Get Started
Preparing for the CMMC: 5 Step Quick Guide

SaltyCloud Research Team

Updated Sep 16, 2022 Read Time 7 min


The DoD released CMMC 2.0 in 2021 and this guide outlines five practical steps for defense contractors to transition from a NIST 800-171 Basic Assessment to full certification.

In November 2021, the Department of Defense (DoD) released the latest version of CMMC, dubbed “CMMC 2.0,” which introduced several key updates. While defense contractors are already required to conduct a NIST 800-171 Basic Assessment, certification is the next step in their journey.

Getting certified takes time and preparation. This guide covers the five practical steps to go from zero to certified.

Five steps towards CMMC certification


1) Identify your CMMC level. 2) Scope your organization’s operations, focusing only on “in-scope” areas dealing with FCI and CUI. 3) Conduct automated, scalable, and evidence-driven self-assessments. 4) Create a SSP as a living document. 5) Get Certified by working with C3PAOs or undergoing a government-led assessment.

Although the CMMC 2.0 simplifies the requirements and minimizes them in scope and expectations, getting certified is no easy feat. Contractors need to spend time understanding the requirements and establish a repeatable, evidence-driven compliance process to stay compliant, achieve certification, and stay ahead of the evolving requirements from the DoD.

1. Identify your CMMC level

CMMC level requirements vary on a contract-by-contract basis based on the criticality of the data being handled. At a minimum, all contractors will need to meet the requirements of CMMC Level 1, the basic level required for contractors who process Federal Contract Information (FCI). If you handle Controlled Unclassified Information (CUI), you’ll need to certify at CMMC Level 2. And if you handle very sensitive CUI, you’ll need to certify at CMMC Level 3. Most contractors and subcontractors will fall under CMMC Level 1 and CMMC Level 2, while most larger prime contractors (e.g., Lockheed Martin, Raytheon, etc.) will fall under CMMC Level 3.

2. Scope your FCI & CUI

Not every part of your organization needs to get certified, and aligning your entire organization with NIST 800-171 may be unimaginably expensive and technically impossible. The DoD only considers the parts of your organization that touch FCI & CUI to be “in-scope” when it comes to official certification. For this reason, it is wise to spend time tracking the flow of FCI & CUI. When properly scoped, an organization can be logically and physically separated from the rest of the organization into an enclave, making compliance and certification much more feasible and cost-effective.

3. Conduct a self-assessment

Self-assessments are the only way for your organization to collect evidence, achieve compliance, and prepare for certification. If you’ve already conducted a NIST 800-171 Basic Assessment, you’ve already conducted a gap analysis. You should continue refining this process and using it continuously to find gaps and prioritize remediation. Even after you’ve been certified, you’ll need to conduct a self-assessment and submit your score to maintain your certification. Ideally, There are several approaches to establishing a self-assessment process. You must implement a method that is automated, scalable, and evidence-driven.

Manual Process

The quickest way to get started is with “pen and paper” using manual tools like spreadsheets or documents to keep track of everything. You’ll need to meet with people, conduct interviews, document their answers, collect evidence, and then manually identify gaps and calculate a score. If you work with subcontractors, you’ll also need to keep track of them manually. Ultimately, you’ll get results, but it’ll be a resource intensify process that won’t scale with the evolving requirements from the DoD.

Legacy GRC Solutions

Some defense contractors already have access to Governance, Risk, and Compliance (GRC) solutions. While contractors can customize these solutions to handle the complexity of CMMC, it’ll require dedicated teams and a cooperative vendor to help set you up. You’ll need to gain access to the question sets, build custom dashboards & reports, and deploy your instance on a FedRAMP High Baseline before you can even get started, let alone get meaningful and actionable results.

Lightweight GRC Assessment Platform

Defense contractors can trust Isora GRC from SaltyCloud, the Lightweight GRC Assessment Platform. The platform is easy to deploy, proven at scale at large research universities and provides end-to-end assessment capabilities for the CMMC. Launch NIST 800-171 and NIST 800-172 assessments, securely collect evidence, and roll up your results into CMMC Readiness Dashboards that make it easy to identify gaps and track compliance. Save time with automated and exportable System Security Plans (SSPs) and Plans of Actions & Milestones (POA&Ms) with embedded remediation guidance. Isora GRC is built on AWS and can be deployed on AWS GovCloud which is FedRAMP High Baseline compliant.


Suppose your organization doesn’t have the in-house talent to undertake CMMC compliance. In that case, it’ll make sense to outsource the work to a Registered Provider Organization (RPO) or C3PAO from the CyberAB Marketplace. Hiring a consultant will be the easiest route, helping you save time and yield accurate results. However, it’ll be the most expensive option and won’t necessarily have continuity year-over-year. Ideally, you would supplement with a consultant while you work to hire the in-house talent that can help you manage compliance over time.

4. Create a System Security Plan (SSP)

Once you’ve scoped your organization, started aligning against the required security practices, and started collecting evidence, the next thing you need to do is organize everything together in an SSP. The SSP is a collection of documents that paint a picture of your environment and how it implemented the security practices. It should be a living, breathing document that will need to change as you improve your security posture. While the DoD does not ask you to submit this document for CMMC Level 1, you are still required to have one. For CMMC Level 2 and CMMC Level 3 certifications, your SSP will be the ultimate blueprint for certification. The NIST Computer Security Resource Center (CSRC) provides an SSP template (.docx).

5. Get Certified

If you’ve reached this point, you’ve done the heaviest lifting already. The final action item is getting certified. If you’re aiming for CMMC Level 2 certification, you’ll need to work with a C3PAO from the CyberAB Marketplace. If you’re aiming for CMMC Level 3 certification, you’ll need to undergo a government-led assessment. Your auditor will verify your SSP, review any evidence you provide, and interview people in your organization to grant you the certification. If you still haven’t implemented all required practices, the DoD may allow you to use a time-restricted POA&M. Alternatively, and in limited cases, you can apply for a waiver. Your third-party or government certification will be valid for three years. After three years, you’ll need to go through the process all over again. However, subsequent recertifications should be much easier if you’ve implemented a repeatable, evidence-driven compliance process.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple CMMC solution, making regulatory compliance easier while helping organizations improve their cyber resilience.

Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

This guide covers everything you need to know about TAC 202, including what it entails, why it's important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule risk assessment of customer information security programs.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule requiring IT security programs securing customer data

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling