CMMC Compliant CRM Checklist: 25 Requirements Your CRM Must Meet
The definitive CMMC CRM compliance checklist — 25 requirements organized by NIST 800-171 control family. Includes CRM platform scorecard comparing Salesforce Gov, Microsoft Dynamics GovCloud, HubSpot, and Cabrillo Club across all control families.
Cabrillo Club
Editorial Team · February 24, 2026 · 18 min read

Key Takeaways
- Your CRM is almost certainly in scope: If any user enters, views, or processes information related to DoD contracts, your CRM is part of your CMMC assessment boundary -- and the applicable NIST SP 800-171 controls must be implemented for it. Read our complete CUI-safe CRM guide to understand the full architectural implications.
- 25 specific requirements span 7 control families: Access Control, Audit & Accountability, Configuration Management, Identification & Authentication, Media Protection, System & Communications Protection, and System & Information Integrity each impose distinct obligations on your CRM platform.
- Most commercial CRMs fail 10 or more checklist items out of the box: Platforms like HubSpot, Salesforce, and Dynamics 365 require significant configuration, add-ons, or architectural workarounds to approach compliance -- and some gaps cannot be closed at all. See how zero-trust CRM architecture addresses the fundamental design flaws.
- Email ingestion is the most overlooked CUI entry point: Every email automatically logged to a CRM contact record potentially introduces CUI into the system. Understanding this email ingestion compliance blind spot is critical before you can honestly complete this checklist.
- A purpose-built platform eliminates the retrofit problem entirely: Cabrillo Club's CRM was designed from day one to meet all 25 checklist items, so defense contractors can focus on winning contracts instead of wrestling with compliance configurations.
If your CRM touches any Controlled Unclassified Information -- contact records for DoD program managers, proposal data with technical specifications, contract details with performance work statements, or communications referencing controlled programs -- it falls squarely within your CMMC assessment boundary. Most defense contractors discover this too late, after an assessor flags their CRM as an in-scope asset they never properly secured. A CMMC compliant CRM checklist is not a nice-to-have; it is a prerequisite for any organization that manages defense relationships through a customer relationship management platform. This guide provides the definitive 25-point CMMC CRM checklist, mapped to specific NIST 800-171 controls, so you can evaluate your current platform, identify gaps, and close them before your assessment.
The problem is straightforward: commercial CRM platforms were designed to maximize sales productivity, not to protect CUI. Features like open API access, broad user permissions, and cloud-based integrations that make Salesforce or HubSpot powerful for commercial sales teams are the same features that create compliance failures in a defense contracting environment. Every record, every email logged, every note attached to an opportunity becomes a potential CUI exposure point that your C3PAO assessor will examine.
---
Why Your CRM Is in Your CMMC Assessment Boundary
The CMMC assessment boundary encompasses every system, component, and service that processes, stores, or transmits CUI. For defense contractors, CUI flows through the CRM in ways that are often invisible until an assessor starts asking questions.
CUI data flows in a typical defense CRM
Contact records contain names, titles, organizations, phone numbers, and email addresses of DoD personnel associated with controlled programs. An individual contact record is rarely CUI on its own, but a list of contacts tied to a specific controlled program reveals the program's structure and participants and may itself fall into a CUI category. The categories and markings that decide this are defined by the CUI program (32 CFR Part 2002) and the National Archives CUI Registry, so map your contact data against them rather than assuming contact lists are always out of scope.
Opportunity and pipeline data routinely contains contract numbers, CAGE codes, program names, performance periods, and contract values -- all of which may be marked as CUI or fall under CUI categories such as Procurement and Acquisition (marked PROCURE) or Export Controlled (marked EXPT).
Proposal artifacts attached to opportunity records -- past performance volumes, technical approaches, cost models, and compliance matrices -- are among the most sensitive CUI categories that flow through CRM systems. Every attachment, every note summarizing a proposal strategy, and every task related to proposal development becomes an in-scope asset.
Communications are the most pervasive vector. Email threads logged automatically via CRM integrations, meeting notes linked to contacts, and internal comments on opportunity records all create CUI touchpoints. The email ingestion compliance blind spot is so common that most contractors have unprotected CUI in their CRM right now without realizing it.
Reporting and dashboards that aggregate pipeline data, win rates by agency, or contract performance metrics create derivative CUI that persists in the CRM long after individual records are updated.
The consequence is clear: your CRM is not a peripheral system you can exclude from your assessment boundary. It is a core CUI-processing asset, and your C3PAO assessor will evaluate it against every applicable NIST 800-171 control.
---
The 25-Point CMMC CRM Compliance Checklist
The following checklist maps 25 specific CRM requirements to their corresponding NIST SP 800-171 Rev 2 control families. Each requirement is something your assessor can -- and will -- verify during a Level 2 assessment. Priority levels indicate the order in which you should address gaps: Critical items represent the most common assessment failures, High items are frequently tested, and Medium items round out full compliance.
| # | Requirement | NIST 800-171 Control | Priority |
|---|---|---|---|
| 1 | Multi-factor authentication (MFA) for all CRM users | 3.5.3 (IA) | Critical |
| 2 | Role-based access control (RBAC) with least privilege | 3.1.1, 3.1.2, 3.1.5 (AC) | Critical |
| 3 | Automatic session lock and session termination after inactivity | 3.1.10, 3.1.11 (AC) | Critical |
| 4 | Encryption at rest (FIPS-validated AES-256 or equivalent) for stored data and backups | 3.13.16, 3.13.11 (SC); 3.8.6 (MP) | Critical |
| 5 | TLS 1.2+ (FIPS-validated) encryption for all data in transit | 3.13.8, 3.13.11 (SC) | Critical |
| 6 | Audit logging of all user actions (create, read, update, delete) | 3.3.1 (AU) | Critical |
| 7 | Tamper-proof audit trails (immutable log storage) | 3.3.8 (AU) | Critical |
| 8 | Unique user identification (no shared accounts) | 3.5.1 (IA) | High |
| 9 | Password complexity, reuse restriction, and protected storage | 3.5.7, 3.5.8, 3.5.10 (IA) | High |
| 10 | Separation of duties for administrative functions | 3.1.4 (AC) | High |
| 11 | Network segmentation isolating CRM from non-CUI systems | 3.13.1 (SC) | High |
| 12 | CUI boundary isolation (controlled CUI flows through integrations, exports, and APIs) | 3.1.3 (AC), 3.13.2 (SC) | High |
| 13 | Baseline configuration documentation | 3.4.1 (CM) | High |
| 14 | Change tracking and configuration change control | 3.4.3 (CM) | High |
| 15 | Vulnerability scanning and flaw remediation on CRM infrastructure | 3.11.2 (RA), 3.14.1 (SI) | High |
| 16 | Account lockout after failed login attempts | 3.1.8 (AC) | High |
| 17 | Audit log retention (a defined, documented period; a year or more is common) | 3.3.1 (AU) | High |
| 18 | Restrict remote access to CRM | 3.1.12 (AC) | Medium |
| 19 | Wireless access protection for CRM endpoints | 3.1.16 (AC) | Medium |
| 20 | Input validation on all CRM form fields, APIs, and imports | 3.13.2 (SC) | Medium |
| 21 | Data sanitization procedures for decommissioned records | 3.8.3 (MP) | Medium |
| 22 | Certificate or signed-token authentication for service accounts and integrations | 3.5.2, 3.5.4 (IA) | Medium |
| 23 | Restrict access to CRM from mobile devices | 3.1.18 (AC) | Medium |
| 24 | Monitoring and alerting for anomalous CRM access patterns | 3.3.5 (AU), 3.14.7 (SI) | Medium |
| 25 | Malicious code protection for CRM file attachments | 3.14.2 (SI) | Medium |
You can download and print this checklist, but the real work is in evaluating each item against your specific CRM implementation. The sections below break down each control family so you understand not just the "what" but the "how" and "why" behind each requirement.
---
Checklist Deep Dive by NIST 800-171 Control Family
Access Control (AC) -- Items 2, 3, 10, 16, 18, 19, 23
Access Control is the largest control family affecting CRM systems and the one where commercial platforms most consistently fail. The core principle is simple: every user should have access to exactly the CUI they need to perform their job, and nothing more.
RBAC with least privilege (Item 2) means your CRM must support granular role definitions -- not just "Admin" and "User" but roles like "Capture Manager (Program X)" that restrict visibility to specific opportunities, contacts, and artifacts. Most commercial CRMs offer basic roles but lack the record-level access controls needed for true least privilege in a multi-program defense environment.
Session timeout (Item 3) covers two controls: 3.1.10 requires a session lock with a pattern-hiding display after a period of inactivity, and 3.1.11 requires automatic termination of a session after a defined condition, which for a CRM is normally an idle period. NIST does not fix the period; 15 minutes of inactivity is the value most CUI-processing systems adopt. The CRM must enforce it server-side by invalidating the session token, because a client-side lock screen or screensaver leaves the authenticated session alive and resumable.
Account lockout (Item 16) should trigger after a small number of consecutive failed login attempts; 3.1.8 leaves the threshold to you, and 3 to 5 is typical. The lockout must persist for a defined period or until an administrator unlocks the account, and the failure counter must live on the server so an attacker cannot reset it by clearing cookies or switching clients. This prevents online brute-force and password-spraying attacks against CRM credentials.
Remote and mobile access (Items 18, 19, 23) require additional controls when CRM is accessed outside your managed network. VPN requirements, conditional access policies, managed device enforcement, and mobile application management (MAM) all come into play. If your sales team accesses the CRM from personal phones at trade shows, you have an access control gap.
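The server-side behaviour described for Items 3 and 16 above, as an added example (not code from the original article or from any CRM vendor): the account store, session store and clock are hypothetical in-memory stand-ins so it runs offline, and the 15-minute idle limit, 5-attempt threshold and 30-minute lockout are organization-defined values, not numbers NIST mandates.

```python
"""Server-side idle timeout (Item 3) and account lockout (Item 16) for a CRM login path.

Added example, not from the original article or any CRM vendor. The account
store, session store and injected clock are hypothetical; the limits below are
organization-defined values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_S = 15 * 60      # 3.1.11: terminate the session after this much inactivity
MAX_FAILED_ATTEMPTS = 5       # 3.1.8: consecutive failures before lockout
LOCKOUT_DURATION_S = 30 * 60  # lockout persists this long unless an admin clears it


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Accounts and sessions live on the server. `now` is passed in so tests can
    control time; a real service would use time.time()."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def add_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_pw(password, salt))

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """Return a session token on success, None on bad credentials or lockout.
        The failure counter is server-side, so clearing cookies does not reset it."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if now < acct.locked_until:
            return None                        # locked: do not evaluate the password at all
        if not hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_DURATION_S
            return None
        acct.failed_attempts = 0               # a successful login resets the counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        return token

    def admin_unlock(self, username: str) -> None:
        """Administrator intervention: clear a lockout before it expires."""
        acct = self.accounts[username]
        acct.failed_attempts = 0
        acct.locked_until = 0.0

    def authorize(self, token: str, now: float) -> Optional[str]:
        """Validate a session on every request. An idle session is deleted, not
        merely hidden, so a client holding the stale token cannot resume it later."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > IDLE_TIMEOUT_S:
            del self.sessions[token]
            return None
        sess.last_activity = now
        return sess.username
```

The point an assessor will probe is in `authorize`: the idle check happens on the server against the last server-observed activity, and expiry destroys the session rather than redirecting to a lock screen, so a browser that presents the old cookie after 16 minutes is simply unauthenticated.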
Audit & Accountability (AU) -- Items 6, 7, 17, 24
Your assessor will ask to see CRM audit logs and will verify that CRM administrators cannot modify or delete them. This is where many Salesforce and Dynamics implementations fail: the platform logs events, but unless those logs are exported, they remain inside an administrative control plane where a sufficiently privileged administrator may be able to shorten retention, purge history, or disable the collection that feeds them.
Comprehensive logging (Item 6) means every create, read, update, and delete action on any CUI record must generate an audit event. "Read" is the critical one most platforms miss: if a user views a contact record containing CUI, that access must be logged. Salesforce's standard audit trail does not capture record views without Shield Event Monitoring -- a significant additional cost.
Tamper-proof trails (Item 7) require that audit logs be stored in a location where no CRM user, including administrators, can modify or delete them. This typically means exporting logs to a SIEM or write-once storage system outside the CRM's control plane.
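One way to implement Items 6 and 7 together, as an added example that is not code from the original article or from any CRM product: a record store that logs every create, read, update and delete (including failed reads) into a hash-chained, append-only trail. The record store, user names and record IDs are hypothetical; the chain is kept in memory here, where in production each entry would be shipped as written to a SIEM or write-once store outside the CRM's control plane.

```python
"""Hash-chained audit trail that logs reads as well as writes (Items 6 and 7).

Added example, not from the original article or any CRM product. The record
store, user names and record IDs are hypothetical.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64


def _digest(body: Dict[str, Any]) -> str:
    # Canonical JSON so an entry always hashes the same way, regardless of key order.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    """Append-only log where every entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._prev = GENESIS

    def append(self, actor: str, action: str, record_id: str, ts: float,
               outcome: str = "success") -> None:
        body = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                "record": record_id, "outcome": outcome, "prev": self._prev}
        body["hash"] = _digest(body)          # hash covers every field except itself
        self.entries.append(body)
        self._prev = body["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that is altered, missing or
        reordered, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            if _digest(body) != entry.get("hash"):
                return i
            prev = entry["hash"]
        return None

    def reads_of(self, record_id: str) -> List[str]:
        """Who has viewed a record: the first question after a suspected disclosure."""
        return [e["actor"] for e in self.entries
                if e["record"] == record_id and e["action"] == "read"
                and e["outcome"] == "success"]


class CrmStore:
    """Minimal record store where every CRUD operation is logged, including
    unsuccessful reads of records that do not exist."""

    def __init__(self, log: AuditLog) -> None:
        self.log = log
        self.records: Dict[str, Dict[str, Any]] = {}

    def create(self, actor: str, record_id: str, data: Dict[str, Any], ts: float) -> None:
        self.records[record_id] = dict(data)
        self.log.append(actor, "create", record_id, ts)

    def read(self, actor: str, record_id: str, ts: float) -> Optional[Dict[str, Any]]:
        rec = self.records.get(record_id)
        if rec is None:
            self.log.append(actor, "read", record_id, ts, outcome="failure")
            return None
        self.log.append(actor, "read", record_id, ts)   # views are logged, not just writes
        return dict(rec)

    def update(self, actor: str, record_id: str, changes: Dict[str, Any], ts: float) -> None:
        self.records[record_id].update(changes)
        self.log.append(actor, "update", record_id, ts)

    def delete(self, actor: str, record_id: str, ts: float) -> None:
        del self.records[record_id]
        self.log.append(actor, "delete", record_id, ts)
```

The chain only makes tampering detectable, not impossible: an administrator who controls the whole store can rewrite every hash. That is why the exported copy in the SIEM matters; `verify()` run against the export, with the export's head hash compared to the CRM's, is what lets you show an assessor that the two agree.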
Retention (Item 17) is an organizational decision that you must state in the SSP; NIST 800-171 does not fix a period. DFARS 252.204-7012 adds a separate obligation: after a cyber incident, preserve and protect images of affected systems and all relevant monitoring data for at least 90 days from submission of the incident report. Retaining CRM audit logs for a year or more is common among defense contractors because unauthorized access is often discovered long after it occurred; whatever period you choose, confirm that the retained logs can satisfy that 90-day preservation requirement when an incident is reported.
Configuration Management (CM) -- Items 13, 14
Baseline configuration (Item 13) means you must document the approved configuration of your CRM -- every setting, integration, custom field, workflow rule, and API connection. This baseline becomes the reference point against which all changes are measured.
Change control (Item 14) requires a formal process for approving, documenting, and tracking any modification to the CRM configuration. Adding a custom field, enabling an integration, changing a permission set, or updating a workflow must all go through change control. Your System Security Plan (SSP) must describe this process, and your assessor will verify it is followed.
Identification & Authentication (IA) -- Items 1, 8, 9, 22
MFA (Item 1) is non-negotiable. 3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, which covers every user of a cloud-hosted CRM. NIST 800-171 does not dictate the factor type, but NIST SP 800-63B classifies SMS as a restricted authenticator, and phishing-resistant options (FIDO2 security keys, platform passkeys) or authenticator applications are the better choice. Your CRM platform must support MFA natively or delegate authentication to an identity provider (IdP) that enforces it, with no local password-only login path left open.
Unique identification (Item 8) prohibits shared accounts. Every CRM user must have a uniquely identifiable account. This sounds obvious, but shared "team" accounts for reception desks, conference room kiosks, or integration service accounts are common violations.
Password policy (Item 9) must enforce a minimum complexity requirement (3.5.7), prohibit reuse for a specified number of generations (3.5.8), and store and transmit passwords only in cryptographically protected form (3.5.10). Rev 2 does not mandate periodic rotation, and NIST SP 800-63B recommends length over composition rules and changing passwords on evidence of compromise rather than on a schedule. Define your values (for example, a 12-character minimum and a 24-generation reuse block), document them in the SSP, and be ready to show the CRM or IdP setting that enforces them.
Certificate authentication (Item 22) applies primarily to service accounts and API integrations. 3.5.2 requires authenticating processes and devices, not only users, and 3.5.4 requires replay-resistant authentication for network access. Any system-to-system connection to your CRM should use mutual TLS with client certificates or short-lived signed tokens (for example, an OAuth client-credentials grant backed by a key-based assertion) rather than a stored username and password.
Media Protection (MP) -- Items 4, 21
Encryption at rest (Item 4) requires that CUI stored in your CRM database, file attachments, and backups be protected: 3.13.16 requires protecting the confidentiality of CUI at rest, 3.13.11 requires that the cryptography be FIPS-validated, and 3.8.6 extends the requirement to digital media in transport (offsite backup drives, exported media). AES-256 is the usual algorithm, but the question assessors ask is whether the implementation runs in a FIPS 140-2 or FIPS 140-3 validated module; "AES-256" from a non-validated library does not satisfy 3.13.11. Ask your CRM provider for the CMVP certificate number of the module in use.
Data sanitization (Item 21) means you must have documented procedures for securely erasing CUI when records are deleted, accounts are decommissioned, or storage media is retired. "Delete" in most CRM platforms moves records to a recycle bin where they persist for 15 to 30 days -- this must be accounted for in your sanitization procedures.
System & Communications Protection (SC) -- Items 5, 11, 12
TLS 1.2+ (Item 5) must be enforced for all connections to the CRM -- web browser access, API calls, email integrations, and mobile app connections -- and 3.13.11 applies here too: the TLS implementation must run in a FIPS-validated module. TLS 1.0 and 1.1 must be disabled, and TLS 1.3 is preferred where the provider supports it. Verify this from the client side rather than trusting the vendor's documentation (an `openssl s_client -tls1_1` connection to the CRM endpoint should fail), and check that your integrations do not silently fall back to older versions or to plaintext.
Network segmentation (Item 11) requires that your CRM infrastructure be logically or physically separated from systems that do not process CUI. If your CRM runs on the same network segment as your marketing website or guest Wi-Fi, you have a segmentation failure.
CUI boundary isolation (Item 12) goes further than network segmentation. 3.1.3 requires controlling the flow of CUI in accordance with approved authorizations, and 3.13.2 requires architectures and engineering practices that make that control effective. In a CRM this means every integration, export, and API client is an explicitly authorized data flow with a defined set of fields it may receive, not a default-on connector. This is where zero-trust CRM architecture becomes essential: every data flow in and out of the CRM must be explicitly authorized and monitored.
System & Information Integrity (SI) -- Items 15, 20, 25
Vulnerability scanning (Item 15) maps to 3.11.2 (scan for vulnerabilities periodically and when new ones affecting the system are identified) and 3.14.1 (identify, report, and correct flaws in a timely manner). For SaaS CRM platforms, this shifts to evaluating the vendor's vulnerability management program and ensuring your own configuration, customizations, and integrations do not introduce vulnerabilities. For self-hosted or private-cloud CRM, you must perform your own scanning and track remediation.
Input validation (Item 20) prevents injection attacks and malformed data from entering your CRM. NIST 800-171 Rev 2 has no dedicated input-validation requirement, so this item rests on 3.13.2, which requires secure software development techniques; it is listed with SI here because the failure it prevents is an integrity failure. Every form field, API endpoint, and data import mechanism must validate inputs. For a SaaS platform this is mostly the vendor's responsibility, but custom fields, scripts, formulas, and integrations you build must implement validation yourself, and an assessor can ask to see it.
Malicious code protection (Item 25) requires scanning of file attachments uploaded to the CRM. Proposals, contracts, and other documents attached to CRM records must be scanned for malware before storage and upon retrieval.
---
CRM Platform Scorecard: How the Major Platforms Stack Up
Not all CRM platforms are created equal when it comes to CMMC compliance. The following scorecard evaluates four platforms against the 25-point checklist, based on their default configuration and available compliance features.
Scores reflect the number of checklist items each platform can satisfy: fully met out of the box, partially met with additional configuration or add-ons, or not met without third-party tools or architectural changes.
| Platform | AC (7 items) | AU (4 items) | CM (2 items) | IA (4 items) | MP (2 items) | SC (3 items) | SI (3 items) | Overall (25) |
|---|---|---|---|---|---|---|---|---|
| Cabrillo Club | 7/7 | 4/4 | 2/2 | 4/4 | 2/2 | 3/3 | 3/3 | 25/25 |
| Salesforce GovCloud | 5/7 | 2/4 | 2/2 | 3/4 | 2/2 | 2/3 | 2/3 | 18/25 |
| Dynamics 365 GCC High | 5/7 | 3/4 | 2/2 | 3/4 | 2/2 | 2/3 | 2/3 | 19/25 |
| HubSpot | 3/7 | 1/4 | 1/2 | 2/4 | 1/2 | 1/3 | 1/3 | 10/25 |
Salesforce GovCloud
Salesforce Government Cloud operates in a FedRAMP High authorized environment, which addresses many infrastructure-level controls. However, CRM-specific gaps remain. Record-level access control requires careful configuration of sharing rules, and audit logging of record views requires the Shield Event Monitoring add-on, which is licensed separately per user. Session timeout and MFA are configurable but not enabled by default. CUI boundary isolation is limited by the platform's extensive integration ecosystem -- every connected app expands the potential CUI exposure surface.
Microsoft Dynamics 365 GCC High
Dynamics 365 GCC High is the strongest commercial contender, benefiting from Microsoft's significant investment in government cloud infrastructure. It inherits Azure Government's FedRAMP High and DoD IL4/IL5 authorizations. Access control and audit capabilities are more robust than Salesforce out of the box, and integration with Microsoft Entra ID (formerly Azure Active Directory) simplifies MFA and conditional access enforcement. The primary gaps are in CUI boundary isolation (Power Platform connectors can create uncontrolled data flows) and comprehensive read-access logging (requires Microsoft Purview Audit (Premium), adding cost and complexity).
HubSpot
HubSpot is not designed for defense contractor use and lacks the fundamental infrastructure for CMMC compliance. It does not operate in a FedRAMP authorized environment. Audit logging is minimal -- there is no capability to log record views, and the activity log is limited in retention. Access control is role-based but not granular enough for record-level least privilege. Encryption at rest relies on the underlying cloud provider's storage encryption, and HubSpot does not document FIPS 140-validated modules for the application itself. There is no CUI boundary isolation, no network segmentation option, and no path to satisfying approximately 15 of the 25 checklist items without replacing the platform entirely.
Cabrillo Club
Cabrillo Club's CRM was architected from its foundation to satisfy every control in the NIST SP 800-171 framework as it applies to CRM operations. It is not a commercial platform with a compliance layer bolted on -- it is a purpose-built defense contractor platform where compliance is the default state, not an add-on. FIPS 140-2 validated encryption, immutable audit trails, record-level RBAC, CUI boundary isolation, and integrated vulnerability management are all included in the base platform. Defense contractors using Cabrillo Club can check all 25 items on this list without purchasing add-ons, hiring consultants to configure sharing rules, or accepting architectural compromises. Learn more in our CUI-safe CRM guide.
---
Step-by-Step Compliance Assessment for Your Current CRM
If you are already using a CRM and need to evaluate its compliance posture, follow this structured assessment process. Each step builds on the previous one, so complete them in order.
Step 1: Map CUI Data Flows Through Your CRM
Before you can assess compliance, you must understand exactly what CUI enters your CRM, how it gets there, and where it goes. Document every data flow:
- Inbound: Email integrations, manual data entry, form submissions, API imports from other systems, file uploads
- Internal: Record creation, field updates, workflow automation, report generation, dashboard views
- Outbound: Email sends, API exports, report downloads, integrations with other systems (ERP, proposal tools, project management)
For each flow, identify whether CUI is present. Use the CUI Registry to determine which CUI categories apply to your data. Common categories for defense CRM data include Controlled Technical Information (CTI), Export Controlled, Procurement and Acquisition, and Source Selection Information.
Step 2: Define Your CRM Assessment Boundary
Based on your data flow mapping, draw the boundary around every component that touches CUI. This includes:
- The CRM application itself (web interface, mobile app)
- The underlying database and file storage
- Identity providers and authentication services
- Integration middleware (Zapier, MuleSoft, custom APIs)
- Email servers connected to the CRM
- Backup and disaster recovery systems
- Any device used to access the CRM
Everything inside this boundary must satisfy the applicable NIST 800-171 controls. The goal of the CMMC compliance guide is to help you understand this boundary definition process across your entire organization.
Step 3: Run the 25-Point Checklist Against Your CRM
Go through each of the 25 items in the checklist table above. For each item, document one of three statuses:
- Met: The control is fully implemented and can be demonstrated to an assessor with evidence
- Partially Met: The control is implemented in some form but has gaps (document the specific gaps)
- Not Met: The control is not implemented or cannot be verified
Be honest. Your self-assessment carries legal weight under the False Claims Act. Overstating your compliance posture is not a risk worth taking. If you are unsure whether a control is met, mark it as Partially Met and investigate further.
Step 4: Prioritize and Remediate Gaps
Organize your gaps by priority level (Critical, High, Medium) from the checklist table. Address Critical items first -- these are the controls most likely to result in assessment failure and the ones assessors check earliest.
For each gap, determine whether it can be closed through:
- Configuration change: Adjusting existing CRM settings (e.g., enabling MFA, setting session timeout)
- Add-on or integration: Purchasing additional modules or connecting third-party tools (e.g., SIEM for audit log export)
- Architectural change: Fundamentally restructuring how CUI flows through your CRM (e.g., implementing network segmentation)
- Platform replacement: Migrating to a CRM that satisfies the requirement natively
Configuration changes are fast and inexpensive. Add-ons increase cost and complexity. Architectural changes require significant planning and investment. Platform replacement is the most disruptive but may be the most cost-effective path if your current CRM cannot satisfy a large number of Critical and High items.
Step 5: Document Everything in Your System Security Plan
Your SSP must describe how each NIST 800-171 control is implemented for your CRM. For every checklist item, your SSP should include:
- The specific control implementation (what technology, configuration, or process satisfies the requirement)
- Evidence of implementation (screenshots, configuration exports, policy documents)
- Responsible parties (who maintains the control and monitors its effectiveness)
- Any Plan of Action and Milestones (POA&M) entries for controls not yet fully implemented
The SSP is the single document your C3PAO assessor will use as their roadmap. If a control is not described in your SSP, it will be evaluated as "not implemented" regardless of whether you have actually implemented it. Detailed guidance on CMMC Level 2 requirements can help you understand what assessors expect for each control.
To learn more about meeting compliance requirements, explore our CMMC guide for small businesses.
---
Common CRM Compliance Gaps and How to Close Them
After evaluating hundreds of defense contractor CRM implementations, the same gaps appear repeatedly. Here are the five most common and the specific actions needed to close them.
Gap 1: No Audit Logging of Record Views
The problem: Most CRM platforms log record creation, updates, and deletion but not record views. NIST 800-171 control 3.3.1 requires audit records sufficient to monitor, investigate, and report unauthorized activity; if you cannot tell who viewed a CUI record, you cannot investigate a suspected disclosure, and an assessor will treat view logging as part of that requirement.
How to close it: In Salesforce, purchase Shield Event Monitoring. In Dynamics 365, enable Microsoft Purview Audit (Premium), which needs E5-level licensing. In HubSpot, this cannot be closed -- the platform does not support view logging. In Cabrillo Club, view logging is enabled by default for all records.
Gap 2: CUI Leaking Through Email Integrations
The problem: Bi-directional email sync (Gmail, Outlook) automatically copies email content into CRM records. If any synced email contains CUI, that CUI is now in your CRM regardless of whether the CRM itself is compliant. The reverse is also true -- CRM data included in email templates flows out to email servers that may not be within your assessment boundary.
How to close it: Implement content inspection on email integration pipelines. Restrict automatic email sync to approved domains. Use CUI marking detection to flag or block emails containing CUI indicators. Our detailed analysis of the email ingestion CUI compliance blind spot covers this topic comprehensively.
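The content inspection step described above, as an added example that is not code from the original article or from any CRM or email vendor. The banner patterns follow the published CUI marking syntax (a "CUI" or "CONTROLLED" banner, optionally with //category and dissemination qualifiers, and a "Controlled by:" designation line); the DFARS-clause and contract-number patterns are heuristics, the sample messages are constructed for this example, and the allow/hold/quarantine/block policy in `decide()` is an assumption you would replace with your own.

```python
"""Content inspection for a CRM email-sync pipeline (Gap 2).

Added example, not from the original article or any vendor. Patterns below the
banner regex are heuristics; sample messages are constructed; policy is assumed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Banner: "CUI" or "CONTROLLED", optionally "//SP-CTI//NOFORN"-style qualifiers.
CUI_BANNER = re.compile(r"\b(?:CUI|CONTROLLED)(?://[A-Z0-9\-/]+)?\b")
CONTROLLED_BY = re.compile(r"^\s*Controlled by:", re.IGNORECASE | re.MULTILINE)
DFARS_CLAUSE = re.compile(r"\b252\.204-70(?:12|19|20|21)\b")
# DoD contract number shape: 6-char DoDAAC, 2-digit FY, instrument letter, 4 digits.
CONTRACT_NO = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")
INDICATORS = [("cui_banner", CUI_BANNER), ("controlled_by", CONTROLLED_BY),
              ("dfars_clause", DFARS_CLAUSE), ("contract_number", CONTRACT_NO)]


def extract_text(msg: Message) -> str:
    """Subject plus every text part. Attachments contribute only their filename;
    the file itself goes to the malware and marking scanners separately."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            parts.append(part.get_filename())
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_indicators(text: str) -> List[str]:
    return [name for name, rx in INDICATORS if rx.search(text)]


def decide(raw_email: str) -> Dict[str, object]:
    """Assumed policy: explicit markings block the sync; unmarked contract
    identifiers quarantine for review; attachments with no indicator are held
    until scanned; everything else syncs to the CRM."""
    msg = message_from_string(raw_email)
    indicators = find_indicators(extract_text(msg))
    has_attachment = any(p.get_filename() for p in msg.walk())
    if "cui_banner" in indicators or "controlled_by" in indicators:
        action = "block"
    elif indicators:
        action = "quarantine"
    elif has_attachment:
        action = "hold"
    else:
        action = "allow"
    return {"action": action, "indicators": indicators, "from": msg.get("From", "")}


# Constructed sample messages, not real correspondence.
SAMPLE_CLEAN = """From: vendor@example.com
To: sales@contractor.example
Subject: Lunch next week

Are you free Tuesday for a quick catch-up?
"""
SAMPLE_MARKED = """From: pm@example.mil
To: sales@contractor.example
Subject: RE: Task Order 7 schedule

CUI//SP-CTI
Revised delivery schedule for W56HZV-24-C-0001 is below.
Controlled by: PEO GCS
"""
SAMPLE_UNMARKED = """From: ko@example.mil
To: sales@contractor.example
Subject: Flowdown reminder

Reminder that DFARS 252.204-7012 flows down to all subs on W56HZV-24-C-0001.
"""
SAMPLE_ATTACHMENT = """From: pm@example.mil
To: sales@contractor.example
Subject: Slides from today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Deck attached, thanks for the briefing.
--b1
Content-Type: application/pdf; name="brief.pdf"
Content-Disposition: attachment; filename="brief.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""
```

The unmarked case is the one that matters most: a contracting officer's reminder carries no banner, but it names a contract and a DFARS clause, and once it is synced the CRM record is in scope whether or not the text was ever marked. Tune the heuristics to your own programs (DoDAAC prefixes you actually hold, program names) and expect false positives; a quarantine queue reviewed daily is cheaper than a spill.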
Gap 3: Overly Broad User Permissions
The problem: CRM administrators grant wide access to avoid support tickets. Sales reps can see every contact, every opportunity, and every attached document -- even for programs they are not authorized to access. This violates the least privilege principle (NIST 800-171 3.1.2) and separation of duties (3.1.4).
How to close it: Implement record-level sharing rules tied to program assignments. Create role hierarchies that mirror your organization's need-to-know structure. Conduct quarterly access reviews and remove permissions that are no longer needed. Use zero-trust CRM architecture principles where every access request is verified against current authorization.
Gap 4: No CUI Boundary Isolation
The problem: The CRM connects to marketing automation, social media tools, website analytics, and other commercial systems through integrations. CUI can flow through these connections into systems that are entirely outside your assessment boundary and your control.
How to close it: Audit every CRM integration. For each connection, determine whether CUI can flow through it. Disable or restrict integrations that create uncontrolled CUI flows. Implement API-level access controls that prevent CUI fields from being exposed to unauthorized integrations. Consider whether your CRM's integration architecture can support true boundary isolation -- if it cannot, architectural changes or platform replacement may be necessary.
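The record-level authorization from Gap 3 and the field-level integration control from Gap 4 are two checks on the same access path, so one added example covers both (not code from the original article or from any CRM product). The program tags, user assignments, roles, integration scopes and the `CUI_FIELDS` set are hypothetical; a real deployment would take them from the identity provider and the CRM schema.

```python
"""Program-scoped record access (Gap 3) and CUI field filtering for integrations (Gap 4).

Added example, not from the original article or any CRM product. Programs,
roles, scopes and CUI_FIELDS are hypothetical schema decisions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Fields in this hypothetical schema that carry CUI. Integrations receive them
# only when explicitly granted the "cui" scope.
CUI_FIELDS = {"contract_number", "cage_code", "technical_approach", "contract_value"}
ROLE_ACTIONS = {"viewer": {"read"}, "editor": {"read", "update"},
                "admin": {"read", "update", "delete"}}


@dataclass
class Record:
    record_id: str
    program: str                    # the program this opportunity or contact belongs to
    fields: Dict[str, object]


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                       # "user" or "integration"
    programs: FrozenSet[str]        # programs this principal is assigned to (need-to-know)
    role: str = "viewer"
    scopes: FrozenSet[str] = frozenset()   # field classes an integration may receive


class Authorizer:
    def __init__(self, records: List[Record]) -> None:
        self.records = {r.record_id: r for r in records}

    def can(self, p: Principal, action: str, record_id: str) -> bool:
        """Deny by default: the record must exist, the principal must be assigned
        to its program, and the role must permit the action."""
        rec = self.records.get(record_id)
        if rec is None or rec.program not in p.programs:
            return False
        return action in ROLE_ACTIONS.get(p.role, set())

    def view(self, p: Principal, record_id: str) -> Optional[Dict[str, object]]:
        """The record as this principal may see it. An integration without the
        "cui" scope gets the record with CUI fields stripped, so a marketing or
        analytics connector never receives them even on an in-scope record."""
        if not self.can(p, "read", record_id):
            return None
        fields = self.records[record_id].fields
        if p.kind == "integration" and "cui" not in p.scopes:
            return {k: v for k, v in fields.items() if k not in CUI_FIELDS}
        return dict(fields)

    def visible(self, p: Principal) -> List[str]:
        """What a list view or search should return for this principal."""
        return sorted(r for r in self.records if self.can(p, "read", r))


def access_review(crm_grants: Dict[str, Set[str]],
                  authoritative: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Quarterly review: compare program assignments held in the CRM with the
    authoritative source (contracts or HR system) and return grants to revoke."""
    excess = []
    for name, programs in sorted(crm_grants.items()):
        for prog in sorted(programs - authoritative.get(name, set())):
            excess.append((name, prog))
    return excess
```

Two design points carry over to any real platform. The program check runs before the role check, so an "admin" on program ALPHA still sees nothing on BRAVO; role alone is never sufficient. And field stripping is done on the server for the integration's identity, not left to the connector's own field mapping, which is what "API-level access controls" means in practice.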
Gap 5: Backups and Disaster Recovery Not Encrypted
The problem: CRM data is encrypted in the production database (satisfying Item 4), but backups are stored unencrypted or with non-FIPS-validated encryption. Backup media -- whether cloud snapshots, exported CSV files, or physical tape -- contains the same CUI as production and must meet the same protection standards.
How to close it: Verify that all backup mechanisms use FIPS 140-2 or FIPS 140-3 validated encryption. Ensure backup storage locations are within your assessment boundary. Implement access controls on backup media that are at least as restrictive as production controls. Document backup encryption in your SSP and include backup media in your media protection procedures, including the sanitization step when backup media is retired.
---
Frequently Asked Questions
Does my CRM need to be CMMC certified?
No. There is no "CMMC certification" for software products. CMMC certification applies to your organization, not to individual tools. However, every system in your assessment boundary -- including your CRM -- must satisfy the applicable NIST 800-171 controls for your organization to achieve certification. If your CRM cannot support a required control, your organization cannot be certified until you remediate the gap. The practical effect is the same: your CRM must meet the standards, even though the certification is issued to your company. Review the CMMC compliance guide for the full organizational certification process.
Can HubSpot be used for defense contractor CRM?
HubSpot can be used for managing commercial (non-defense) customer relationships within a defense contracting organization, but it is not suitable for any CRM function that involves CUI. HubSpot does not operate in a FedRAMP authorized environment, does not document FIPS 140-validated encryption, provides minimal audit logging, and cannot enforce the granular access controls required by NIST 800-171. If you currently use HubSpot and plan to pursue CMMC Level 2 certification, you will need to either exclude it entirely from your CUI processing workflows (using a separate, compliant CRM for defense work) or migrate to a compliant platform. Maintaining two separate CRM systems creates operational complexity and increases the risk of CUI spillage between them.
What NIST 800-171 controls apply to CRM systems?
All 110 controls in NIST SP 800-171 Rev 2 potentially apply to any system within your CMMC assessment boundary, including your CRM. The 25 items in this checklist represent the controls most directly relevant to CRM operations. However, controls from other families -- such as Physical Protection (PE) for the data center hosting your CRM, Personnel Security (PS) for CRM administrators, and Incident Response (IR) for responding to CRM security events -- also apply. Your SSP must address every control and identify how it is implemented, not applicable, or inherited from another system. The CMMC Level 2 requirements explained article provides a detailed walkthrough of all 110 controls.
How do I know if my CRM stores CUI?
Start by examining what information your CRM contains about DoD contracts and programs. If any of the following are present, your CRM almost certainly stores CUI:
- Contract numbers, CAGE codes, or Unique Entity IDs (UEI, the successor to DUNS) associated with DoD contracts
- Names and contact information for DoD personnel linked to controlled programs
- Technical specifications, performance work statements, or statements of work
- Proposal content including technical approaches, cost data, or past performance references
- Source selection information or procurement-sensitive data
- Export-controlled technical data or International Traffic in Arms Regulations (ITAR) information
- Communications (emails, notes, meeting summaries) referencing any of the above
If you are unsure, apply the CUI Registry categories from the National Archives CUI program to your CRM data. When in doubt, treat data as CUI and include the CRM in your assessment boundary -- it is far less costly to over-scope than to face a compliance finding for under-scoping.
What is the fastest way to make my CRM CMMC compliant?
The fastest path depends on your starting point. If you are using a commercial CRM with significant gaps (more than 10 unmet checklist items), migrating to a purpose-built defense contractor CRM like Cabrillo Club is typically faster than remediating a non-compliant platform. Migration to a compliant platform can be completed in 4 to 8 weeks, while remediating a commercial CRM often takes 6 to 12 months of configuration, add-on procurement, integration changes, and documentation. If you are using Salesforce GovCloud or Dynamics 365 GCC High with fewer than 5 gaps, targeted remediation may be more efficient -- but budget for the add-on costs (Shield, Purview, premium security licenses) that will recur annually. In either case, start with Step 1 of the assessment process above: map your CUI data flows before making any platform decisions.
Can I use a Plan of Action and Milestones (POA&M) for CRM gaps?
Yes, but with significant limitations. Under CMMC Level 2, POA&Ms are permitted for a limited number of controls (those not designated as "must achieve" in the CMMC assessment guide). Your overall score must still reach 80% (at least 88 of 110 controls met) for conditional certification, and all POA&M items must be closed within 180 days. This means you cannot use POA&Ms as a long-term workaround for fundamental CRM deficiencies. Critical checklist items like MFA, encryption at rest, and encryption in transit are "must achieve" controls that cannot be POA&M'd -- they must be fully implemented before your assessment. Use POA&Ms strategically for Medium-priority items while you complete remediation, not as a substitute for platform compliance.
---
Moving from Checklist to Compliance
A checklist identifies gaps. Closing those gaps requires action. The defense contractors who move fastest through the CMMC assessment process are those who recognize that CRM compliance is not a configuration project -- it is an architecture decision.
If your current CRM requires 15 add-ons, 6 months of configuration, and ongoing consultant support to satisfy 25 basic requirements, the platform was not designed for your mission. Every workaround introduces complexity, and complexity is the enemy of both compliance and the sales productivity your CRM is supposed to deliver.
Cabrillo Club was built for defense contractors who need a CRM that handles CUI safely from the first login. Every item on this checklist -- from FIPS 140-2 validated encryption to immutable audit trails to record-level RBAC -- is included in the base platform. No add-ons. No consultants configuring sharing rules. No architectural compromises. Just a CRM that works the way defense contractors need it to, with compliance as the foundation rather than an afterthought.
Start with the checklist. Assess your current platform honestly. And if the gaps are wider than a POA&M can bridge, consider whether it is time to stop retrofitting and start with a CRM that was purpose-built for the job.
For the complete architectural blueprint behind a CUI-safe CRM, read our CUI-Safe CRM: The Complete Guide for Defense Contractors. For the broader compliance context, our CMMC compliance guide covers the full certification journey from gap analysis through assessment day.
---
This checklist is based on [NIST SP 800-171 Rev 2](https://csrc.nist.gov/pubs/sp/800-171/r2/upd1/final) requirements as they apply to CRM systems within a CMMC Level 2 assessment boundary. Requirements are derived from the [DFARS 252.204-7012](https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.html) clause and the CMMC Assessment Guide. Defense contractors should consult their CMMC Registered Practitioner or C3PAO for organization-specific guidance.
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.