The CMMC Compliance Command Center
A Definitive Guide for Defense Contractors
In This Guide
How You Approach CMMC is a Critical Business Decision
- By mid-2025, your CMMC status can give you a competitive advantage when bidding on DoD contracts—or prevent you from bidding at all
- Meeting the security requirements needed for CMMC certification has the potential to impact your entire IT setup—and hit your employees’ productivity if you get it wrong
- Obtaining trusted advisory and assessor services, an IT toolset tailored to your organization, and documenting procedures takes time but will improve your information security and provide the DIB, and your prime, with the assurance they require
- Holding off too long may put you at the back of a long line, waiting for auditor availability, and limit your ability to bid on contracts
This guide arms you with concise and practical suggestions to help you decide on the approach that works best for your organization.
How to Use This Guide
We’ve structured this guide into steps to match the different stages an organization goes through on its CMMC journey, and mapped out the most common questions companies have at each stage.
Each section provides a brief overview and then links to concise resources with more information—most take 1-4 minutes to watch or read.
Who We Are
ISI is the security and compliance partner to the defense industrial base. Through our MSP service, we’ve partnered with hundreds of DoD contractors to help them get ready for CMMC.
We hope you find this resource useful. If you would like to discuss how ISI might be able to help you reach CMMC certification, please don’t hesitate to contact us.
Where are you on your CMMC Journey?
- I'm just starting our CMMC compliance journey
- I’m thinking about building a CMMC readiness plan for my organization
- I’m ready to start preparing my organization for CMMC
- I know where we have compliance gaps and need to start remediation
- I’m ready for a CMMC assessment
- I’d like to talk to a CMMC expert
Starting Out with CMMC Compliance
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a unified set of security standards designed to protect sensitive information that the defense industrial base (DIB) shares with its vendors and partners.
- DoD contracts have included a requirement through Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 for contractors and subcontractors to adhere to NIST SP 800-171A since December 2017
- Defense contractors have been expected to meet NIST SP 800-171A compliance, and in many cases have been required to self-attest to that fact, since 2019
- The CMMC program introduces the requirement to achieve certification of your compliance posture through an audit against these security controls by a certified third-party assessment organization (C3PAO)
- The intent of CMMC is to provide assurances to the U.S. Department of Defense that DIB contractors have appropriate measures in place to safeguard controlled unclassified information (CUI) and federal contract information (FCI)
What is NIST SP 800-171?
NIST 800-171, first published in 2015 by the National Institute of Standards and Technology (NIST), lists the specific security processes and controls that entities handling CUI need to have in place. NIST 800-171 expands on the control statements to provide clarifying objective statements.
If you are a DoD contractor or subcontractor with DFARS 7012 in your contract(s), the DoD already expects you to be compliant with NIST 800-171.
READ: Learn about NIST 800-171 controls and objectives, the relevant DFARS clauses, and other terms relating to CMMC in our glossary (5 min)
READ: Understand the relationship between CMMC and NIST 800-171 (3 min)
Building a CMMC Readiness Plan for Your Organization
You’ve covered the basics and now you need to start developing a high-level CMMC readiness plan for your organization.
WATCH: John Nolan, our VP of IT Operations, shares his top tip for organizations about to start on the journey to CMMC readiness (3 min).
Three Key Facts About CMMC
CMMC does not introduce new cybersecurity standards: DoD contractors with DFARS 7012 have been expected to adhere to NIST 800-171 since December 2017.
Even if you don’t handle CUI today, depending on the contracts you hold, you may still need CMMC Level 2 certification.
Depending on your organization’s CMMC readiness, it can take 9-12 months to prepare.
Does My Organization Need CMMC Certification?
The CMMC program applies to all DoD contractors, subcontractors, and suppliers because they handle FCI and, in many cases, CUI.
Organizations in the DIB are required to implement different controls and adhere to different standards, depending on the type and sensitivity of the information they handle. Assessment requirements also vary by maturity levels, from Level 1 (Foundational) to Level 3 (Expert).
When Should My Organization Start Preparing for CMMC?
The time taken to prepare for CMMC varies depending on the size and complexity of an organization. In general, you should prepare for the process to take 9-12 months.
FREE Resource: Get a sense for your compliance posture by taking our CMMC Readiness Questionnaire
WATCH: John Nolan explains below how long the process of getting CMMC ready takes (3 min)
CMMC rollout timeline:
The CMMC Marketplace, which allows assessments to start, is expected to go live by EOY 2024 with the publication of the final rule for 32 CFR on Dec. 16. 48 CFR, which introduces CMMC language into DoD contracts, is set to be published in April 2025.
