Your CMMC Compliance Checklist: 11 Steps for Getting Started

If your business isn’t prepared for a Cybersecurity Maturity Model Certification (CMMC) assessment, starting the process today is crucial. The rollout of CMMC as a requirement for new Department of Defense (DoD) contracts is set to begin around Q3 of 2025, and with the average time for achieving compliance taking around 9-12 months, you need to start now to avoid potential delays down the line.

However, the path to CMMC compliance can be riddled with myths and feel over-complicated for many defense contractors. To assist you in preparing, this checklist outlines 11 essential steps to help your organization begin the journey toward CMMC certification. The 11 steps we will discuss in this checklist include:

1. Getting Familiar with the CMMC Framework
2. Determining the Appropriate CMMC Maturity Level
3. Deciding Who’s Responsible for CMMC Compliance
4. Assessing Your Data and Determining Your CMMC Compliance Boundary
5. Reviewing Your Existing Cybersecurity Frameworks
6. Conducting a NIST 800-171A Self-Assessment
7. Establishing a System Security Plan (SSP)
8. Building a Plan of Action and Milestones (POA&M)
9. Implementing Improvements Based on POA&M and Setting a Timeline for Full Compliance
10. Conducting a CMMC Self-Assessment
11. Choosing a CMMC Third Party Assessor Organization (C3PAO)

1. Get Familiar with the CMMC Framework

The CMMC framework was designed by the DoD to protect against cyber threats and safeguard Controlled Unclassified Information (CUI). It is a set of standards and requirements that the DoD mandates for its contractors and subcontractors.

Compliance is a lengthy process that contains multiple security levels, self-assessments, and third-party assessments. It ensures that organizations implement the necessary cybersecurity practices to protect sensitive information.

2. Determine the Appropriate CMMC Maturity Level for Your Organization

A CMMC maturity level is a set of processes and practices defining the requirements for handling sensitive information. The levels are built on a hierarchy system, with the higher levels denoting more mature cybersecurity where companies can address high-level security threats.

CMMC 2.0 consolidated the original five model levels into a more efficient three-tiered system. The current tiers are: Level 1 (foundational), Level 2 (advanced), or Level 3 (expert). Start by identifying which CMMC level aligns with the protection requirements for the information you handle.

3. Decide Who’s Responsible for CMMC Compliance for Your Organization

Aim to assign an individual or team to oversee CMMC compliance within your organization. This person must be familiar with the CMMC framework and typically have a fundamental understanding of cyber security and IT requirements. Making sure that there is clear ownership of this responsibility within your organization will help your company maintain a focused approach to achieving compliance; it helps you keep track of all communications, requirements, and assessments, and it ensures continuous monitoring of security practices.

4. Assess Your Data and Determine Your CMMC Compliance Boundary

There’s a reason your business needs to be CMMC compliant. To start, identify the areas within your organization that handle sensitive data. Determine which systems or networks your business uses that interact with this information, and which ones you need to focus on in order to meet CMMC compliance. Understanding the CUI your business is in contact with helps set your compliance boundary and assists with accurately scoping the necessary cybersecurity measures.

5. Review Your Existing Cybersecurity Frameworks to Determine Where to Start

You might have already adhered to security controls or achieved compliance before the transition from CMMC 1.0 to CMMC 2.0. However, since some guidelines have changed, don’t assume that what worked before will work now. Take the time to reevaluate your cybersecurity frameworks and practices to ensure they align with the new CMMC 2.0 requirements. Identify existing controls and processes that meet the current standards and pinpoint any areas that need enhancement.

6. Conduct a NIST 800-171A Self-Assessment to Identify Gaps

Perform a self-assessment based on NIST SP 800-171A, which outlines methods and procedures for evaluating the implementation of security requirements. Although NIST 800-171 and CMMC are complementary standards, they differ in compliance requirements: NIST 800-171 compliance can be achieved through self-assessment, whereas CMMC requires a third-party audit for certification. By completing the NIST 800-171 self-assessment first, you can identify gaps in your current cybersecurity practices in relation to CMMC requirements.

