The CMMC Command Center
A Definitive Guide for Defense Contractors
Choosing how your organization approaches CMMC is a critical business decision:
- Your CMMC status can give you a competitive advantage when bidding on contracts from mid-2025—or prevent you from bidding at all
- Meeting the controls required for CMMC has the potential to impact your entire IT setup—and hit your employees’ productivity if you get it wrong
- Obtaining trusted advisory and assessment services, an IT toolset tailored to your organization, and documenting procedures takes time but will improve your security posture and provide the DIB, and your prime, the assurance they require
- Holding off too long may put you at the back of a long line, waiting for auditor availability, and limit your ability to bid on contracts
Using This Guide
We’ve broken this guide out to match the different stages an organization goes through on its CMMC journey, and mapped out the most common questions they have at each stage.
Each section provides a brief overview and then links to concise resources with more information—most will take 1-4 minutes to watch or read.
Who We Are
ISI is the security and compliance partner to the defense industrial base. Through our MSP service, we’ve partnered with hundreds of DoD contractors to help them get ready for CMMC.
We hope you find this resource useful. If would like to discuss how ISI might be able to help you on your CMMC journey, please don’t hesitate to contact us.
Where are you on your CMMC Journey?
CMMC 101: The Basics
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a unified set of security standards designed to protect controlled unclassified information (CUI) that the defense industrial base (DIB) shares with its vendors and partners.
- Since December 2017, defense contracts have included a requirement through DFARS 252.204-7012 for contractors and subcontractors to adhere to NIST SP 800-171A
- Contractors have been expected to meet NIST 800-171A compliance, and in many cases have been required to self-attest to that fact, since 2019
- CMMC introduces the requirement to achieve certification of your compliance posture and be audited against these controls by a certified third-party assessment organization (C3PAO)
- The intent of CMMC is to provide assurances to the DoD that DIB contractors have appropriate measures in place to safeguard federal contract information (FCI) and CUI
What is NIST SP 800-171?
NIST 800-171, first published in 2015, lists the specific processes and controls that entities handling CUI need to have in place. NIST 800-171A expands on the control statements to provide clarifying objective statements.
If you are a DoD contractor or subcontractor with DFARS 7012 in your contract(s), the DoD already expects you to be compliant with NIST 800-171.
READ: Learn about NIST 800-171 controls and objectives, the relevant DFARS clauses, and other terms relating to CMMC in our glossary (5 min)
READ: Understand the relationship between CMMC and NIST 800-171 (3 min)
three key facts about cmmc
CMMC does not introduce new cybersecurity standards: DoD contractors with DFARS 7012 have been expected to adhere to NIST 800-171 since December 2017.
Even if you don’t handle CUI today, depending on the contracts you hold, you may still need CMMC Level 2 certification.
Depending on your organization’s CMMC readiness, it can take 9-12 months to prepare.
Does CMMC apply to my organization?
CMMC applies to all DoD contractors, subcontractors, and suppliers because they handle FCI and, in many cases, CUI.
Organizations in the DIB are required to implement different controls and adhere to different standards, depending on the type and sensitivity of the information they handle. Assessment requirements also vary by level.
When Should my Organization Start Preparing for CMMC?
The time taken to prepare for CMMC varies depending on the size and complexity of an organization. In general, you should prepare for the process to take 9-12 months.
FREE Resource: Get a sense for your compliance posture by taking our CMMC Readiness Questionnaire
WATCH: John Nolan explains below how long the process of getting CMMC ready takes (3 min)
CMMC rollout timeline:
The CMMC Marketplace, which allows assessments to start, is expected to go live by EOY 2024. CMMC language is expected to start appearing in contracts from May 2025 and will be rolled out in phases over a three-year period. Keep up with all the rollout updates by visiting our Countdown to CMMC article.
- We anticipate that the first phase of CMMC requirements in contracts will only relate to Level 1 (requiring self-assessment only)
- We expect Level 2 CMMC requirements in contracts will start to appear from September/October 2025
Deciding when is right for your business:
What CMMC Level Applies to my organization?
Identifying the correct level for your business is important: depending on your level, you may need a third-party assessment by a C3PAO and you will be expected to meet different numbers of controls.
Myth-busting: Even if you don’t currently handle CUI, you may still need to gain Level 2 certification.
- Contracts will specify which level a contractor is required to hold once CMMC rolls out
- If DFARS 252.204-7012 is present in your contracts, it is extremely likely that you will be expected to achieve Level 2 certification
- Be aware that your Prime may also flow down requirements for you to be Level 2 certified
READ: Learn about the differences between the three CMMC levels and when they apply (4 min)
READ: Explore the various DFARS clauses that are relevant to CMMC and what they mean for DoD contractors (3 min)
Budgeting for CMMC
Organizations face various costs when preparing for CMMC:
- Third-party assessments (for CMMC Level 2): Costs vary based on your organization’s size and complexity. We estimate assessment costs will start from a base of around $30,000
- Technology upgrades: Invest in tools that align with your CMMC level
- Training: Train employees on CMMC practices
- Documentation tools: Consider software for maintaining records
Resourcing for CMMC
A key question for business leaders when considering CMMC is: “What resources do I need to get the work done?”
While NIST 800-171A provides controls and clarifying objective statements, it can still be challenging to understand what is what is needed to meet these requirements.
WATCH: John Nolan explains below the resources you’ll need when you start your CMMC journey (3 min)
In-house or an expert partner?
A key question for you to answer is whether you intend to handle your cybersecurity requirements in-house or engage an MSP to assist you.
What this means for you: You need to determine whether your current available resources—your in-house IT team or existing MSP—will be able to take your organization to compliance, or if you need to secure support from an expert partner.
Tip: Your MSP will need to be CMMC certified to the same level as your organization to support you with CMMC. Check with your MSP so you understand their CMMC plans.
Request A Discovery CallExpert guidance and support: working with an MSP
An MSP that is a Registered Provider Organization (RPO) can provide pre-assessment consulting services and offer support during assessments.
- An expert partner, like ISI, with experience preparing clients for assessments like DIBCAC High can be a vital resource to ensure you keep in scope only those systems, etc., that are necessary to meet NIST 800-171A and CMMC requirements
- They can also advise you on what an auditor is looking for, support you through your audits, and “speak NIST”
WATCH: John explains how responsibilities are typically split between you and your MSP (3 min)
Preparing for CMMC: Getting Started
Ready to start building your CMMC/NIST SP 800-171A Compliance Action Plan? This section takes you through the first two steps on your CMMC journey.
FREE Resource: Explore our CMMC Readiness Questionnaire to gain insight on your compliance posture.
To start on your journey, you first need to determine what CMMC level is appropriate for your organization.
CMMC 2.0 has three levels, which each have distinct assessment requirements.
- Level 1: For contractors dealing with federal contract information (FCI) only. Requires adherence to 17 controls and self-assessment only
- Level 2: For contractors holding, processing or transmitting controlled unclassified information (CUI) or that are contractually required to be prepared to do so. Requires you to meet all 110 controls in NIST 800-171A
- Level 3: Applies to companies that handle CUI for DoD programs with the highest priority and are likely to experience advanced persistent threats
Tip: If your contract(s) currently contain DFARS 252.204-7012, which requires you to adhere to NIST 800-171, it is very likely that you will be expected to meet CMMC Level 2.
READ: Find out more about the different CMMC levels (4 min)
DOWNLOAD: Learn about FCI and CUI in the DCSA’s Controlled Unclassified Information Frequently Asked Questions PDF (external link)
Carrying out a gap analysis allows you to identify gaps in your current cybersecurity practices.