CMMC language is expected to start appearing in contracts from May 2025 and will be rolled out in phases over a three-year period. Keep up with all the rollout updates by visiting our Countdown to CMMC article.
- We anticipate that the first phase of CMMC requirements in contracts will only relate to Level 1 (requiring self-assessment only)
- We expect Level 2 CMMC requirements will start to appear in contract awards in September/October 2025
Decide when the time is right for your business:
The CMMC Levels Guide:
What CMMC Level Applies to My Organization?
Identifying the correct level for your business is important: depending on your level, you may need a third-party assessment by a C3PAO and you will be expected to meet different numbers of controls.
Myth-busting: Even if you don’t currently handle CUI, you may still need to gain Level 2 certification.
- Contract awards will specify which maturity level organizations are required to hold once CMMC rolls out
- If DFARS 252.204-7012 is present in your contracts, it's extremely likely that you will be expected to achieve Level 2 certification
- Be aware that your Prime may also flow down requirements for you to be Level 2 certified
READ: Learn about the differences between the three CMMC levels and when they apply (4 min)
READ: Explore the various DFARS clauses that are relevant to CMMC and what they mean for DoD contractors (3 min)
CMMC Compliance Costs
Organizations face various costs when preparing for CMMC:
- Third-party assessments (for CMMC Level 2): Costs vary based on your organization’s size and complexity. We estimate assessment costs will start from a base of around $30,000
- Technology upgrades: Invest in tools that align with your CMMC level
- Training: Train employees on CMMC practices
- Documentation tools: Consider software for maintaining records
Resourcing for CMMC
A key question for business leaders when considering CMMC is: “What resources do I need to get the work done?”
While NIST 800-171A provides controls and clarifying objective statements, it can still be challenging to understand what is needed to meet these requirements.
WATCH: John Nolan explains below the resources you’ll need when you start your CMMC journey (3 min)
CMMC Consulting: Compliance Support
A key question for you to answer is whether you intend to handle your cybersecurity requirements in-house or engage an MSP to assist you.
What this means for you: You need to determine whether your current available resources—your in-house IT team or existing MSP—will be able to take your organization to compliance, or if you need to secure support from an expert partner.
Tip: Your MSP will need to be CMMC certified to the same level as your organization to support you with CMMC. Check with your MSP so you understand their CMMC plans.
Expert Guidance and Support: Working with an MSP
An MSP that is a Registered Provider Organization (RPO) can provide pre-assessment consulting services and offer support during assessments.
- An expert partner, like ISI, with experience preparing clients for assessments like DIBCAC High can be a vital resource to ensure you keep in scope only the systems and assets that are necessary to meet NIST 800-171A and CMMC requirements
- They can also advise you on what an auditor is looking for, support you through your audits, and “speak NIST”
WATCH: John explains how responsibilities are typically split between you and your MSP (3 min)
Preparing Your Organization for CMMC: How to Get Started
Ready to start building your CMMC/NIST SP 800-171A Compliance Action Plan? This section takes you through the first two steps on your CMMC journey: understanding the CMMC levels and carrying out a gap analysis.
FREE Resource: Explore our CMMC Readiness Questionnaire to gain insight on your compliance posture.
To start on your journey, you first need to determine what CMMC level is appropriate for your organization.
CMMC 2.0 has three certification levels, which each have distinct assessment requirements.
- Level 1: For contractors dealing with federal contract information (FCI). Requires adherence to 17 foundational controls; only a self-assessment is required.
- Level 2: For contractors holding, processing or transmitting controlled unclassified information (CUI), or that are contractually required to be prepared to do so. Requires you to meet all 110 controls in NIST 800-171A. An audit by a third-party assessment organization (C3PAO) is required for most Level 2 contractors.
- Level 3: Applies to companies that handle CUI and other extremely sensitive data for DoD programs with the highest priority. These companies are likely to experience frequent cyberattacks and advanced persistent threats, and are required to implement robust incident response procedures. Level 3 organizations are assessed exclusively by Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessors.
Tip: If your contract(s) currently contain DFARS 252.204-7012, which requires you to adhere to NIST 800-171, it is very likely that you will be expected to meet CMMC Level 2.
