Your CMMC Checklist
Navigating the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) can feel overwhelming, but a structured approach makes all the difference. This checklist is designed to guide defense contractors through each critical step of the CMMC compliance journey. From assessing your data to choosing a C3PAO, it ensures you're prepared to meet your required certification level efficiently and effectively. Use this checklist as your roadmap to not only achieve compliance but to strengthen your organization's overall cybersecurity posture.
Your CMMC Checklist
A defense contractor's roadmap to compliance
1. Assess your data
Begin by identifying whether (and where) your organization handles Controlled Unclassified Information (CUI). Start with a thorough review of your data environment, including digital files, emails, and physical records.
You should determine:
- What types of CUI you handle: Refer to the DoD's categories of CUI to ensure you understand what qualifies.
- Where your CUI resides: Map out data flows within your organization, including storage locations, such as on-premise servers, cloud platforms, or external systems. Don't overlook endpoints like laptops, mobile devices, or USB drives.
- Who interacts with CUI: Identify which teams or individuals access this data and why. This will help you evaluate risks and ensure proper handling.
- Your retention policies: Review whether your retention practices align with compliance requirements or if data can be minimized.
Document your findings in a centralized inventory. This baseline assessment is critical for implementing the necessary security measures to comply with CMMC and protect your organization from compliance risks.
2. Determine your CMMC level
What CMMC level you need to attain depends on the type of information you handle and the security obligations of your DoD contracts.
- Level 1 focuses on basic cybersecurity practices, including 17 essential controls like access control and physical security measures. This level requires an annual self-assessment and affirmation, establishing a baseline for organizations handling less sensitive federal contract information (FCI).
- Level 2 includes all Level 1 practices and expands to implement the 110 security controls from NIST SP 800-171. It mandates more advanced requirements suitable for handling CUI, like incident response and risk management, with triennial third-party assessments and annual affirmations.
- Level 3, the highest level, involves comprehensive cybersecurity practices, including those from Levels 1 and 2, plus an additional 26 controls from NIST SP 800-172. This level requires continuous monitoring, advanced threat detection, and multi-year government-led assessments. This level is intended for contractors dealing with highly sensitive information.
Review your contracts to confirm which level corresponds to your obligations. If you're unsure, consult contracting officers or CMMC experts to ensure you're targeting the correct level. Planning ahead for higher-level requirements may also be beneficial if your organization intends to pursue more complex contracts in the future.
3. Decide Who Owns CMMC Compliance for Your Organization
Clear accountability is essential for a successful CMMC compliance effort. Designate an individual or team to oversee the process, ensuring all requirements are met and maintained over time.
Start by identifying a key decision-maker to act as the CMMC Compliance Owner. This person should have a strong understanding of your organization’s operations, data flow, and security infrastructure. Common choices include IT managers, Facility Security Officers (FSOs), or compliance officers. In smaller organizations, this role may fall to a dual-hatted individual balancing multiple responsibilities.
Next, assemble a compliance team to support the CMMC Compliance Owner. This team should include:
- HR staff to manage security training and employee clearances
- IT specialists to implement technical controls and monitor systems
- Operations staff to ensure compliance practices align with business processes
- External consultants to provide expertise on CMMC requirements and help close gaps
Clearly define your team members’ roles and responsibilities. The Compliance Owner should be accountable for tracking progress, coordinating with stakeholders, and keeping leadership informed. By establishing ownership early, your organization can maintain focus and momentum throughout the compliance journey.
ISI Insight: If you work with an expert partner like ISI on your CMMC compliance journey, they will help you develop a Customer Responsibility Matrix that sets clear expectations about what they handle and what your team handles.
4. Review Your Existing Cybersecurity Framework
Before diving into specific compliance tasks, take a step back to assess your current cybersecurity framework. This review ensures your foundation is solid and identifies high-level gaps in your policies, tools, and practices that may need adjustment for CMMC readiness. Here are some basic steps:
- Inventory your tools and processes: Catalogue the cybersecurity measures you already have in place, such as firewalls, antivirus software, encryption tools, and monitoring systems. Document your current policies, procedures, and incident response plans.
- Map your framework to CMMC practices: Compare your cybersecurity environment with the broader requirements of the CMMC model, including access control, system protection, and incident response capabilities. Focus on identifying areas where you may need to introduce or strengthen capabilities.
- Assess your organization’s culture and training: Evaluate whether employees are actively engaged in cybersecurity practices, such as reporting phishing attempts or adhering to password policies. Consider gaps in training that may leave your organization vulnerable.
- Examine your governance and accountability: Ensure you have a clear structure for managing cybersecurity, with designated roles for monitoring and enforcing policies.
This comprehensive review will provide a clearer picture of your organization's cybersecurity maturity and set the stage for tackling specific CMMC requirements.
5. Conduct a NIST 800-171A Self-Assessment
NIST 800-171A is an assessment guide that provides detailed procedures for evaluating the 110 security controls outlined in NIST 800-171. Performing a self-assessment with this guide will show you how well your organization is implementing the controls required to protect CUI. The assessment will help you identify gaps and ensure you meet baseline CMMC compliance requirements.
Start by reviewing the guide to understand what each control entails and how to measure its effectiveness. Then document your current implementation status for each control, assessing whether it’s fully implemented, partially implemented, or not in place. Note any deficiencies, such as missing documentation or incomplete technical controls.
Test the effectiveness of your existing controls through activities like access reviews, system scans, and simulations. This ensures they’re functioning as intended and mitigating risks effectively.
