Expert Insights, July 23, 2025

Roadmap to CMMC Level 2: 10 Strategic Moves to Get Compliant

This article is written and contributed by Coalfire Federal, the leading provider of federal cybersecurity advisory and assessment services and Secureframe's trusted C3PAO partner.

If you’re feeling stuck on where to begin—or how to move forward—with CMMC Level 2 compliance, you’re not alone. The path can feel complex, but it doesn’t have to be chaotic. With a clear plan and the right priorities, you can move from uncertainty to assessment-ready with confidence.

Here are 10 key actions that set organizations up for success for CMMC 2.0:

1. Know Where CUI Lives

Start by identifying where Controlled Unclassified Information (CUI) is created, received, or stored. Contracts are often the best starting point—follow the flow from there.

2. Define the Scope

List all relevant assets and categorize them—CUI assets, security tools, external systems, and anything else in or out of Level 2 assessment scope.

3. Minimize the Footprint

Smaller boundaries mean fewer headaches. Look for ways to reduce the number of systems and users involved in handling CUI.

4. Get the Right People and Tools in Place

Identify internal stakeholders and compliance tools needed to manage the process effectively. Ownership is key.

5. Review Third-Party Dependencies

Audit your contracts and service agreements to ensure any vendors handling CUI or providing related services meet the same CMMC expectations.

6. Empower a Decision-Maker

You need someone with authority to enforce priorities and drive change. Without leadership buy-in, things stall.

7. Assess Against the Standard

Evaluate where you stand against the 110 CMMC practices and their related objectives. Don’t rely on assumptions. Always verify.

8. Document Your Gaps

For anything that’s not in place, develop clear Plans of Action and Milestones (POA&Ms) to track progress.

9. Fix What’s Easy First

Tackle quick wins. Implement simple technical fixes or policy updates with clear timelines and accountable owners.

10. Build the Long-Term Plan

Some gaps take more effort, like replacing non-compliant vendors or major infrastructure changes. Assign budget, owners, and a realistic schedule that aligns with the CMMC 2.0 timeline.

Keep moving toward assessment

Once you’ve addressed your gaps, stay disciplined about tracking progress. The sooner you schedule your Level 2 assessment, the more control you’ll have over timing, especially as demand for Certified CMMC Assessors grows.