- Start by identifying the systems in your IT environment through which FCI and/or CUI might flow
- You’ll be able to create a detailed inventory of your assets and controls once you understand which types of covered data your organization handles, as well as where this data is housed
WATCH: John Nolan explains below how you can assess your organization’s current cybersecurity/compliance posture (2 min)
Preparing for CMMC: Implementation & Remediation
Once you’ve figured out where the gaps in your IT environment, processes and technologies lie, you’ll need to implement solutions to fill them.
This might include cybersecurity tooling, ongoing monitoring of your networks and information assets, or migration to a cloud platform that’s FedRAMP Moderate authorized or CMMC/NIST SP 800-171 compliant.
This step is where you create your System Security Plan (SSP) and Plan of Action and Milestones (POA&M) to outline steps for achieving compliance.
- Engaging skilled professionals through an MSP, like ISI, can help you identify appropriate and cost effective solutions
- Remember that each objective can be met in multiple ways, so it’s important you find a solution that also meets your company’s needs
WATCH: John Nolan explains below what to do next once you’ve carried out a self-assessment (2 min)
WATCH: John explains the key components of a System Security Plan (2 min)
WATCH: John identifies the controls that are most commonly missed by DoD contractors (2 min)
Next, you need to apply the necessary controls and document their implementation.
- It’s possible to migrate your entire infrastructure (a lift-and-shift migration) or move just part of your environment into an isolated portion of the cloud, known as an enclave
- All Cloud Service Providers will need to meet the FedRAMP Moderate security baseline standard
- Many DoD contractors establish their infrastructure on FedRAMP authorized platforms, like Microsoft 365 Government Community Cloud (GCC) and Google Workspace
- Managed Service Providers, like ISI, can provide expert guidance on the most appropriate solution for your business and manage your migration project
Getting Ready for Your Assessment
When you are confident you are CMMC ready, it’s time to think about assessment.
Level 1 Requires a Self-Assessment
If you fall into CMMC Level 1, you are required to conduct a self-assessment and submit your score to the Supplier Performance Risk System (SPRS) annually.
The guide for CMMC Level 1 assessment () can be downloaded from the DoD CIO site.
Preparing for a C3PAO Audit (Level 2)
If you fall into CMMC Level 2, once you are confident you are CMMC ready, you can start thinking about booking in your audit.
- The CMMC Marketplace—which allows assessments to commence—is expected to open by EOY 2024. Check out our Countdown to CMMC article for our latest estimates
- Registered Provider Organizations (RPOs) can also be authorized C3PAOs, but they cannot provide the same client with both pre-assessment consulting services and assessments
WATCH: John Nolan shares below his advice on how to effectively prepare for a C3PAO audit (3 min)
WATCH: John explains how to select a C3PAO (3 min)
WATCH: John explains what to expect at the audit and how to assemble the right team to support you (3 min)
DOWNLOAD: The Assessment Guide and Scoping Guidance from the DoD CIO CMMC site ()
Maintaining a Robust Cybersecurity Posture
Once you’ve passed your audit and received your certificate, the work doesn’t stop there.
All controls in NIST 800-171A require some degree of regular maintenance to ensure you remain compliant and secure.
- This includes ongoing documentation, risk assessments, and maintenance, updates and patching
- It is also important to keep on top of new requirements and information released by the DoD on expected cybersecurity standards
WATCH: John Nolan describes below what ongoing activities are required to maintain a robust cybersecurity posture (3 min)
WATCH: John explains how to maintain compliance when you make changes to your IT infrastructure (3 min)
READ: Learn about the importance of continuous monitoring and what is entailed (2 min)
WATCH: John explains how NIST 800-171 Revision 3, while not yet required for CMMC, will in future extend compliance requirements (3 min)
Compliance and your wider organization
- The cybersecurity-related policies and procedures that your organization must follow
- Regular employee trainings that must be undertaken
- Certain HR processes you must have in place, like visitor logs
- How you select and work with suppliers and subcontractors
WATCH: John talks through the impact of CMMC on your wider organization (2 min)
WATCH: John summarizes the employee trainings required for CMMC (4 min)
WATCH: John discusses how maintaining compliance will also impact how you work with your supply chain (3 min)