Lastly, create a plan to address gaps based on your findings. Focus first on critical deficiencies that are essential for your CMMC level and expose your organization to significant risks, then move on to smaller tasks to address gaps in implementation. Document your results and any remediation plans to serve as a reference for discussions with external consultants or assessors.
6. Establish a System Security Plan (SSP)
A System Security Plan (SSP) is the cornerstone of your cybersecurity compliance efforts. It provides a detailed, comprehensive account of your cybersecurity framework, ensuring transparency and giving assessors a clear understanding of how your environment is protected.
Armed with the results from the first four steps on this checklist, your SSP should identify the systems, applications, and environments that store, process, or transmit CUI; spell out employees’ roles and responsibilities in maintaining security; and document your existing security controls.
If some controls are not fully implemented, document them honestly and include references to your Plan of Action and Milestones (POA&M) (our next step), which outlines how and when these gaps will be resolved. Regularly update your SSP as your systems, practices, or regulatory requirements evolve. Treat it as a living document that reflects your organization's ongoing compliance efforts.
ISI Insight: Your SSP is a critical document for your CMMC certification, especially at Level 2. If you do not have one, or it is not up to date, you risk failing your assessment and starting the process all over again!
7. Build a Plan of Action and Milestones (POA&M)
A POA&M outlines how your organization will address gaps and deficiencies in meeting CMMC requirements. It serves as a project plan to guide remediation efforts, prioritize actions, and track progress toward full compliance.
Here's how to build an effective POA&M:
- Review findings from your NIST 800-171A self-assessment and your System Security Plan (SSP) to pinpoint areas where controls are missing or need improvement.
- For each deficiency, detail the specific actions required to implement or improve the control. Be precise about the steps involved, whether it’s updating policies, deploying new technologies, or providing employee training.
- Prioritize tasks based on their importance to your overall security posture and compliance goals. Critical issues that pose significant risks should take precedence over lower-impact items.
- Create a timeline for each action, setting realistic deadlines that align with your organization’s resources, and designate responsibility for each task. This might include specific team members, external vendors, or consultants.
8. Implement Improvements Based on Your POA&M and Set a Timeline for Full CMMC Compliance
With your POA&M in place, it's time to take actionable steps to close compliance gaps and achieve your CMMC certification goals. Begin addressing deficiencies outlined in the POA&M. This might involve deploying technical solutions, revising security policies, or providing targeted employee training. Ensure that each task is completed according to the specified plan.
Track the status of each remediation task and measure success against the milestones set in your POA&M. Regular check-ins with responsible parties will help maintain accountability and keep the project on schedule.
Establish a clear timeline for achieving full compliance. Consider the complexity of the remaining tasks, resource availability, and any upcoming deadlines associated with contract bids or audits. Communicate this timeline to stakeholders to align expectations.
You might also consider partnering with a Registered Provider Organization (RPO), which can help you measure progress against your milestones and guide you through the compliance process. Collaboration with experts helps ensure that improvements are thorough and aligned with compliance standards.
ISI Insight: We advise our customers seeking Level 2 certification to allot at least 9-12 months for their CMMC readiness timeline. That said, timelines vary based on a number of factors, including current security posture, company size, and the percentage of work that is DoD-related.
9. Conduct a CMMC Self-Assessment
Your CMMC self-assessment is the final checkpoint before your audit to evaluate your organization’s readiness for certification. It’s a chance to fine-tune your compliance posture and instill confidence in your readiness for the official CMMC evaluation.
Here's how to conduct a thorough self-assessment:
- Review your documentation: Ensure that your SSP, POA&M, and any other supporting documents are complete, accurate, and up to date.
- Test control implementations: Verify that all security controls required for your CMMC level are fully implemented and operational. This includes testing technical safeguards, reviewing policy adherence, and evaluating employee awareness of cybersecurity practices.
- Simulate assessor questions: Prepare your team by running mock interviews based on likely questions a CMMC assessor might ask. Focus on demonstrating understanding and implementation of practices across the 14 CMMC domains.
- Assess readiness across domains: Evaluate your compliance status for each CMMC domain. Document any residual gaps that may still need addressing.
- Conduct a peer or external review: If possible, engage a third-party consultant or peer reviewer with CMMC expertise to validate your self-assessment findings. Their perspective can help uncover issues you might have overlooked.
- Finalize remediation tasks: Address any remaining gaps or weaknesses identified during the self-assessment to ensure your organization is fully prepared for the formal certification process.
10. Choose a CMMC Third Party Assessment Organization (C3PAO)
Selecting a qualified CMMC Third Party Assessment Organization (C3PAO) is a crucial final step in your journey toward certification. This organization will evaluate your compliance efforts and determine whether your organization meets the requirements for your targeted CMMC level.
Ensure the C3PAO is accredited by the CMMC Accreditation Body (Cyber AB). Only authorized C3PAOs can conduct official CMMC assessments. If you're working with an external service provider (ESP), ask whether they recommend any C3PAOs. A C3PAO's familiarity with your ESP's processes and procedures can make for a smoother assessment.
Some C3PAOs offer additional services, such as readiness reviews or ongoing support. While these are separate from formal assessments, they can provide valuable insights and assistance. But remember: you cannot undergo a CMMC assessment by the same organization that has been helping you prepare for it.
Before finalizing your choice, have a detailed discussion with the C3PAO about their process, timeline, and any preparatory requirements. This ensures clarity and reduces surprises during the assessment.
And remember: plan ahead. Demand for assessments is growing. There are over 80,000 contractors in the DIB and, as of January 2025, fewer than 40 authorized C3PAOs listed on the Cyber AB Marketplace. Contact potential C3PAOs early to ask about scheduling availability that aligns with your compliance timeline.