What Is CMMC Compliance? 5 Key Steps To Help With CMMC Certification
If you are a defense contractor, subcontractor or your organization does business with the Department of Defense (DoD), you know that the Cybersecurity Maturity Model Certification (CMMC) 2.0 went into effect December 16, 2024.
Under the regulation, you'll need to meet specific security and assessment requirements if you want to remain eligible to continue working with the DoD.
Although the requirements are expected to be rolled out in phases, you should not assume that you'll get a grace period to become compliant. It’s better to kickstart your compliance journey now rather than trying to scramble at the last minute to maintain your DoD contracts or be in a position to win new ones.
Compliance is complex. So, it’s important to know where you stand and where to focus your efforts to make sure you are certified and compliant, saving you valuable time and money.
In this article, we'll explain what CMMC compliance is and walk you through the steps you can take now to help your organization be in the best position possible to become CMMC certified.
With this information, you'll be able to effectively plan and budget your compliance strategy so you can maintain and secure future contracts with the DoD.
What Is CMMC?
The Department of Defense began work on its Cybersecurity Maturity Model Certification (CMMC) Program in 2019. CMMC was created, in part, to provide enhanced protection for information shared within the U.S. Defense Industrial Base (DIB) supplier pool.
The first goal of CMMC is to validate the safeguards and practices that ensure basic cyber hygiene and the protection of federal contract information (FCI) and controlled unclassified information (CUI) within the DIB supplier and partner network.
What Are CUI and FCI?
Both CUI and FCI include information created or collected by or for the U.S. government, as well as information received from the government.
Related Article: How To Find CUI Within Your Environment & Set A CUI Boundary For CMMC
You can think of FCI as information, not intended for public release, that the government provides to a contractor or that the contractor generates for the government under a contract to deliver a product or service. It excludes information the government already releases to the public and simple transactional data such as payment details.
CUI, on the other hand, is unclassified information that a law, regulation or government-wide policy requires to be safeguarded or to have its dissemination controlled. It doesn't fall into the classified bucket, but it still needs protecting so that only authorized users can access it.
The second goal of CMMC is to provide a mechanism for the DoD to verify that primes and their subcontractors have implemented the security requirements for their CMMC level and are maintaining compliance across the contract period.
CMMC is a compilation of security requirements drawn from existing frameworks and regulations, chiefly NIST SP 800-171 (published by the National Institute of Standards & Technology) and the basic safeguarding clause of the Federal Acquisition Regulation (FAR 52.204-21).
It builds on them by introducing a leveled assessment program that requires DIB businesses to prove they are safeguarding the FCI and CUI they store, process and transmit.
This means that if your business is already NIST SP 800-171 compliant, you have a solid foundation for CMMC certification.
Related Article: Step 1 For CMMC Certification: Understanding Your CUI & CMMC Level
What Are The CMMC Certification Levels?
CMMC has three certification levels that you should know about. These levels are based on the type of sensitive information you work with, and each level has specific controls and requirements you need to meet for certification.
Let’s take a look at each of these without the technical jargon. It’s important to understand that each certification level builds upon the requirements of the previous one, with more stringent cybersecurity controls required at higher levels.
Level 1 (Foundational)
Total requirements identified: 15
This level applies to organizations that handle only FCI. They must implement the 15 basic safeguarding requirements outlined in FAR 52.204-21 and self-assess against them annually.
Level 2 (Advanced)
Total requirements identified: 110
This level is for organizations that handle CUI and requires them to implement the 110 security requirements outlined in NIST SP 800-171 Revision 2. Most Level 2 contracts will require a third-party assessment once every three years, with an annual affirmation of continued compliance in between; a smaller set of Level 2 contracts will allow an annual self-assessment instead.
Level 3 (Expert)
Total requirements identified: 134 (the 110 Level 2 requirements plus 24 from NIST SP 800-172)
This level is for organizations working on CUI in high-priority DoD programs that are exposed to advanced persistent threats (APTs). They must first hold a Level 2 certification from a C3PAO, then satisfy 24 additional requirements selected from NIST SP 800-172. The Level 3 assessment is performed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) once every three years.

Now that you know what the three levels are, there is a high probability your organization will fall into Level 2, the Advanced category, as most defense contractors that handle CUI do. But what does this mean, what are the key takeaways and where should your compliance efforts be focused?
Simply put, your focus should be on doing everything you can to protect CUI and making sure you are compliant with the 110 security requirements outlined in NIST SP 800-171 Revision 2.
Furthermore, make sure all 320 assessment objectives from NIST SP 800-171A are met, because an assessor scores a requirement as met only when every one of its objectives is met, and make sure you are ready to be assessed by a Certified Third-Party Assessment Organization (C3PAO).
What Steps Can I Take To Be Ready For CMMC Certification?
You now have a good idea what CMMC is, why certification is important and what each level of the CMMC ladder covers. Where do you go from here? How can you make sure your CMMC readiness journey is as smooth as possible without any disruptions to your business?
Here are five steps you can take to make sure you meet the required cybersecurity standards to protect sensitive information and position your business as a leader to secure future government contracts.
Step 1: Understand What CMMC Level You Require
Earlier we covered that the CMMC levels are based on what type of sensitive information you handle. It’s critical to determine which level your organization falls under. Assess whether you use FCI, CUI or both.
This will give you a fairly good idea of where your organization should be and what controls you need to implement and satisfy.
You can verify this in your defense contract which may also specify the level you need to achieve, and if it doesn’t, contact your contracting office or the organization above you in the supply chain.
Aligning your company with the right CMMC level and security controls ultimately will help you meet customer and regulatory requirements and expectations to make sure you keep your current contracts and have a competitive advantage to bid for new ones.
Step 2: Understand Your IT Environment
Once you have determined your organization’s CMMC level, the next step is to understand your IT environment and infrastructure. Make sure you document and include all systems and devices that store or share sensitive data like FCI or CUI.
Additionally, identify who has access to these systems and how you can limit access only to authorized users. This will help you get a good gauge of how many licenses and other security features or tools you will need to make sure your environment is compliant.
Step 3: Conduct A Gap Analysis
Now that you know which systems handle CUI and who has access to them, conduct a gap analysis that compares your current security safeguards, objective by objective, with the requirements in NIST SP 800-171 and the assessment objectives in NIST SP 800-171A.
Your gap analysis will identify the areas where you fall short and the weaknesses you still carry. This gives you a clear picture of the policies, procedures and technology you will need in order to close those gaps and achieve CMMC compliance, and it lets you prioritize the work by the weight each requirement carries in your assessment score.
Step 4: Develop A System Security Plan (SSP) And Implement Controls
You’ve identified your gaps and are ready to begin implementing the necessary security controls you need to fix those security defects and become CMMC compliant.
The next step is to create a comprehensive System Security Plan (SSP) to explain and document exactly how your organization is going to safeguard the sensitive federal data you handle.
Related Article: CMMC Step 4: SSP Documentation–What’s Your CMMC Compliance Evidence?
It must be detailed enough to show the types of CUI your organization handles, how each type of CUI is processed, stored and shared, and a description of the security measures your organization has implemented for each NIST 800-171 control.
It should also identify who is responsible for implementing, monitoring and updating each security control. If a plan of action and milestones (POA&M) is needed, your SSP should align with it so that every open gap is tracked. Keep in mind that CMMC 2.0 only allows a limited set of lower-weighted requirements to remain open on a POA&M at assessment time, and they must be closed within 180 days for a conditional certification to become final.
Additionally, it’s essential to regularly review and update your SSP. It will be a document that keeps evolving as you implement and update new security controls and will serve as foundational evidence that your organization has done everything it needs to protect CUI and be CMMC certified.
Related Article: What Is A NIST 800-171 System Security Plan (SSP) & How To Create One
Step 5: Review Your Controls & Complete A CMMC Assessment
Perform a final sweep of your scoped environment with a pre-audit review to catch any previously undiscovered weaknesses ahead of your official CMMC assessment.
Start with a self-assessment that compares your controls against NIST SP 800-171 and the 800-171A objectives to confirm you have closed every area of noncompliance. If you haven't, this is your chance to address the remaining gaps before your third-party assessment.
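The gap analysis in Step 3 and the self-assessment above both come down to the same bookkeeping: tracking each NIST SP 800-171A objective, rolling the objectives up into a requirement status, and turning that into the score you will report in SPRS and the open items you will put on your POA&M. The script below is an added example written for this article, not code from the original page or from any DoD tool. It models the DoD NIST SP 800-171 Assessment Methodology as the author understands it (start at 110, subtract 1, 3 or 5 points per requirement that is not fully met, with reduced 3-point deductions for partially implemented 3.5.3 and 3.13.11). The requirement identifiers are real, but the weights, objective states and titles are a constructed sample; look up the authoritative weights in the DoD methodology's scoring table before reporting a score.

```python
"""Gap-analysis tracker and SPRS-style scorer for a NIST SP 800-171 self-assessment.

Added example, not code from the original article. Scoring rules reflect the
DoD NIST SP 800-171 Assessment Methodology as the author understands it:
the score starts at 110 and each requirement that is not fully met subtracts
its weight (1, 3 or 5). Two requirements, 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography), subtract only 3 instead of 5 when partially
implemented. The weights and objective states below are a constructed sample.
"""
from dataclasses import dataclass

MAX_SCORE = 110
# Requirements that earn a reduced deduction when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Requirement:
    rid: str                      # e.g. "3.5.3"
    title: str
    weight: int                   # 1, 3 or 5 in the DoD methodology (sample values here)
    objectives: dict[str, str]    # 800-171A objective id -> "met" | "not_met" | "na"


def requirement_status(req: Requirement) -> str:
    """A requirement is met only when every applicable 800-171A objective is met."""
    states = {s for s in req.objectives.values() if s != "na"}
    if not states or states == {"met"}:
        return "met"
    if "met" in states:
        return "partial"
    return "not_met"


def deduction(req: Requirement) -> int:
    """Points subtracted for this requirement.

    Assumption: partial credit for 3.5.3 / 3.13.11 is granted whenever at least
    one objective is met. The methodology's actual partial-credit conditions are
    narrower, so treat this as an approximation for prioritisation, not reporting.
    """
    status = requirement_status(req)
    if status == "met":
        return 0
    if status == "partial" and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    return req.weight


def score(reqs: list[Requirement]) -> int:
    """SPRS-style score: 110 minus all deductions (minimum -203 if nothing is met)."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def gap_report(reqs: list[Requirement]) -> list[dict]:
    """Unmet and partial requirements, highest deduction first, for the POA&M."""
    rows = []
    for r in reqs:
        d = deduction(r)
        if d:
            open_objs = sorted(k for k, v in r.objectives.items() if v == "not_met")
            rows.append({"rid": r.rid, "title": r.title, "status": requirement_status(r),
                         "deduction": d, "open_objectives": open_objs})
    return sorted(rows, key=lambda row: (-row["deduction"], row["rid"]))


# Constructed sample inventory; a real assessment covers all 110 requirements.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", "Limit system access to authorized users", 5,
                {"3.1.1[a]": "met", "3.1.1[b]": "met", "3.1.1[c]": "met"}),
    Requirement("3.1.22", "Control CUI posted on publicly accessible systems", 1,
                {"3.1.22[a]": "met", "3.1.22[b]": "not_met"}),
    Requirement("3.5.3", "Use MFA for privileged and network access", 5,
                {"3.5.3[a]": "met", "3.5.3[b]": "met",
                 "3.5.3[c]": "not_met", "3.5.3[d]": "not_met"}),
    Requirement("3.13.11", "Employ FIPS-validated cryptography to protect CUI", 5,
                {"3.13.11[a]": "not_met"}),
    Requirement("3.14.1", "Identify, report and correct system flaws", 5,
                {"3.14.1[a]": "met", "3.14.1[b]": "met", "3.14.1[c]": "met"}),
]

if __name__ == "__main__":
    print("Score:", score(SAMPLE_REQUIREMENTS))
    for row in gap_report(SAMPLE_REQUIREMENTS):
        print(f"{row['rid']:8} -{row['deduction']} {row['status']:8} {row['title']}")
        for obj in row["open_objectives"]:
            print("           open objective:", obj)
```

Two things the sample is built to show: 3.1.22 has one objective met and one open, but because it has no partial-credit rule it still loses its full (1-point) weight, while 3.5.3 in the same state loses 3 rather than 5. Sorting the report by deduction puts the 5-point items, which also cannot be deferred to a POA&M, at the top of your remediation list.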
You should also conduct a mock audit so that your team is fully prepared to demonstrate the security controls you've put in place as well as answer any questions assessors may have about them.
Once you're confident that you've met all the compliance requirements for your CMMC level, you can schedule your assessment with a Certified Third-Party Assessment Organization (C3PAO).
Related Article: How To Find An Approved C3PAO For Your CMMC Level 2 Assessment
Your assessment will follow the NIST SP 800-171A methods: the assessor examines your SSP and supporting evidence, interviews your team, and tests the controls you describe. This is why I cannot stress enough how important it is to make your SSP as comprehensive and detailed as possible.
It’s important to note that while we have found that most organizations can successfully follow the steps outlined above to ensure they are ready for their CMMC assessment, your organization may need to tweak the finer details, depending on your compliance readiness and how quickly you need to become CMMC certified.
Related Article: Understanding Your CMMC Audit: Here's What You Can Expect
The Bottom Line With CMMC Readiness & Certification
You now have a thorough understanding of what CMMC compliance is, what each level of CMMC requires, and 5 key steps to help your business with CMMC readiness before your official assessment.
Language for CMMC 2.0 has already started appearing in contracts. In addition, CMMC Level 2 self-assessments have been operational in the DoD's Supplier Performance Risk System (SPRS) online portal since February 28, 2025.
Not only that, but with the limited number of C3PAOs, available slots to schedule an assessment are filling up quickly.
CMMC certification is critical for your business if you want to continue working with the DoD as well as gain a competitive advantage for winning new contracts.
So, preparation is key and the time to act is now.
The five key steps we've outlined in this article will help streamline your CMMC compliance journey, minimize disruptions, and help you budget accurately for your compliance and assessment costs.
If you have a large internal IT staff, you may have all the resources you need to ensure that your organization can successfully prepare and implement the necessary policies, procedures, and documentation for CMMC compliance.
If you don’t have a full in-house IT team or a team that has little compliance experience, you may want to explore working with an external IT provider who has compliance expertise and staff to guide and advise you.
Managed IT services help organizations adopt many of the security requirements outlined in NIST 800-171 and ultimately prepare for CMMC certification.
The right managed service provider (MSP) can also offer strategic guidance and support after you've become certified.
Such ongoing support keeps your SSP updated to reflect changes in your environment and verifies that your team is still following the security procedures you implemented. It also puts you in a position to accurately affirm your continued compliance each year, as the regulation requires.
That said, we publish articles like this one so that business leaders have the information you need to keep your data and infrastructure safe and understand how to move forward whether you choose to work with us or not.
If you are feeling overwhelmed and just want to talk to a human, we get that too! Click the button to schedule a no-obligation readiness consultation.