Cybersecurity Maturity Assessment Checklist: What to Measure and How

Why a Cybersecurity Maturity Assessment Is Not Optional for Federal Contractors

If you are a defense contractor, federal agency supplier, or regulated industry operator, the question is no longer whether you need a cybersecurity maturity assessment. The question is whether the one you are running is rigorous enough to withstand scrutiny from a DoD contracting officer, a C3PAO auditor, or a federal inspector. At Cleared Systems, we conduct these assessments regularly across defense, aerospace, healthcare, and manufacturing environments. What we find, consistently, is that most organizations are measuring the wrong things or measuring the right things the wrong way.

This checklist is designed to change that. It gives compliance managers and executives a structured, domain-by-domain framework for evaluating where your program actually stands, not where your last self-assessment said it stood.

What a Cybersecurity Maturity Assessment Actually Measures

A cybersecurity maturity assessment evaluates the capability and consistency of your security controls across defined domains. It is not a penetration test. It is not a policy review. It is a structured examination of whether your security program is designed, implemented, and operating at a level commensurate with your threat environment and regulatory obligations.

Maturity assessments typically score each domain against a scale, ranging from initial or ad hoc practices at the low end to optimized, continuously improving processes at the high end. For federal contractors, maturity is increasingly tied to specific frameworks: the 14 requirement families of NIST SP 800-171 Rev. 2, the practice requirements of the CMMC model, and the NIST CSF categories. Understanding where your controls fall on that scale is the foundation for everything that follows.

The Cybersecurity Maturity Assessment Checklist: Domain by Domain

1. Access Control

  • Are user access rights based on least privilege and role-based access control?
  • Is multi-factor authentication enforced for privileged accounts, for all network access (including non-privileged users), and for remote access, as NIST SP 800-171 requires?
  • Are access reviews conducted on a documented, recurring schedule?
  • Is there a formal process for revoking access upon employee termination or role change?
  • Are system accounts and service accounts inventoried and regularly reviewed?

2. Configuration Management

  • Is there a documented baseline configuration for all system components?
  • Are configuration changes managed through a formal change control process?
  • Are unauthorized configuration changes detected and remediated promptly?
  • Is software installation restricted to approved and authorized applications?

3. Incident Response

  • Is there a written incident response plan that has been tested within the last 12 months?
  • Are roles and responsibilities for incident response clearly assigned and documented?
  • Is there a defined process for reporting incidents to relevant authorities, including reporting cyber incidents to DoD within 72 hours of discovery for contractors subject to DFARS 252.204-7012?
  • Are incident lessons learned documented and used to update controls?

4. Risk Assessment

  • Is a formal risk assessment conducted at least annually or when significant changes occur?
  • Are risks documented in a risk register with assigned owners and remediation timelines?
  • Does the risk assessment process address threats specific to your industry, contract environment, and data types?
  • Are supply chain risks evaluated as part of the overall risk management process?

5. System and Communications Protection

  • Are CUI and other sensitive data encrypted in transit and at rest using FIPS-validated cryptography (the standard NIST SP 800-171 specifies, and the one assessors check for)?
  • Are network boundaries defined and enforced through firewalls, segmentation, and monitoring?
  • Is remote access protected and logged?
  • Are endpoint security controls deployed and actively managed across all devices?

6. Audit and Accountability

  • Are audit logs generated for all systems processing CUI or sensitive federal data?
  • Are logs protected from unauthorized access and retained per policy and regulatory requirements?
  • Is there a process for reviewing logs and alerting on anomalous activity?
  • Are audit log reviews documented and tracked?

7. Security Assessment and Authorization

  • Is there a current System Security Plan (SSP) that accurately reflects the operating environment?
  • Is there an active Plan of Action and Milestones (POA&M) for all identified deficiencies?
  • Are security controls assessed periodically for effectiveness, not just documented at implementation?
  • Has your NIST SP 800-171 self-assessment score been calculated using the DoD Assessment Methodology and submitted to the Supplier Performance Risk System (SPRS)?

8. Personnel Security and Awareness Training

  • Do all users complete security awareness training before accessing systems and annually thereafter?
  • Is role-based training provided to personnel with elevated access or security responsibilities?
  • Are personnel screened prior to being granted access to CUI or sensitive systems?
  • Is there a documented process for managing personnel security when employees depart?