7. Establish a System Security Plan (SSP)

A System Security Plan (SSP) outlines an information system’s security requirements, and lays out a plan for meeting those requirements. To stay on track for CMMC compliance, develop your business SSP plan to formally document your organization’s cybersecurity practices, policies, and procedures. The SSP should detail how your organization implements the required CMMC practices and controls so you have a detailed account and comprehensive overview of your cybersecurity framework.

8. Build a Plan of Action and Milestones (POA&M)

Create a Plan of Action and Milestones (POA&M) to address any gaps identified during your self-assessment. A POA&M outlines the steps needed to achieve full compliance in your organization. If your organization struggles to meet certain security controls, a POA&M can help identify these gaps and outline the necessary technologies or procedures to address them.

9. Implement Improvements Based on POA&M and Set a Timeline for Full CMMC Compliance

Assess your organization’s progress toward CMMC compliance and establish a realistic timeline for achieving full certification. Consider factors such as the complexity of the required controls, resource availability, and contractual deadlines. You might also consider partnering with a Registered Provider Organization (RPO), which can help with a variety of performance metrics and assist you through the compliance process.

10. Conduct a CMMC Self-Assessment

Perform a CMMC self-assessment to verify that your organization meets the required practices and processes for your targeted maturity level. This assessment should mirror the official certification process and help identify any remaining areas for improvement. 

Thoroughly evaluate your current practices and identify specific vulnerabilities (if there are any) before undergoing the official assessment. This approach ensures that your company will be well-prepared for future assessments and increases your likelihood of achieving the desired certification level.

You can also assess your compliance posture with our CMMC readiness questionnaire.

11. Choose a CMMC Third Party Assessor Organization (C3PAO)

For organizations falling into CMMC level 2, you will select a Certified Third-Party Assessor Organization (C3PAO) for your official CMMC assessment. The C3PAO will evaluate your organization’s compliance with the CMMC requirements and issue a certification based on your demonstrated cybersecurity practices. Choosing a reputable and experienced C3PAO is crucial for a successful assessment.

FAQs about CMMC Compliance

What Are the CMMC Levels and Their Requirements?

CMMC includes several maturity levels, each with specific cybersecurity requirements:

Level 1 – Foundational

Level 1 focuses on basic cybersecurity practices, including 17 essential controls like access control and physical security measures. This level requires an annual self-assessment and affirmation, establishing a baseline for organizations handling less sensitive federal contract information (FCI).

Level 2 – Advanced

Level 2 includes all Level 1 practices and expands to implement all 110 security controls from NIST SP 800-171. It requires more advanced measures like incident response and risk management, with triennial assessments and annual affirmations, suitable for handling CUI.

Level 3 – Expert

Level 3, the highest level, involves comprehensive cybersecurity practices, including those from Levels 1 and 2, plus additional controls from NIST SP 800-172. This level requires continuous monitoring, advanced threat detection, and multi-year government-led assessments. This level is ideal for contractors dealing with highly sensitive information.

What Are the Costs of CMMC Compliance?

While there is no fixed cost for CMMC compliance, the road to becoming compliant can become costly. These costs stem from an organization’s size, maturity level, and the complexity of required cybersecurity controls. For example, a company looking to comply with Level 3 will likely have to spend more money to meet technology standards than those looking to obtain Level 1. Expect these additional fees from cybersecurity implementation costs, consultants, and third-party assessments.

How Long Is CMMC Certification Good For?

The CMMC certification is valid for three years. Level 1 requires annual self-assessments, while Levels 2 and 3 require reassessments every three years.

Do Subcontractors Need to Be CMMC Compliant

Yes, subcontractors within the defense industrial base (DIB) who handle CUI or FCI must also achieve CMMC compliance. Any organizations that receive contracts or subcontracts from a prime contractor are impacted by flow-down requirements: they must adhere to the same level of compliance as the original contractor.

Reach CMMC Compliance with IsI

Achieving CMMC compliance is a complex but essential process for organizations that handle sensitive information and work with the DoD. By following the 11 steps above and getting familiar with the CMMC framework, your path to CMMC compliance will be that much easier. 

At IsI, we understand the challenges of CMMC compliance and are here to support you every step of the way. Regardless of where you are in your compliance journey, our expertise can help you navigate the complexities of CMMC to achieve and maintain compliance. To learn more about how we can help you achieve CMMC certification, contact us today.