COMPLIMENTARY CMMC RESOURCES:
→ Gauge Your Compliance Posture — CMMC Readiness Signal
→ Download — Talk to Your Boss About CMMC
→ Visit — The CMMC Command Center
EXECUTIVE BRIEF
This article provides one of the few first-hand accounts of the CMMC program available to defense contractors. Here are three key takeaways from our experience passing our Level 2 assessment:
Dig deeper and continue learning below!
On January 29, 2025, ISI successfully passed its five-day CMMC Level 2 assessment and received our Certificate of Status on March 10, 2025. While external service providers (ESPs) are not required to achieve a CMMC Certificate of Status, we voluntarily went through this process for two main reasons:
Our CMMC Level 2 assessment experience highlighted several key takeaways. Here's what we want to pass on to defense contractors:
Our insights come directly from our compliance and IT team, a group of seasoned CMMC practitioners with over 300 combined years of compliance experience.
Check out our proven CMMC preparation strategy below!
Since launching our managed IT and compliance service offering in 2019, we have been refining a preparation strategy to share with customers. Now that the same strategy has carried us through our own certification, we are sharing it with contractors across the DIB.
Begin your preparation efforts by aligning your compliance strategy with your overall business goals or trajectory.
Key tasks:
ISI Insight: Level 2 (C3PAO), our certification level, opens the widest range of opportunities for defense contractors. It covers every Level 1 requirement and is a prerequisite for Level 3 certification.
After determining which CMMC level best suits your business, audit your internal IT department. This gives an honest picture of the resources your business will need to prepare for and achieve compliance.
Key questions to consider:
ISI Insight: If you answered no to any of these questions, consider bringing on an external service provider (ESP) to support your compliance journey.
>> Gauge your readiness posture in just minutes with our online tool.
Next, determine how your current compliance posture stacks up against CMMC requirements. Once you have chosen the level your business is going after, perform a gap assessment using the corresponding standard as the benchmark.
Standard for each level:
ISI Insight: Many requirements have several assessment objectives. If even one objective is deficient while the others are satisfied, score the whole requirement as NOT MET; assessors do not give partial credit.
After your gap assessment identifies deficiencies in your compliance posture, the next step is to develop a POA&M to kick-start remediation.
POA&Ms can be built in industry-specific applications (like FutureFeed) or in a basic Excel sheet. Either way, make sure your POA&M captures these data points at the task level:
ISI Insight: POA&Ms are not permitted at CMMC Level 1. They are allowed for conditional Level 2 and Level 3 Certificates of Status, but only within limits. A quick rule for conditional certification: 3- and 5-point requirements cannot be placed on a POA&M (the one exception is SC.L2-3.13.11 CUI Encryption, which may be listed at 3 points), your assessment score must still be at least 80% of the maximum, and every POA&M item must be closed out and verified within 180 days or the conditional certificate lapses.
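To make the two scoring rules above concrete, the script below is an added example written for this article; it is not ISI's tooling or code from the page. It rolls assessment-objective results up to requirement status (one deficient objective makes the requirement NOT MET), subtracts the point value of each NOT MET requirement from the 110-point maximum of the DoD NIST SP 800-171 Assessment Methodology, and then applies the conditional-certificate conditions of 32 CFR 170.21: score at or above 80%, only 1-point requirements on the POA&M, SC.L2-3.13.11 permitted at 1 or 3 points, and five named 1-point requirements excluded outright. The requirement IDs are real CMMC Level 2 identifiers, but the point values and objective results in SAMPLE are constructed for illustration; requirements not listed are assumed MET.

```python
"""Roll objective results up to requirement status, compute a DoD Assessment
Methodology style score, and check conditional Level 2 POA&M eligibility.

Added example for this article, not ISI's tooling. Point values and objective
results in SAMPLE are constructed; real values come from the DoD NIST SP
800-171 Assessment Methodology. Requirements not listed are assumed MET.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110            # NIST SP 800-171 Rev 2 requirements at Level 2
MAX_SCORE = 110                     # perfect DoD Assessment Methodology score
CONDITIONAL_MIN_RATIO = 0.8         # 32 CFR 170.21: score / total must be >= 0.8
CUI_ENCRYPTION = "SC.L2-3.13.11"    # may sit on a POA&M at 1 or 3 points
# 1-point requirements that 32 CFR 170.21 excludes from a POA&M regardless.
NEVER_ON_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


@dataclass
class Requirement:
    req_id: str
    points: int          # 1, 3 or 5 per the DoD Assessment Methodology
    objectives: dict     # objective id -> True (met) / False (not met)

    def is_met(self) -> bool:
        # A single deficient objective makes the whole requirement NOT MET.
        return all(self.objectives.values())


def score(reqs) -> int:
    """Subtract the point value of every NOT MET requirement from 110."""
    return MAX_SCORE - sum(r.points for r in reqs if not r.is_met())


def poam_blockers(reqs, total=TOTAL_REQUIREMENTS) -> list:
    """Reasons a conditional certificate is NOT possible (empty list == eligible)."""
    reasons = []
    if score(reqs) / total < CONDITIONAL_MIN_RATIO:
        reasons.append(f"score {score(reqs)}/{total} is below 80%")
    for r in reqs:
        if r.is_met():
            continue
        if r.req_id in NEVER_ON_POAM:
            reasons.append(f"{r.req_id} may never be placed on a POA&M")
        elif r.req_id == CUI_ENCRYPTION and r.points <= 3:
            continue                  # the one permitted 3-point exception
        elif r.points > 1:
            reasons.append(f"{r.req_id} is worth {r.points} points; only 1-point items allowed")
    return reasons


def poam_eligible(reqs, total=TOTAL_REQUIREMENTS) -> bool:
    return not poam_blockers(reqs, total)


# Constructed sample: four requirements, three of them NOT MET.
SAMPLE = [
    Requirement("AC.L2-3.1.1", 5, {"a": True, "b": True, "c": True}),
    Requirement("SC.L2-3.13.11", 3, {"a": False}),               # allowed on POA&M
    Requirement("AC.L2-3.1.20", 1, {"a": True, "b": False}),     # never allowed
    Requirement("AU.L2-3.3.1", 5, {"a": True, "b": False, "c": True}),  # 5 points
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))               # 101 (110 - 3 - 1 - 5)
    for reason in poam_blockers(SAMPLE):
        print("blocker:", reason)
    print("conditional certificate possible:", poam_eligible(SAMPLE))
```

Run it against your own gap-assessment export by replacing SAMPLE with your requirement list; the blockers it prints are the items that must be remediated before the C3PAO arrives, while anything it leaves alone is a candidate for the 180-day POA&M.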
Once your POA&M is complete and you have a rough cost estimate for each remediation task, it is time to finalize your compliance budget. In 2025, the government published its first cost estimate for achieving NIST 800-171 compliance, totaling $175,700. Note that this estimate includes both labor and software costs.
ISI Insight: Working with an external service provider can reduce these costs through economies of scale. For example, Microsoft Government Community Cloud licensing for a 10-person organization is far less expensive when you receive enterprise pricing through your ESP.
Your SSP is a core requirement for CMMC certification. If you do not have an SSP in place, your C3PAO will not even begin the assessment. If your SSP is outdated, expect to fail, because assessors test what the SSP says you do against what your environment actually does.
As you complete the remediation tasks in your POA&M, update your SSP with every change in process or tooling so that the document and the environment never drift apart.
ISI Insight: If you have your policies and procedures documented but housed across different documents or departments, link them in your SSP to make sure the most up-to-date version is accessible.
Once you have remediated every requirement that cannot sit on a POA&M, start holding periodic mock Level 2 assessments. A mock assessment differs from a gap assessment in that it is not focused solely on the technical side of compliance.
A good mock assessment prepares you to demonstrate compliance through the three assessment methods defined in NIST SP 800-171A (examine, interview, and test):
ISI Insight: Your mock assessment is only as good as the person running it. If your IT department is not well versed in CMMC or defense cybersecurity requirements, we strongly recommend bringing in external, expert support. A Managed IT and Compliance provider, like ISI, can manage your IT, manage your compliance journey, and conduct the mock assessment. You can also hire a C3PAO as a consultant; however, a C3PAO that consults for your organization CANNOT perform your official assessment.
Once your remediation efforts are underway, begin interviewing potential C3PAOs. You can find the list of authorized C3PAOs in the CMMC Marketplace on the Cyber AB website. Here are two key things to look for when choosing a C3PAO:
ISI Insight: If you are working with a CMMC-certified ESP, ask whether they have a list of C3PAOs they have worked with. A C3PAO already familiar with your ESP's processes and environment increases predictability for you and the assessment team, which can translate into cost savings.
The CMMC assessment is broken down into four phases. Find a brief analysis and key insight into each phase below:
You now have our first-hand insights and an outline of our preparation strategy. But the truth for many SMB defense contractors is that it will not be enough. CMMC is demanding and requires a dedicated, full-time IT function with the relevant experience to deliver a successful result.
Here is how working with a CMMC-proven Managed IT and Compliance provider, like ISI, can increase predictability and streamline your compliance journey:
The short answer is that Level 2 applies to any organization that is contractually obligated to achieve it.
While CMMC Level 2 is focused on contractors who handle Controlled Unclassified Information (CUI), there are instances where Level 2 will still apply to you even if you do not actively handle CUI. These instances can include:
The CMMC 2.0 program rule (32 CFR Part 170) and the CMMC Marketplace went into effect on December 16, 2024. However, CMMC is implemented through two federal regulations: the 32 CFR program rule, which defines the levels and assessment process, and the 48 CFR acquisition rule, which puts CMMC requirements into DFARS contract clauses.
As of this writing the 48 CFR rule is not yet in effect, meaning the government cannot begin the phased rollout of CMMC requirements in contracts. Prime contractors are allowed to flow down requirements ahead of the government rollout, however, and many have already begun to.
The length of your assessment depends on the scale and scope of your business. If only a small enclave of employees works on defense contracts, your assessment will likely take less time than one for an organization that must achieve compliance company-wide.
That said, plan on roughly 5 business days; ours took five.