READ: Find out more about the different CMMC levels (4 min)
DOWNLOAD: Learn about FCI and CUI in the DCSA’s Controlled Unclassified Information Frequently Asked Questions PDF (external link)
Carrying out a gap analysis allows you to identify gaps in your current cybersecurity practices.
- Start by identifying the systems in your IT environment through which FCI and/or CUI might flow
- You’ll be able to create a detailed inventory of your assets and controls once you understand which types of covered data your organization handles, as well as where this data is housed
WATCH: John Nolan explains below how you can assess your organization’s current cybersecurity/compliance posture (2 min)
Understanding Your CMMC Compliance Gaps & Starting Remediation
Once you’ve figured out where the gaps are in your IT environment and information systems, processes, and technologies, you’ll need to implement solutions to fill them.
This might include cybersecurity tooling, ongoing monitoring of your networks and information assets, or migration to a cloud platform that’s FedRAMP Moderate authorized or CMMC/NIST SP 800-171 compliant.
This step is where you create your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) to outline steps for achieving compliance.
- Engaging skilled professionals through an MSP, like ISI, can help you identify appropriate and cost-effective solutions
- Remember that each objective can be met in multiple ways, so it’s important you find a solution that also meets your company’s needs
WATCH: John Nolan explains below what to do next once you’ve carried out a self-assessment (2 min)
WATCH: John explains the key components of a System Security Plan (2 min)
WATCH: John identifies the controls that are most commonly missed by DoD contractors (2 min)
Next, you need to apply the necessary controls and document their implementation.
- It’s possible to migrate your entire infrastructure (a lift-and-shift migration) or move just part of your environment into an isolated portion of the cloud, known as an enclave
- All Cloud Service Providers will need to meet the FedRAMP Moderate security baseline standard
- Many DoD contractors establish their infrastructure on FedRAMP authorized platforms, like Microsoft 365 Government Community Cloud (GCC) and Google Workspace
- Managed Service Providers, like ISI, can provide expert guidance on the most appropriate solution for your business and manage your migration project
Getting Ready for Your CMMC Assessment and Choosing a C3PAO
When you're confident you are CMMC ready, it’s time to think about assessment.
Level 1 Requires a Self-Assessment
If you fall into CMMC Level 1, you're required to conduct a self-assessment and submit your score to the Supplier Performance Risk System (SPRS) annually.
The guide for CMMC Level 1 assessment can be downloaded from the DoD CIO site.
Preparing for a C3PAO Audit (Level 2)
If you fall into CMMC Level 2, once you're confident you're CMMC ready, you can plan to book your audit.
- Final rulemaking for 32 CFR ended in October, and the CMMC Marketplace—which allows assessments to commence—is expected to open by EOY 2024. Check out our Countdown to CMMC article for our latest estimates
- Registered Provider Organizations (RPOs) can also be authorized C3PAOs, but they cannot provide the same client with both pre-assessment consulting services and assessments
WATCH: John Nolan shares below his advice on how to effectively prepare for a C3PAO audit (3 min)
WATCH: John explains how to select a C3PAO (3 min)
WATCH: John explains what to expect at the audit and how to assemble the right team to support you (3 min)
DOWNLOAD: The Assessment Guide and Scoping Guidance from the DoD CIO CMMC site
Maintaining a Robust Cybersecurity Posture
Once you’ve passed your audit and received your certificate, the work doesn’t stop there.
All controls in NIST 800-171A require some degree of regular maintenance to ensure you remain compliant and secure.
- This includes ongoing documentation, risk assessments, established incident response procedures, and regular maintenance, updates and patching
- It's also important to keep on top of new requirements and information released by the Department of Defense on new and forthcoming cybersecurity standards
WATCH: John Nolan describes below what ongoing activities are required to maintain a robust cybersecurity posture (3 min)
WATCH: John explains how to maintain compliance when you make changes to your IT infrastructure (3 min)
READ: Learn about the importance of continuous monitoring and what is entailed (2 min)
WATCH: John explains how NIST 800-171 Revision 3, while not yet required for CMMC, will in future extend compliance requirements (3 min)
CMMC Compliance and Your Wider Organization
- The cybersecurity-related policies and procedures that your organization must follow
- Regular employee trainings that must be undertaken
- Certain HR processes you must have in place, like visitor logs
- How you select and work with suppliers and subcontractors
WATCH: John talks through the impact of CMMC on your wider organization (2 min)
WATCH: John summarizes the employee trainings required for CMMC (4 min)
WATCH: John discusses how maintaining compliance will also impact how you work with your supply chain (3 min)