The Ultimate Guide to Achieving CMMC
Master CMMC 2.0 compliance with practical insights, actionable steps, and expert strategies for secure certification.
Pro Tip: How to Use the Ultimate CMMC Guide
This isn’t a “one-and-done” read. No one reads 100 pages in one sitting anyway. It is your go-to reference for every stage of your CMMC journey.
- Bookmark the Table of Contents: It is your roadmap to find exactly what you need, when you need it.
- Revisit sections as your compliance maturity evolves.
- Use it as your playbook: Highlight, annotate, and make it yours.
Want your own PDF copy? Just send an email to ix@isegrim-x.com and we will hook you up!
Table of Contents
- Executive Summary
- Part 1: Understanding CMMC
- Introduction to CMMC
- CMMC Framework and Structure
- CMMC Ecosystem and Stakeholders
- DoD CIO CMMC Program Management Office
- CMMC Accreditation Body (Cyber AB)
- Certified Third-Party Assessment Organizations (C3PAOs)
- Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
- Cybersecurity Assessor and Instructor Certification Organization (CAICO)
- CMMC Certified Professionals, Assessors, and Instructors
- Assessment Types and Requirements
- Part 2: Determining Your CMMC Requirements
- Identifying Your Required CMMC Level
- Scoping Your CMMC Assessment
- Understanding the 110 Security Requirements
- Part 3: Preparing for CMMC Compliance
- Building Your CMMC Roadmap
- Technical Implementation Strategies
- Access Control Implementation
- Audit, Logging, and Monitoring
- Configuration and Change Management
- Incident Response and Recovery
- Third-Party Risk Management
- Part 4: Documentation and Evidence
- System Security Plan
- Policies and Procedures
- Evidence Collection and Management
- Asset Inventory and Network Diagrams
- Part 5: The Assessment Process
- Preparing for Assessment
- The CMMC Assessment Process
- Self-Assessment Guide
- Certification Assessment
- Plans of Action and Milestones
- Part 6: Maintaining CMMC Compliance
- Annual Affirmation Process
- Continuous Compliance and Improvement
- Managing Organizational Change
- Part 7: Special Topics and Advanced Considerations
- Small Business Considerations
- Cloud and Hybrid Environments
- Common Pitfalls and How to Avoid Them
- CMMC Implementation Timeline and Phases
- Part 8: Resources and Next Steps
- Official Resources and References
- Training and Professional Development
- Building Your Action Plan
- Appendices
- Appendix A: CMMC Level 1 Requirements
- Appendix B: CMMC Level 2 Requirements
- Access Control (AC) - 22 Requirements
- Awareness and Training (AT) - 3 Requirements
- Audit and Accountability (AU) - 9 Requirements
- Configuration Management (CM) - 9 Requirements
- Identification and Authentication (IA) - 11 Requirements
- Incident Response (IR) - 3 Requirements
- Maintenance (MA) - 6 Requirements
- Media Protection (MP) - 9 Requirements
- Personnel Security (PS) - 2 Requirements
- Physical Protection (PE) - 6 Requirements
- Risk Assessment (RA) - 3 Requirements
- Security Assessment (CA) - 4 Requirements
- System and Communications Protection (SC) - 16 Requirements
- System and Information Integrity (SI) - 7 Requirements
- Appendix C: CMMC Level 3 Requirements
- Access Control (AC) - 4 Enhanced Requirements
- Audit and Accountability (AU) - 3 Enhanced Requirements
- Configuration Management (CM) - 2 Enhanced Requirements
- Identification and Authentication (IA) - 3 Enhanced Requirements
- Incident Response (IR) - 2 Enhanced Requirements
- Risk Assessment (RA) - 3 Enhanced Requirements
- Security Assessment (CA) - 2 Enhanced Requirements
- System and Communications Protection (SC) - 3 Enhanced Requirements
- System and Information Integrity (SI) - 2 Enhanced Requirements
- Appendix D: CMMC Glossary, Acronyms and Definitions
- Appendix E: Assessment Preparation Checklist
- Appendix F: Sample Templates
- Appendix G: Useful Tools and Software
- Appendix H: CMMC Ecosystem Contact Information
- DoD CMMC Program Management Office
- CMMC Accreditation Body (Cyber AB)
- Defense Contract Management Agency (DCMA) - DIBCAC
- Supplier Performance Risk System (SPRS)
- National Institute of Standards and Technology (NIST)
- Defense Acquisition University (DAU)
- DoD Small Business Programs
- Procurement Technical Assistance Centers (PTACs)
- Manufacturing Extension Partnership (MEP)
- FedRAMP Program Management Office
- DoD Cyber Crime Center (DC3)
- Conclusion
Executive Summary
The Cybersecurity Maturity Model Certification (CMMC) represents a comprehensive framework established by the U.S. Department of Defense (DoD) to enforce the protection of sensitive unclassified information shared with its contractors and subcontractors. As the Defense Industrial Base (DIB) faces increasingly frequent and complex cyberattacks, CMMC is designed to provide the DoD with increased assurance that its partners are meeting the necessary cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Any organization that conducts business with the DoD, including prime contractors and subcontractors at all tiers, will be required to achieve a specific CMMC level as a condition of contract award. The CMMC framework is structured into three levels of increasing cybersecurity maturity, each with a corresponding set of security requirements and assessment procedures. Level 1 focuses on basic cyber hygiene for the protection of FCI, while Levels 2 and 3 are designed to protect CUI from more sophisticated cyber threats.
The official implementation of CMMC begins on November 10, 2025, with a phased rollout over three years. This timeline makes it imperative for all DIB contractors to begin their compliance journey immediately. Organizations that delay their preparation risk being unable to compete for DoD contracts, as CMMC certification will become a mandatory requirement for contract awards.
This comprehensive guide provides a detailed overview of the CMMC program, its requirements, and a step-by-step approach to achieving and maintaining compliance. It covers everything from understanding the framework and determining your required level to implementing technical controls, preparing for assessments, and maintaining ongoing compliance.
Part 1: Understanding CMMC
Introduction to CMMC
The digital transformation of the global economy has brought unprecedented opportunities for innovation and collaboration. However, it has also created new vulnerabilities, with malicious cyber actors continuously seeking to exploit weaknesses in digital infrastructures. The Defense Industrial Base (DIB), a vast network of over 220,000 companies that contribute to the research, development, and production of U.S. military capabilities, has become a prime target for these adversaries.
The theft of intellectual property and sensitive defense information from the DIB poses a significant threat to U.S. economic and national security. The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016, while the Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017. Over a ten-year period, that burden would equate to an estimated $570 billion to $1.09 trillion in costs.
The Shift from Trust to Verification
To address this growing threat, the Department of Defense has shifted from a trust-based to a verification-based cybersecurity model. The CMMC program represents a pivotal change in how the DoD ensures the protection of sensitive information across its supply chain. It moves beyond the previous self-attestation model, which proved insufficient in ensuring consistent cybersecurity posture across the DIB, to a system of third-party assessments and certifications.
This new approach is designed to provide the DoD with a higher level of confidence that its partners have implemented the necessary security controls to protect FCI and CUI, thereby strengthening the overall security and resilience of the DIB. The program enforces existing cybersecurity requirements while providing a standardized assessment methodology to verify compliance.
Historical Context and Evolution
The CMMC program evolved from several key regulatory and policy developments:
2010: Executive Order 13556 established the Controlled Unclassified Information (CUI) Program, creating a standardized approach to handling sensitive but unclassified information across the federal government.
2015: The DoD implemented DFARS clause 252.204-7008, which required offerors to represent their compliance with NIST SP 800-171, relying on self-attestation.
2016: DFARS clause 252.204-7012 was revised to require compliance with NIST SP 800-171 no later than December 2017, along with cyber incident reporting requirements.
2019: A DoD Inspector General report cited a significant lack of compliance within the DIB, highlighting the inadequacy of the self-attestation model.
2020: The National Defense Authorization Act (NDAA) Section 1648 directed the DoD to create an assessment framework, leading to the development of CMMC.
2025: The DoD implemented the CMMC Program to assess compliance through a verification-based approach, moving beyond self-attestation to third-party assessments.
CMMC Framework and Structure
The CMMC framework is built upon a tiered model of cybersecurity maturity, with each level representing a set of security requirements that an organization must implement to protect FCI and CUI. The framework is designed to be scalable, allowing organizations to achieve a CMMC level that is appropriate for the type and sensitivity of the information they handle.
The Three CMMC Levels
The CMMC framework consists of three distinct levels, each with specific security requirements and assessment procedures:
Level 1: Foundational
Level 1 is focused on the basic safeguarding of Federal Contract Information (FCI) and consists of 15 security requirements derived from FAR clause 52.204-21. This level is the minimum requirement for any organization that handles FCI and is designed to be achievable for even the smallest businesses in the DIB. The requirements focus on fundamental cyber hygiene practices such as access control, user authentication, malware protection, and physical security.
Level 2: Advanced
Level 2 is designed for the protection of Controlled Unclassified Information (CUI) and incorporates the 110 security requirements from NIST SP 800-171 Revision 2. This is the most common requirement for organizations that handle CUI and requires a more robust cybersecurity program than Level 1. The requirements span 14 security domains and address comprehensive security controls including access management, incident response, configuration management, and risk assessment.
Level 3: Expert
Level 3 is intended for organizations that handle CUI and are at risk from Advanced Persistent Threats (APTs). Level 3 includes all the requirements of Level 2, plus a subset of 24 requirements from NIST SP 800-172, which are designed to provide enhanced protection against sophisticated cyber threats. These additional requirements focus on advanced security capabilities such as threat hunting, advanced monitoring, and enhanced incident response.
The 14 Security Domains
The CMMC model is organized into 14 domains that align with the security requirement families in NIST SP 800-171 Rev 2:
Relationship to NIST Standards
The CMMC framework is closely aligned with National Institute of Standards and Technology (NIST) cybersecurity standards. Level 2 of CMMC is directly based on NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Level 3 incorporates a subset of requirements from NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171."
This alignment with NIST standards ensures that the CMMC framework is based on a solid foundation of cybersecurity best practices that have been developed and refined over many years. Organizations that are already familiar with NIST standards will find the transition to CMMC more straightforward, as the underlying security principles and controls are consistent.
Understanding FCI vs. CUI
Understanding the distinction between Federal Contract Information and Controlled Unclassified Information is crucial for determining your required CMMC level:
Federal Contract Information (FCI) is defined in FAR 52.204-21 as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." FCI excludes information provided by the Government to the public (such as on public websites) or simple transactional information (such as necessary to process payments). FCI is the less sensitive of the two types of information and is protected at CMMC Level 1.
Controlled Unclassified Information (CUI) is defined in 32 CFR 2002.4(h) as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." CUI is more sensitive than FCI and requires protection at CMMC Level 2 or Level 3. Examples of CUI categories include Controlled Technical Information (CTI), export-controlled information, and information covered by International Traffic in Arms Regulations (ITAR).
CMMC Ecosystem and Stakeholders
The CMMC program is supported by a complex ecosystem of organizations and stakeholders, each with distinct roles and responsibilities. Understanding this ecosystem is essential for any organization seeking to achieve CMMC compliance.
DoD CIO CMMC Program Management Office
The DoD Chief Information Officer CMMC Program Management Office (PMO) is responsible for the overall oversight and management of the CMMC program. The PMO develops and maintains the CMMC Model Overview, Assessment Guides, Scoping Guides, and Hashing Guide. It also serves as the scheme owner for the CMMC program, ensuring that it meets the requirements of international standards such as ISO/IEC 17011. The PMO establishes the requirements for C3PAOs, CAICO, assessors, and instructors.
CMMC Accreditation Body (Cyber AB)
The Cyber AB is a non-profit organization responsible for accrediting and overseeing the CMMC ecosystem. The organization is professionally staffed, managed by a Board of Directors, and operates in compliance with ISO/IEC 17011 standards. The Cyber AB is responsible for accrediting Certified Third-Party Assessment Organizations (C3PAOs) and the Cybersecurity Assessor and Instructor Certification Organization (CAICO). The Cyber AB also manages the CMMC marketplace, where organizations can find certified assessors and training providers.
Certified Third-Party Assessment Organizations (C3PAOs)
C3PAOs are organizations accredited by the Cyber AB to conduct CMMC Level 2 certification assessments on DIB contractors. These organizations must meet stringent requirements, including ISO/IEC 17020 accreditation, to ensure they are qualified to conduct CMMC assessments. C3PAOs employ certified assessors who conduct the assessments and submit assessment reports in the Enterprise Mission Assurance Support Service (eMASS). Upon successful assessment, C3PAOs issue CMMC certificates to DIB contractors.
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
The DIBCAC is a government organization within the Defense Contract Management Agency (DCMA). The DIBCAC is responsible for conducting CMMC Level 2 certification assessments on C3PAOs and CMMC Level 3 certification assessments on DIB contractors. The DIBCAC also provides advisory support to the DoD CIO CMMC PMO on assessment-related matters.
Cybersecurity Assessor and Instructor Certification Organization (CAICO)
The CAICO is an organization accredited by the Cyber AB to certify CMMC assessors and instructors. The CAICO operates in compliance with ISO/IEC 17024 standards and is responsible for ensuring that CMMC professionals have the necessary knowledge and skills to conduct CMMC assessments and provide CMMC training.
CMMC Certified Professionals, Assessors, and Instructors
These are individuals who have been certified by the CAICO to perform various roles within the CMMC ecosystem:
CMMC Certified Professionals (CCPs) are qualified to assist organizations in preparing for CMMC assessments. They can help with gap assessments, remediation planning, and documentation preparation.
CMMC Certified Assessors (CCAs) are qualified to conduct CMMC assessments as part of a C3PAO team. They must first obtain CCP certification, then complete additional training and gain relevant experience.
CMMC Certified Instructors (CCIs) are qualified to provide CMMC training to organizations and individuals seeking to understand or prepare for CMMC compliance.
Assessment Types and Requirements
The CMMC program includes various assessment types and requirements, each designed to provide the DoD with a level of assurance appropriate for the sensitivity of the information being protected.
Self-Assessments vs. Certification Assessments
The CMMC program includes two primary types of assessments:
Self-Assessments are conducted by the Organization Seeking Assessment (OSA) itself and are required for CMMC Level 1 and for some CMMC Level 2 contracts (as specified in the solicitation). Self-assessments must be conducted annually for Level 1 and every three years for Level 2. The results of self-assessments are entered into the Supplier Performance Risk System (SPRS), where they are visible to DoD contracting officers.
Certification Assessments are conducted by an independent third party and are required for some CMMC Level 2 contracts and for all CMMC Level 3 contracts. CMMC Level 2 certification assessments are conducted by a C3PAO, while CMMC Level 3 certification assessments are conducted by the DIBCAC. Certification assessments are valid for three years from the CMMC Status Date.
Assessment Frequency and Validity Periods
The frequency and validity of CMMC assessments vary by level:
Annual Affirmation Requirements
In addition to periodic assessments, all organizations with a CMMC certification are required to submit an annual affirmation of compliance. This affirmation is a statement that the organization has continued to maintain its cybersecurity posture and has not made any significant changes that would affect its CMMC compliance. The annual affirmation is submitted through the SPRS. Failure to submit the annual affirmation will result in the expiration of the CMMC Status.
SPRS and eMASS Systems
The CMMC program relies on two key systems for managing assessment data:
Supplier Performance Risk System (SPRS) is a DoD system used to collect and manage information about DoD contractors, including their CMMC assessment results. The results of all CMMC self-assessments, annual affirmations, and CMMC Status information are entered into SPRS. SPRS is accessible to DoD contracting officers for verification of contractor compliance.
Enterprise Mission Assurance Support Service (eMASS) is a DoD system used to manage the CMMC certification assessment process. The results of all CMMC certification assessments (Level 2 C3PAO and Level 3 DIBCAC) are entered into eMASS. This system provides a secure platform for managing assessment artifacts and reports.
Conditional vs. Final CMMC Status
An organization can achieve two types of CMMC Status:
Conditional CMMC Status is achieved when an organization has a passing score on its assessment but has some remaining items on its Plan of Action and Milestones (POA&M). A Conditional CMMC Status is valid for 180 days, during which time the organization must close out its POA&M items through a closeout assessment.
Final CMMC Status is achieved when an organization has a passing score on its assessment with no POA&M items, or when it has successfully closed out its POA&M items within the 180-day timeframe. A Final CMMC Status is valid for three years from the CMMC Status Date (or from the Conditional CMMC Status Date if POA&Ms were involved).
POA&M Rules and Restrictions
A Plan of Action and Milestones (POA&M) is a document that identifies an organization's plan to correct deficiencies identified during a CMMC assessment. The CMMC program has strict rules regarding POA&Ms:
POA&Ms are not permitted for CMMC Level 1. All 15 requirements must be fully implemented before achieving Level 1 certification.
For CMMC Level 2 and Level 3, POA&Ms are allowed for some requirements. However, there are critical requirements that cannot be included in a POA&M. These critical requirements are specified in 32 CFR § 170.21 and must be fully implemented before certification.
All POA&M items must be closed out within 180 days of when the CMMC assessment results are finalized and submitted to SPRS or eMASS. If POA&M items are not closed out within this timeframe, the organization's Conditional CMMC Status will expire.
POA&M closeout requires an assessment. For Level 2 self-assessments, the POA&M closeout is conducted by the OSA. For Level 2 certification assessments, the POA&M closeout must be performed by an authorized C3PAO. For Level 3 certification assessments, the POA&M closeout is performed by the DIBCAC.
Part 2: Determining Your CMMC Requirements
Identifying Your Required CMMC Level
Determining the appropriate CMMC level for your organization is the foundational first step in your compliance journey. The required level is not a choice but is dictated by the type of information your organization processes, stores, or transmits as part of its work with the DoD.
Understanding Contract Requirements
The primary driver for your CMMC level is the specific requirements outlined in DoD contracts. As the CMMC program is implemented, new solicitations and contracts will explicitly state the required CMMC level for that particular effort through the inclusion of DFARS clause 252.204-7021. This clause relies on the requiring activity to identify the appropriate CMMC Status requirements based on the type of information to be processed, stored, or transmitted.
It is essential to carefully review all contract documents, including the statement of work, security classification guides, and any referenced DFARS clauses, to identify the required CMMC level. If the required level is not immediately clear, seek clarification from the contracting officer before submitting a proposal or bid.
FCI vs. CUI Determination
The type of information your organization handles is the key factor in determining your required CMMC level. As a general rule:
If your organization only handles Federal Contract Information (FCI), you will be required to achieve CMMC Level 1. This includes basic contract information that is not intended for public release but does not meet the definition of CUI.
If your organization handles Controlled Unclassified Information (CUI), you will be required to achieve at least CMMC Level 2. CUI includes information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies.
It is crucial to have a clear understanding of the definitions of FCI and CUI and to be able to identify which type of information your organization handles. This may require a data discovery and classification exercise to identify all instances of FCI and CUI within your environment. Organizations should review the DoD CUI Registry to understand the specific categories and subcategories of CUI that may apply to their contracts.
CMMC Levels Determination Methodology
The DoD has provided a methodology for determining the appropriate CMMC level for a given contract. This methodology is based on a risk assessment that considers the sensitivity of the information and the potential impact of its loss or compromise. The methodology is designed to ensure that the required CMMC level is commensurate with the risk to national security.
The determination process typically involves:
- Identifying the type of information involved (FCI or CUI)
- Assessing the sensitivity and criticality of the information
- Evaluating the potential threat environment
- Determining whether Advanced Persistent Threat (APT) protection is required
- Specifying the appropriate CMMC level in the contract solicitation
Flow-Down Requirements for Subcontractors
Prime contractors are responsible for flowing down the CMMC requirements to their subcontractors. This means that if a prime contractor is required to achieve a certain CMMC level, all of its subcontractors that handle FCI or CUI for that contract will also be required to achieve the same CMMC level.
The flow-down requirements are specified in DFARS clause 252.204-7021, which requires contractors to include the requirements of the clause in all applicable subcontracts and to ensure that applicable subcontractors can conduct and submit an assessment. It is essential for subcontractors to understand their CMMC obligations and to work closely with their prime contractors to ensure they are meeting the necessary requirements.
When Level 3 is Required
CMMC Level 3 is required for organizations that handle CUI and are at risk from Advanced Persistent Threats (APTs). The determination of whether Level 3 is required is made by the DoD based on a risk assessment of the program and the sensitivity of the information involved.
Level 3 is typically required for programs that involve:
- Critical technologies or capabilities
- High strategic importance to national security
- Information that is particularly attractive to nation-state adversaries
- Programs where the loss of information could provide significant military or economic advantage to adversaries
Organizations seeking Level 3 certification must first achieve CMMC Status of Final Level 2 for the same assessment scope before undergoing a Level 3 assessment. This ensures that the foundational security controls are in place before implementing the enhanced protections required at Level 3.
Scoping Your CMMC Assessment
Properly scoping your CMMC assessment is one of the most critical and challenging aspects of the compliance process. The assessment scope defines the boundaries of the assessment and determines which assets, systems, and personnel are subject to the CMMC security requirements.
What is Assessment Scope?
The CMMC assessment scope includes all assets, systems, and personnel that process, store, or transmit CUI or FCI. This includes not only the systems that directly handle this information but also any systems that provide security functions to protect those systems (Security Protection Assets). The scope also includes all personnel who have access to CUI or FCI, as well as any third-party vendors or service providers that have access to this information.
Proper scoping is essential because it directly impacts:
- The cost and complexity of compliance
- The number of security controls that must be implemented
- The duration and cost of the assessment
- The ongoing maintenance burden
Enclave vs. Enterprise Approach
There are two primary approaches to scoping a CMMC assessment:
Enclave Approach involves creating a separate, secure environment specifically for handling CUI. This can be a good option for organizations that have a small amount of CUI and can easily isolate it from the rest of their IT environment. The enclave approach can help reduce the scope of the assessment and the cost of compliance. An enclave can be physical (separate network infrastructure) or logical (segmented network with strict boundary controls).
Benefits of the enclave approach include reduced scope, lower implementation costs, and easier management of security controls. However, the enclave approach requires strict controls on data flows and can create operational challenges if CUI needs to be accessed from multiple locations or by many users.
Enterprise Approach involves bringing the entire organization's IT environment into scope for the CMMC assessment. This is typically necessary for organizations that have a large amount of CUI that is widely distributed throughout their IT environment. The enterprise approach is more complex and costly than the enclave approach but can provide a higher level of security and eliminate the need for strict boundary controls.
The enterprise approach is often more practical for organizations where:
- CUI is handled by a large percentage of employees
- CUI flows through many different systems and applications
- The operational burden of maintaining an enclave would be too high
- The organization wants to achieve a uniform security posture across all systems
Asset Categorization Methodology
The CMMC scoping guidance provides a methodology for categorizing assets to determine whether they are in scope for the assessment. The methodology includes the following asset categories:
CUI Assets are assets that process, store, or transmit CUI. These assets are always in scope for the assessment and must meet all applicable CMMC security requirements. Examples include file servers storing CUI, workstations used to create or edit CUI, and applications that process CUI.
Security Protection Assets (SPAs) are assets that provide security functions to the CMMC environment. SPAs are always in scope for the assessment because they protect CUI assets. Examples include firewalls, intrusion detection systems, authentication servers, log management systems, and backup systems.
Security Protection Data (SPD) is data that is created by or used by Security Protection Assets. SPD must be protected at the same level as CUI because compromise of SPD could lead to compromise of CUI. Examples include security logs, vulnerability scan results, and security configuration data.
Contractor Risk Managed Assets (CRMAs) are assets that are not part of the CMMC environment but are connected to it and could potentially impact its security. CRMAs are not in scope for the assessment, but they must be managed in accordance with the organization's risk-based security policies and procedures. Examples include corporate IT systems that are connected to the CUI environment but do not process CUI.
Specialized Assets are assets that are not capable of being fully secured due to technical limitations. Examples include Internet of Things (IoT) devices, operational technology (OT) systems, and government-furnished equipment (GFE). Specialized assets are not in scope for the assessment, but they must be documented in the System Security Plan (SSP) and managed in accordance with the organization's risk-based security policies and procedures.
Identifying CUI Data Flows
To properly scope your CMMC assessment, it is essential to identify all data flows of CUI within your environment. This includes:
- Data flows between systems (network communications)
- Data flows between personnel (email, file sharing)
- Data flows with third-party vendors (cloud services, managed services)
- Data flows with customers and partners (collaboration tools)
Creating data flow diagrams is a helpful way to visualize the flow of CUI and to identify all assets that are in scope for the assessment. These diagrams should show:
- All systems that process, store, or transmit CUI
- All systems that provide security functions (SPAs)
- All connections between systems
- All external connections (internet, partner networks, cloud services)
- All boundary protection mechanisms (firewalls, VPNs)
Defining Assessment Boundaries
The assessment boundary defines the perimeter of the CMMC environment. All assets within the boundary are in scope for the assessment, while assets outside the boundary are not. The boundary should be clearly defined and documented in the System Security Plan.
Key considerations for defining the assessment boundary include:
Physical boundaries (data center locations, office locations)
Logical boundaries (network segments, VLANs, security zones)
Personnel boundaries (who has access to CUI)
Third-party boundaries (which vendors have access to CUI)
The boundary should be designed to minimize the scope while ensuring that all CUI is adequately protected. Boundary controls (firewalls, access controls) should be implemented to prevent unauthorized access to the CMMC environment.
Common Scoping Mistakes and How to Avoid Them
Scoping errors are among the most common mistakes organizations make when preparing for a CMMC assessment. These mistakes can lead to failed assessments and significantly increase the cost of compliance.
Under-Scoping occurs when an organization fails to include all assets that process, store, or transmit CUI in the scope of the assessment. This can lead to security gaps and a failed assessment. To avoid under-scoping, conduct a thorough data discovery exercise to identify all instances of CUI, trace all data flows, and include all systems that touch CUI.
Over-Scoping occurs when an organization includes assets in the scope that do not process, store, or transmit CUI. This can unnecessarily increase the cost and complexity of the assessment. To avoid over-scoping, carefully analyze data flows, implement network segmentation to isolate CUI, and use the asset categorization methodology to accurately classify assets.
Failing to Consider All Data Flows occurs when an organization fails to identify all data flows of CUI within its environment. This can lead to under-scoping and a failed assessment. To avoid this mistake, create comprehensive data flow diagrams, interview personnel to understand how they work with CUI, and review all system integrations and interfaces.
Failing to Consider All Third-Party Vendors occurs when an organization fails to include all third-party vendors that have access to CUI in the scope of the assessment. This can lead to security gaps and a failed assessment. To avoid this mistake, create a comprehensive inventory of all vendors and service providers, assess which vendors have access to CUI, and ensure vendor compliance with CMMC requirements.
Failing to Document Specialized Assets and CRMAs occurs when organizations do not properly document assets that are out of scope. Even though these assets are not assessed, they must be documented in the SSP with a justification for why they are out of scope and how they are managed to prevent risk to the CUI environment.
Understanding the 110 Security Requirements
CMMC Level 2 is aligned with NIST SP 800-171 Rev 2 and includes 110 security requirements designed to provide broad protection for CUI. These requirements are organized into 14 domains, each covering a specific area of cybersecurity.
Overview of the 14 Domains
A thorough understanding of these 110 requirements is essential for any organization seeking to achieve CMMC Level 2 compliance. The requirements are distributed across the 14 domains as follows:
Assessment Objectives from NIST 800-171A
It is important to note that while CMMC Level 2 includes 110 security requirements, NIST SP 800-171A expands these into approximately 320 assessment objectives. Each security requirement may have multiple assessment objectives that assessors will evaluate during the assessment.
For example, a single requirement such as "Limit system access to authorized users" may have multiple assessment objectives covering:
Determination of how the organization identifies authorized users
Examination of access control policies and procedures
Testing of access control mechanisms
Verification that unauthorized users cannot access systems
Organizations must address all assessment objectives, not just the high-level requirements, to achieve compliance. This is why proper documentation and evidence collection are critical components of CMMC preparation.
Organization-Defined Parameters
Some CMMC requirements include organization-defined parameters, which allow organizations to tailor certain aspects of the requirements to their specific needs and risk environment. However, for requirements derived from NIST SP 800-171, the DoD has specified certain parameters that must be used.
For example, the DoD has specified parameters for:
Password complexity requirements
Session timeout periods
Audit log retention periods
Unsuccessful logon attempt limits
Organizations must use the DoD-defined parameters where specified and document their rationale for any organization-defined parameters in their System Security Plan.
Part 3: Preparing for CMMC Compliance
Building Your CMMC Roadmap
Embarking on the CMMC compliance journey requires a well-defined and strategic roadmap. A comprehensive roadmap will guide your organization through the complexities of the CMMC framework and ensure that your efforts are efficient, effective, and aligned with your business objectives.
Conducting a Gap Assessment
The first step in building your CMMC roadmap is to conduct a thorough gap assessment. A gap assessment is a detailed review of your organization's current cybersecurity posture against the requirements of your target CMMC level. The goal is to identify any gaps between your current state and the CMMC requirements and to develop a plan to address those gaps.
The gap assessment should be conducted by a qualified CMMC professional who has a deep understanding of the CMMC framework and the NIST standards upon which it is based. The assessment should include:
Review of existing security policies and procedures
Examination of technical security controls
Interviews with key personnel
Review of system configurations
Analysis of security documentation
Identification of missing or inadequate controls
The output of the gap assessment should be a comprehensive report that identifies all gaps, prioritizes them based on risk and criticality, and provides recommendations for remediation.
Prioritizing Remediation Efforts
Once you have identified the gaps in your cybersecurity posture, the next step is to prioritize your remediation efforts. Not all gaps are equal, and some will pose greater risk than others. The prioritization process should be based on:
Risk Assessment: Evaluate the likelihood and impact of each gap being exploited. Focus first on gaps that pose the greatest risk to CUI.
Critical Requirements: Identify requirements that cannot be included in a POA&M. These must be remediated before the assessment.
Dependencies: Some controls depend on others being in place first. For example, audit logging depends on having systems properly configured.
Quick Wins: Identify gaps that can be remediated quickly and easily to build momentum and demonstrate progress.
Resource Availability: Consider the cost and effort required to remediate each gap and the resources available.
Creating a Realistic Timeline
After prioritizing your remediation efforts, create a realistic timeline for achieving CMMC compliance. The timeline should be based on:
The scope of your compliance efforts
The number and severity of gaps identified
The resources available (budget, personnel, expertise)
The complexity of required changes
The need for vendor procurement and implementation
The time required for testing and validation
For organizations starting from scratch, the timeline can range from 6 to 18 months or more, depending on the current state of cybersecurity maturity. Organizations with existing security programs may be able to achieve compliance more quickly.
It is important to be realistic in your timeline and to build in buffer time for unexpected delays. The timeline should be reviewed and updated regularly to ensure you remain on track to meet your compliance goals.
Budget Considerations and Cost Estimation
Achieving CMMC compliance can be a significant investment. Develop a detailed budget that includes:
Assessment Costs:
Gap assessment fees
Readiness assessment fees
Formal CMMC assessment fees (for certification assessments)
Implementation Costs:
Hardware and software purchases
Cloud service subscriptions
Network infrastructure upgrades
Security tool licensing
System integration costs
Personnel Costs:
Internal staff time
Consultant fees
Managed service provider fees
Training costs
Ongoing Costs:
Annual affirmation activities
Continuous monitoring tools
Maintenance and updates
Recurring assessments every three years
Work with a qualified CMMC professional to develop a realistic budget and identify potential cost-saving opportunities such as leveraging cloud services, using open-source tools where appropriate, or implementing an enclave approach to reduce scope.
Building Executive Buy-in and Support
Achieving CMMC compliance is a team effort that requires buy-in and support from all stakeholders, from the executive level down. Executive support is critical because:
CMMC compliance requires significant investment
Implementation may require changes to business processes
Compliance is necessary to maintain DoD contracts
Non-compliance can result in loss of business opportunities
To build executive buy-in:
Clearly communicate the business impact of CMMC
Emphasize the risk of non-compliance (inability to bid on contracts)
Present a clear roadmap and budget
Provide regular progress updates
Demonstrate return on investment (improved security posture, competitive advantage)
Assembling Your CMMC Team
Assemble a CMMC team with the necessary skills and expertise to lead your organization through the compliance process. The team should include:
CMMC Project Manager: Oversees the entire compliance effort, manages the timeline and budget, and coordinates all activities.
IT/Security Personnel: Implement technical controls, configure systems, and manage security infrastructure.
Compliance/Legal Personnel: Ensure policies and procedures meet requirements, manage documentation, and coordinate with assessors.
Business Unit Representatives: Provide input on operational requirements, help identify CUI data flows, and ensure controls do not disrupt business operations.
External Consultants: Provide expertise in CMMC requirements, conduct gap assessments, and assist with remediation (if needed).
The team should meet regularly to review progress, address challenges, and make decisions about implementation approaches.
Technical Implementation Strategies
Once you have a clear understanding of your CMMC requirements and have developed a roadmap for compliance, the next step is to implement the necessary technical controls.
Choosing Your Technical Architecture
The first step in implementing technical controls is to choose a technical architecture appropriate for your organization's needs:
On-Premises Architecture involves hosting all IT systems and data in your own data center. This approach provides a high level of control over your environment but can be more expensive and complex to manage. On-premises architecture may be appropriate for organizations with existing data center infrastructure, specific regulatory requirements, or concerns about cloud security.
Cloud-Based Architecture involves hosting IT systems and data in the cloud. This approach can be more cost-effective and scalable than on-premises architecture but introduces new security considerations. Cloud architecture is often appropriate for organizations without existing infrastructure, those seeking to reduce capital expenditures, or those needing geographic flexibility.
Hybrid Architecture combines on-premises and cloud-based systems. This approach provides flexibility to host systems and data in the location most appropriate for specific needs. Hybrid architecture is common among organizations transitioning to the cloud or those with specific requirements for certain systems to remain on-premises.
Cloud Service Provider Options
If you choose a cloud-based or hybrid architecture, select a cloud service provider (CSP) that can meet the security requirements of the CMMC framework:
Microsoft 365 Government Community Cloud (GCC) is designed for organizations that handle FCI. GCC provides enhanced security and compliance features compared to commercial Microsoft 365 but is less restrictive than GCC High.
Microsoft 365 GCC High is required for organizations that handle CUI. GCC High provides FedRAMP High authorization and meets the security requirements for protecting CUI in the cloud.
Amazon Web Services (AWS) GovCloud is a cloud computing platform designed to meet U.S. government security and compliance requirements. AWS GovCloud provides FedRAMP High authorization and is appropriate for organizations needing flexible and customizable cloud infrastructure.
Azure Government is Microsoft's government cloud platform, providing FedRAMP High authorization and isolation from commercial cloud services.
Google Cloud for Government provides FedRAMP authorization and government-specific security features.
When selecting a CSP, ensure the provider has appropriate FedRAMP authorization (Moderate for FCI, High for CUI). Review the provider's Shared Responsibility Matrix to understand which security controls are managed by the provider and which are the organization's responsibility.
Network Segmentation and Enclave Design
Network segmentation is a security technique that divides a network into smaller, isolated segments. This helps reduce the risk of a security breach by limiting an attacker's ability to move laterally through the network.
Key principles for network segmentation include:
Boundary Protection: Implement firewalls and access controls at segment boundaries to control traffic flow.
Least Privilege: Only allow necessary communications between segments.
Defense in Depth: Implement multiple layers of security controls.
Monitoring: Implement monitoring at segment boundaries to detect unauthorized access attempts.
For enclave design, create a separate, secure environment specifically for CUI with:
Dedicated network infrastructure or logical segmentation
Strict access controls at the enclave boundary
Monitoring of all traffic entering and leaving the enclave
Separate authentication systems or strong authentication requirements
Dedicated security protection assets (firewalls, IDS, logging)
Virtual Desktop Infrastructure (VDI)
Virtual Desktop Infrastructure (VDI) allows users to access a virtual desktop from any device. VDI can be beneficial for CMMC compliance because:
Centralized management of desktops ensures consistent security configurations
CUI remains in the data center rather than on endpoint devices
Easier to implement and enforce security controls
Simplified management of user access
Reduced risk of data loss from lost or stolen devices
VDI solutions appropriate for CMMC include:
VMware Horizon
Citrix Virtual Apps and Desktops
Microsoft Azure Virtual Desktop (in GCC High)
Amazon WorkSpaces (in GovCloud)
Implementing Required Security Controls
Once you have chosen your technical architecture and designed your network, implement the security controls required for your target CMMC level. This includes:
Access Controls: Implement authentication systems, access control lists, privileged access management, and multi-factor authentication.
Audit and Accountability: Implement centralized logging, log management systems, and log analysis tools.
Configuration Management: Establish baseline configurations, implement configuration management tools, and establish change control processes.
Incident Response: Implement security monitoring tools, intrusion detection systems, and incident response platforms.
System and Communications Protection: Implement firewalls, VPNs, encryption, and boundary protection mechanisms.
System and Information Integrity: Implement anti-malware solutions, patch management systems, and vulnerability scanning tools.
FIPS 140-3 Validated Cryptography
The CMMC framework requires the use of FIPS 140-3 validated cryptography to protect CUI. FIPS 140-3 is a U.S. government standard that specifies security requirements for cryptographic modules.
Ensure that all cryptographic modules used to protect CUI are FIPS 140-3 validated:
Use operating systems with FIPS 140-3 validated cryptographic modules (Windows, modern Linux distributions)
Verify that encryption solutions are FIPS 140-3 validated
Document FIPS 140-3 validation certificates for all cryptographic modules
Maintain screenshots and URLs of FIPS 140-3 validation listings from the NIST website
Access Control Implementation
Access control is one of the most critical domains in the CMMC framework, with 22 requirements at Level 2. Implementing effective access controls is essential for protecting CUI and ensuring that only authorized users can access sensitive information.
User Authentication and Authorization
The foundation of access control is the ability to verify the identity of users and ensure they are authorized to access the systems and data they are requesting. This requires implementation of a robust authentication and authorization system.
Key components include:
Identity Management: Implement a centralized identity management system (Active Directory, Azure AD, Okta) to manage user accounts and credentials.
Authentication Mechanisms: Implement strong authentication mechanisms that verify user identity before granting access.
Authorization Controls: Implement role-based access control (RBAC) or attribute-based access control (ABAC) to ensure users only have access to resources necessary for their job functions.
Account Management: Implement processes for creating, modifying, and disabling user accounts promptly when personnel changes occur.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a security technique that requires users to provide two or more forms of identification before accessing a system or data. MFA is a key requirement of the CMMC framework and is essential for protecting CUI.
MFA implementation should include:
Coverage: Implement MFA for all users accessing CUI, especially for remote access and privileged accounts.
MFA Methods: Use approved MFA methods such as hardware tokens, software tokens (authenticator apps), smart cards, or biometric authentication.
Phishing-Resistant MFA: Consider implementing phishing-resistant MFA methods such as FIDO2 security keys or certificate-based authentication.
Backup Methods: Implement backup authentication methods in case primary MFA methods are unavailable.
Privileged Access Management
Privileged access management (PAM) is used to manage and control access to privileged accounts such as administrator accounts. PAM is essential for protecting CUI because privileged accounts have elevated permissions that could be exploited by attackers.
PAM implementation should include:
Privileged Account Inventory: Maintain an inventory of all privileged accounts.
Least Privilege: Grant users only the minimum privileges necessary to perform their job functions.
Privileged Session Management: Monitor and record all privileged sessions.
Just-in-Time Access: Implement just-in-time privileged access where users request elevated privileges only when needed.
Privileged Password Management: Implement automated password rotation for privileged accounts.
Session Management and Termination
Session management ensures that user sessions are secure and terminated when no longer needed. CMMC requirements include:
Session Lock: Implement automatic session lock after a defined period of inactivity (typically 15 minutes or less).
Pattern-Hiding Displays: Ensure that session locks hide the contents of the display to prevent unauthorized viewing.
Session Termination: Implement automatic session termination after a defined condition (such as a period of inactivity or at the end of the workday).
Concurrent Session Control: Limit the number of concurrent sessions for users where appropriate.
Remote Access Security
Remote access allows users to access systems and data from outside the organization's physical location. While necessary for many organizations, remote access introduces security risks that must be managed.
Remote access security controls include:
Cryptographic Protection: Use cryptography to protect the confidentiality of remote access sessions (VPN, TLS).
Managed Access Control Points: Route all remote access through managed access control points (VPN concentrators, remote desktop gateways).
Remote Access Authorization: Require authorization before allowing remote access connections.
Remote Access Monitoring: Monitor and control all remote access sessions.
Privileged Remote Access: Implement additional controls for remote execution of privileged commands.
Wireless Access Controls
Wireless access introduces unique security challenges that must be addressed:
Wireless Authorization: Authorize wireless access prior to allowing connections.
Wireless Authentication: Implement strong authentication for wireless access (WPA2/WPA3 Enterprise with 802.1X).
Wireless Encryption: Use strong encryption to protect wireless communications (AES).
Wireless Monitoring: Monitor wireless access points for unauthorized devices.
Mobile Device Management
Mobile device management (MDM) is used to manage and control mobile devices such as smartphones and tablets. MDM is essential for protecting CUI accessed from mobile devices.
MDM implementation should include:
Device Enrollment: Require all mobile devices that access CUI to be enrolled in the MDM system.
Device Configuration: Enforce security configurations on mobile devices (password requirements, encryption, etc.).
Application Management: Control which applications can be installed on mobile devices.
Remote Wipe: Implement the ability to remotely wipe devices if they are lost or stolen.
Device Compliance: Continuously monitor device compliance with security policies and block non-compliant devices.
CUI Encryption Requirements
The CMMC framework requires encryption of CUI on mobile devices and mobile computing platforms. This ensures that if a device is lost or stolen, the CUI on that device cannot be accessed by unauthorized users.
Encryption requirements include:
Full Disk Encryption: Implement full disk encryption on all mobile devices and laptops (BitLocker, FileVault, etc.).
FIPS 140-3 Validated Cryptography: Use FIPS 140-3 validated cryptographic modules for encryption.
Encryption Key Management: Implement secure key management practices to protect encryption keys.
Verification: Regularly verify that encryption is enabled and functioning on all devices.
Audit, Logging, and Monitoring
Audit, logging, and monitoring are essential for detecting and responding to security incidents. The CMMC framework includes 9 requirements in the Audit and Accountability domain designed to ensure organizations have the necessary capabilities to monitor their systems.
Audit Log Requirements
The CMMC framework requires implementation of audit logs that capture security-relevant events including:
User logons and logoffs
Privileged actions (administrative activities)
Changes to security configurations
Access to CUI
Failed access attempts
Changes to user accounts
System startup and shutdown
Audit logs must be configured to capture sufficient information to allow for investigation of security incidents, including:
Date and time of the event
User or process that initiated the event
Type of event
Success or failure of the event
Source and destination of the event
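Whether the audit configuration actually produces records with those fields, and covers those event types, is something an assessor will want to see evidence for. The script below is an added example, not part of this guide; it reads constructed newline-delimited JSON records (the field names ts, actor, event, outcome, src and dst are assumptions for the example) and reports records missing a required field, required event types the sample never shows, and actors exceeding a constructed failed-logon threshold within a window. The threshold and window here are illustrative; the actual unsuccessful-logon limit is the DoD-specified parameter discussed earlier.

```python
"""Audit-record completeness, event coverage and failed-logon checks.

Constructed example, not code from the guide. Records are newline-delimited
JSON; field names (ts, actor, event, outcome, src, dst) are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields each audit record needs for incident investigation (per the list above).
REQUIRED_FIELDS = ("ts", "actor", "event", "outcome", "src", "dst")

# Event types the audit configuration must capture (failed attempts are checked
# separately via the outcome field rather than as their own event type).
REQUIRED_EVENTS = {
    "logon", "logoff", "privileged_action", "config_change", "cui_access",
    "account_change", "system_startup", "system_shutdown",
}

# Constructed sample: record 7 lacks src/dst, and "bob" fails logon four times.
SAMPLE_LOG = """\
{"ts":"2025-03-01T08:00:01Z","actor":"alice","event":"logon","outcome":"success","src":"10.1.5.20","dst":"fs01"}
{"ts":"2025-03-01T08:00:05Z","actor":"alice","event":"cui_access","outcome":"success","src":"10.1.5.20","dst":"fs01:/cui/contract-A"}
{"ts":"2025-03-01T08:01:00Z","actor":"bob","event":"logon","outcome":"failure","src":"203.0.113.9","dst":"vpn-gw"}
{"ts":"2025-03-01T08:01:20Z","actor":"bob","event":"logon","outcome":"failure","src":"203.0.113.9","dst":"vpn-gw"}
{"ts":"2025-03-01T08:01:40Z","actor":"bob","event":"logon","outcome":"failure","src":"203.0.113.9","dst":"vpn-gw"}
{"ts":"2025-03-01T08:02:00Z","actor":"bob","event":"logon","outcome":"failure","src":"203.0.113.9","dst":"vpn-gw"}
{"ts":"2025-03-01T08:05:00Z","actor":"svc-backup","event":"privileged_action","outcome":"success"}
{"ts":"2025-03-01T09:00:00Z","actor":"alice","event":"logoff","outcome":"success","src":"10.1.5.20","dst":"fs01"}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def incomplete_records(records):
    """Return (1-based line number, missing fields) for every incomplete record."""
    out = []
    for i, rec in enumerate(records, start=1):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            out.append((i, missing))
    return out


def uncaptured_event_types(records):
    """Required event types absent from the sample, plus 'failed_access' if no
    record at all carries a failure outcome."""
    missing = REQUIRED_EVENTS - {r.get("event") for r in records}
    if not any(r.get("outcome") == "failure" for r in records):
        missing.add("failed_access")
    return sorted(missing)


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=15)):
    """Actors with at least `threshold` failed logons inside any `window`.
    Threshold and window are constructed values for the example."""
    by_actor = defaultdict(list)
    for r in records:
        if r.get("event") == "logon" and r.get("outcome") == "failure":
            ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
            by_actor[r["actor"]].append(ts)
    alerting = []
    for actor, times in by_actor.items():
        times.sort()
        # Sliding window: the i-th and (i+threshold-1)-th failure are close enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerting.append(actor)
                break
    return sorted(alerting)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("incomplete:", incomplete_records(recs))
    print("not captured:", uncaptured_event_types(recs))
    print("failed-logon bursts:", failed_logon_bursts(recs))
```

A gap reported by uncaptured_event_types over a long enough export (a quiet week should still show startups, account changes and configuration changes) is usually an audit policy that was never enabled rather than an environment where nothing happened, and that is the finding to fix before the assessment.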
Centralized Log Management
Centralized log management involves collecting all audit logs from all systems in the environment and storing them in a central location. Benefits include:
Protection: Centralized logs are protected from unauthorized access and modification.
Analysis: Centralized logs make it easier to correlate events across multiple systems.
Retention: Centralized storage facilitates compliance with log retention requirements.
Monitoring: Centralized logs enable real-time monitoring and alerting.
Centralized log management solutions include:
Splunk
LogRhythm
Elastic Stack (ELK)
Microsoft Sentinel
Graylog
Log Retention and Protection
The CMMC framework requires retention of audit logs for a specified period and protection of those logs from unauthorized access and modification.
Log retention and protection requirements include:
Retention Period: Retain audit logs for at least one year, with at least three months immediately available for analysis.
Log Protection: Protect audit logs from unauthorized access, modification, and deletion.
Backup: Implement regular backups of audit logs to prevent loss.
Integrity: Implement mechanisms to detect unauthorized changes to audit logs.
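One concrete mechanism for the integrity item is a keyed hash chain: each stored record carries an HMAC over the previous record's digest plus its own content, so editing, deleting or reordering any earlier record breaks every digest after it, and an attacker without the key cannot recompute the chain. The code below is an added example, not part of this guide or of any product listed above; the key, the records and the demo chain are constructed for the illustration.

```python
"""Tamper-evident audit log as an HMAC hash chain.

Constructed example, not code from the guide. Each record stores the previous
record's digest and an HMAC-SHA256 over (previous digest, payload), keyed with
a secret that the logging host should not hold in the clear alongside the log.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64                    # digest "before" the first record
DEMO_KEY = b"constructed-demo-key"    # constructed; use a managed secret in practice


def _digest(key, prev_hash, payload):
    msg = (prev_hash + "\n" + payload).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, key, event):
    """Serialize `event` canonically and append it, chained to the prior record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    rec = {"payload": payload, "prev": prev, "hash": _digest(key, prev, payload)}
    chain.append(rec)
    return rec


def verify_chain(chain, key):
    """Index of the first record that fails verification, or -1 if intact.

    A modified payload fails its own digest; a deleted or reordered record makes
    the next record's `prev` disagree with the recomputed predecessor digest.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(key, prev, rec["payload"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], expected):
            return i
        prev = rec["hash"]
    return -1


def tail_hash(chain):
    """Digest of the newest record: export it off-box (e.g. daily) so an attacker
    who later obtains the key still cannot rewrite history before that point."""
    return chain[-1]["hash"] if chain else GENESIS


def build_demo_chain(key=DEMO_KEY):
    """Three constructed records in chronological order."""
    chain = []
    for event in ({"actor": "alice", "event": "logon"},
                  {"actor": "alice", "event": "cui_access"},
                  {"actor": "alice", "event": "logoff"}):
        append_record(chain, key, event)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify_chain(chain, DEMO_KEY))            # -1
    tampered = [dict(r) for r in chain]
    tampered[1]["payload"] = tampered[1]["payload"].replace("cui_access", "logoff")
    print("edited record:", verify_chain(tampered, DEMO_KEY))  # 1
    print("dropped record:", verify_chain(chain[:1] + chain[2:], DEMO_KEY))  # 1
```

The chain proves only that records were not altered after they were written; a compromised host can still write false records, which is why the guide's other items (forwarding to a central store and backups) remain necessary, and why the tail digest should be exported somewhere the logging host cannot reach.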
Security Monitoring and Alerting
Security monitoring is the process of continuously monitoring systems and networks for signs of security incidents. The CMMC framework requires implementation of security monitoring capabilities that can detect and alert on security events.
Security monitoring should include:
Real-Time Monitoring: Implement real-time monitoring of security events.
Automated Alerting: Configure automated alerts for critical security events.
Correlation: Implement correlation of events across multiple systems to detect complex attack patterns.
Threat Intelligence: Integrate threat intelligence feeds to detect known malicious activity.
Security monitoring tools include:
Security Information and Event Management (SIEM) systems
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Endpoint Detection and Response (EDR) solutions
Review and Analysis Procedures
The CMMC framework requires implementation of procedures for regular review and analysis of audit logs. Review and analysis procedures should:
Regular Reviews: Conduct regular reviews of audit logs (daily, weekly, or based on risk).
Anomaly Detection: Look for anomalous activity that may indicate a security incident.
Trend Analysis: Analyze trends over time to identify potential security issues.
Documentation: Document the results of log reviews and any actions taken.
Follow-Up: Investigate and respond to any suspicious activity identified during log review.
Configuration and Change Management
Configuration and change management are essential for ensuring that systems are properly configured and that changes to systems are made in a controlled and secure manner. The CMMC framework includes 9 requirements in the Configuration Management domain.
Baseline Configurations
The CMMC framework requires establishment of baseline configurations for all systems. A baseline configuration is a documented set of specifications for a system that has been formally reviewed and agreed upon.
Baseline configuration development should:
Industry Standards: Base configurations on industry best practices (CIS Benchmarks, DISA STIGs).
Security Hardening: Remove unnecessary services and features.
Documentation: Document all configuration settings and the rationale for deviations from standards.
Review and Approval: Formally review and approve baseline configurations.
Version Control: Maintain version control of baseline configurations.
Change Control Procedures
The CMMC framework requires implementation of change control procedures that ensure all changes to systems are made in a controlled and secure manner.
Change control procedures should include:
Change Request: Require formal change requests for all changes to systems.
Review and Approval: Implement a review and approval process for all changes.
Testing: Require testing of changes in a non-production environment before implementation.
Documentation: Document all changes including what was changed, why, when, and by whom.
Rollback Plan: Develop rollback plans in case changes cause problems.
Post-Implementation Review: Conduct post-implementation reviews to verify changes were successful.
Security Impact Analysis
The CMMC framework requires implementation of security impact analysis for all proposed changes to systems. The security impact analysis should:
Assess Impact: Evaluate the potential impact of the change on system security.
Identify Risks: Identify any security risks that may be introduced by the change.
Mitigation: Develop mitigation strategies for identified risks.
Documentation: Document the results of the security impact analysis.
Decision: Use the security impact analysis to inform the decision to approve or reject the change.
Configuration Monitoring and Enforcement
The CMMC framework requires implementation of configuration monitoring and enforcement capabilities that can detect and alert on unauthorized changes to system configurations.
Configuration monitoring should include:
Automated Scanning: Implement automated scanning to detect configuration drift from baselines.
Alerting: Configure alerts for unauthorized configuration changes.
Remediation: Implement automated remediation where possible to restore baseline configurations.
Reporting: Generate reports on configuration compliance.
Configuration monitoring tools include:
Microsoft Endpoint Configuration Manager
Ansible
Puppet
Chef
Security configuration assessment tools
Software and Firmware Integrity
The CMMC framework requires implementation of capabilities to verify the integrity of software and firmware to ensure they have not been tampered with or modified in an unauthorized manner.
Integrity verification should include:
Digital Signatures: Verify digital signatures on software and firmware before installation.
Checksums: Verify checksums or hashes of software and firmware.
Trusted Sources: Only install software and firmware from trusted sources.
Integrity Monitoring: Implement file integrity monitoring to detect unauthorized changes to critical system files.
Least Functionality Principle
The CMMC framework requires implementation of the least functionality principle, which states that systems should be configured to provide only the functionality necessary to perform their intended purpose.
Least functionality implementation includes:
Disable Unnecessary Services: Disable all unnecessary services and features.
Remove Unnecessary Software: Remove all unnecessary software and applications.
Restrict Functionality: Restrict the use of functions, ports, protocols, and services to only those required.
Regular Review: Regularly review system functionality and remove anything that is no longer needed.
Incident Response and Recovery
Incident response is the process of detecting, analyzing, and responding to security incidents. The CMMC framework includes 3 requirements in the Incident Response domain designed to ensure organizations have the necessary capabilities to respond to security incidents.
Incident Response Plan Development
The CMMC framework requires development of an incident response plan that outlines procedures for detecting, analyzing, and responding to security incidents.
The incident response plan should include:
Incident Definition: Define what constitutes a security incident.
Roles and Responsibilities: Clearly define the roles and responsibilities of the incident response team.
Incident Categories: Define categories of incidents based on severity and impact.
Response Procedures: Document detailed procedures for each phase of incident response.
Communication Procedures: Define how incidents will be communicated internally and externally.
Escalation Procedures: Define when and how incidents will be escalated.
The incident response plan should follow industry frameworks such as NIST SP 800-61, "Computer Security Incident Handling Guide."
Incident Handling Procedures
The incident response plan should include detailed procedures for handling security incidents through all phases:
Detection and Analysis: Procedures for detecting incidents through monitoring, alerts, and user reports, and analyzing incidents to determine scope and impact.
Containment: Procedures for containing incidents to prevent further damage, including short-term containment (isolating affected systems) and long-term containment (applying temporary fixes).
Eradication: Procedures for removing the cause of the incident, such as removing malware, closing vulnerabilities, and removing unauthorized access.
Recovery: Procedures for restoring systems to normal operation, including restoring from backups, rebuilding systems, and verifying system integrity.
Post-Incident Activity: Procedures for conducting lessons learned reviews, updating the incident response plan, and implementing improvements.
Reporting Requirements to DoD
The CMMC framework requires reporting of security incidents to the DoD. The reporting requirements are specified in DFARS clause 252.204-7012, which requires contractors to report cyber incidents that affect their ability to perform requirements designated as operationally critical support or that involve CUI.
Reporting requirements include:
Timing: Report incidents within 72 hours of discovery.
Method: Report through the DoD Cyber Crime Center (DC3).
Information: Provide detailed information about the incident including what happened, what systems were affected, and what data may have been compromised.
Preservation: Preserve and protect images of all known affected systems and all relevant monitoring/packet capture data for at least 90 days.
Cooperation: Cooperate with DoD damage assessment activities.
Incident Response Team Roles
The incident response plan should clearly define the roles and responsibilities of the incident response team:
Incident Response Manager: Oversees the incident response process, makes key decisions, and coordinates with senior management.
Technical Leads: Analyze the incident, perform containment and eradication activities, and restore systems.
Communications Lead: Manages internal and external communications about the incident.
Legal Counsel: Provides legal guidance on incident response activities and regulatory requirements.
Business Representatives: Assess business impact and make decisions about operational priorities.
Testing and Exercises
The CMMC framework requires testing of the incident response plan to ensure it is effective. Testing should include:
Tabletop Exercises: Discussion-based exercises where team members walk through incident scenarios.
Functional Exercises: Exercises that simulate an incident and test specific functions of the incident response plan.
Full-Scale Exercises: Comprehensive exercises that simulate a real incident and test all aspects of the incident response plan.
Testing should be conducted at least annually and after significant changes to systems or the incident response plan. Results of testing should be documented and used to improve the incident response plan.
Lessons Learned Process
The incident response plan should include a lessons learned process used to identify and address weaknesses in the incident response process.
The lessons learned process should:
Timing: Conduct lessons learned reviews after every security incident.
Participants: Include all members of the incident response team and other relevant stakeholders.
Analysis: Analyze what happened, what went well, what could be improved, and what should be done differently next time.
Documentation: Document the results of the lessons learned review.
Action Items: Develop action items to address identified weaknesses.
Follow-Up: Track action items to completion and verify that improvements have been implemented.
Third-Party Risk Management
Third-party risk management is the process of identifying, assessing, and managing security risks posed by third-party vendors and service providers. The CMMC framework requires implementation of various security controls to manage third-party risks.
Vendor and Supplier Assessment
The CMMC framework requires assessment of third-party vendors and suppliers to ensure they have necessary security controls in place to protect CUI.
Vendor assessment should include:
Initial Assessment: Conduct security assessments before engaging new vendors.
Risk-Based Approach: Tailor the depth of assessment to the sensitivity of information the vendor will access.
Security Questionnaires: Use standardized security questionnaires to assess vendor security practices.
Documentation Review: Review vendor security documentation including policies, procedures, and certifications.
On-Site Assessments: Conduct on-site assessments for high-risk vendors.
Contract Requirements: Include specific security requirements in vendor contracts.
External Service Provider Requirements
External Service Providers (ESPs) are third-party vendors that provide IT services to the organization. The CMMC framework requires that ESPs meet the same security requirements as the organization itself.
This means:
CMMC Compliance: If an organization is required to achieve CMMC Level 2, any ESPs that have access to CUI must also achieve CMMC Level 2.
Assessment: ESPs must undergo the same type of assessment (self-assessment or certification assessment) as required for the organization.
Verification: Organizations must verify that ESPs have achieved the required CMMC level before allowing them to access CUI.
Monitoring: Organizations must monitor ESP compliance on an ongoing basis.
Shared Responsibility Matrix
A Shared Responsibility Matrix (SRM) is a document that clearly defines the security responsibilities of the organization and the ESP. The SRM is critical for ensuring that all security requirements are covered and that there are no gaps in responsibility.
The SRM should:
Comprehensive Coverage: Cover all 110 CMMC Level 2 requirements (or all applicable requirements for the target level).
Clear Assignment: Clearly indicate whether each requirement is the responsibility of the organization, the ESP, or shared.
NIST 800-171A Mapping: Be mapped to the NIST 800-171A assessment objectives.
Evidence: The ESP should be able to provide artifacts or proof for the items they are responsible for.
Review: The SRM should be reviewed and updated regularly.
Cloud Service Provider Compliance
Cloud Service Providers (CSPs) are a type of ESP that provides cloud computing services. The CMMC framework requires that CSPs have appropriate authorization to handle CUI.
CSP compliance requirements include:
FedRAMP Authorization: CSPs must have FedRAMP Moderate authorization (for FCI) or FedRAMP High authorization (for CUI).
Equivalency: FedRAMP authorization is considered equivalent to CMMC certification for the cloud infrastructure.
Shared Responsibility: Organizations must understand the shared responsibility model and ensure they are meeting their responsibilities.
Configuration: Organizations are responsible for securely configuring the cloud services they use.
Monitoring: Organizations are responsible for monitoring their use of cloud services.
Subcontractor Flow-Down Requirements
Prime contractors are responsible for flowing down CMMC requirements to their subcontractors. This is specified in DFARS clause 252.204-7021.
Flow-down requirements include:
Contract Language: Include DFARS clause 252.204-7021 in all subcontracts where the subcontractor will handle FCI or CUI.
Level Requirement: Specify the required CMMC level in the subcontract.
Verification: Verify that subcontractors have achieved the required CMMC level before allowing them to access FCI or CUI.
Monitoring: Monitor subcontractor compliance on an ongoing basis.
Support: Provide support to subcontractors in achieving CMMC compliance where appropriate.
Ongoing Vendor Monitoring
The CMMC framework requires ongoing monitoring of third-party vendors and suppliers to ensure they continue to meet necessary security requirements.
Ongoing monitoring should include:
Annual Reviews: Conduct annual reviews of vendor security posture.
Continuous Monitoring: Implement continuous monitoring of vendor access to systems and data.
Incident Reporting: Require vendors to report security incidents.
Compliance Verification: Regularly verify that vendors maintain required certifications and compliance.
Performance Metrics: Track vendor security performance metrics.
Remediation: Require vendors to remediate identified security issues within specified timeframes.
Part 4: Documentation and Evidence
System Security Plan
The System Security Plan (SSP) is a comprehensive document that describes the security controls in place to protect an organization's information systems. The SSP is a key requirement of the CMMC framework and one of the most important documents that will be reviewed during a CMMC assessment.
SSP Structure and Content
The SSP should be structured in accordance with NIST 800-171A assessment objectives. The SSP should include:
System Description: Detailed description of the information system including its purpose, functionality, and architecture.
Assessment Scope: Clear definition of the assessment scope including all in-scope assets and boundaries.
Security Controls: Description of how each security requirement is implemented.
Responsible Parties: Identification of who is responsible for implementing and maintaining each control.
Implementation Status: Current status of each control (implemented, partially implemented, planned).
Evidence: References to evidence that demonstrates control implementation.
Mapping to NIST 800-171A Assessment Objectives
The SSP should be mapped to the NIST 800-171A assessment objectives to ensure all security requirements are covered. NIST 800-171A provides assessment objectives for each of the 110 security requirements in NIST SP 800-171 Rev 2.
Each assessment objective should be addressed in the SSP with:
Determination Statements: How the organization determines compliance with the objective.
Examination Statements: What documentation will be examined to verify compliance.
Test Statements: What testing will be performed to verify compliance.
Control Implementation Descriptions
The SSP should include detailed descriptions of how each security control is implemented. Descriptions should be specific and provide enough detail to allow an assessor to verify that the control is implemented correctly.
Control implementation descriptions should include:
What: What control is implemented.
How: How the control is implemented (tools, processes, procedures).
Where: Where the control is implemented (which systems, locations).
Who: Who is responsible for the control.
When: When the control is performed (continuously, daily, monthly, etc.).
Evidence: What evidence demonstrates the control is working.
Documenting Compensating Controls
In some cases, it may not be possible to implement a security control exactly as specified in the CMMC framework. In these cases, it may be necessary to implement a compensating control.
A compensating control is an alternative control that provides an equivalent level of protection. The SSP should include:
Justification: Why the standard control cannot be implemented.
Compensating Control Description: Detailed description of the compensating control.
Equivalency Analysis: Explanation of how the compensating control provides equivalent protection.
Approval: Documentation of approval for the compensating control.
Maintaining and Updating the SSP
The SSP is a living document that should be updated regularly to reflect changes to the organization's information systems or security controls.
SSP maintenance should include:
Regular Reviews: Review and update the SSP at least annually.
Change-Driven Updates: Update the SSP whenever there are significant changes to systems or controls.
Version Control: Maintain version control of the SSP.
Approval: Require formal approval of SSP updates.
Distribution: Distribute updated SSP to relevant stakeholders.
Policies and Procedures
Policies and procedures are the foundation of any cybersecurity program. The CMMC framework requires implementation of policies and procedures to ensure security controls are implemented consistently and effectively.
Required Policy Documentation
The CMMC framework requires implementation of policies and procedures for each of the 14 security domains. Policies should be high-level statements that outline the organization's approach to security, while procedures should be detailed step-by-step instructions for implementing security controls.
Required policies typically include:
Access Control Policy
Awareness and Training Policy
Audit and Accountability Policy
Configuration Management Policy
Identification and Authentication Policy
Incident Response Policy
Maintenance Policy
Media Protection Policy
Personnel Security Policy
Physical Protection Policy
Risk Assessment Policy
Security Assessment Policy
System and Communications Protection Policy
System and Information Integrity Policy
Procedure Development
Procedures should be developed for all key security activities. Procedures should be clear, concise, and written in a way that is easy for personnel to understand and follow.
Procedures should include:
Purpose: Why the procedure exists.
Scope: What the procedure covers.
Roles and Responsibilities: Who is responsible for each step.
Step-by-Step Instructions: Detailed instructions for performing the activity.
Frequency: How often the activity should be performed.
Documentation: What documentation should be created or maintained.
References: References to related policies, procedures, or standards.
Role-Based Responsibilities
Policies and procedures should clearly define the roles and responsibilities of all personnel involved in implementing security controls.
Role definitions should include:
Role Title: Name of the role.
Responsibilities: Specific security responsibilities of the role.
Authority: What authority the role has.
Qualifications: What qualifications are required for the role.
Training: What training is required for the role.
Policy Review and Approval
All policies and procedures should be reviewed and approved by senior management before implementation. This ensures that policies and procedures are aligned with the organization's business objectives and have necessary support from senior management.
Review and approval should include:
Review Process: Formal review process involving relevant stakeholders.
Approval Authority: Identification of who has authority to approve policies.
Documentation: Documentation of review and approval.
Effective Date: Clear indication of when the policy becomes effective.
Distribution and Acknowledgment
All policies and procedures should be distributed to all relevant personnel, and all personnel should be required to acknowledge that they have read and understood the policies and procedures.
Distribution and acknowledgment should include:
Distribution Method: How policies will be distributed (email, intranet, training).
Acknowledgment: Require personnel to acknowledge receipt and understanding.
Tracking: Track who has acknowledged policies.
New Employees: Ensure new employees receive and acknowledge policies during onboarding.
Policy Maintenance
Policies and procedures should be reviewed and updated regularly to ensure they remain current and effective.
Policy maintenance should include:
Review Frequency: Review policies at least annually.
Change Process: Formal process for proposing and approving changes.
Version Control: Maintain version control of policies.
Archive: Maintain archive of previous policy versions.
Communication: Communicate policy changes to all affected personnel.
Evidence Collection and Management
Evidence collection is the process of gathering and maintaining documentation that demonstrates compliance with CMMC security requirements. Effective evidence collection is essential for a successful CMMC assessment.
Types of Evidence Required
The CMMC framework requires various types of evidence including:
Policies and Procedures: Written policies and procedures for all security domains.
Configuration Files: System configuration files that demonstrate security settings.
Audit Logs: Audit logs that demonstrate monitoring and accountability.
Screenshots: Screenshots that demonstrate control implementation.
Interview Notes: Notes from interviews with personnel.
Test Results: Results from security testing such as vulnerability scans or penetration tests.
Certificates: Certificates such as FIPS 140-3 validation certificates.
Contracts: Contracts with vendors and service providers.
Training Records: Records of security training completion.
Continuous Evidence Collection Strategy
Implement a continuous evidence collection strategy rather than waiting until just before the assessment to gather evidence.
Continuous evidence collection should include:
Automated Collection: Implement automated collection of evidence where possible (logs, configuration backups, scan results).
Regular Collection: Establish regular schedules for collecting evidence that cannot be automated.
Centralized Storage: Store all evidence in a centralized location.
Organization: Organize evidence by security requirement or assessment objective.
Metadata: Include metadata with evidence (date collected, who collected it, what it demonstrates).
Evidence Organization and Storage
Evidence should be organized and stored in a way that makes it easy to find and retrieve.
Evidence organization should include:
Folder Structure: Create a logical folder structure organized by domain or requirement.
Naming Conventions: Use consistent naming conventions for evidence files.
Index: Maintain an index or catalog of all evidence.
Cross-References: Cross-reference evidence to specific requirements and assessment objectives.
Access Control: Implement access controls to protect evidence from unauthorized access.
Screenshot and Artifact Requirements
The CMMC framework requires collection of screenshots and other artifacts to demonstrate compliance with security requirements.
Screenshot and artifact best practices include:
Clarity: Ensure screenshots are clear and readable.
Completeness: Ensure screenshots show all relevant information.
Context: Include enough context to understand what the screenshot demonstrates.
Annotations: Add annotations to highlight specific settings or configurations.
Timestamps: Include timestamps where relevant.
Consistency: Use consistent methods for capturing screenshots.
Hashing for Artifact Integrity
The CMMC framework requires the use of hashing to verify the integrity of assessment artifacts. Hashing is a cryptographic technique that generates a unique fingerprint for a file.
The CMMC Hashing Guide provides detailed instructions on how to create hashes for assessment artifacts:
Hash Algorithm: Use SHA-256 or stronger hash algorithms.
Hash Creation: Create hashes for all assessment artifacts.
Hash Documentation: Document hashes in a hash manifest file.
Hash Verification: Assessors will verify hashes to ensure artifacts have not been modified.
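The manifest workflow above, as an added example that is not code from this guide or from the DoD CMMC Hashing Guide: it streams every artifact under a folder through SHA-256, writes a manifest, returns the manifest's own digest for separate recording, and then re-verifies so that a modified, missing, or newly added artifact is reported. The one-line-per-file "<hex digest>  <relative path>" layout and the hash_manifest.txt name are assumptions, and the artifacts are constructed in a temporary directory.

```python
"""Build and verify a SHA-256 hash manifest for assessment artifacts.

Added example, not the guide's or DoD's code. The manifest layout assumed
here is the sha256sum style: one "<hex digest>  <relative path>" line per
artifact. The digest of the manifest file itself is returned so it can be
recorded separately (for example in the SSP or cover letter).
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read 64 KiB at a time so VM images and pcaps need not fit in memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, manifest_name: str = "hash_manifest.txt") -> tuple[Path, str]:
    """Hash every file under root (except the manifest itself), write the manifest
    in sorted order, and return (manifest path, digest of the manifest file)."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != manifest_name:
            lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    manifest = root / manifest_name
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest, sha256_file(manifest)


def verify_manifest(root: Path, manifest: Path) -> dict[str, list[str]]:
    """Recompute every digest listed in the manifest and report artifacts that
    still match, were modified, are missing, or exist on disk but were never listed."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    listed: set[str] = set()
    for line in manifest.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        listed.add(rel)
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Anything added after the manifest was produced has no digest to check against
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and p != manifest and rel not in listed:
            result["unlisted"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed artifacts in a temp dir: build the manifest, then tamper with
    one file and add another before verifying, to show what the check catches."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "AC").mkdir()
        (root / "AC" / "ac-3.1.1-screenshot.txt").write_text("constructed screenshot placeholder\n")
        (root / "AU").mkdir()
        (root / "AU" / "au-3.3.1-auditd.log").write_text("constructed log line\n")
        manifest, manifest_digest = build_manifest(root)
        assert len(manifest_digest) == 64  # SHA-256 hex digest length
        # Simulate post-hashing changes an assessor's verification should flag
        (root / "AU" / "au-3.3.1-auditd.log").write_text("edited after hashing\n")
        (root / "AC" / "late-addition.txt").write_text("not in manifest\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```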
Evidence Retention Requirements
Evidence should be retained for a specified period after the assessment.
Evidence retention should include:
Retention Period: Retain evidence for at least the duration of the CMMC certification (three years).
Backup: Implement regular backups of evidence.
Protection: Protect evidence from unauthorized access, modification, and deletion.
Disposal: Securely dispose of evidence when it is no longer needed.
Asset Inventory and Network Diagrams
A comprehensive asset inventory and accurate network diagrams are essential for scoping a CMMC assessment and demonstrating compliance with security requirements.
Comprehensive Asset Inventory Requirements
The CMMC framework requires maintenance of a comprehensive asset inventory that includes all assets that process, store, or transmit CUI.
The asset inventory should include:
Asset Identification: Unique identifier for each asset.
Asset Name: Descriptive name for the asset.
Asset Type: Type of asset (server, workstation, network device, etc.).
Asset Category: CMMC asset category (CUI Asset, SPA, CRMA, Specialized Asset).
Location: Physical or logical location of the asset.
Owner: Person or team responsible for the asset.
Operating System: Operating system and version.
IP Address: IP address(es) of the asset.
MAC Address: MAC address(es) of the asset.
Security Controls: Security controls applied to the asset.
Status: Current status of the asset (active, inactive, decommissioned).
Asset Categorization for CMMC
Assets should be categorized according to the CMMC asset categorization methodology:
CUI Assets: Assets that process, store, or transmit CUI.
Security Protection Assets (SPAs): Assets that provide security functions to the CMMC environment.
Contractor Risk Managed Assets (CRMAs): Assets that are connected to the CMMC environment but do not process CUI.
Specialized Assets: Assets that cannot be fully secured due to technical limitations.
Each asset should be clearly categorized and the categorization should be documented in the asset inventory and justified in the SSP.
Physical and Virtual Asset Tracking
The asset inventory should include both physical and virtual assets:
Physical Assets: Servers, workstations, network devices, mobile devices, and other physical hardware.
Virtual Assets: Virtual machines, containers, cloud-based services, and virtual network devices.
Both types of assets should be tracked with the same level of detail and should be included in the asset inventory.
Network Topology Documentation
Network topology documentation should provide a visual representation of the organization's network architecture.
Network diagrams should show:
Network Segments: All network segments and VLANs.
Boundary Protection: Firewalls, routers, and other boundary protection devices.
Assessment Boundary: Clear indication of the CMMC assessment boundary.
Connections: All connections between network segments and to external networks.
Security Zones: Different security zones (CUI environment, corporate network, DMZ, etc.).
Key Assets: Location of key assets such as servers, databases, and security devices.
Data Flow Diagrams
Data flow diagrams should provide a visual representation of how CUI flows through the organization's information systems.
Data flow diagrams should show:
CUI Sources: Where CUI originates (DoD contracts, customer communications, etc.).
CUI Processing: Systems that process CUI.
CUI Storage: Systems that store CUI.
CUI Transmission: How CUI is transmitted between systems.
CUI Destinations: Where CUI is sent (DoD, partners, etc.).
Protection Mechanisms: Encryption, access controls, and other protection mechanisms.
Keeping Documentation Current
Asset inventory and network diagrams should be kept current and updated whenever there are changes to the organization's information systems or network architecture.
Maintenance procedures should include:
Regular Reviews: Review asset inventory and network diagrams at least quarterly.
Change-Driven Updates: Update documentation whenever systems are added, removed, or modified.
Verification: Regularly verify that documentation matches the actual environment.
Version Control: Maintain version control of documentation.
Approval: Require approval of documentation updates.
Part 5: The Assessment Process
Preparing for Assessment
Preparing for a CMMC assessment is a critical step in the compliance process. Proper preparation can help ensure the assessment goes smoothly and that you achieve the desired outcome.
Readiness Assessment Checklist
Before scheduling a formal CMMC assessment, conduct a readiness assessment to ensure you are prepared. A readiness assessment checklist should include:
Security Controls:
All required security controls have been implemented
All controls have been tested and verified to be working
All critical requirements are fully implemented (no POA&Ms)
Documentation:
System Security Plan is complete and current
All required policies and procedures are developed and approved
Asset inventory is complete and current
Network diagrams and data flow diagrams are complete and current
Evidence:
All required evidence has been collected and organized
Screenshots and artifacts are clear and complete
Evidence is properly indexed and cross-referenced to requirements
Hashes have been created for all assessment artifacts
Personnel:
All personnel have been trained on their security responsibilities
Personnel are prepared for assessment interviews
Key personnel are available during the assessment period
Systems:
All systems are properly configured according to baselines
All systems are patched and up to date
All systems are functioning properly
Pre-Assessment Activities
Complete several pre-assessment activities before the formal assessment begins:
Final Documentation Review: Conduct a final review of all documentation and evidence to ensure completeness and accuracy.
Final Control Review: Conduct a final review of all security controls to ensure they are functioning properly.
Mock Assessment: Conduct a mock assessment to identify any potential issues. This can be done internally or with the help of a consultant.
Personnel Preparation: Ensure all personnel are prepared for the assessment and understand their roles.
Logistics: Arrange logistics for the assessment including meeting spaces, access to systems, and availability of personnel.
Communication: Communicate with all stakeholders about the assessment schedule and expectations.
Selecting a C3PAO
If you are required to undergo a certification assessment, you will need to select a Certified Third-Party Assessment Organization (C3PAO).
When selecting a C3PAO, consider:
Accreditation: Verify that the C3PAO is properly accredited by the Cyber AB.
Experience: Look for C3PAOs with experience assessing organizations similar to yours.
Reputation: Check references and reviews from other organizations.
Availability: Ensure the C3PAO can conduct the assessment within your required timeframe.
Pricing: Get quotes from multiple C3PAOs to ensure fair pricing.
Communication: Evaluate the C3PAO's communication style and responsiveness.
The Cyber AB maintains a marketplace of accredited C3PAOs.
Understanding Assessment Costs
The cost of a CMMC assessment can vary significantly depending on:
Organization Size: Larger organizations with more systems will have higher assessment costs.
Scope Complexity: More complex environments with many systems and locations will cost more.
Assessment Type: Certification assessments are more expensive than self-assessments.
Level: Level 3 assessments are more expensive than Level 2 assessments.
Geography: Travel costs for on-site assessments can vary.
Typical costs for CMMC Level 2 certification assessments range from $15,000 to $100,000 or more. Get detailed quotes from multiple C3PAOs to understand the costs for your specific situation.
Timeline for Assessment Preparation
The timeline for assessment preparation varies depending on the organization's current cybersecurity posture and the scope of the compliance effort.
Typical timelines include:
Organizations Starting from Scratch: 12-18 months or more to implement all controls, develop documentation, and prepare for assessment.
Organizations with Existing Security Programs: 6-12 months to address gaps, enhance documentation, and prepare for assessment.
Organizations with Mature Security Programs: 3-6 months to fine-tune controls, complete documentation, and prepare for assessment.
Start the preparation process as early as possible to ensure you are ready for the assessment when needed.
Common Preparation Mistakes
Organizations commonly make several preparation mistakes:
Waiting Too Long: Starting preparation too late and rushing to complete everything before the assessment.
Incomplete Gap Assessment: Failing to conduct a thorough gap assessment and missing critical gaps.
Inadequate Implementation: Implementing controls superficially without ensuring they are effective.
Poor Documentation: Failing to properly document control implementation and collect evidence.
Insufficient Testing: Failing to test controls before the assessment.
Lack of Personnel Preparation: Failing to prepare personnel for assessment interviews.
Underestimating Scope: Underestimating the scope of the effort and the resources required.
The CMMC Assessment Process
The CMMC assessment process is a structured process designed to verify that an organization has implemented necessary security controls to protect CUI. Understanding the assessment process can help ensure you are prepared.
Assessment Phases and Activities
The CMMC assessment process typically includes three phases:
Planning Phase involves working with the assessor to define the scope of the assessment, schedule the assessment, and identify key personnel who will be involved. Activities include scope validation, logistics planning, and document submission.
Execution Phase involves the assessor reviewing documentation and evidence, conducting interviews with key personnel, and performing technical testing to verify that security controls are implemented correctly. Activities include document review, evidence examination, personnel interviews, and technical testing.
Reporting Phase involves the assessor preparing a report that summarizes the findings of the assessment and provides a recommendation on whether the organization should be awarded a CMMC certification. Activities include findings compilation, report preparation, and results communication.
What Assessors Will Review
During the assessment, the assessor will review:
System Security Plan: Detailed review of the SSP to understand how controls are implemented.
Policies and Procedures: Review of all security policies and procedures.
Configuration Files: Examination of system configuration files to verify security settings.
Audit Logs: Review of audit logs to verify monitoring and accountability.
Screenshots: Examination of screenshots to verify control implementation.
Certificates: Review of certificates such as FIPS 140-3 validation certificates.
Training Records: Review of security training records.
Vendor Contracts: Review of contracts with vendors and service providers.
Interview Preparation
The assessor will conduct interviews with key personnel to verify that they understand their security responsibilities and are following the organization's policies and procedures.
Interview preparation should include:
Personnel Identification: Identify which personnel will be interviewed.
Training: Provide personnel with an overview of the CMMC framework and the assessment process.
Policy Review: Review relevant policies and procedures with personnel.
Practice: Conduct practice interviews to help personnel feel comfortable.
Honesty: Emphasize the importance of being honest and accurate in responses.
Availability: Ensure personnel are available during the assessment period.
Demonstrating Control Implementation
During the assessment, the assessor will ask the organization to demonstrate that security controls are implemented correctly. This may involve:
Configuration Demonstrations: Showing the assessor how a particular security control is configured.
Process Demonstrations: Demonstrating how a particular security process is performed.
Tool Demonstrations: Showing the assessor how security tools are used.
Access Demonstrations: Demonstrating access controls and authentication mechanisms.
Be prepared to provide real-time demonstrations of control implementation.
Assessment Artifact Requirements
The assessor will require the organization to provide assessment artifacts including:
Documentation: All policies, procedures, and the SSP.
Evidence: All collected evidence including screenshots, logs, and test results.
Configurations: System configuration files.
Diagrams: Network diagrams and data flow diagrams.
Inventories: Asset inventories.
Hash Manifest: Hash manifest file with hashes of all artifacts.
Have all artifacts ready and organized before the assessment begins.
Handling Assessment Findings
During the assessment, the assessor may identify findings, which are instances where the organization is not in compliance with a security requirement.
Findings may be:
Not Met: The requirement is not implemented or is implemented incorrectly.
Partially Met: The requirement is partially implemented but has gaps.
Met: The requirement is fully implemented.
For findings that are Not Met or Partially Met:
Understand the Finding: Ensure you understand exactly what the issue is.
Assess Criticality: Determine if the finding involves a critical requirement that cannot be on a POA&M.
Develop Remediation Plan: Develop a plan to remediate the finding.
POA&M or Immediate Fix: Determine if the finding can be included in a POA&M or must be fixed immediately.
Communicate: Communicate with the assessor about your remediation plan.
Self-Assessment Guide
Self-assessments are a key component of the CMMC program and are required for CMMC Level 1 and for some CMMC Level 2 contracts.
Self-Assessment Methodology
The self-assessment methodology involves reviewing each security requirement and determining whether the organization is in compliance.
The self-assessment process should include:
Requirement Review: Review each security requirement to understand what is required.
Evidence Collection: Collect evidence that demonstrates compliance with the requirement.
Compliance Determination: Determine whether the requirement is Met or Not Met.
Documentation: Document the basis for the compliance determination.
Scoring: Calculate the overall score based on the number of requirements met.
The self-assessment should be conducted by personnel who have a deep understanding of the organization's information systems and security controls.
Scoring and Documentation
The self-assessment should be scored according to the CMMC scoring methodology.
For each security requirement:
Met: The requirement is fully implemented and functioning as intended.
Not Met: The requirement is not implemented or is not functioning as intended.
For CMMC Level 1, all 15 requirements must be Met to achieve compliance.
For CMMC Level 2, the organization must achieve a passing score. The passing score is determined by the number of requirements that are Met.
Documentation should include:
Assessment Date: When the assessment was conducted.
Assessor: Who conducted the assessment.
Scope: What was assessed.
Results: Results for each requirement (Met or Not Met).
Evidence: References to evidence supporting each determination.
Score: Overall score.
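The following is an added example of how the determinations, evidence references and score described above can be recorded in one structure; it is not code from this guide or from the CMMC program. It enforces the two rules the text states (a determination is only Met or Not Met, and Level 1 requires every requirement to be Met) and refuses a Met that carries no evidence reference. The Level 2 weights, requirement identifiers and assessor name are constructed; the pass ratio of 88 out of 110 is the Conditional Level 2 minimum in the published 32 CFR 170 rule and should be confirmed against the current text before use.

```python
"""Self-assessment scoring and record (added example, not from the guide).

Each requirement is recorded as Met or Not Met with references to the
evidence behind the determination. Level 1 passes only when every
requirement is Met. For Level 2 the score is the sum of all requirement
weights minus the weights of requirements not recorded as Met; the
weights and identifiers below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class RequirementResult:
    requirement_id: str
    status: str                                         # "Met" or "Not Met" only
    evidence: list[str] = field(default_factory=list)   # references to artifacts, not the artifacts
    basis: str = ""                                     # why this determination was made

    def __post_init__(self) -> None:
        if self.status not in ("Met", "Not Met"):
            raise ValueError(f"{self.requirement_id}: status must be 'Met' or 'Not Met'")
        if self.status == "Met" and not self.evidence:
            # A Met with no supporting artifact is an assumption, not an evidence-based determination.
            raise ValueError(f"{self.requirement_id}: 'Met' requires at least one evidence reference")


def level1_passes(results: list[RequirementResult], expected_count: int = 15) -> bool:
    """Level 1 has no partial credit: all expected requirements must be present and Met."""
    ids = {r.requirement_id for r in results}
    return len(ids) == expected_count and all(r.status == "Met" for r in results)


def level2_score(results: list[RequirementResult], weights: dict[str, int]) -> tuple[int, int]:
    """Return (score, max_score).

    max_score is the sum of all weights; the score subtracts the weight of every
    requirement not recorded as Met. A requirement with no recorded result counts
    as Not Met, so an incomplete assessment cannot outscore a complete one.
    """
    recorded = {r.requirement_id: r.status for r in results}
    unknown = sorted(set(recorded) - set(weights))
    if unknown:
        raise KeyError(f"no weight defined for {unknown}")
    max_score = sum(weights.values())
    deductions = sum(w for rid, w in weights.items() if recorded.get(rid) != "Met")
    return max_score - deductions, max_score


# 88 of 110 is the Conditional Level 2 minimum in the published rule; confirm against current 32 CFR 170.
PASS_NUMERATOR, PASS_DENOMINATOR = 88, 110


def level2_passes(score: int, max_score: int) -> bool:
    """Compare score/max_score with 88/110 using integers so no rounding can flip the result."""
    return score * PASS_DENOMINATOR >= max_score * PASS_NUMERATOR


def assessment_record(results: list[RequirementResult], assessor: str, scope: str,
                      score: int, assessed_on: date) -> dict:
    """The documentation items the guide lists, as one exportable record."""
    return {
        "assessment_date": assessed_on.isoformat(),
        "assessor": assessor,
        "scope": scope,
        "results": {r.requirement_id: r.status for r in results},
        "evidence": {r.requirement_id: r.evidence for r in results},
        "score": score,
    }


# Constructed weights for five stand-in requirements (real weights come from the DoD methodology).
WEIGHTS = {"REQ-01": 5, "REQ-02": 3, "REQ-03": 1, "REQ-04": 5, "REQ-05": 1}


def demo() -> dict:
    """Constructed assessment: two requirements Not Met, scored and recorded."""
    results = [
        RequirementResult("REQ-01", "Met", ["SSP section 3.1", "screenshot req-01.png"], "config observed"),
        RequirementResult("REQ-02", "Not Met", [], "control not implemented"),
        RequirementResult("REQ-03", "Not Met", [], "procedure exists, not followed"),
        RequirementResult("REQ-04", "Met", ["export req-04.csv"], "verified from export"),
        RequirementResult("REQ-05", "Met", ["policy v3, page 4"], "policy reviewed"),
    ]
    score, max_score = level2_score(results, WEIGHTS)
    record = assessment_record(results, "Constructed Assessor", "constructed CUI enclave",
                               score, date(2025, 6, 30))
    return {"score": score, "max_score": max_score,
            "passes_level2": level2_passes(score, max_score), "record": record}


if __name__ == "__main__":
    print(demo())
```

On the five-requirement sample the two Not Met items cost 4 of 15 points, which is below the 80 percent ratio, so the sample fails; on the real 110-requirement scale the same ratio is the 88-point line. Serialise the returned record (json.dumps works on it directly) to keep the dated determination and its evidence references together.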
Entering Results in SPRS
The results of the self-assessment should be entered into the Supplier Performance Risk System (SPRS).
SPRS entry should include:
Assessment Date: Date the assessment was completed.
Assessment Type: Type of assessment (self-assessment).
Score: Overall score.
POA&M: Information about any POA&M items (for Level 2).
Assessor: Information about who conducted the assessment.
Access SPRS at .
Self-Assessment Best Practices
Best practices for conducting a self-assessment include:
Honesty and Objectivity: Be honest and objective in your assessment. Do not overstate your compliance.
Evidence-Based: Base your determinations on actual evidence, not assumptions.
Comprehensive: Review all requirements thoroughly.
Team Approach: Involve personnel from all relevant departments.
Documentation: Thoroughly document your assessment process and results.
Management Review: Review the assessment results with senior management.
Continuous Improvement: Use the assessment results to identify areas for improvement.
Annual Self-Assessment Process
For CMMC Level 1, self-assessments must be conducted annually. For CMMC Level 2, self-assessments must be conducted every three years.
Establish a process for conducting these assessments regularly:
Schedule: Establish a schedule for conducting assessments.
Responsibility: Assign responsibility for conducting assessments.
Process: Document the assessment process.
Review: Review and update the process regularly.
Tracking: Track when assessments are due and completed.
Maintaining Objectivity
It is important to maintain objectivity when conducting a self-assessment.
To maintain objectivity:
Independent Reviewers: Use independent reviewers who are not responsible for implementing the controls.
External Assistance: Consider engaging external consultants to conduct or review the self-assessment.
Evidence-Based: Base determinations on objective evidence rather than subjective opinions.
Conservative Approach: When in doubt, be conservative in your determinations.
Peer Review: Have self-assessments reviewed by peers or management.
Certification Assessment
Certification assessments are conducted by an independent third party and are required for some CMMC Level 2 contracts and for all CMMC Level 3 contracts.
Certification Assessment Process
The certification assessment process is similar to the self-assessment process but is conducted by an independent third party and is more rigorous.
The certification assessment process includes:
Pre-Assessment Planning: Working with the assessor to plan the assessment.
Document Review: The assessor reviews all documentation and evidence.
Interviews: The assessor conducts interviews with key personnel.
Technical Testing: The assessor performs technical testing to verify control implementation.
Findings Development: The assessor documents any findings.
Report Preparation: The assessor prepares a detailed assessment report.
Results Communication: The assessor communicates the results to the organization.
C3PAO vs. DIBCAC Assessments
CMMC Level 2 certification assessments are conducted by a C3PAO, while CMMC Level 3 certification assessments are conducted by the DIBCAC.
C3PAO Assessments:
Conducted by accredited third-party organizations
Organization selects and contracts with the C3PAO
Results entered into eMASS
Certificate issued by the C3PAO
DIBCAC Assessments:
Conducted by government assessors
Required for Level 3
Also used to assess C3PAOs
Results entered into eMASS
More rigorous than C3PAO assessments
Assessment Scope Validation
At the beginning of the certification assessment, the assessor will validate the scope of the assessment to ensure it is accurate and complete.
Scope validation includes:
Asset Inventory Review: Reviewing the asset inventory to ensure all CUI assets are included.
Network Diagram Review: Reviewing network diagrams to verify the assessment boundary.
Data Flow Review: Reviewing data flow diagrams to ensure all CUI flows are captured.
Boundary Verification: Verifying that the assessment boundary is properly defined and controlled.
Exclusions: Reviewing any assets excluded from scope and verifying the justification.
Be prepared to provide detailed explanations and justifications for scoping decisions.
On-Site vs. Remote Assessments
Certification assessments can be conducted on-site or remotely.
On-Site Assessments:
Assessor visits the organization's facilities
Allows for direct observation of controls
May be required for certain types of controls (physical security)
Higher travel costs
Remote Assessments:
Conducted using video conferencing and remote access tools
Lower cost due to no travel
May be more convenient for both parties
Requires robust remote access capabilities
The choice between on-site and remote assessment is typically made during the planning phase based on the nature of the controls and the preferences of both parties.
Assessment Duration Expectations
The duration of a certification assessment varies depending on the size and complexity of the organization and the scope of the assessment.
Typical assessment durations:
Small Organizations (< 50 employees): 3-5 days
Medium Organizations (50-500 employees): 5-10 days
Large Organizations (> 500 employees): 10-20 days or more
Complex Environments: May require additional time
The assessment duration should be discussed and agreed upon during the planning phase.
Post-Assessment Activities
After the assessment is complete, several post-assessment activities occur:
Report Review: The organization receives a draft assessment report and has an opportunity to review and provide feedback.
Findings Discussion: The organization and assessor discuss any findings and potential remediation approaches.
Final Report: The assessor issues a final assessment report.
Certificate Issuance: If the assessment is successful, the C3PAO issues a CMMC certificate (for C3PAO assessments).
SPRS/eMASS Entry: The assessment results are entered into SPRS or eMASS.
POA&M Development: If there are allowable findings, the organization develops a POA&M.
Communication: The organization communicates the results to relevant stakeholders.
Plans of Action and Milestones
A Plan of Action and Milestones (POA&M) is a document that identifies an organization's plan to correct deficiencies identified during a CMMC assessment.
When POA&Ms are Allowed
POA&Ms are not allowed for all requirements:
Level 1: POA&Ms are not permitted. All 15 requirements must be fully implemented.
Level 2 and Level 3: POA&Ms are allowed for some requirements, but not for critical requirements.
The specific requirements that cannot be included in a POA&M are specified in 32 CFR § 170.21.
Critical Requirements That Cannot Be in POA&Ms
Critical requirements are those that are considered essential for the protection of CUI and must be fully implemented before certification.
Examples of critical requirements include:
Access control requirements related to authentication and authorization
Encryption requirements for CUI
Incident reporting requirements
Certain audit and accountability requirements
Review 32 CFR § 170.21 for the complete list of critical requirements for each level.
POA&M Development
The POA&M should include detailed information about each deficiency and the plan to correct it.
POA&M content should include:
Requirement ID: The ID of the requirement that is not met.
Requirement Description: Description of the requirement.
Finding Description: Detailed description of the deficiency.
Risk Assessment: Assessment of the risk posed by the deficiency.
Remediation Plan: Detailed plan for correcting the deficiency.
Resources Required: Resources needed to implement the remediation plan.
Responsible Party: Person or team responsible for remediation.
Milestones: Key milestones in the remediation process.
Target Completion Date: Date by which the deficiency will be corrected (must be within 180 days).
Status: Current status of the remediation effort.
180-Day Closeout Requirement
All POA&M items must be closed out within 180 days of when the CMMC assessment results are finalized and submitted to SPRS or eMASS.
The 180-day clock starts when:
For self-assessments: When the assessment results are submitted to SPRS
For certification assessments: When the assessment results are submitted to eMASS
If POA&M items are not closed out within 180 days, the organization's Conditional CMMC Status will expire.
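The POA&M content list and the 180-day clock above lend themselves to a small validator, so that an item is rejected before it reaches the assessor rather than after. The script below is an added example and is not from this guide or the CMMC program: it carries the fields the guide lists, refuses items for requirements that may not be on a POA&M, refuses target dates after the closeout deadline counted from the SPRS or eMASS submission date, and reports the days remaining on Conditional status. The non-eligible set (NOT_POAM_ELIGIBLE) stands in for the 32 CFR 170.21 list and, like every date, identifier and description here, is constructed.

```python
"""POA&M item validation and 180-day closeout tracking (added example, not from the guide).

Each POA&M item carries the fields the guide lists. The validator rejects
items for requirements that may not be placed on a POA&M (the set below is
a constructed stand-in for the 32 CFR 170.21 list) and items whose target
date falls after the 180-day closeout deadline counted from the date the
results were submitted to SPRS or eMASS. The status report gives the days
remaining and whether Conditional status has lapsed. All sample data is
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CLOSEOUT_WINDOW = timedelta(days=180)
NOT_POAM_ELIGIBLE = {"REQ-07"}   # constructed stand-in for the rule's list of critical requirements


@dataclass
class PoamItem:
    requirement_id: str
    requirement_description: str
    finding_description: str
    risk_assessment: str
    remediation_plan: str
    resources_required: str
    responsible_party: str
    target_completion: date
    milestones: list[str] = field(default_factory=list)
    status: str = "Open"            # "Open", "In Progress" or "Closed"


def closeout_deadline(results_submitted: date) -> date:
    """The 180-day clock starts on the day results are submitted to SPRS or eMASS."""
    return results_submitted + CLOSEOUT_WINDOW


def validate_item(item: PoamItem, results_submitted: date,
                  not_poam_eligible: set[str]) -> list[str]:
    """Return the reasons an item is not acceptable as written (empty list means acceptable)."""
    problems: list[str] = []
    deadline = closeout_deadline(results_submitted)
    if item.requirement_id in not_poam_eligible:
        problems.append(f"{item.requirement_id}: not POA&M-eligible; must be Met before certification")
    if item.target_completion > deadline:
        problems.append(f"{item.requirement_id}: target {item.target_completion} is after closeout deadline {deadline}")
    if not item.milestones:
        problems.append(f"{item.requirement_id}: no milestones recorded")
    if not item.responsible_party.strip():
        problems.append(f"{item.requirement_id}: no responsible party")
    return problems


def status_report(items: list[PoamItem], results_submitted: date, today: date) -> dict:
    """Where the POA&M stands relative to the closeout deadline on a given day."""
    deadline = closeout_deadline(results_submitted)
    open_ids = sorted(i.requirement_id for i in items if i.status != "Closed")
    return {
        "closeout_deadline": deadline.isoformat(),
        "days_remaining": (deadline - today).days,
        "open_items": open_ids,
        # Open items past the deadline mean the Conditional CMMC Status has expired.
        "conditional_status_expired": today > deadline and bool(open_ids),
        # Everything closed inside the window: ready for the closeout assessment
        # that confirms Final status (that assessment is outside this script).
        "ready_for_closeout_assessment": not open_ids and today <= deadline,
    }


def demo() -> dict:
    """Constructed POA&M: one acceptable item, one with a late target, one not eligible."""
    submitted = date(2025, 1, 15)
    items = [
        PoamItem("REQ-03", "Review audit records periodically", "Weekly review not documented",
                 "Low: records are collected and retained", "Write procedure, schedule weekly review",
                 "1 analyst, 2 hours per week", "SOC lead", date(2025, 6, 1),
                 milestones=["Procedure approved", "First review recorded"]),
        PoamItem("REQ-05", "Maintain asset inventory", "Inventory missing two lab systems",
                 "Medium", "Add systems, reconcile monthly", "asset tool licence",
                 "IT manager", date(2025, 8, 1), milestones=["Systems added"]),
        PoamItem("REQ-07", "Constructed critical requirement", "Not implemented",
                 "High", "Implement control", "project budget", "CISO", date(2025, 3, 1)),
    ]
    problems = {i.requirement_id: validate_item(i, submitted, NOT_POAM_ELIGIBLE) for i in items}
    return {"problems": problems, "report": status_report(items, submitted, date(2025, 5, 1))}


if __name__ == "__main__":
    print(demo())
```

Run the validator whenever an item is added or edited, and the status report on a schedule; a report showing conditional_status_expired true is the condition the text describes, with no remaining path to Final status from that POA&M.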
POA&M Closeout Assessment
The closeout of a POA&M must be confirmed by a POA&M closeout assessment.
Level 2 Self-Assessment: The POA&M closeout self-assessment is performed by the organization itself using the same methodology as the initial self-assessment.
Level 2 Certification Assessment: The POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.
Level 3 Certification Assessment: The POA&M closeout certification assessment is performed by the DIBCAC.
The closeout assessment evaluates only the requirements that were Not Met in the initial assessment.
Conditional vs. Final Status
Conditional CMMC Status is achieved when an organization has a passing score on its assessment but has some remaining items on its POA&M. The Conditional status is valid for 180 days.
Final CMMC Status is achieved when:
An organization has a passing score with no POA&M items, OR
An organization has successfully closed out its POA&M items within 180 days
Final CMMC Status is valid for three years from the CMMC Status Date (or from the Conditional CMMC Status Date if POA&Ms were involved).
Part 6: Maintaining CMMC Compliance
Annual Affirmation Process
In addition to periodic assessments, all organizations with a CMMC certification are required to submit an annual affirmation of compliance.
Affirmation Requirements
The annual affirmation is a statement that the organization has continued to maintain its cybersecurity posture and has not made any significant changes that would affect its CMMC compliance.
The affirmation should confirm:
The organization continues to meet all CMMC requirements
No significant changes have been made to systems or controls
The organization continues to protect CUI appropriately
All security controls remain effective
The annual affirmation is submitted through the SPRS.
What Triggers a New Assessment
Several events can trigger the need for a new assessment rather than just an affirmation:
Significant Architectural Changes: Major changes to the network architecture or system boundaries.
Scope Changes: Changes to the assessment scope such as adding new systems that process CUI.
Security Incidents: Significant security incidents that may have compromised CUI.
Merger or Acquisition: Organizational changes such as mergers or acquisitions.
Failed Affirmation: If the organization cannot affirm continued compliance.
Expiration: If the CMMC Status expires due to failure to affirm or close POA&Ms.
Maintaining Evidence Between Assessments
Continue to collect and maintain evidence between assessments to ensure readiness for the next assessment and to support annual affirmations.
Evidence maintenance should include:
Continuous Collection: Continue automated collection of evidence such as logs and configuration backups.
Regular Updates: Regularly update documentation to reflect any changes.
Organization: Maintain organized evidence repositories.
Review: Periodically review evidence to ensure it is current and complete.
Retention: Retain evidence for the full three-year assessment cycle.
Changes That Require Reassessment
Some changes may require a new assessment before the three-year cycle:
Major System Changes: Implementation of new major systems or significant changes to existing systems.
Boundary Changes: Changes to the assessment boundary that add or remove significant assets.
Control Changes: Significant changes to how security controls are implemented.
Organizational Changes: Major organizational changes such as mergers or acquisitions.
Consult with a qualified CMMC professional to determine whether a change requires a new assessment.
Affirmation in SPRS
The annual affirmation is submitted through the SPRS system.
SPRS affirmation process:
Login: Log into SPRS with appropriate credentials.
Navigate: Navigate to the CMMC affirmation section.
Review: Review the current CMMC Status and requirements.
Affirm: Submit the affirmation confirming continued compliance.
Timing: Submit the affirmation before the annual deadline to avoid expiration of CMMC Status.
Failure to submit the annual affirmation will result in the expiration of the CMMC Status, which will prevent the organization from bidding on contracts that require CMMC certification.
Continuous Compliance and Improvement
Achieving CMMC compliance is not a one-time event but an ongoing process. Continuous compliance and improvement are essential for maintaining CMMC certification and ensuring the ongoing protection of CUI.
Ongoing Monitoring and Maintenance
Continue to monitor and maintain security controls that were implemented to achieve CMMC compliance.
Ongoing activities should include:
Vulnerability Scanning: Conduct regular vulnerability scans to identify security weaknesses.
Patch Management: Implement timely patching of systems and applications.
Log Review: Regularly review audit logs for signs of security incidents.
Configuration Monitoring: Monitor systems for configuration drift from baselines.
Access Reviews: Conduct regular reviews of user access to ensure appropriateness.
Incident Monitoring: Continuously monitor for security incidents.
Security Control Effectiveness Reviews
Conduct regular reviews of the effectiveness of security controls to ensure they are providing the necessary level of protection.
Effectiveness reviews should include:
Control Testing: Periodically test security controls to verify they are functioning correctly.
Metrics Analysis: Analyze security metrics to assess control effectiveness.
Incident Analysis: Analyze security incidents to identify control weaknesses.
Audit Findings: Review findings from internal and external audits.
Improvement Identification: Identify opportunities to improve control effectiveness.
Keeping Up with Evolving Threats
The threat landscape is constantly evolving, so it is important to keep up with the latest threats and update security controls as necessary.
Threat awareness activities should include:
Threat Intelligence: Subscribe to threat intelligence feeds and security bulletins.
Industry Information: Participate in industry information sharing groups.
Security News: Monitor security news and developments.
Training: Provide ongoing security training to personnel on emerging threats.
Control Updates: Update security controls to address new threats.
Training and Awareness Programs
Continue to provide training and awareness programs to all personnel to ensure they are aware of their security responsibilities.
Ongoing training should include:
Annual Training: Provide annual security awareness training to all personnel.
Role-Based Training: Provide role-based training to personnel with specific security responsibilities.
New Hire Training: Provide security training to all new hires during onboarding.
Refresher Training: Provide refresher training on specific topics as needed.
Phishing Simulations: Conduct regular phishing simulations to test and train personnel.
Training Documentation: Maintain records of all training completion.
Configuration Management Discipline
Maintain strong configuration management discipline to ensure systems remain in compliance with baseline configurations.
Configuration management discipline should include:
Change Control: Enforce change control procedures for all system changes.
Configuration Audits: Conduct regular audits of system configurations.
Drift Detection: Implement automated detection of configuration drift.
Remediation: Promptly remediate any configuration drift.
Documentation: Maintain current documentation of all system configurations.
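Drift detection is the one item in that list that is cheap to automate. The script below is an added example, not code from this guide or from any vendor: it parses a service configuration file in the "Key value" form used by sshd_config, compares it with a baseline of required values and a list of settings that must not appear, and reports every deviation with its kind. The baseline (BASELINE), the forbidden set (FORBIDDEN) and the sample file (SAMPLE_CONFIG) are constructed; the first-value-wins rule in the parser matches how sshd reads its own file.

```python
"""Configuration drift detection against a baseline (added example, not from the guide).

A baseline records the required value of each security-relevant setting.
The detector parses a configuration file in 'Key value' form (sshd_config
style, '#' lines are comments), compares it with the baseline and reports
each deviation: a setting with the wrong value, a required setting that is
absent, and a setting the baseline forbids. Baseline and sample file are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    setting: str
    kind: str                 # "changed", "missing" or "forbidden"
    expected: str | None
    actual: str | None


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines; keys are case-insensitive, comment and blank lines ignored.

    If a key repeats, the first occurrence wins, which is how sshd resolves its file.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key not in settings:
            settings[key] = value.strip()
    return settings


def detect_drift(baseline: dict[str, str], forbidden: set[str],
                 current: dict[str, str]) -> list[Drift]:
    """Compare parsed settings with the baseline; values compare case-insensitively."""
    findings: list[Drift] = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None:
            findings.append(Drift(key, "missing", expected, None))
        elif actual.lower() != expected.lower():
            findings.append(Drift(key, "changed", expected, actual))
    for key in forbidden:
        if key.lower() in current:
            findings.append(Drift(key, "forbidden", None, current[key.lower()]))
    return sorted(findings, key=lambda d: d.setting)


# Constructed baseline: required values and one legacy option that must not be present.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "LogLevel": "VERBOSE",
    "X11Forwarding": "no",
}
FORBIDDEN = {"Protocol"}   # removed option; its presence signals a stale template

SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
# drift: the baseline requires 'no'
PasswordAuthentication yes
LogLevel VERBOSE
X11Forwarding no
# legacy option still present from an old template
Protocol 2
"""


def demo() -> list[Drift]:
    """Run the detector over the constructed sample against the constructed baseline."""
    return detect_drift(BASELINE, FORBIDDEN, parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for d in demo():
        print(f"{d.kind:9} {d.setting}: expected={d.expected} actual={d.actual}")
```

A "missing" finding matters as much as a "changed" one: a setting that is absent falls back to the daemon's compiled default, which the baseline author may never have reviewed. Feed the detector from a scheduled export of each in-scope host's file and treat any non-empty result as a change-control ticket, which is the remediation step the list above calls for.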
Incident Response Readiness
Maintain a high level of incident response readiness to ensure the organization can quickly and effectively respond to security incidents.
Incident response readiness should include:
Plan Updates: Regularly update the incident response plan.
Team Training: Provide regular training to the incident response team.
Exercises: Conduct regular incident response exercises.
Tool Maintenance: Maintain incident response tools and ensure they are functioning.
Contact Lists: Maintain current contact lists for incident response.
Lessons Learned: Implement improvements based on lessons learned from incidents and exercises.
Managing Organizational Change
Organizational change can have a significant impact on CMMC compliance. Managing change effectively is essential for maintaining compliance.
Personnel Changes and Access Management
When personnel leave the organization or change roles, promptly remove or modify their access to systems and data.
Personnel change procedures should include:
Termination Process: Implement a formal termination process that includes immediate revocation of access.
Role Change Process: Implement a process for modifying access when personnel change roles.
Access Review: Conduct regular reviews of access to identify and remove unnecessary access.
Documentation: Document all access changes.
Automation: Automate access revocation where possible.
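An access review that is actually repeatable is a join between the identity system's account export and the HR roster. The script below is an added example, not from this guide or any identity product: it flags accounts still enabled for terminated personnel, accounts whose owner is not on the roster, privileged accounts held by roles not approved for privilege, and enabled accounts with no recent login. The roster, the account list, the approved-role set and the 90-day staleness threshold are all constructed sample values.

```python
"""Access review: reconcile accounts against the personnel roster (added example, not from the guide).

Joins an account export to the HR roster and flags the conditions the guide
warns about. The roster, accounts, approved privileged roles and thresholds
are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str               # "active" or "terminated"
    role: str


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str | None      # employee_id, or None for accounts with no named owner
    enabled: bool
    privileged: bool
    last_login: date | None


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    action: str


def review_access(people: list[Person], accounts: list[Account], privileged_roles: set[str],
                  today: date, stale_days: int = 90) -> list[Finding]:
    """Return one Finding per condition detected, in account order."""
    roster = {p.employee_id: p for p in people}
    findings: list[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if acct.owner_id and owner is None:
            findings.append(Finding(acct.username, "orphaned: owner not on roster", "disable and investigate"))
            continue
        if owner and owner.status == "terminated" and acct.enabled:
            findings.append(Finding(acct.username, f"enabled for terminated employee {owner.employee_id}",
                                    "revoke immediately"))
            continue   # revocation supersedes the remaining checks
        if acct.privileged and (owner is None or owner.role not in privileged_roles):
            findings.append(Finding(acct.username, "privileged account without an approved role",
                                    "remove privilege or record a documented exception"))
        if acct.enabled and (acct.last_login is None or (today - acct.last_login).days > stale_days):
            findings.append(Finding(acct.username, f"no login in the last {stale_days} days",
                                    "disable pending owner confirmation"))
    return findings


# Constructed sample data.
PEOPLE = [Person("E1", "active", "sysadmin"), Person("E2", "terminated", "engineer"),
          Person("E3", "active", "engineer")]
ACCOUNTS = [
    Account("alice", "E1", True, True, date(2025, 6, 28)),
    Account("bob", "E2", True, False, date(2025, 3, 1)),       # owner terminated, still enabled
    Account("carol", "E3", True, True, date(2025, 6, 20)),     # privileged, role not approved
    Account("svc-backup", None, True, True, None),             # no owner, never logged in
    Account("dave", "E9", True, False, date(2025, 6, 25)),     # owner id unknown to HR
    Account("erin", "E3", True, False, date(2025, 1, 10)),     # stale
]
PRIVILEGED_ROLES = {"sysadmin"}


def demo() -> list[Finding]:
    return review_access(PEOPLE, ACCOUNTS, PRIVILEGED_ROLES, today=date(2025, 6, 30))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.username:12} {f.issue:45} -> {f.action}")
```

Keep the output as the review record: the date, the two inputs, and the findings with the action taken for each are exactly the documentation the list above asks for, and the same run repeated after remediation proves the revocations happened.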
System and Network Changes
When systems or networks are added, removed, or modified, ensure changes are made in a controlled and secure manner.
System and network change procedures should include:
Change Control: Follow change control procedures for all system and network changes.
Security Review: Conduct security reviews of all changes.
Testing: Test changes before implementation.
Documentation: Update documentation to reflect changes.
Scope Impact: Assess whether changes impact the assessment scope.
Vendor and Supplier Changes
When vendors or suppliers are added, removed, or changed, ensure new vendors meet necessary security requirements.
Vendor change procedures should include:
Security Assessment: Conduct security assessments of new vendors.
Contract Review: Ensure vendor contracts include appropriate security requirements.
Transition Planning: Plan transitions between vendors to ensure continuity of security.
Documentation: Update documentation to reflect vendor changes.
Monitoring: Monitor new vendors to ensure ongoing compliance.
Scope Boundary Changes
When the scope of the CMMC assessment changes, it may be necessary to conduct a new assessment.
Scope change considerations include:
New Systems: Adding new systems that process CUI may require scope expansion.
Decommissioned Systems: Removing systems from scope should be documented.
Boundary Changes: Changes to the assessment boundary should be carefully evaluated.
Assessment Impact: Determine whether scope changes require a new assessment.
Documentation: Update all documentation to reflect scope changes.
Mergers and Acquisitions Impact
Mergers and acquisitions can have a significant impact on CMMC compliance.
M&A considerations include:
Due Diligence: Conduct cybersecurity due diligence on any organization being acquired.
Gap Assessment: Conduct gap assessments to identify compliance issues.
Integration Planning: Develop a plan for integrating the acquired organization into the CMMC compliance program.
Timeline: Understand the timeline for achieving compliance for the acquired organization.
Reassessment: Determine whether a new assessment is required after the merger or acquisition.
Part 7: Special Topics and Advanced Considerations
Small Business Considerations
Small businesses face unique challenges when it comes to achieving CMMC compliance due to limited resources and expertise.
Resource Constraints and Solutions
Small businesses often have limited financial and personnel resources, which can make CMMC compliance challenging.
Solutions for resource constraints include:
Prioritization: Focus resources on the most critical requirements first.
Phased Implementation: Implement controls in phases rather than all at once.
Cost-Effective Solutions: Choose cost-effective solutions such as cloud services and open-source tools.
Shared Resources: Share resources with other small businesses where appropriate.
External Assistance: Engage external consultants or MSPs to supplement internal resources.
Managed Service Provider Options
A Managed Service Provider (MSP) can be a valuable partner for small businesses seeking CMMC compliance.
MSP services can include:
Implementation: Implementing and managing security controls.
Monitoring: Providing 24/7 security monitoring.
Assessment Support: Supporting the organization through CMMC assessments.
Training: Providing security training and awareness.
Incident Response: Providing incident response services.
When selecting an MSP:
Ensure the MSP has experience with DIB contractors
Verify the MSP has its own CMMC Level 2 certification
Review the MSP's Shared Responsibility Matrix
Ensure the MSP can provide evidence for their responsibilities
Verify the MSP's staff are U.S. persons
Cost-Effective Implementation Strategies
Small businesses can use several cost-effective strategies to achieve CMMC compliance:
Enclave Approach: Implement an enclave to reduce the scope of the assessment.
Cloud Services: Use cloud services (GCC High) to reduce infrastructure costs.
Open-Source Tools: Use open-source security tools where appropriate.
Self-Assessment: Conduct self-assessments instead of certification assessments where allowed.
Shared Services: Share services with other small businesses (shared SOC, shared assessments).
Incremental Implementation: Implement controls incrementally rather than all at once.
Leveraging DoD Small Business Resources
The DoD offers various resources to help small businesses achieve CMMC compliance:
DoD Office of Small Business Programs: Provides resources and guidance for small businesses at .
Procurement Technical Assistance Centers (PTACs): Provide free counseling and assistance to businesses seeking government contracts at .
Manufacturing Extension Partnership (MEP): Provides cybersecurity assistance to manufacturers at .
SBIR/STTR Programs: Small Business Innovation Research and Small Business Technology Transfer programs may provide funding for cybersecurity improvements.
Enclave Approach for Small Businesses
The enclave approach can be particularly beneficial for small businesses with limited CUI.
Enclave benefits for small businesses:
Reduced Scope: Smaller scope means fewer systems to secure and lower costs.
Focused Investment: Concentrate resources on a smaller, more manageable environment.
Operational Flexibility: Corporate systems can operate with less restrictive controls.
Lower Assessment Costs: Smaller scope typically results in lower assessment costs.
Enclave considerations:
Operational Impact: Ensure the enclave does not create unacceptable operational constraints.
Boundary Controls: Implement strong boundary controls to protect the enclave.
User Training: Train users on how to work within the enclave.
Data Classification: Implement clear data classification to ensure CUI stays in the enclave.
Cloud and Hybrid Environments
Many organizations are using cloud-based or hybrid environments to host their IT systems and data. Understanding how CMMC applies in cloud environments is essential.
FedRAMP Authorization Equivalency
The CMMC framework recognizes FedRAMP authorization as equivalent to CMMC certification for cloud service providers.
FedRAMP equivalency means:
FedRAMP Moderate: Equivalent to CMMC Level 1 for cloud infrastructure.
FedRAMP High: Equivalent to CMMC Level 2 for cloud infrastructure.
Verification: Organizations can verify FedRAMP authorization at .
Shared Responsibility: Organizations are still responsible for their portion of the shared responsibility model.
Configuration: Organizations are responsible for securely configuring cloud services.
Microsoft GCC and GCC High
Microsoft 365 Government Community Cloud (GCC) and GCC High are cloud-based productivity suites designed for U.S. government requirements.
Microsoft 365 GCC:
Suitable for FCI
FedRAMP Moderate authorized
Lower cost than GCC High
Appropriate for Level 1 requirements
Microsoft 365 GCC High:
Required for CUI
FedRAMP High authorized
Isolated from commercial cloud
Appropriate for Level 2 and Level 3 requirements
Higher cost than GCC
AWS GovCloud and Other CSP Options
Several cloud service providers offer government-specific cloud environments:
AWS GovCloud:
FedRAMP High authorized
Isolated from commercial AWS
Flexible infrastructure options
Appropriate for Level 2 and Level 3
Azure Government:
FedRAMP High authorized
Isolated from commercial Azure
Integrated with Microsoft 365 GCC High
Appropriate for Level 2 and Level 3
Google Cloud for Government:
FedRAMP authorization available
Government-specific security features
Appropriate for government workloads
When selecting a CSP:
Verify FedRAMP authorization level
Review the Shared Responsibility Matrix
Understand which controls are managed by the CSP and which are the organization's responsibility
Ensure the CSP can provide evidence for their responsibilities
Shared Responsibility in Cloud Environments
In a cloud environment, there is a shared responsibility for security between the organization and the cloud service provider.
Typical shared responsibility model:
CSP Responsibilities:
Physical security of data centers
Infrastructure security (compute, storage, network)
Hypervisor security
Some platform services
Organization Responsibilities:
Data classification and protection
Access control and identity management
Application security
Configuration of cloud services
Monitoring and logging
The specific division of responsibilities varies by service model (IaaS, PaaS, SaaS) and should be clearly documented in a Shared Responsibility Matrix.
Hybrid On-Premises and Cloud Architectures
Many organizations use hybrid architectures that combine on-premises and cloud-based systems.
Hybrid architecture considerations:
Consistent Controls: Ensure security controls are consistent across on-premises and cloud environments.
Secure Connections: Implement secure connections between on-premises and cloud environments (VPN, dedicated connections).
Data Flows: Carefully manage data flows between on-premises and cloud environments.
Unified Monitoring: Implement unified monitoring across both environments.
Assessment Scope: Ensure the assessment scope includes both on-premises and cloud components.
Documentation: Document the hybrid architecture clearly in network diagrams and the SSP.
Common Pitfalls and How to Avoid Them
Organizations encounter several common pitfalls when seeking CMMC compliance. Understanding these pitfalls can help avoid them.
Top 10 Compliance Mistakes
The most common CMMC compliance mistakes are:
Inadequate Scoping: Over-scoping or under-scoping the CUI environment
Insufficient Documentation: Waiting until assessment to gather documentation
Incomplete Asset Inventory: Missing assets that process CUI
Inadequate Access Control: Failing to implement least privilege
Poor Third-Party Risk Management: Not assessing vendor security
Insufficient Incident Response: Inadequate incident response planning
Weak Configuration Management: Not maintaining secure configurations
Inadequate Training: Generic training not addressing CMMC specifics
Poor Audit Log Management: Not properly configuring and monitoring logs
Incomplete Risk Assessment: Superficial risk assessments
Scoping Errors
Scoping errors are the most common mistake and can lead to failed assessments or unnecessary costs.
Under-Scoping Errors:
Missing systems that process CUI
Failing to include Security Protection Assets
Not identifying all data flows
Excluding third-party systems that access CUI
Over-Scoping Errors:
Including systems that do not process CUI
Not implementing network segmentation
Including corporate systems unnecessarily
How to Avoid:
Conduct thorough data discovery
Create comprehensive data flow diagrams
Work with a qualified CMMC professional
Review scoping decisions with assessors before the formal assessment
Documentation Failures
Documentation failures are a common cause of assessment delays and failures.
Common Documentation Failures:
Incomplete System Security Plan
Missing policies and procedures
Inadequate evidence collection
Poor organization of documentation
Outdated documentation
How to Avoid:
Start documentation early in the compliance process
Implement continuous evidence collection
Maintain organized documentation repositories
Regularly review and update documentation
Use templates and checklists
Access Control Weaknesses
Access control weaknesses are frequently identified during assessments.
Common Access Control Weaknesses:
Overly permissive access rights
Failure to implement least privilege
Inadequate privileged access management
Weak password policies
Missing multi-factor authentication
Failure to remove access when personnel leave
How to Avoid:
Implement role-based access control
Regularly review and remove unnecessary access
Implement strong authentication mechanisms
Use privileged access management tools
Automate access revocation processes
Third-Party Risk Oversights
Organizations often overlook third-party security risks.
Common Third-Party Oversights:
Not assessing vendor security practices
Missing vendors in the scope
Inadequate vendor contracts
No Shared Responsibility Matrix
Failure to verify vendor CMMC compliance
How to Avoid:
Maintain comprehensive vendor inventory
Conduct security assessments of all vendors with CUI access
Include security requirements in vendor contracts
Develop and maintain Shared Responsibility Matrices
Regularly monitor vendor compliance
Training and Awareness Gaps
Training and awareness gaps can lead to security incidents and assessment findings.
Common Training Gaps:
Generic training not addressing CMMC requirements
Infrequent training
No role-based training
Failure to train on CUI handling
No insider threat awareness
How to Avoid:
Develop CMMC-specific training programs
Provide annual training to all personnel
Provide role-based training for personnel with security responsibilities
Include CUI handling in training
Conduct regular phishing simulations
Audit Log Deficiencies
Audit log deficiencies limit the ability to detect and investigate security incidents.
Common Audit Log Deficiencies:
Inadequate log coverage
Logs not centralized
Logs not protected
Logs not reviewed
Insufficient log retention
How to Avoid:
Implement comprehensive logging across all systems
Use centralized log management
Protect logs from unauthorized access and modification
Implement regular log review procedures
Retain logs for required periods
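As an added example (not part of the original guide), the following Python script shows three of these checks in working form, run over constructed syslog-style lines: coverage (does every host in the asset inventory appear in the central log?), silent sources (a host whose last event is older than an agreed gap, which is how log forwarding failures are caught), and integrity (a SHA-256 hash chain that detects an edited or deleted record, the mechanism behind "protect logs from modification"). The host names, inventory and line format are constructed for the example.

```python
"""Audit log review (an added example for this guide, not code from the
original page). It runs over constructed syslog-style lines and checks three
of the deficiencies listed above: coverage (does every in-scope host from the
asset inventory appear?), silent sources (a host that stopped sending), and
integrity (a SHA-256 hash chain that detects an edited or deleted record).
Host names, the inventory, and the line format are constructed for the example."""

import hashlib
from datetime import datetime, timedelta

IN_SCOPE_HOSTS = {"dc01", "fileserver01", "vpn01", "cui-ws-07"}   # constructed asset inventory

# Constructed events. cui-ws-07 never reports, and vpn01 goes quiet after 01:55.
RAW_LOGS = """\
2025-11-01T00:05:12Z dc01 sshd: Accepted publickey for alice from 10.10.1.5
2025-11-01T00:20:40Z fileserver01 smbd: alice opened /cui/drawings/part-17.dwg
2025-11-01T01:10:03Z vpn01 openvpn: bob connected from 203.0.113.9
2025-11-01T01:55:30Z vpn01 openvpn: bob disconnected
2025-11-01T03:30:00Z dc01 kerberos: TGT issued to carol
2025-11-01T05:45:15Z fileserver01 smbd: carol opened /cui/drawings/part-18.dwg
2025-11-01T07:12:48Z dc01 sshd: Failed password for root from 198.51.100.7
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(raw):
    """Split '<timestamp> <host> <message>' lines into event dicts."""
    events = []
    for line in raw.splitlines():
        ts, host, msg = line.split(" ", 2)
        events.append({"ts": datetime.strptime(ts, TS_FMT), "host": host, "msg": msg})
    return events

def coverage_gaps(events, in_scope):
    """In-scope hosts that produced no events at all in the review window."""
    return sorted(in_scope - {e["host"] for e in events})

def silent_sources(events, as_of, max_gap_hours):
    """Hosts whose most recent event is older than max_gap_hours at the review time."""
    review_time = datetime.strptime(as_of, TS_FMT)
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    limit = timedelta(hours=max_gap_hours)
    return sorted(h for h, t in last_seen.items() if review_time - t > limit)

def hash_chain(events):
    """Chained SHA-256 over the records: each digest covers the record plus the
    previous digest, so altering or removing one record changes every later
    digest. Storing the chain (or just its final value) off-host is what makes
    the logs tamper-evident."""
    prev = "0" * 64
    chain = []
    for e in events:
        record = f"{e['ts'].strftime(TS_FMT)} {e['host']} {e['msg']}".encode()
        prev = hashlib.sha256(prev.encode() + record).hexdigest()
        chain.append(prev)
    return chain

def verify_chain(events, stored_chain):
    """Index of the first record whose digest no longer matches the stored
    chain, or -1 when the log is intact."""
    current = hash_chain(events)
    for i, (a, b) in enumerate(zip(current, stored_chain)):
        if a != b:
            return i
    return -1 if len(current) == len(stored_chain) else min(len(current), len(stored_chain))

if __name__ == "__main__":
    events = parse(RAW_LOGS)
    print("no coverage:", coverage_gaps(events, IN_SCOPE_HOSTS))
    print("silent >4h:", silent_sources(events, "2025-11-01T08:00:00Z", 4))
    chain = hash_chain(events)
    events[6]["msg"] = "Accepted password for root from 198.51.100.7"   # simulate an edit
    print("first tampered record:", verify_chain(events, chain))
```

On the constructed data the review flags cui-ws-07 as having no coverage at all and vpn01 as silent for more than four hours, and a single edited line (the failed root login rewritten as a success) is pinned to record 6 by the hash chain. The coverage check is only as good as the asset inventory it is fed, which is why the inventory and the logging configuration need to be kept in step.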
Risk Assessment Shortcomings
Risk assessments are often conducted superficially without adequate depth.
Common Risk Assessment Shortcomings:
Infrequent risk assessments
Superficial analysis
Failure to identify all risks
No risk mitigation plans
No vulnerability scanning
How to Avoid:
Conduct risk assessments at least annually
Use structured risk assessment methodologies
Include all systems and data in risk assessments
Develop risk mitigation plans for identified risks
Conduct regular vulnerability scanning
CMMC Implementation Timeline and Phases
The CMMC program is being implemented in a phased manner over three years to allow time for assessor training and for companies to prepare.
Phase 1: Initial Implementation (November 2025)
Phase 1 begins on November 10, 2025, which is 60 days after the publication of the final CMMC DFARS rule in the Federal Register on September 10, 2025.
Phase 1 Characteristics:
New solicitations will require CMMC Level 1 or Level 2 self-assessments as appropriate
Organizations must have the required CMMC status posted in SPRS at the time of contract award
Self-assessments are entered into SPRS
Annual affirmations are required
Phase 1 Preparation:
Organizations should begin compliance efforts immediately
Conduct gap assessments
Implement required controls
Develop documentation
Conduct self-assessments
Phase 2: Level 2 Certification Begins (Month 12)
Phase 2 begins 12 months after Phase 1 (approximately November 2026).
Phase 2 Characteristics:
Some solicitations will require CMMC Level 2 certification assessments conducted by C3PAOs
The DoD may opt to delay Level 2 certification requirements in some contracts to option periods
Organizations must work with accredited C3PAOs
Assessment results are entered into eMASS
Phase 2 Preparation:
Organizations expecting Level 2 certification requirements should prepare early
Select and engage a C3PAO
Conduct readiness assessments
Ensure all controls are fully implemented and documented
Phase 3: Level 3 Certification Begins (Month 24)
Phase 3 begins 24 months after Phase 1 (approximately November 2027).
Phase 3 Characteristics:
Some solicitations will require CMMC Level 3 certification assessments conducted by DIBCAC
The DoD may opt to delay Level 3 certification requirements in some contracts to option periods
Organizations must first achieve Final Level 2 status
Assessment results are entered into eMASS
Phase 3 Preparation:
Organizations expecting Level 3 requirements should achieve Level 2 certification first
Implement enhanced Level 3 controls
Prepare for government-led assessment
Ensure mature security program is in place
Phase 4: Full Implementation (Month 36)
Phase 4 begins 36 months after Phase 1 (approximately November 2028).
Phase 4 Characteristics:
All solicitations and contracts will include applicable CMMC level requirements as a condition of contract award
CMMC becomes a standard requirement across all DoD contracting
Organizations without appropriate CMMC certification cannot compete for contracts
Phase 4 Preparation:
All DIB contractors should have achieved appropriate CMMC levels
Maintain ongoing compliance
Prepare for recurring assessments every three years
Planning for Phased Rollout
Organizations should plan for the phased rollout:
Immediate Actions (Now - Phase 1):
Conduct gap assessments
Begin implementing controls
Develop documentation
Prepare for self-assessments
Short-Term Actions (Phase 1 - Phase 2):
Complete control implementation
Conduct self-assessments
Enter results in SPRS
Prepare for certification assessments if required
Medium-Term Actions (Phase 2 - Phase 3):
Undergo certification assessments as required
Achieve Final CMMC Status
Maintain ongoing compliance
Prepare for Level 3 if required
Long-Term Actions (Phase 3 - Phase 4):
Achieve all required CMMC levels
Establish continuous compliance processes
Prepare for recurring assessments
Early Implementation Considerations
In some procurements, the DoD may implement CMMC requirements in advance of the planned phase.
Early Implementation Risks:
Some contracts may require certification assessments in Phase 1
Some contracts may require Level 3 certification in Phase 2
Organizations may need to accelerate compliance efforts
Early Implementation Preparation:
Monitor solicitations closely for CMMC requirements
Be prepared to accelerate compliance efforts if needed
Maintain flexibility in compliance planning
Consider achieving higher levels earlier to maximize competitiveness
Part 8: Resources and Next Steps
Official Resources and References
Various official resources and references can help organizations achieve CMMC compliance.
DoD CIO CMMC Website and Documentation
The DoD CIO CMMC website is the primary source of official information about the CMMC program.
Key Resources:
CMMC Model Overview (Version 2.13)
CMMC Assessment Guides (Levels 1, 2, and 3)
CMMC Scoping Guides (Levels 1, 2, and 3)
CMMC Hashing Guide
CMMC 101 Brief
Technical Implementation Requirements
Levels Determination Brief
NIST Publications
NIST publications provide the foundation for CMMC security requirements.
NIST SP 800-171 Revision 2: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" - Foundation for CMMC Level 2
NIST SP 800-171A: "Assessing Security Requirements for Controlled Unclassified Information" - Provides assessment objectives
NIST SP 800-172: "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171" - Foundation for CMMC Level 3
NIST SP 800-61: "Computer Security Incident Handling Guide" - Guidance for incident response
CMMC Accreditation Body Resources
The Cyber AB website provides resources for finding assessors and training.
Key Resources:
C3PAO Marketplace
Training provider directory
CMMC Assessment Process (CAP) documentation
Certification information for CCPs, CCAs, and CCIs
Federal Acquisition Regulation Clauses
FAR clauses establish requirements for federal contractors.
FAR 52.204-21: "Basic Safeguarding of Covered Contractor Information Systems" - Foundation for CMMC Level 1
Defense Federal Acquisition Regulation Supplement
DFARS clauses establish DoD-specific requirements.
DFARS 252.204-7012: "Safeguarding Covered Defense Information and Cyber Incident Reporting" - Requires NIST SP 800-171 implementation
DFARS 252.204-7019: "Notice of NIST SP 800-171 DoD Assessment Requirements" - Requires self-assessment in SPRS
DFARS 252.204-7020: "NIST SP 800-171 DoD Assessment Requirements" - Provides government access for assessments
DFARS 252.204-7021: "Cybersecurity Maturity Model Certification Requirements" - Implements CMMC program requirements
Code of Federal Regulations
32 CFR Part 170 is the final rule that codifies the CMMC program requirements.
32 CFR Part 170: "Cybersecurity Maturity Model Certification (CMMC) Program"
Training and Professional Development
Various training and professional development opportunities are available for individuals who want to learn about CMMC or become CMMC professionals.
Defense Acquisition University Courses
The Defense Acquisition University (DAU) offers free online CMMC training courses.
CYB-1010: "Introduction to CMMC" - Overview of the CMMC program
CYB-1030: "CMMC for Contractors" - Detailed guidance for contractors seeking compliance
CMMC Certified Professional (CCP) Certification
The CCP certification is designed for individuals who want to assist organizations in preparing for CMMC assessments.
Requirements:
Relevant degree or equivalent experience
CompTIA A+ certification or equivalent
CUI training completion
CCP training course completion
Passing score on CCP exam
Certification Body: CAICO (accredited by Cyber AB)
Benefits:
Demonstrate CMMC knowledge
Assist organizations with compliance preparation
Foundation for CCA certification
CMMC Certified Assessor (CCA) Certification
The CCA certification is designed for individuals who want to conduct CMMC assessments.
Requirements:
CCP certification
Three years of relevant cybersecurity experience
CCA training course completion
Passing score on CCA exam
Affiliation with an authorized C3PAO in order to take part in certification assessments
Certification Body: CAICO (accredited by Cyber AB)
Benefits:
Conduct CMMC assessments
Work for C3PAOs
Advanced career opportunities in CMMC
Vendor Training Programs
Many vendors offer training programs on CMMC and related topics.
Training Topics:
CMMC framework and requirements
NIST SP 800-171 implementation
Specific security controls
Assessment preparation
Cloud security for CMMC
Vendors:
Microsoft (GCC High training)
Amazon Web Services (GovCloud training)
Security consulting firms
C3PAOs
Industry Conferences and Events
Industry conferences and events provide opportunities to learn from experts and network with peers.
Relevant Conferences:
RSA Conference
Black Hat
DEF CON
NDIA Cybersecurity Conferences
CMMC-specific events hosted by Cyber AB
Benefits:
Learn about latest developments
Network with CMMC professionals
Hear case studies and best practices
Meet potential vendors and partners
Building Your Action Plan
The final step in your CMMC compliance journey is to build an action plan that will guide you through the implementation process.
30-60-90 Day Implementation Plan
A 30-60-90 day implementation plan breaks down the compliance effort into manageable chunks.
First 30 Days:
Conduct gap assessment
Determine required CMMC level
Assemble CMMC team
Develop high-level roadmap
Identify quick wins
Begin executive communication
Days 31-60:
Develop detailed implementation plan
Begin implementing quick wins
Start policy and procedure development
Begin asset inventory
Initiate vendor assessments
Develop budget
Days 61-90:
Continue control implementation
Complete policy and procedure development
Complete asset inventory
Begin evidence collection
Conduct initial training
Review progress and adjust plan
Quick Wins and Early Priorities
Identify quick wins and early priorities to build momentum and demonstrate progress.
Quick Wins:
Implement multi-factor authentication
Conduct security awareness training
Enable full disk encryption on laptops
Implement centralized logging
Conduct vulnerability scanning
Update password policies
Early Priorities:
Critical requirements that cannot be on POA&Ms
High-risk gaps identified in gap assessment
Foundational controls that other controls depend on
Controls that require significant time to implement
Long-Term Compliance Strategy
Develop a long-term compliance strategy that outlines how you will maintain CMMC compliance over time.
Long-Term Strategy Components:
Continuous monitoring and maintenance
Regular training and awareness
Periodic risk assessments
Annual affirmations
Recurring assessments every three years
Continuous improvement processes
Adaptation to evolving threats
Measuring Progress and Success
Establish metrics for measuring progress and success.
Progress Metrics:
Number of controls implemented
Number of gaps remediated
Percentage of documentation complete
Percentage of personnel trained
Number of systems in compliance
Success Metrics:
Achievement of CMMC certification
Passing score on assessment
No critical findings
Successful POA&M closeout (if applicable)
Ability to bid on DoD contracts
Adjusting Your Approach Based on Lessons Learned
Be flexible and adjust your approach based on lessons learned.
Lessons Learned Process:
Regular review of progress
Identification of what is working and what is not
Adjustment of plans and approaches
Documentation of lessons learned
Sharing of lessons learned with team
Application of lessons to future efforts
Appendices
Appendix A: CMMC Level 1 Requirements
The following table lists the 15 security requirements for CMMC Level 1, derived from FAR clause 52.204-21:
| Req-ID | Requirement Description |
|---|---|
| AC.L1-b.1.i | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
| AC.L1-b.1.ii | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| AC.L1-b.1.iii | Verify and control/limit connections to and use of external information systems. |
| AC.L1-b.1.iv | Control information posted or processed on publicly accessible information systems. |
| IA.L1-b.1.v | Identify information system users, processes acting on behalf of users, or devices. |
| IA.L1-b.1.vi | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| MP.L1-b.1.vii | Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. |
| PE.L1-b.1.viii | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. |
| PE.L1-b.1.ix | Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. |
| SC.L1-b.1.x | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
| SC.L1-b.1.xi | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
| SI.L1-b.1.xii | Identify, report, and correct information and information system flaws in a timely manner. |
| SI.L1-b.1.xiii | Provide protection from malicious code at appropriate locations within organizational information systems. |
| SI.L1-b.1.xiv | Update malicious code protection mechanisms when new releases are available. |
| SI.L1-b.1.xv | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. |
Appendix B: CMMC Level 2 Requirements
CMMC Level 2 includes 110 security requirements from NIST SP 800-171 Rev 2, organized into 14 domains:
Access Control (AC) - 22 Requirements
Awareness and Training (AT) - 3 Requirements
Audit and Accountability (AU) - 9 Requirements
Configuration Management (CM) - 9 Requirements
Identification and Authentication (IA) - 11 Requirements
Incident Response (IR) - 3 Requirements
Maintenance (MA) - 6 Requirements
Media Protection (MP) - 9 Requirements
Personnel Security (PS) - 2 Requirements
Physical Protection (PE) - 6 Requirements
Risk Assessment (RA) - 3 Requirements
Security Assessment (CA) - 4 Requirements
System and Communications Protection (SC) - 16 Requirements
System and Information Integrity (SI) - 7 Requirements
Appendix C: CMMC Level 3 Requirements
CMMC Level 3 includes all 110 requirements from Level 2, plus a subset of 24 requirements from NIST SP 800-172. These enhanced requirements provide protection against Advanced Persistent Threats (APTs).
The 24 Level 3 requirements are drawn from ten of the NIST SP 800-172 families; there are no enhanced requirements in the AU, MA, MP, or PE domains. Each carries an "e" suffix in its identifier (for example AC.L3-3.1.1e). By domain, they cover:
Access Control (AC)
Restricting system access to organizationally controlled assets and securing transfers of CUI between security domains
Awareness and Training (AT)
Advanced threat awareness training and practical training exercises
Configuration Management (CM)
An authoritative software repository, automated detection and remediation of misconfigured or unauthorized components, and automated asset inventory
Identification and Authentication (IA)
Bidirectional authentication and blocking of untrusted assets
Incident Response (IR)
Security operations center and cyber incident response team capabilities
Personnel Security (PS)
Handling of adverse information about personnel with access to CUI
Risk Assessment (RA)
Threat-informed risk assessment, threat hunting, and supply chain risk management
Security Assessment (CA)
Penetration testing
System and Communications Protection (SC)
Isolation of system components and CUI through physical or logical separation
System and Information Integrity (SI)
Integrity verification of security-critical software, protection of specialized assets, and threat-guided intrusion detection
Note: The authoritative list is Table 1 to 32 CFR 170.14(c)(4); the full text of each requirement and its assessment objectives is in NIST SP 800-172 and the CMMC Level 3 Assessment Guide.
Appendix D: CMMC Glossary, Acronyms and Definitions
This appendix provides comprehensive definitions for all key terms, acronyms, and technical concepts used throughout this guide. Understanding these terms is essential for navigating the CMMC compliance process effectively.
A
ABAC (Attribute-Based Access Control)
An access control method where access rights are granted to users through the use of policies that combine attributes such as user characteristics, resource properties, and environmental conditions.
AC (Access Control)
A security domain covering the limitation of information system access to authorized users, processes, or devices, and the types of transactions and functions that authorized users are permitted to exercise.
AD (Active Directory)
Microsoft's directory service for Windows domain networks, used for identity and access management, authentication, and authorization of users and computers.
AES (Advanced Encryption Standard)
A symmetric encryption algorithm widely used for securing sensitive data. NIST SP 800-171 requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI (requirement 3.13.11); AES implemented in a FIPS 140-validated module is the usual way to meet this.
Annual Affirmation
A yearly statement required from organizations with CMMC certification confirming they have maintained their cybersecurity posture and compliance. Failure to submit annual affirmation results in expiration of CMMC status.
APT (Advanced Persistent Threat)
A prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period. CMMC Level 3 is specifically designed to protect against APTs.
Assessment Objectives
Specific criteria from NIST SP 800-171A used to evaluate whether security requirements are properly implemented. Each CMMC requirement has associated assessment objectives that assessors use during evaluations.
Assessment Scope
The boundaries of what will be assessed during a CMMC assessment, including systems, networks, facilities, and processes that handle CUI or FCI. Proper scoping is critical for assessment success.
AT (Awareness and Training)
A security domain covering security awareness education and role-based security training for personnel with assigned security roles and responsibilities.
AU (Audit and Accountability)
A security domain covering the creation, protection, and retention of information system audit records necessary to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AWS (Amazon Web Services)
A comprehensive cloud computing platform provided by Amazon. AWS GovCloud and other FedRAMP-authorized AWS services are commonly used by DIB contractors for CMMC compliance.
B
Baseline Configuration
A documented set of specifications for an information system that has been formally reviewed and agreed upon, serving as a basis for future builds, releases, and changes. Required under the Configuration Management domain.
C
C3PAO (Certified Third-Party Assessment Organization)
Organizations accredited by the Cyber AB to conduct CMMC Level 2 certification assessments on DIB contractors. C3PAOs must maintain ISO/IEC 17020 accreditation.
CA (Security Assessment)
A security domain covering the assessment of security controls to determine effectiveness and remediation of deficiencies. Includes periodic assessments and continuous monitoring activities.
CAICO (Cybersecurity Assessor and Instructor Certification Organization)
An organization accredited by the Cyber AB to certify CMMC assessors and instructors, operating in compliance with ISO/IEC 17024 standards.
CCA (CMMC Certified Assessor)
Individuals qualified to conduct CMMC assessments as part of a C3PAO team. CCAs must first obtain CCP certification, then complete additional training and demonstrate relevant experience.
CCI (CMMC Certified Instructor)
Individuals qualified to provide CMMC training to organizations and individuals seeking to understand or prepare for CMMC compliance.
CCP (CMMC Certified Professional)
Individuals qualified to assist organizations in preparing for CMMC assessments, including gap assessments, remediation planning, and documentation preparation. CCPs cannot conduct official CMMC assessments.
CFR (Code of Federal Regulations)
The codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the federal government. 32 CFR Part 170 contains CMMC regulations.
Change Control
A systematic approach to managing all changes made to a system, ensuring that no unnecessary changes are made, all changes are documented, tested, and approved before implementation.
CIO (Chief Information Officer)
An executive responsible for the information technology and computer systems that support enterprise goals. The DoD CIO oversees the CMMC Program Management Office.
CIS (Center for Internet Security)
A nonprofit organization that develops cybersecurity best practices and standards, including the CIS Controls and CIS Benchmarks, which align with many CMMC requirements.
CM (Configuration Management)
A security domain covering baseline configurations and monitoring of information system changes, including configuration settings, change control processes, and least functionality principles.
CMMC (Cybersecurity Maturity Model Certification)
A comprehensive framework established by the U.S. Department of Defense to enforce the protection of sensitive unclassified information shared with its contractors and subcontractors through a tiered certification model.
Compensating Controls
Alternative security measures implemented when a standard control cannot be implemented as specified, providing equivalent or comparable protection. Compensating controls must be documented in the SSP and approved by assessors.
Conditional CMMC Status
A status achieved when an organization has a passing score on its assessment but has some remaining items on its Plan of Action and Milestones (POA&M). Valid for 180 days, during which POA&M items must be closed.
CRMA (Contractor Risk Managed Asset)
Assets that can, but are not intended to, process, store, or transmit CUI because of the security policies, procedures, and practices in place. CRMAs are documented in the asset inventory, SSP, and network diagram and are not required to be separated from CUI assets; they are not assessed against the CMMC requirements unless the assessor's review of the documentation indicates that they are at risk of handling CUI.
CSP (Cloud Service Provider)
A company that offers network services, infrastructure, or business applications in the cloud. CSPs used for CUI must meet FedRAMP authorization requirements or equivalent.
CTI (Controlled Technical Information)
A subset of CUI that includes technical data with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
CUI (Controlled Unclassified Information)
Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Cyber AB (CMMC Accreditation Body)
A non-profit organization responsible for accrediting and overseeing the CMMC ecosystem, including C3PAOs and CAICO. The Cyber AB operates in compliance with ISO/IEC 17011 standards.
D
DAU (Defense Acquisition University)
The corporate university of the Department of Defense providing training and career management for the acquisition workforce. DAU offers CMMC-related training courses.
DC3 (DoD Cyber Crime Center)
A DoD organization that provides cyber forensics, investigative, and analytical services. DIB contractors must report cyber incidents to DC3 through the DIBNet portal.
DCMA (Defense Contract Management Agency)
A component of the U.S. Department of Defense that works directly with defense contractors. DCMA houses the DIBCAC, which conducts Level 3 assessments.
DFARS (Defense Federal Acquisition Regulation Supplement)
Regulations that supplement the Federal Acquisition Regulation (FAR) for Department of Defense acquisitions. Key DFARS clauses include 252.204-7012 (CUI protection and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD assessments and SPRS scores), and 252.204-7021 (CMMC requirement).
DIB (Defense Industrial Base)
A vast network of over 220,000 companies that contribute to the research, development, and production of U.S. military capabilities, ranging from large prime contractors to small suppliers.
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)
A government organization within the Defense Contract Management Agency (DCMA) responsible for conducting CMMC Level 2 certification assessments on C3PAOs and CMMC Level 3 certification assessments on DIB contractors.
DISA (Defense Information Systems Agency)
A combat support agency of the U.S. Department of Defense providing IT and communications support. DISA publishes the Security Technical Implementation Guides (STIGs) commonly used as hardening baselines. The SPRS system used for CMMC reporting is operated by the Naval Sea Logistics Center, not by DISA.
DMZ (Demilitarized Zone)
A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, typically the internet, while keeping the internal network secure.
DoD (Department of Defense)
The United States federal department responsible for coordinating and supervising all agencies and functions of the government directly related to national security and the military.
E
EDR (Endpoint Detection and Response)
Cybersecurity technology that continuously monitors end-user devices to detect and respond to cyber threats such as ransomware and malware. EDR solutions help meet several CMMC requirements.
eMASS (Enterprise Mission Assurance Support Service)
A DoD system used to manage the CMMC certification assessment process and assessment artifacts. C3PAOs and DIBCAC submit assessment results through eMASS.
Enclave
A set of system resources that operate in the same security domain and share the protection of a single, common, continuous security perimeter. The enclave approach is one scoping strategy for CMMC assessments.
ESP (External Service Provider)
Third-party organizations that process, store, or transmit CUI, or security protection data, on behalf of a DIB contractor. Under 32 CFR Part 170 the services an ESP provides are included in the contractor's assessment scope; ESPs that are cloud service providers handling CUI must hold FedRAMP Moderate (or equivalent) authorization.
F
FAR (Federal Acquisition Regulation)
The principal set of rules governing the federal acquisition process in the United States. FAR clause 52.204-21 establishes basic safeguarding requirements for FCI.
FCI (Federal Contract Information)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Protected at CMMC Level 1.
FedRAMP (Federal Risk and Authorization Management Program)
A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Cloud providers that store, process, or transmit CUI must hold a FedRAMP Moderate authorization or meet DoD's FedRAMP Moderate equivalency requirements.
FIDO2 (Fast Identity Online 2)
An open authentication standard that enables passwordless authentication using biometrics or security keys. FIDO2 can be used to meet MFA requirements.
Final CMMC Status
A status achieved when an organization has a passing score on its assessment with no POA&M items, or when POA&M items have been successfully closed within 180 days. Valid for three years from the CMMC Status Date.
FIPS 140-2 (Federal Information Processing Standard 140-2)
A U.S. government security standard used to approve cryptographic modules. Being phased out in favor of FIPS 140-3.
FIPS 140-3 (Federal Information Processing Standard 140-3)
The updated version of FIPS 140-2, providing requirements for cryptographic modules. CMMC requires FIPS-validated cryptography for protecting CUI at rest and in transit.
Flow-Down Requirements
The requirement for prime contractors to ensure that subcontractors at all tiers meet the same CMMC level requirements when handling FCI or CUI. Prime contractors are responsible for verifying subcontractor compliance.
G
GCC (Government Community Cloud)
Cloud environments designed specifically for government agencies and contractors handling sensitive data. Examples include Microsoft 365 GCC High and Azure Government.
GFE (Government-Furnished Equipment)
Equipment owned by the government and provided to a contractor for use in performing a contract. GFE handling CUI must be included in assessment scope.
I
IA (Identification and Authentication)
A security domain covering the identification and authentication of users and devices as a prerequisite to allowing access to organizational information systems.
IDS (Intrusion Detection System)
A device or software application that monitors a network or systems for malicious activity or policy violations and generates alerts for security personnel.
IEC (International Electrotechnical Commission)
An international standards organization that prepares and publishes international standards for electrical and electronic technologies. ISO/IEC standards are referenced in CMMC accreditation requirements.
IoT (Internet of Things)
Network-connected devices that collect, transmit, or process data. IoT devices in the assessment scope must meet CMMC security requirements.
IPS (Intrusion Prevention System)
A network security technology that examines network traffic flows to detect and prevent vulnerability exploits by blocking malicious traffic in real-time.
IR (Incident Response)
A security domain covering the establishment of an operational incident handling capability for organizational information systems, including preparation, detection, analysis, containment, recovery, and reporting.
ISO (International Organization for Standardization)
An international standard-setting body composed of representatives from various national standards organizations. ISO standards are used for C3PAO and CAICO accreditation.
IT (Information Technology)
The use of computers to store, retrieve, transmit, and manipulate data or information, typically in the context of a business or enterprise.
ITAR (International Traffic in Arms Regulations)
U.S. regulations that control the export and import of defense-related articles and services. ITAR-controlled information is a category of CUI requiring CMMC Level 2 or 3.
L
Least Functionality
The principle of configuring systems to provide only essential capabilities and prohibiting or restricting the use of unnecessary functions, ports, protocols, and services.
M
MA (Maintenance)
A security domain covering the performance of maintenance on organizational systems and control of maintenance tools, including both preventive and corrective maintenance.
MAC (Media Access Control)
A unique identifier assigned to network interfaces for communications on the physical network segment. Also refers to Mandatory Access Control in some security contexts.
MDM (Mobile Device Management)
Software that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoints. MDM is the usual means of meeting the NIST SP 800-171 requirements to control the connection of mobile devices and to encrypt CUI on them.
MEP (Manufacturing Extension Partnership)
A national network that exists to strengthen U.S. manufacturing competitiveness. MEP centers provide cybersecurity assistance to small manufacturers pursuing CMMC compliance.
MFA (Multi-Factor Authentication)
An authentication method that requires two or more verification factors to gain access to a resource, such as combining something you know (password) with something you have (token) or something you are (biometric).
MP (Media Protection)
A security domain covering the protection and control of information system media during transport, storage, use, and disposal, including both digital and non-digital media.
MSP (Managed Service Provider)
A company that remotely manages a customer's IT infrastructure and end-user systems. MSPs that handle CUI are considered External Service Providers and must meet CMMC requirements.
N
NDAA (National Defense Authorization Act)
A federal law specifying the annual budget and expenditures of the U.S. Department of Defense. Section 1648 of the FY2020 NDAA directed the creation of the CMMC program.
NDIA (National Defense Industrial Association)
A trade association for the U.S. government and defense industrial base, providing resources and advocacy for defense contractors.
NIST (National Institute of Standards and Technology)
A U.S. federal agency that develops technology, metrics, and standards to drive innovation and economic competitiveness. NIST cybersecurity standards form the foundation of CMMC.
NIST SP 800-171
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." The standard that forms the basis for CMMC Level 2 requirements (110 security requirements across 14 domains).
NIST SP 800-171A
NIST Special Publication 800-171A, assessment procedures for NIST SP 800-171, providing assessment objectives and methods for verifying implementation of security requirements.
NIST SP 800-172
NIST Special Publication 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information." A supplement to NIST SP 800-171 that provides enhanced security requirements for CMMC Level 3 (24 additional requirements).
O
Organization-Defined Parameters
Specific values or settings that an organization must define based on their risk assessment and operational needs. Examples include password length, session timeout periods, and audit log retention periods.
OSA (Organization Seeking Assessment)
The organization that is undergoing a CMMC assessment, whether self-assessment or certification assessment.
OT (Operational Technology)
Hardware and software that detects or causes a change through direct monitoring and control of physical devices, processes, and events. OT systems handling CUI must meet CMMC requirements.
P
PAM (Privileged Access Management)
Security solutions that help organizations control and monitor privileged access to critical systems and data, including management of administrative accounts and elevated permissions.
PE (Physical Protection)
A security domain covering the protection of physical facilities and equipment from unauthorized access, environmental hazards, and other physical threats.
PMO (Program Management Office)
The DoD Chief Information Officer CMMC Program Management Office responsible for overall oversight and management of the CMMC program, including development of assessment guides and program policies.
POA&M (Plan of Action and Milestones)
A document that identifies an organization's plan to correct deficiencies identified during a CMMC assessment, including specific milestones, responsible parties, and completion dates. Must be closed within 180 days.
PS (Personnel Security)
A security domain covering personnel screening, termination procedures, and protection of information during personnel actions such as transfers and terminations.
PTAC (Procurement Technical Assistance Center)
Organizations that provide assistance to businesses seeking government contracts, including guidance on CMMC requirements and compliance strategies.
R
RA (Risk Assessment)
A security domain covering the assessment of risk to organizational operations, organizational assets, and individuals resulting from the operation of information systems and the processing, storage, or transmission of CUI.
RBAC (Role-Based Access Control)
An approach to restricting system access to authorized users based on their role within an organization, ensuring users have only the permissions necessary for their job functions.
RSA (Rivest-Shamir-Adleman)
A public-key cryptosystem widely used for secure data transmission. RSA encryption must use FIPS-validated implementations when protecting CUI.
S
SBIR (Small Business Innovation Research)
A U.S. government program intended to help certain small businesses conduct research and development. SBIR participants handling CUI must meet CMMC requirements.
SC (System and Communications Protection)
A security domain covering the monitoring, control, and protection of communications at system boundaries and key internal boundaries within organizational information systems.
SHA (Secure Hash Algorithm)
A family of cryptographic hash functions designed by the National Security Agency. SHA-256 and higher are acceptable for CMMC compliance; SHA-1 is deprecated.
Shared Responsibility Matrix (SRM)
A document that clearly delineates the security responsibilities between an organization and its service providers, particularly cloud service providers. Required for all External Service Provider relationships.
SI (System and Information Integrity)
A security domain covering the identification, reporting, and correction of information system flaws in a timely manner, including malware protection, system monitoring, and security alerts.
SIEM (Security Information and Event Management)
Technology that provides real-time analysis of security alerts generated by applications and network hardware, supporting centralized log management and security monitoring requirements.
SOC (Security Operations Center)
A centralized unit that deals with security issues on an organizational and technical level, monitoring and analyzing security events and coordinating incident response.
SPA (Security Protection Asset)
Assets specifically designated to provide security functions for the information system, such as firewalls, authentication servers, and security monitoring tools.
SPD (Security Protection Data)
Data specifically created or used for security purposes, such as audit logs, authentication credentials, and encryption keys. SPD requires additional protection.
SPRS (Supplier Performance Risk System)
A DoD system used to collect and manage information about DoD contractors, including their CMMC assessment results, self-assessment scores, and POA&M status.
SSP (System Security Plan)
A comprehensive document that describes the security controls implemented or planned for an information system, required for CMMC compliance. The SSP maps organizational security practices to CMMC requirements.
STIG (Security Technical Implementation Guide)
Configuration standards developed by DISA for securing information systems and software. STIGs provide detailed technical guidance that can help meet CMMC requirements.
STTR (Small Business Technology Transfer)
A U.S. government program that expands funding opportunities in the federal innovation research and development arena. STTR participants handling CUI must meet CMMC requirements.
T
TLS (Transport Layer Security)
A cryptographic protocol designed to provide communications security over a computer network. CMMC requires FIPS-validated TLS 1.2 or higher for protecting CUI in transit.
V
VDI (Virtual Desktop Infrastructure)
A virtualization technology that hosts desktop environments on a centralized server, allowing users to access their desktop from any device. VDI is commonly used to create secure enclaves for CUI access.
VLAN (Virtual Local Area Network)
A logical grouping of network devices that allows network segmentation without physical separation. VLANs can be used to isolate CUI environments from other networks.
VoIP (Voice over Internet Protocol)
Technology that allows voice communications over internet protocol networks. VoIP systems handling CUI discussions must meet CMMC security requirements.
VPN (Virtual Private Network)
A secure network connection that uses encryption to create a private network over a public network. VPNs are commonly used for remote access to CUI environments and must use FIPS-validated encryption.
W
WPA2 (Wi-Fi Protected Access 2)
A security protocol developed to secure wireless networks. WPA2 with AES encryption is the minimum acceptable standard for wireless networks in CMMC environments.
WPA3 (Wi-Fi Protected Access 3)
The latest Wi-Fi security protocol, providing improved security over WPA2, including stronger encryption and protection against brute-force attacks. Recommended for new wireless deployments.
Additional Key Terms
Assessment Boundary
The logical and physical perimeter that defines what is included in and excluded from a CMMC assessment. Clearly defining the assessment boundary is critical for scoping.
Certification Assessment
A formal CMMC assessment conducted by an independent third party (C3PAO for Level 2, DIBCAC for Level 3) that results in official CMMC certification.
CMMC Level 1 (Foundational)
The entry-level CMMC certification focused on basic safeguarding of Federal Contract Information (FCI), consisting of 15 security requirements derived from FAR 52.204-21.
CMMC Level 2 (Advanced)
The intermediate CMMC certification designed for protection of Controlled Unclassified Information (CUI), incorporating 110 security requirements from NIST SP 800-171 across 14 domains.
CMMC Level 3 (Expert)
The highest CMMC certification level intended for organizations handling CUI at risk from Advanced Persistent Threats (APTs), including all Level 2 requirements plus 24 enhanced requirements from NIST SP 800-172.
CMMC Marketplace
An online platform maintained by the Cyber AB where organizations can find certified C3PAOs, CCPs, CCAs, and training providers.
CMMC Status Date
The date on which an organization achieves CMMC certification, marking the beginning of the three-year certification validity period.
Data Flow Diagram
A graphical representation showing how CUI moves through an organization's systems, networks, and processes. Required documentation for CMMC assessments.
Gap Assessment
An evaluation comparing an organization's current cybersecurity posture against CMMC requirements to identify deficiencies that must be remediated before formal assessment.
In-Scope Assets
Systems, networks, facilities, and personnel that are included within the CMMC assessment boundary because they process, store, or transmit CUI or provide security functions.
Out-of-Scope Assets
Systems and resources that are excluded from the CMMC assessment boundary because they do not process, store, or transmit CUI and are properly isolated from in-scope assets.
Readiness Assessment
A practice assessment conducted before the formal CMMC assessment to verify that all requirements are met and documentation is complete. Often conducted by CCPs.
Self-Assessment
A CMMC assessment conducted by the organization itself, required for Level 1 and permitted for some Level 2 contracts as specified in the solicitation.
The 14 Domains
The organizational structure of CMMC requirements, consisting of: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment (CA), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical Protection (PE), Personnel Security (PS), Risk Assessment (RA), System and Communications Protection (SC), and System and Information Integrity (SI).
This glossary is based on official CMMC documentation, NIST standards, and DoD guidance current as of October 2025. Terms and definitions are subject to updates as the CMMC program evolves.
Appendix E: Assessment Preparation Checklist
Use this checklist to ensure you are prepared for your CMMC assessment:
Documentation Preparation
System Security Plan (SSP) is complete and current
All required policies are developed and approved
All required procedures are developed and approved
Asset inventory is complete and current
Network diagrams are complete and current
Data flow diagrams are complete and current
All evidence has been collected and organized
Evidence is properly indexed and cross-referenced
Hash manifest has been created for all artifacts
All documentation has been reviewed for accuracy
Control Implementation
All required security controls have been implemented
All controls have been tested and verified
All critical requirements are fully implemented (no POA&Ms)
Configuration baselines have been established
Systems are patched and up to date
All systems are functioning properly
Access controls are properly configured
Multi-factor authentication is implemented
Encryption is properly configured
Audit logging is properly configured
Centralized log management is implemented
Security monitoring is operational
Incident response plan is developed and tested
Backup and recovery procedures are in place
Personnel Preparation
All personnel have been trained on security responsibilities
Personnel are prepared for assessment interviews
Key personnel are available during assessment period
Roles and responsibilities are clearly defined
Contact information for all key personnel is current
Vendor and Third-Party Management
All vendors and service providers have been identified
Vendor security assessments have been conducted
Shared Responsibility Matrices have been developed
Vendor CMMC compliance has been verified
Vendor contracts include appropriate security requirements
Technical Environment
Assessment scope is properly defined
Assessment boundary is clearly marked
Network segmentation is properly implemented
Boundary controls are functioning properly
All in-scope systems are identified and documented
Specialized assets and CRMAs are properly documented
Logistics
Assessment has been scheduled with C3PAO (if applicable)
Meeting spaces have been arranged
Remote access has been configured (if remote assessment)
All stakeholders have been notified of assessment schedule
Assessment artifacts are ready for submission
Final Checks
Mock assessment has been conducted
All findings from mock assessment have been addressed
Final documentation review has been completed
Final control review has been completed
Executive briefing has been conducted
Contingency plans are in place for potential issues
Appendix F: Sample Templates
Sample System Security Plan (SSP) Outline
- Introduction
1.1 Purpose
1.2 Scope
1.3 Document Organization
- System Description
2.1 System Name and Identifier
2.2 System Purpose and Function
2.3 System Owner and Authorizing Official
2.4 System Environment
- Assessment Scope
3.1 Assessment Boundary
3.2 In-Scope Assets
3.3 Out-of-Scope Assets and Justification
3.4 Asset Categorization
- System Architecture
4.1 Network Diagrams
4.2 Data Flow Diagrams
4.3 System Components
4.4 External Connections
- Security Control Implementation
5.1 Access Control (AC)
5.2 Awareness and Training (AT)
5.3 Audit and Accountability (AU)
5.4 Configuration Management (CM)
5.5 Identification and Authentication (IA)
5.6 Incident Response (IR)
5.7 Maintenance (MA)
5.8 Media Protection (MP)
5.9 Personnel Security (PS)
5.10 Physical Protection (PE)
5.11 Risk Assessment (RA)
5.12 Security Assessment (CA)
5.13 System and Communications Protection (SC)
5.14 System and Information Integrity (SI)
- External Service Providers
6.1 ESP Inventory
6.2 Shared Responsibility Matrices
6.3 ESP Compliance Verification
- Appendices
A. Asset Inventory
B. Acronyms and Definitions
C. References
Sample Policy Template
[ORGANIZATION NAME]
[POLICY NAME]
Version: [X.X]
Effective Date: [Date]
Review Date: [Date]
- PURPOSE
[State the purpose of the policy]
- SCOPE
[Define what and who the policy applies to]
- POLICY STATEMENT
[High-level statement of the organization's position]
- ROLES AND RESPONSIBILITIES
[Define who is responsible for what]
- REQUIREMENTS
[Specific requirements that must be met]
- ENFORCEMENT
[Consequences of non-compliance]
- EXCEPTIONS
[Process for requesting exceptions]
- DEFINITIONS
[Key terms and definitions]
- RELATED DOCUMENTS
[References to related policies and procedures]
- REVISION HISTORY
[Track changes to the policy]
Approved by:
[Name, Title, Date]
Sample Procedure Template
[ORGANIZATION NAME]
[PROCEDURE NAME]
Version: [X.X]
Effective Date: [Date]
- PURPOSE
[Why this procedure exists]
- SCOPE
[What this procedure covers]
- ROLES AND RESPONSIBILITIES
[Who does what]
- PREREQUISITES
[What must be in place before starting]
- PROCEDURE STEPS
Step 1: [Action]
Step 2: [Action]
Step 3: [Action]
[Continue as needed]
- FREQUENCY
[How often this procedure is performed]
- DOCUMENTATION
[What records must be maintained]
- REFERENCES
[Related policies, procedures, standards]
- REVISION HISTORY
[Track changes to the procedure]
Sample POA&M Template
Plan of Action and Milestones (POA&M)
Organization: [Name]
Assessment Date: [Date]
POA&M Date: [Date]
Requirement ID: [e.g., AC.L2-3.1.3]
Requirement Description: [Full text of requirement]
Finding Description:
[Detailed description of the deficiency]
Risk Assessment:
Impact: [High/Medium/Low]
Likelihood: [High/Medium/Low]
Overall Risk: [High/Medium/Low]
Remediation Plan:
[Detailed plan for correcting the deficiency]
Resources Required:
- [Resource 1]
- [Resource 2]
Responsible Party: [Name, Title]
Milestones:
- [Milestone 1] - [Target Date]
- [Milestone 2] - [Target Date]
- [Milestone 3] - [Target Date]
Target Completion Date: [Date - must be within 180 days]
Status: [Not Started / In Progress / Complete]
Notes:
[Any additional information]
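As an added example (not part of the guide), a small Python validator for a POA&M record written in the template layout above: it parses the "Field: value" lines and milestone bullets, enforces the 180-day deadline the template states, and checks the constrained field values. The YYYY-MM-DD date format, the requirement ID pattern and the sample values are assumptions.

```python
"""Validate a POA&M record laid out like the sample template (added example)."""
from __future__ import annotations

import re
from datetime import date, datetime

MAX_REMEDIATION_DAYS = 180          # deadline stated in the template
RISK_LEVELS = {"High", "Medium", "Low"}
STATUSES = {"Not Started", "In Progress", "Complete"}
# Assumed ID shape, following the template's example "AC.L2-3.1.3"
REQ_ID = re.compile(r"^[A-Z]{2}\.L[123]-\d+\.\d+\.\d+$")
DATE_FMT = "%Y-%m-%d"               # assumed date format

# Constructed sample record filled in from the template (hypothetical values)
SAMPLE_POAM = """\
Organization: Example Defense Contractor (hypothetical)
Assessment Date: 2025-10-01
POA&M Date: 2025-10-03
Requirement ID: AC.L2-3.1.3
Requirement Description: Control the flow of CUI in accordance with approved authorizations
Impact: High
Likelihood: Medium
Overall Risk: High
Responsible Party: J. Doe, IT Manager
Milestones:
- Deploy VLAN segmentation for the CUI enclave - 2025-11-15
- Validate boundary firewall rules in a readiness assessment - 2026-01-10
Target Completion Date: 2026-03-15
Status: In Progress
"""


def parse_date(value: str) -> date | None:
    """Return the date for a template date field, or None if it does not parse."""
    try:
        return datetime.strptime(value, DATE_FMT).date()
    except ValueError:
        return None


def parse_poam(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; '- text - date' bullets become milestones."""
    record: dict = {"Milestones": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            # Milestone bullet: split on the last " - " so the description may contain dashes
            desc, _, when = line[2:].rpartition(" - ")
            record["Milestones"].append((desc.strip(), when.strip()))
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            if key == "Milestones":
                continue            # the bullets below carry the milestones
            record[key] = value.strip()
    return record


def validate_poam(record: dict) -> list[str]:
    """Return a list of findings; an empty list means the record passes."""
    findings: list[str] = []
    required = ("Assessment Date", "Requirement ID", "Target Completion Date",
                "Status", "Responsible Party")
    missing = [f for f in required if not record.get(f)]
    if missing:
        return [f"missing required field: {f}" for f in missing]
    if not REQ_ID.match(record["Requirement ID"]):
        findings.append(f"requirement ID {record['Requirement ID']!r} is not in the expected form")
    for field in ("Impact", "Likelihood", "Overall Risk"):
        if record.get(field) not in RISK_LEVELS:
            findings.append(f"{field} must be one of {sorted(RISK_LEVELS)}")
    if record["Status"] not in STATUSES:
        findings.append(f"Status must be one of {sorted(STATUSES)}")
    assessed = parse_date(record["Assessment Date"])
    target = parse_date(record["Target Completion Date"])
    if assessed is None or target is None:
        findings.append("Assessment Date and Target Completion Date must be YYYY-MM-DD")
        return findings
    elapsed = (target - assessed).days
    if elapsed > MAX_REMEDIATION_DAYS:
        findings.append(f"target completion is {elapsed} days after assessment; limit is {MAX_REMEDIATION_DAYS}")
    if not record["Milestones"]:
        findings.append("no milestones listed")
    for desc, when in record["Milestones"]:
        due = parse_date(when)
        if due is None:
            findings.append(f"milestone {desc!r} has an unparseable date {when!r}")
        elif due > target:
            findings.append(f"milestone {desc!r} is dated after target completion")
    return findings


if __name__ == "__main__":
    for finding in validate_poam(parse_poam(SAMPLE_POAM)) or ["record passes all checks"]:
        print(finding)
```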
Appendix G: Useful Tools and Software
Security Assessment and Compliance Tools
| Tool | Purpose | Type |
|---|---|---|
| Nessus | Vulnerability scanning | Commercial |
| OpenVAS | Vulnerability scanning | Open Source |
| SCAP Compliance Checker | Configuration compliance | Free (NIST) |
| CIS-CAT | Configuration assessment | Free/Commercial |
| Lynis | Security auditing | Open Source |
Access Control and Identity Management
| Tool | Purpose | Type |
|---|---|---|
| Active Directory | Identity management | Commercial (Microsoft) |
| Azure AD | Cloud identity management | Commercial (Microsoft) |
| Okta | Identity and access management | Commercial |
| Duo Security | Multi-factor authentication | Commercial |
| YubiKey | Hardware MFA tokens | Commercial |
Log Management and SIEM
| Tool | Purpose | Type |
|---|---|---|
| Splunk | SIEM and log management | Commercial |
| Microsoft Sentinel | Cloud-native SIEM | Commercial (Microsoft) |
| Elastic Stack (ELK) | Log management and analysis | Open Source |
| Graylog | Log management | Open Source |
| LogRhythm | SIEM | Commercial |
Endpoint Protection
| Tool | Purpose | Type |
|---|---|---|
| Microsoft Defender | Endpoint protection | Commercial (Microsoft) |
| CrowdStrike Falcon | EDR | Commercial |
| Carbon Black | EDR | Commercial |
| SentinelOne | EDR | Commercial |
| ClamAV | Anti-malware | Open Source |
Configuration Management
| Tool | Purpose | Type |
|---|---|---|
| Microsoft Endpoint Configuration Manager | Configuration management | Commercial (Microsoft) |
| Ansible | Configuration automation | Open Source |
| Puppet | Configuration management | Open Source/Commercial |
| Chef | Configuration management | Open Source/Commercial |
| Tripwire | File integrity monitoring | Commercial |
Network Security
| Tool | Purpose | Type |
|---|---|---|
| pfSense | Firewall | Open Source |
| Cisco Firepower | Next-gen firewall | Commercial |
| Palo Alto Networks | Next-gen firewall | Commercial |
| Snort | Intrusion detection | Open Source |
| Suricata | Intrusion detection | Open Source |
Encryption and Cryptography
| Tool | Purpose | Type |
|---|---|---|
| BitLocker | Full disk encryption | Commercial (Microsoft) |
| FileVault | Full disk encryption (Mac) | Free (Apple) |
| VeraCrypt | Disk encryption | Open Source |
| OpenSSL | Cryptographic library | Open Source |
| GnuPG | Email encryption | Open Source |
Backup and Recovery
| Tool | Purpose | Type |
|---|---|---|
| Veeam | Backup and recovery | Commercial |
| Commvault | Backup and recovery | Commercial |
| Symantec | Backup and recovery | Commercial |
Documentation and Compliance Management
| Tool | Purpose | Type |
|---|---|---|
| GRC platforms (e.g., ServiceNow GRC) | Compliance management | Commercial |
| Confluence | Documentation | Commercial |
| SharePoint | Documentation and collaboration | Commercial (Microsoft) |
| Lucidchart | Diagramming | Commercial |
| Draw.io | Diagramming | Free |
Appendix H: CMMC Ecosystem Contact Information
DoD CMMC Program Management Office
Website: https://dodcio.defense.gov/cmmc/
Email: dodcio.cmmc@mail.mil
CMMC Accreditation Body (Cyber AB)
Website: https://cyberab.org/
Email: info@cyberab.org
Marketplace: https://cyberab.org/marketplace
Defense Contract Management Agency (DCMA) - DIBCAC
Website: https://www.dcma.mil/
DIBCAC Information: Available through DoD CIO CMMC website
Supplier Performance Risk System (SPRS)
Website: https://www.sprs.csd.disa.mil/
Support: SPRS Help Desk available through website
National Institute of Standards and Technology (NIST)
Website: https://www.nist.gov/
CSRC: https://csrc.nist.gov/
SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Defense Acquisition University (DAU)
Website: https://www.dau.edu/
CMMC Courses: Search for "CMMC" in course catalog
DoD Small Business Programs
Website: https://business.defense.gov/
Small Business Resources: https://business.defense.gov/Small-Business-Programs/
Procurement Technical Assistance Centers (PTACs)
Website: https://www.apexaccelerators.us/
Find a PTAC: Use website locator tool
Manufacturing Extension Partnership (MEP)
Website: https://www.nist.gov/mep
Cybersecurity Resources: https://www.nist.gov/mep/cybersecurity
FedRAMP Program Management Office
Website: https://www.fedramp.gov/
Marketplace: https://marketplace.fedramp.gov/
DoD Cyber Crime Center (DC3)
Website: https://www.dc3.mil/
DIBNet (Incident Reporting): https://dibnet.dod.mil
Conclusion
Achieving CMMC compliance is a significant undertaking that requires commitment, resources, and expertise. However, it is also an essential step for any organization that wants to continue doing business with the Department of Defense. The CMMC program represents a fundamental shift in how the DoD ensures the protection of sensitive information across its supply chain, moving from a trust-based model to a verification-based model.
This guide has provided a comprehensive overview of the CMMC program, from understanding the framework and determining your required level to implementing technical controls, preparing for assessments, and maintaining ongoing compliance. The key takeaways from this guide include:
Start Early: The implementation of CMMC begins on November 10, 2025, with a phased rollout over three years. Organizations should begin their compliance efforts immediately to ensure they are ready when CMMC requirements appear in their contracts.
Understand Your Requirements: Carefully determine your required CMMC level based on the type of information you handle and the specific requirements in your contracts. Properly scope your assessment to include all systems that process, store, or transmit CUI while avoiding unnecessary over-scoping.
Implement Comprehensive Controls: CMMC Level 2 includes 110 security requirements across 14 domains. Successful compliance requires implementation of comprehensive security controls, not just superficial checkbox compliance.
Document Everything: Proper documentation is essential for a successful CMMC assessment. Develop a comprehensive System Security Plan, implement all required policies and procedures, and maintain organized evidence of control implementation.
Prepare Thoroughly: Conduct gap assessments, implement remediation plans, and conduct readiness assessments before scheduling your formal CMMC assessment. Proper preparation significantly increases the likelihood of a successful assessment.
Maintain Continuous Compliance: CMMC compliance is not a one-time event but an ongoing process. Implement continuous monitoring, conduct regular training, maintain current documentation, and submit annual affirmations to maintain your CMMC certification.
Leverage Available Resources: Take advantage of the many resources available to help you achieve CMMC compliance, including official DoD guidance, NIST publications, training programs, and professional assistance from CMMC Certified Professionals and C3PAOs.
The path to CMMC compliance may seem daunting, but with proper planning, commitment, and execution, it is achievable for organizations of all sizes. Moreover, the security improvements implemented as part of CMMC compliance will not only help you meet DoD requirements but will also strengthen your overall cybersecurity posture and protect your organization from the growing threat of cyberattacks.
As you embark on your CMMC compliance journey, remember that you are not alone. The CMMC ecosystem includes a wide range of professionals, organizations, and resources dedicated to helping you succeed. By following the guidance in this document and leveraging the available resources, you can achieve CMMC compliance and position your organization for continued success in the Defense Industrial Base.
The time to act is now. Begin your CMMC compliance journey today to ensure you are ready to compete for DoD contracts in the CMMC era.
Document Information
Title: The Ultimate Guide to Achieving CMMC
Version: 4.1
Date: October 12, 2025
Author: IX
Based on: CMMC Complete Document Collection and Internet Research
Sources:
DoD CIO CMMC Program Documentation
NIST SP 800-171 Rev 2
NIST SP 800-171A
NIST SP 800-172
32 CFR Part 170
DFARS Clauses
Industry Best Practices
Disclaimer: This guide is provided for informational purposes only and does not constitute legal or professional advice. Organizations should consult with qualified CMMC professionals, legal counsel, and their contracting officers to ensure they are meeting all applicable requirements. The CMMC program is subject to change, and organizations should always refer to the latest official guidance from the DoD CIO CMMC Program Management Office.