CMMC Level 2 Blumira Checklist

Blumira is committed to supporting our manufacturing customers and making sure they have the visibility, reporting, and indelible historical record of security activity needed to meet compliance. This is why Blumira doesn’t limit the number of log sources you need to monitor, or charge additional fees based on the volume of data necessary to maintain that complete record.

To help prepare for the immediate deadline of self-assessment and fast-approaching deadline in 2026 for third-party assessment, we’ve prepared a downloadable checklist of specific objectives requiring the use of a monitoring solution like the SIEM integrated within the Blumira platform and questions you should ask to determine if your environment is CMMC-ready. 

CMMC Level 2 2025/2026 Deadlines

The Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC) to strengthen protection of Controlled Unclassified Information (CUI). Starting November 10, 2025, all DoD contractors and subcontractors must complete a self-assessment for CMMC Level 1 or 2 to be eligible to bid on new contracts. By November 10, 2026, most organizations handling CUI are required to pass a Level 2 assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) to bid on contracts.

Why You Need to Start Now

Demand for CMMC assessors far exceeds supply. With only a few dozen assessors available to serve more than 100,000 organizations seeking Level 2 certification, scheduling delays are unavoidable. Preparation can take up to six months, and there is already a 6-month waiting list to secure an assessment, which is likely to increase as the deadlines near. Organizations that postpone getting started risk missing their certification window and losing contract eligibility.

How Scoring Works

CMMC Level 2 scoring is based on the 110 cybersecurity controls outlined in NIST 800-171. Each control is weighted by importance:

• 1, 3, or 5 points per control
• 110 points total
• 110 points needed to pass
• 88 points required for a provisional pass

Failing any 3- or 5-point control means an automatic failure. If you miss smaller 1-point items, you can get a provisional pass and submit a Plan of Action and Milestones (POA&M) to fix them within 180 days. Repeats could be costly, though: taking a second assessment could cost upwards of $30,000, so it's well worth the preparation now to save yourself headaches later. You can download the checklist through the form above, and can reach out if you have more questions or want to know more about the CMMC support Blumira offers to customers.