

CMMC Level 2 Readiness Checklist

Are You Prepared for Level 2 Third-Party Certification?
Use our practical self-assessment for DoD subcontractors.  

Beginning November 10, 2026, subcontractors that handle Controlled Unclassified Information (CUI) must obtain CMMC Level 2 certification through a third‑party C3PAO. Self‑assessments will no longer be sufficient. 

This checklist will help your organization evaluate audit readiness by focusing on Level 2 priorities—helping you address gaps before audit availability becomes a constraint. 


1. CUI Scoping & Boundary Definition  

⏹️ Clearly identify where CUI exists in our environment.

⏹️ Understand how CUI flows through systems. 

⏹️ Document which users, roles, and workflows access or handle CUI. 

2. System Security Plan (SSP) Accuracy 

⏹️ Create a current, complete SSP that aligns to all 110 NIST SP 800-171 controls.

⏹️ Identify a clear owner who updates the SSP when systems or processes change.

3. Implemented Security Controls  

⏹️ Limit CUI system access to authorized personnel only.

⏹️ Enforce multifactor authentication (MFA) on all applicable systems.

⏹️ Enable endpoint protection, logging, backup, and monitoring on in-scope systems. 

⏹️ Define configuration standards and ensure systems remain securely configured over time.

4. Evidence Readiness & Organization 

⏹️ Maintain current, organized documentation for each applicable security control.

⏹️ Ensure evidence is verifiable and can be produced quickly when requested by an assessor.

⏹️ Regularly review evidence to confirm it reflects your actual environment and practices.

5. Operationalized Policies 

⏹️ Create security policies and enforce them in daily operations.

⏹️ Demonstrate policy compliance through training records, enforcement actions, and reviews.

⏹️ Regularly review and update policies.

6. Incident Response & Recovery Readiness 

⏹️ Create a documented incident response plan aligned to your environment.

⏹️ Clearly define roles and responsibilities during an incident.

⏹️ Show the ability to recover systems and data within defined timelines.

7. Risk Assessment & Plan of Actions & Milestones (POA&M) 

⏹️ Conduct a formal gap assessment against NIST SP 800-171.

⏹️ Document known gaps in your POA&M with owners, priorities, and achievable timelines.

⏹️ Track and document progress against the POA&M.

8. Organizational Readiness for a C3PAO Audit 

⏹️ Ensure leadership understands that third-party audits are mandatory starting November 10, 2026.

⏹️ Give yourself between 6 and 12 months to prepare for your audit.

⏹️ Plan accordingly around limited C3PAO availability.

⏹️ Prepare to host assessors and efficiently respond to requests. 

How to Interpret Your Results

20 or more checked: You are likely on a credible path to audit readiness. Validate evidence quality and consistency.

⚠️ 13 to 19 checked: You may still be technically capable but not audit-ready under Phase 2 expectations.

12 or fewer checked: Immediate action is needed to avoid certification delays and potential loss of DoD contract eligibility.

Note: This is a distilled version of CMMC Level 2 compliance requirements and best practices showing high priority items. This is not a complete assessment.

Need help getting started? VC3 provides tailored CMMC compliance support, gets you ready for assessments, and guides you through every requirement.

“I was pleasantly surprised when we went through the EDR upgrade. I didn’t even know I needed it. But the cyber bullies are out there advancing all the time, so VC3 needs to be advancing too, and I don’t even have to ask about it.”

▸ City of Port Lavaca City Official


 

Implementing all these best practices may feel overwhelming. Reach out to VC3 today to connect with a CMMC expert!