9. Media Protection

  • Is portable media use controlled, tracked, and restricted to authorized devices?
  • Is media containing CUI sanitized or destroyed before disposal in accordance with NIST guidelines?
  • Are media protection policies documented and enforced through technical controls where possible?

10. Physical Protection

  • Are facilities that house CUI or sensitive systems physically secured with access controls?
  • Is visitor access controlled, logged, and escorted in controlled areas?
  • Are physical access logs reviewed and retained?

How to Score Your Assessment Results

Once you have worked through the checklist, map each domain against a five-level maturity scale: Level 1 (Initial), Level 2 (Managed), Level 3 (Defined), Level 4 (Quantitatively Managed), and Level 5 (Optimizing). For most federal contractors, the target is Level 3 or higher across all domains. Note that CMMC levels are certification levels, not points on this scale: a contractor seeking CMMC Level 2 certification must demonstrate consistent implementation of all 110 NIST SP 800-171 Rev. 2 requirements, which generally corresponds to a Level 3 (Defined) maturity posture on the scale above.

Document your findings by domain, identify the specific gaps, assign owners and target remediation dates, and fold the results into your POA&M. An assessment that does not produce an actionable remediation plan is an assessment that will not improve your security posture before your next audit.

If you are preparing for a formal third-party assessment, review our detailed guide on how to conduct a cybersecurity maturity assessment before your CMMC audit for deeper preparation guidance.

Common Maturity Assessment Failures We See in the Field

After conducting assessments across dozens of defense contractors and regulated organizations, several failure patterns appear consistently:

  1. Treating documentation as evidence of implementation. A policy exists on paper, but no one follows it. Assessors look for operational evidence, not documents alone.
  2. Scoping the assessment too narrowly. Organizations often exclude cloud environments, third-party systems, or remote worker endpoints. Every system that processes, stores, or transmits CUI is in scope, as are the assets that provide security functions for those systems.
  3. Conflating IT compliance with cybersecurity maturity. Compliance with a checklist does not equal mature security. Maturity requires consistency, measurement, and continuous improvement.
  4. Failing to connect the assessment to the SSP and POA&M. These documents must reflect reality. If your assessment surfaces a gap, your SSP and POA&M must capture it. Review how SSP and POA&M work together as cornerstones of a strong security program.
  5. Not reassessing after significant changes. Maturity assessments are not annual events alone. Acquisitions, system migrations, personnel changes, and new contract requirements all trigger the need for reassessment.

Selecting the Right Framework for Your Assessment

The framework you use should align with your regulatory obligations and customer requirements. Defense contractors handling CUI should anchor assessments to NIST SP 800-171 and the CMMC model. Organizations with broader federal obligations may also need to address NIST SP 800-53. Healthcare organizations under federal contracts face layered obligations under both HIPAA and federal cybersecurity requirements.

Regardless of which framework applies, the assessment methodology should be consistent: define scope, gather evidence, evaluate control effectiveness, score results, document findings, and build a remediation roadmap. Our Federal and SLED Risk Assessment services are built around exactly this methodology, tailored to the regulatory environment each client operates in.

For organizations managing multiple compliance frameworks simultaneously, consider how compliance program development can integrate your maturity assessment findings into a unified, sustainable program rather than a series of disconnected audits.

When to Bring in Outside Expertise

Internal assessments are valuable, but they carry inherent bias. Teams that built a security program tend to see it charitably. For organizations preparing for a formal CMMC assessment, pursuing a new federal contract, or responding to an identified breach or compliance finding, an independent third-party assessment provides the objectivity necessary to surface real gaps.

A Regulatory vCISO can also serve as an ongoing assessment function, providing the continuous oversight that periodic point-in-time assessments cannot deliver. This is particularly valuable for small to mid-size contractors who do not have a full-time security leadership role but face the same regulatory obligations as larger primes.

Take the Next Step Toward a Defensible Security Posture

A cybersecurity maturity assessment is only as valuable as the action it drives. Whether you are starting from scratch, preparing for a formal CMMC audit, or trying to close persistent gaps before a contract renewal, Cleared Systems can help you conduct an assessment that holds up under scrutiny and produces a clear, prioritized path forward. Request a quote today to discuss your assessment needs with our team, or explore our engagement models to find the right level of support for your organization.
