert tips, and common pitfalls. Level 1 materials support self-assessments for protecting FCI, while Level 2 templates align to NIST SP 800-171 for safeguarding CUI. Level 3 resources build on Level 2 using selected NIST SP 800-172 requirements. Evidence collection and validation are streamlined through centralized documentation, control mapping, and organized artifacts such as SSPs and POA&Ms.

CMMC templates help you document your security program clearly, consistently, and in a format that supports CMMC assessments. These templates cover the required practices across the applicable CMMC domains: six for a Level 1 self-assessment and all 14 for Levels 2 and 3.

Our CMMC certification document templates are fully editable, allowing you to tailor them to your environment while remaining aligned with FAR 52.204-21 (Level 1), NIST SP 800-171 Rev. 2 (Level 2), and selected NIST SP 800-172 requirements (Level 3). The templates include expert guidance, examples of the practical evidence typically expected during reviews, and notes on common mistakes.

CMMC Access Control template

Access Control (AC) is a core part of the CMMC templates because it governs who can access systems, data, and resources, and under what conditions. It protects Federal Contract Information (FCI) in Level 1 and Controlled Unclassified Information (CUI) in Levels 2 and 3 by limiting exposure, preventing unauthorized use, and enforcing least privilege.

The Access Control Policy template provides a structured foundation for organizations to document real-world access practices clearly and consistently.

What the CMMC Access Control policy template helps you define:

  • Account creation, approval, review and removal processes: Define how accounts are requested, approved, provisioned and disabled when people change roles or leave. Include who owns approvals, what evidence is retained (tickets/logs) and how often accounts are reviewed for continued need.

  • Role-based access and separation of duties: Use roles and groups to grant consistent access based on job function, then split high-risk tasks so one person can’t request, approve and execute the same action. Document the role matrix and any compensating reviews for small teams.

  • Least privilege and privileged account restrictions: Limit users and services to the minimum access needed for their work. Tighten who can hold admin rights, require non-admin accounts for daily tasks and audit privileged actions. Clearly list which roles can manage security tools and configurations.

  • Login limits, session locks, and session-termination rules: Set thresholds for failed login attempts, define lockout duration, and require re-authentication after inactivity. Also, establish maximum session lengths. Make sure the values you document match what your directory, VPN and key apps actually enforce.

  • Remote, wireless, mobile, and external system access controls: Specify which remote access methods are allowed (VPN/VDI/zero-trust), require encryption and MFA, and restrict privileged actions remotely. Define wireless standards, mobile device management/encryption expectations and how you approve and verify security for external systems.

  • System use banners, public content controls, and information-sharing rules: Standardize login banners that notify users of monitoring and acceptable-use policies. Control who can publish public content and require reviews to prevent exposure of nonpublic data. Define how staff share information safely using labels, approvals and protective tooling.

Download the CMMC Access Control template


The CMMC Access Control template helps you define who gets access to FCI or CUI, how that access is approved, and how it’s reviewed over time.

Download the CMMC Access Control Policy template

Awareness and Training template for CMMC

CMMC Security Awareness and Training (AT) requirements focus on ensuring people understand their security responsibilities before mistakes become incidents. This domain protects systems by reducing human risk through consistent education. The Awareness and Training templates provide a structured, customizable policy that aligns training frequency, roles and records with NIST requirements.

The CMMC Awareness and Training template covers:

  • Security awareness training for all users: Establishes baseline training for every system user, covering topics such as phishing, password hygiene, and incident reporting. This ensures all personnel understand how their daily actions affect the security of controlled information.

  • Role-based security training: Provides targeted training for users with elevated or specialized responsibilities, such as administrators, developers or security staff. Training is delivered before access is granted and refreshed regularly to match system or role changes.

  • Insider threat awareness: Trains users to recognize and report potential insider threat indicators, including unusual behavior or policy violations. This helps organizations detect risks early while reinforcing safe, confidential reporting channels.

  • Physical security and environmental controls training: Ensures personnel responsible for facilities and physical safeguards understand how to operate and maintain controls like access systems, alarms and monitoring equipment that protect systems and data.

  • Practical security exercises: Reinforce training through simulations such as phishing tests, tabletop scenarios or secure coding exercises. These exercises connect theory to real-world situations and help validate user readiness.

  • Training records and retention: Defines how training completion is tracked, monitored and retained. Maintaining accurate records supports audit readiness and demonstrates that required awareness and role-based training are consistently enforced.

Download the Awareness and Training template for CMMC


The CMMC Awareness and Training template helps ensure that everyone who uses your IT systems gets the right level of security awareness and role-based training.

Download the CMMC Awareness and Training template

Audit and Accountability template for CMMC

Audit and Accountability (AU) controls in CMMC ensure systems consistently log, protect, and review security-relevant activity, enabling organizations to detect misuse, investigate incidents, and demonstrate compliance. These templates help standardize logging expectations, review practices and retention rules. They provide a clear structure without overcomplicating day-to-day operations.

The CMMC Audit and Accountability template includes these key subjects:

  • Auditable event definitions and log sources: Defines which system activities must be logged, such as logins, privilege changes and configuration updates, and maps them to specific systems like directories, firewalls, applications and cloud services.

  • Audit record content and time synchronization: Specifies required log details, including user identity, timestamps, source, outcome and affected objects, while ensuring system clocks are synchronized so events can be accurately correlated during investigations.

  • Log storage, retention and capacity management: Establishes how long audit records are retained, where they are stored and how capacity is monitored to prevent data loss while supporting regulatory, legal and incident response needs.

  • Audit review, analysis, and reporting processes: Defines how often logs are reviewed, what constitutes suspicious or inappropriate activity, and which roles are responsible for analysis, escalation, and documented follow-up actions.

  • Protection of audit data and privileged access controls: Restricts access to audit logs and logging configurations to authorized personnel only, protecting records from tampering, deletion or unauthorized disclosure.

  • Failure handling, alerts and recovery actions: Outlines how systems respond to logging failures, including real-time alerts, fallback actions and recovery steps to ensure audit coverage is maintained during system issues.

Download the Audit and Accountability template for CMMC


The CMMC Audit and Accountability template helps you set expectations for what gets logged, how often logs are reviewed, how long records are retained, and who receives alerts when auditing fails.

Download the CMMC Audit and Accountability template

Configuration Management template for CMMC

Configuration Management (CM) under CMMC means keeping systems documented, controlled, and secure as they change. It protects CUI by ensuring approved configurations, controlled changes and accurate inventories. The template can also support the creation of a Digital Security Program (DSP), offering a broader structure for managing evolving configurations, updates, and controls.

The CMMC Configuration Management template includes:

  • Secure Baseline Configurations (SBC) and version control: Defines approved, secure configurations for systems and ensures a documented baseline exists, is reviewed regularly, and can be rolled back if changes introduce risk or instability.
  • Change control and approval processes: Establishes how system changes are requested, reviewed, approved, tested and documented, with security impact considered before changes reach production.
  • Access restrictions for making changes: Limits who can modify system configurations using role-based access, privileged access management and physical controls tied to approved responsibilities.
  • Least functionality and service minimization: Requires disabling unnecessary ports, protocols, services and software to reduce attack paths and unauthorized system behavior.
  • Software usage and licensing controls: Governs how licensed software is tracked and used, preventing unauthorized copying, distribution or peer-to-peer sharing.
  • User-installed software restrictions: Controls whether users can install software, how exceptions are approved and how compliance is monitored to prevent unapproved applications.

Download the Configuration Management template for CMMC


The CMMC Configuration Management template will help you define how your organizational systems are inventoried, hardened, changed, and monitored to stay secure and consistent.

Download the CMMC Configuration Management template

Identification and Authentication template for CMMC

Identification and Authentication (IA) controls focus on proving who is accessing systems and ensuring they are allowed to do so. CMMC requires strong identity verification, secure authentication, and consistent credential management to protect CUI. This template provides a clear, auditable structure aligned with NIST controls, while remaining flexible enough to match how your systems and users actually operate. When implemented as part of an organization’s broader Information Assurance Program (IAP), these controls support formal verification of identity protections before systems are authorized for use and placed into production.

The CMMC Identification and Authentication template covers:

  • Unique user and device identification: Ensures every user, service and device is uniquely identified before access is granted, preventing shared identities and reducing accountability gaps across systems.

  • Multifactor authentication (MFA) enforcement: Requires MFA for local and network access to privileged accounts, and for network access to non-privileged accounts, significantly reducing the risk of credential theft and unauthorized entry.

  • Device authentication and network admission: Verifies that only approved, authenticated devices can connect to organizational networks using certificates, MDM enrollment, or network access controls, with validation and approval performed through frameworks like the Information Assurance Program (IAP) before operational use.

  • Identifier lifecycle management: Defines how user and device identifiers are approved, assigned, disabled after inactivity and protected from reuse to reduce misuse and orphaned accounts.

  • Authenticator management and password standards: Establishes rules for password strength, MFA tokens, credential issuance, rotation, revocation and secure storage to protect authentication secrets.

  • Protection of authentication feedback: Limits system responses during login attempts to avoid exposing sensitive details that could help attackers exploit authentication mechanisms.

  • Cryptographic and third-party credential authentication: Ensures authentication mechanisms rely on FIPS-validated cryptographic modules (e.g., Cryptographic Module Validation Program (CMVP)-validated implementations) and trusted external identity credentials, such as PIV or FICAM-approved solutions, when applicable.

Download the Identification and Authentication template for CMMC

The CMMC Identification and Authentication template defines how users and devices are verified before accessing systems, with rules for MFA, credential management, and privileged access.

Download the CMMC Identification and Authentication template

Incident Response template for CMMC

Incident Response (IR) under CMMC means detecting, containing, investigating, and recovering from security incidents that could affect sensitive data and systems. It protects organizational operations and reporting obligations. This template provides a structured, NIST-aligned framework that helps teams respond consistently, document actions and demonstrate readiness during assessments.

Key subjects covered in our CMMC Incident Response template include:

  • Incident response roles, training, and exercises: Defines who participates in incident response, how quickly they must be trained, and how simulations and tabletop exercises reinforce real-world readiness across technical, operational, and leadership roles.

  • Incident detection, handling and lifecycle management: Outlines a complete response process, from preparation and detection through containment, eradication, recovery and lessons learned, ensuring incidents are handled methodically and improvements are captured.

  • Incident monitoring and automated tracking: Describes how tools such as SIEM, EDR and ticketing systems are used to identify, log, track and analyze incidents from initial alert through closure.

  • Incident reporting and escalation requirements: Establishes clear timelines and channels for reporting incidents, both internally and externally, aligned with contractual, regulatory, and customer notification obligations.

  • Incident response assistance and support channels: Identifies the central support function users contact to report incidents and receive guidance, ensuring rapid access to qualified responders during security events, using frameworks such as the Continuity of Operations Plan (COOP).

  • Incident response planning, review and maintenance: Covers how the incident response plan is approved, distributed, reviewed, updated and protected through instructions like the Cybersecurity Standardized Operating Procedures (CSOP), so it remains current, owned and usable when incidents occur.

Download the Incident Response template for CMMC


The CMMC Incident Response template helps you develop an Incident Response Plan.

Download the CMMC Incident Response template

Maintenance template for CMMC

CMMC Maintenance (MA) controls focus on keeping systems reliable and secure throughout their lifecycle by governing how repairs, updates, and servicing are performed. This template will help you document controlled maintenance practices, protect systems during servicing and align maintenance activities with NIST requirements while being practical to implement.

The CMMC Maintenance template covers:

  • Controlled maintenance activities and records: Defines how maintenance is scheduled, approved, documented, and reviewed, including on-site and off-site repairs. Ensures systems are serviced consistently, records are retained, and security controls are checked after maintenance is completed.

  • Maintenance tools approval and inspection: Establishes rules for approving, monitoring, and inspecting tools used during maintenance. This reduces the risk of introducing malicious software or unauthorized changes through diagnostic tools, removable media, or remote support utilities.

  • Nonlocal and remote maintenance controls: Documents how remote maintenance sessions are authorized, authenticated, monitored, and terminated. Helps ensure vendors and technicians use secure connections, strong authentication, and logging when performing maintenance from outside facilities.

  • Maintenance personnel authorization and supervision: Identifies who is allowed to perform maintenance, how they are authorized, and when supervision or escorts are required. This limits system exposure by ensuring only trusted, qualified personnel have access during maintenance activities.

  • Equipment sanitization before off-site repair: Requires removing sensitive data from systems or media before equipment leaves the facility. Protects controlled information from exposure when devices are repaired, replaced, or serviced by external vendors.

  • Timely maintenance and service-level expectations: Aligns maintenance response times with defined SLAs and system owner expectations. Helps ensure repairs, spare parts, and support are available quickly enough to reduce operational disruption and security risk.

Download the Maintenance Template for CMMC


The CMMC Maintenance template helps organizations control how systems are serviced, repaired, and supported without introducing security risk.

Download the CMMC Maintenance template

Media Protection template for CMMC

CMMC Media Protection (MP) focuses on how sensitive data is handled when stored, moved, reused or destroyed. It safeguards CUI from loss, theft or improper disclosure through physical and digital media. This template provides clear rules, customization points, and an audit-ready structure aligned with NIST media protection requirements.

The CMMC Media Protection template includes these key topics:

  • Media access and labeling controls: Defines which roles may access specific media types and how media must be labeled with handling and distribution markings to prevent misuse or accidental exposure of sensitive information.

  • Secure media storage requirements: Establishes controlled storage areas, assigns custodians, and implements protection methods to ensure media remains secure until properly sanitized or destroyed.

  • Media transport and handling procedures: Describes how media is transported, who can move it and how transport activities are logged to maintain full chain of custody.

  • Media sanitization and destruction standards: Specifies approved sanitization methods, such as those in NIST SP 800-88, to ensure data is unrecoverable before media is reused, released, or destroyed.

  • Unapproved media use restrictions: Prohibits the use of unauthorized or unsecured media on organizational systems; reinforces technical controls and disciplinary enforcement tied to acceptable use policies.

Download the Media Protection Template for CMMC


The CMMC Media Protection template helps you set rules for how your organization controls, stores, transports, sanitizes, and disposes of media containing sensitive information.

Download the CMMC Media Protection template

Personnel Security template for CMMC

Personnel Security (PS) in CMMC is about managing human risk across the employee lifecycle – from hiring to role changes and separation. These controls protect systems and sensitive data by ensuring only trusted, authorized individuals have access. The Personnel Security templates translate CMMC and NIST requirements into practical HR, IT and security processes that are easy to apply and enforce consistently.

The CMMC Personnel Security template helps organizations address:

  • Position risk categorization and screening: Roles are categorized by risk level to determine what level of background check and screening is required. This ensures that higher-risk positions receive deeper screening and that hiring practices align with legal and regulatory requirements.

  • Personnel screening and rescreening: Background checks take place before access is granted and repeated when defined conditions are met. This reduces insider risk by ensuring continued trustworthiness as roles, responsibilities or risk levels change.

  • Termination and offboarding controls: Access is revoked immediately when employment ends; credentials are disabled; assets are recovered; and exit interviews reinforce ongoing security obligations. This prevents unauthorized access after separation.

  • Transfers and role changes: Access rights are reviewed and adjusted when employees move roles to prevent privilege buildup. This ensures employees only have access required for their current role.

  • Access agreements and acknowledgments: Employees and contractors agree to comply with acceptable use, nondisclosure, and security responsibilities. Regular re-acknowledgment keeps expectations clear and enforceable as policies change.

  • Third-party personnel security: Contractors and service providers are held to the same personnel security requirements as employees, including notification of personnel changes. This extends internal security to external partners with system access.

  • Personnel sanctions and accountability: A formal process defines consequences for security violations. Clear sanctions promote accountability and ensure consistent handling of policy breaches across the organization.

Download the Personnel Security Template for CMMC


The CMMC Personnel Security template helps you define how people are screened, granted access, moved, and offboarded.

Download the CMMC Personnel Security template

Physical Protection templates for CMMC

Physical Protection (PE) under CMMC focuses on preventing unauthorized physical access to systems, equipment and facilities that store or process sensitive data. These templates help you document how spaces are secured, monitored and maintained, aligning daily facility operations with NIST physical and environmental protection requirements.

Key areas in our CMMC Physical Protection template include:

  • Facility access authorization and reviews: Who can enter offices, server rooms, and restricted areas; how access is approved, issued, reviewed, and revoked; and how changes such as terminations or role changes are updated promptly.

  • Physical access controls and visitor management: Badges, locks, guards, cameras, and visitor escort procedures to control entry, monitor movement, and reduce risks such as tailgating or unauthorized access.

  • Monitoring, logging and visitor records: How physical access logs and visitor records are retained, reviewed and investigated to detect suspicious activity and support incident response.

  • Protection of equipment, cabling and output devices: Securing network closets, cabling, power systems, printers, monitors and other devices so sensitive information can’t be viewed, removed or damaged without authorization.

  • Environmental safeguards and emergency preparedness: Fire detection and suppression; emergency power, lighting, temperature, humidity, and water-damage controls to keep systems available and protected during adverse conditions.

  • Alternate work site and delivery controls: Security expectations for home offices or secondary sites, and how equipment deliveries, removals, and staging areas are authorized, logged, and supervised.

Download the Physical Protection template for CMMC


The CMMC Physical Protection template covers how facilities, equipment, and supporting infrastructure are secured against unauthorized access, damage, and disruption.

Download the CMMC Physical Protection template

Risk Assessment template for CMMC

Risk Assessment (RA) in CMMC focuses on identifying threats, vulnerabilities, and potential impacts on systems that handle sensitive data, including CUI. It helps you prioritize security actions based on real risk, using frameworks such as the Cybersecurity Risk Management Program (RMP) or Governance, Risk & Compliance (GRC), and databases such as the Common Vulnerabilities and Exposures (CVE). These assessments often feed into broader efforts such as a Cybersecurity & Data Protection Program (CDPP), where organizational risk posture is formally documented.

This template provides a NIST-aligned structure for documenting risk activities, assessment cadence and remediation expectations that auditors can follow.

Our CMMC Risk Assessment template covers:

  • Security categorization of systems and data: How systems and data are classified based on sensitivity and impact, so the right controls are applied consistently and documented by system owners.

  • Formal risk assessment methodology and cadence: How risks are identified, analyzed and scored, including likelihood and impact, and how often assessments are performed and who reviews the results.

  • Risk documentation and stakeholder reporting: Assessment results are captured in a risk register or report, shared with leadership, and used to inform security and business decisions.

  • Change-driven and periodic risk updates: Triggers for updating risk assessments, such as system changes, new threats or environmental shifts, in addition to the regular assessment cadence.

  • Vulnerability scanning and analysis processes: How vulnerability scans are conducted, reviewed and tied back to overall risk using approved tools and procedures.

Download the Risk Assessment template for CMMC


The CMMC Risk Assessment template helps you define how risks are identified, analyzed, documented, and reviewed across systems that handle sensitive data.

Download the CMMC Risk Assessment template

Security Assessment template for CMMC

CMMC security assessments focus on verifying safeguards are implemented, working as intended and reducing risk over time. These templates help standardize assessments, authorizations and monitoring activities and align with NIST 800-53 CA controls and CMMC requirements.

The Security Assessment template covers:

  • Security assessment planning and execution: How assessments are scoped, performed and documented, which controls are tested, who performs the assessment and how results are validated before being shared with system owners and leadership.

  • Assessment frequency and reporting: How often systems are assessed based on criticality and change activity, and how findings are formally captured in assessment reports and delivered to decision-makers.

  • System interconnections and agreements: How internal and external system connections are approved, secured and reviewed, including interface details, security requirements and formal interconnection security agreements where required.

  • Plans of Action and Milestones (POA&Ms): A structured way to track weaknesses, assign remediation ownership, prioritize risk and monitor progress until issues are resolved or formally accepted.

  • Continuous monitoring and metrics: How ongoing monitoring is performed using defined metrics, reporting cadences and response actions to ensure security posture is maintained between assessments.

Download the Security Assessment Template for CMMC


The CMMC Security Assessment template helps you define how systems are formally assessed, authorized, and continuously monitored for risk across their lifecycle.

Download the CMMC Security Assessment template

System and Communication Protection template for CMMC

In CMMC, System and Communication Protection focuses on keeping sensitive data secure as it moves across networks and resides within systems. That means strong boundaries, secure connections, resilient services and encryption you can prove. This template gives you a structured, editable policy mapped to NIST SC controls with clear bracketed fields so you can fill in technologies, owners and timeouts based on how your team actually runs security.

Our CMMC System and Communication Protection template covers:

  • Application partitioning (admin vs. user functions): Separates everyday user activity from system management tools, preventing regular accounts from accessing admin consoles or privileged interfaces. In practice, this means dedicated admin accounts, jump hosts, management networks and tightly scoped access to directory, firewall and cloud consoles.

  • Boundary protection and segmentation: How you monitor and control traffic at the external edge and inside the network (like DMZ-to-internal boundaries). The goal is to limit exposure, route traffic through managed interfaces, and ensure only approved pathways exist, supported by firewalls, gateways, proxies, IDS/IPS, and documented rules.

  • Transmission confidentiality and integrity: Minimum requirements for protecting data in transit—internally and externally—using approved secure protocols and configurations. This is where you document what must be encrypted (e.g., CUI), which standards you follow (TLS/VPN/SSH), and how you prevent the use of weak or legacy protocols.

  • Cryptography and key management: How encryption is used and how keys are generated, stored, accessed, rotated, backed up and destroyed. Auditors want to see that encryption is managed through a repeatable lifecycle (often with KMS/HSM, access controls and defined rotation rules).

  • Session protection and network disconnect rules: Session authenticity (protecting sessions from hijacking) and inactivity timeouts for network sessions and applications. Good policies tie these limits to risk and explain enforcement points, VPN idle timeouts, reverse proxy settings, SSO token lifetimes and administrative session controls.

  • Protection of information at rest and shared resources: What data must be protected on endpoints, servers, databases, backups and cloud storage and how you avoid leakage from shared components (like multi-tenant platforms, VDI, temporary directories or decommissioned storage). Expect evidence like encryption settings and sanitization procedures.

Download the System and Communication Protection template for CMMC


The CMMC System and Communication Protection template lays out how your organization safeguards networks, systems, and data as they move and connect.

Download the CMMC System and Communication Protection template

System and Information Integrity template for CMMC

System and Information Integrity focuses on keeping systems reliable, secure and free from unauthorized changes. CMMC requires organizations to detect flaws, malware and suspicious activity quickly. Our template gives you structured, assessor-ready policies you can customize to your tools, timelines and risk tolerance.

The System and Information Integrity template covers:

  • Flaw remediation and patch management: How vulnerabilities are identified, prioritized, tested, and remediated within defined timeframes under a process such as a Vulnerability & Patch Management Program (VPMP), so that systems stay protected against known weaknesses and patching is coordinated with change and configuration management.

  • Malware and malicious code protection: Endpoint, server, and gateway protections such as EDR, antivirus, and email filtering, including update schedules, scanning rules, quarantine actions, and response steps when malware or false positives are detected.

  • System monitoring and detection capabilities: Logging, intrusion detection and continuous monitoring to identify attacks, unauthorized access and abnormal behavior while protecting monitoring data and adjusting visibility during periods of high risk.

  • Security alerts and advisories handling: How external threat intelligence, vendor advisories and internal alerts are received, evaluated and distributed to the right roles with defined response timelines and accountability for acting on critical security directives.

  • Software, firmware and data integrity checks: Integrity verification methods like file integrity monitoring and code validation, when checks occur and how unauthorized changes trigger investigation and incident response activities.

  • Spam protection and input validation controls: Protections against unsolicited messages and malicious inputs by validating data, preventing injection attacks, auditing overrides and ensuring predictable system behavior when invalid or suspicious input is received.
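
The integrity-check item above expects you to say how file integrity monitoring runs and how an unauthorized change is surfaced, and the monitoring item expects monitoring data itself to be protected. As an added example (not code from the template or from Strike Graph), the script below shows both in one place: it hashes a directory tree into a baseline manifest, seals the manifest with an HMAC so the stored baseline cannot be quietly edited to hide a change, and on the next scan reports added, removed and modified files. The sample tree, file contents and demo key are constructed for illustration; a real deployment keeps the key in a KMS, HSM or secret store and the manifest off the monitored host.

```python
"""Baseline-and-compare file integrity check with a tamper-evident manifest.

Added example for this article; not code from the template or from
Strike Graph. It hashes a directory tree into a manifest, seals the
manifest with an HMAC so monitoring data cannot be quietly edited, and
reports added / removed / modified files on the next run. The key and
the sample tree below are constructed for the demo; a real deployment
keeps the key in a KMS/HSM or secret store and the manifest off-host.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def _canonical(digests: dict[str, str]) -> bytes:
    # Fixed key order and separators so the HMAC covers one unambiguous encoding.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(digests: dict[str, str], key: bytes) -> str:
    """Serialize the baseline with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return json.dumps({"files": digests, "hmac": tag})


def open_manifest(text: str, key: bytes) -> dict[str, str]:
    """Return the baseline, or raise if the manifest was altered or the key is wrong."""
    doc = json.loads(text)
    expected = hmac.new(key, _canonical(doc["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: baseline tampered or wrong key")
    return doc["files"]


def manifest_trusted(text: str, key: bytes) -> bool:
    """Convenience wrapper for callers that want a boolean instead of an exception."""
    try:
        open_manifest(text, key)
        return True
    except ValueError:
        return False


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a sealed baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> tuple[dict[str, list[str]], bool]:
    """Constructed scenario: baseline a tree, drift it, then try to forge the baseline."""
    key = b"demo-only-key-replace-with-kms-managed-secret"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        manifest = seal_manifest(hash_tree(root), key)

        # Unauthorized changes after the baseline: config edited, file dropped, file removed.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "dropper.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        report = compare(open_manifest(manifest, key), hash_tree(root))

        # An attacker who edits the stored baseline to hide the change is caught by the HMAC.
        forged = json.loads(manifest)
        forged["files"]["etc/sshd_config"] = hash_tree(root)["etc/sshd_config"]
        tamper_detected = not manifest_trusted(json.dumps(forged), key)
    return report, tamper_detected


if __name__ == "__main__":
    drift, caught = demo()
    for kind, paths in drift.items():
        print(f"{kind}: {paths}")
    print("forged baseline rejected:", caught)
```

In the policy, the scan schedule (for example, hourly via cron or a systemd timer on in-scope hosts), the set of monitored paths, and the rule that any non-empty report opens a ticket under the incident response procedure are what the assessor will read; the sealed manifests and the dated reports are the evidence that it actually runs.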

Download the System and Information Integrity template for CMMC

The System and Information Integrity template helps you document how systems stay trustworthy through patching, malware protection, monitoring, and integrity checks.

Download the CMMC System and Information Integrity template

The CMMC 2.0 Level 1 template set focuses on protecting Federal Contract Information (FCI), the non-public information provided by or generated for the government under a contract to develop or deliver a product or service. If your organization holds such contracts but doesn't handle CUI, this level sets the baseline. It relies on straightforward, common-sense safeguards and on an annual self-assessment, affirmed by a senior company official in SPRS.

Our CMMC 2.0 policy template set for Level 1 is designed to make that self-assessment practical. The templates help you clearly define scope, document how FCI is handled, and show evidence that required practices are in place. They align with FAR 52.204-21 and the Level 1 assessment objectives, so what you document directly supports what assessors expect to see.

To keep things simple, we’ve gathered all six required CMMC Level 1 domains into a single, streamlined template, giving you one cohesive place to manage policies, practices, and evidence without juggling multiple documents.

The CMMC Level 1 template set includes:

  • Access Control (AC)
  • Identification and Authentication (IA)
  • Media Protection (MP)
  • Physical Protection (PE)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Download the CMMC Level 1 template set

The CMMC Level 1 template set gathers all the templates you'll need to protect FCI at this level.

Download the CMMC Level 1 template set

The CMMC 2.0 Level 2 compliance requirements are designed for organizations that handle Controlled Unclassified Information (CUI) and need to show a stronger, more structured security program. Unlike Level 1, Level 2 assessments dig deeper into how controls are implemented, maintained, and proven over time. Assessors will look for real evidence that security practices are working as intended across systems, people, and processes.

Assessments at this level follow the guidance in NIST SP 800-171A and allow flexibility in how requirements are validated. Evidence can come from documentation, technical configurations, interviews, or direct observation. The result is a formal assessment score and report that clearly shows where requirements are met and where gaps remain, providing both the organization and the DoD with a defensible view of CUI protection.

To simplify preparation, we bundled all required domain templates into a single, organized set. Everything you need is grouped in one place for faster prep, cleaner reviews, and simpler evidence tracking.

CMMC Level 2 set includes:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Download the CMMC Level 2 template set

The CMMC Level 2 template set gathers all the templates you'll need for CUI protection.

Download the CMMC Level 2 template set

The CMMC Level 3 requirements and assessment process are designed for organizations that already have Level 2 fully in place and need stronger protections for Controlled Unclassified Information (CUI) based on contract needs. Before you can even pursue Level 3, you must have achieved a Final Level 2 (C3PAO) CMMC Status for every applicable system in your CMMC Assessment Scope, as defined in 32 CFR § 170.18(a).

At Level 3, the requirements come from NIST SP 800-172 (with DoD-approved parameters where applicable), and DCMA DIBCAC performs the certification assessment. The assessment follows NIST SP 800-172A methods and focuses on defenses against more capable adversaries, including stronger access controls, tighter segmentation, and more mature incident response and monitoring across the environments that handle CUI.

Preparing for CMMC isn’t just about documenting controls. It’s about proving they actually operate. Strike Graph helps organizations preparing for a Level 1 self-assessment or working toward Level 2 or Level 3 certification do exactly that by streamlining evidence collection and validation.

Rather than chasing screenshots and spreadsheets, teams use Strike Graph’s AI-native platform for CMMC compliance to automatically collect evidence, validate it against CMMC and NIST SP 800-171 requirements, and keep everything tied back to a centralized System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

Justin Beals, CEO of Strike Graph, says this evidence gap is where many CMMC efforts break down.

“Most CMMC failures don’t come from missing policies. They come from broken evidence,” says Beals. “When a policy says one thing but system logs tell a different story, assessors see risk. Compliance isn’t about what you’ve written down. It’s about whether your systems consistently reflect what you claim is in place.”

Strike Graph is designed to close that gap. The platform continuously maps live artifacts to specific CMMC controls, flags inconsistencies early, and validates evidence as systems change, not just right before an assessment.

To get started, organizations can use Strike Graph’s free, guided CMMC self-assessment. It provides a clear view of where controls are fully met, partially met, or missing, and shows exactly what needs to be addressed next. Instead of guessing where to start, teams get a practical, prioritized path toward meeting DoD expectations at the required CMMC level.
