The 5-Step Guide to Prepare for the CMMC

Table of Contents

  1. Introduction
  2. Five steps towards CMMC certification
    1. Identify your CMMC level
    2. Scope your FCI & CUI
    3. Conduct a self-assessment
    4. Create a System Security Plan (SSP)
    5. Get certified
  3. Conclusion


In November 2021, the Department of Defense (DoD) released the latest version of CMMC, dubbed “CMMC 2.0,” which introduced several key updates. While defense contractors are already required to conduct a NIST 800-171 Basic Assessment, certification is the next step in their journey. Getting certified takes time and preparation. This guide covers the five practical steps to go from zero to certified.

Five steps towards CMMC certification

1. Identify your CMMC level

CMMC level requirements vary on a contract-by-contract basis, depending on the criticality of the data being handled. At a minimum, all contractors will need to meet the requirements of CMMC Level 1, the basic level required for contractors who process Federal Contract Information (FCI). If you handle Controlled Unclassified Information (CUI), you’ll need to certify at CMMC Level 2. And if you handle very sensitive CUI, you’ll need to certify at CMMC Level 3. Most contractors and subcontractors will fall under CMMC Level 1 and CMMC Level 2, while most larger prime contractors (e.g., Lockheed Martin, Raytheon) will fall under CMMC Level 3.

2. Scope your FCI & CUI

Not every part of your organization needs to get certified, and aligning your entire organization with NIST 800-171 may be unimaginably expensive and technically impossible. The DoD only considers the parts of your organization that touch FCI & CUI to be “in-scope” when it comes to official certification. For this reason, it is wise to spend time tracking the flow of FCI & CUI. When properly scoped, the in-scope part of an organization can be logically and physically separated from the rest of the organization into an enclave, making compliance and certification much more feasible and cost-effective.

3. Conduct a self-assessment

Self-assessments are the only way for your organization to collect evidence, achieve compliance, and prepare for certification. If you’ve already conducted a NIST 800-171 Basic Assessment, you’ve already conducted a gap analysis. You should continue refining this process and using it continuously to find gaps and prioritize remediation. Even after you’ve been certified, you’ll need to conduct a self-assessment and submit your score to maintain your certification. There are several approaches to establishing a self-assessment process. You must implement a method that is automated, scalable, and evidence-driven.

Manual Process

The quickest way to get started is with “pen and paper,” using manual tools like spreadsheets or documents to keep track of everything. You’ll need to meet with people, conduct interviews, document their answers, collect evidence, and then manually identify gaps and calculate a score. If you work with subcontractors, you’ll also need to keep track of them manually. Ultimately, you’ll get results, but it’ll be a resource-intensive process that won’t scale with the evolving requirements from the DoD.

Legacy GRC Solutions

Some defense contractors already have access to Governance, Risk, and Compliance (GRC) solutions. While contractors can customize these solutions to handle the complexity of CMMC, it’ll require dedicated teams and a cooperative vendor to help set you up. You’ll need to gain access to the question sets, build custom dashboards & reports, and deploy your instance on a FedRAMP High Baseline before you can even get started, let alone get meaningful and actionable results.

Lightweight GRC Assessment Platform

Defense contractors can trust Isora GRC from SaltyCloud, the Lightweight GRC Assessment Platform. The platform is easy to deploy, proven at scale at large research universities, and provides end-to-end assessment capabilities for the CMMC. Launch NIST 800-171 and NIST 800-172 assessments, securely collect evidence, and roll up your results into CMMC Readiness Dashboards that make it easy to identify gaps and track compliance. Save time with automated and exportable System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms) with embedded remediation guidance. Isora GRC is built on AWS and can be deployed on AWS GovCloud, which is FedRAMP High Baseline compliant.


Suppose your organization doesn’t have the in-house talent to undertake CMMC compliance. In that case, it’ll make sense to outsource the work to a Registered Provider Organization (RPO) or C3PAO from the CyberAB Marketplace. Hiring a consultant will be the easiest route, helping you save time and yield accurate results. However, it’ll be the most expensive option and won’t necessarily have continuity year-over-year. Ideally, you would supplement with a consultant while you work to hire the in-house talent that can help you manage compliance over time.

4. Create a System Security Plan (SSP)

Once you’ve scoped your organization, started aligning against the required security practices, and started collecting evidence, the next thing you need to do is organize everything together in an SSP. The SSP is a collection of documents that paints a picture of your environment and how it implements the security practices. It should be a living, breathing document that will need to change as you improve your security posture. While the DoD does not ask you to submit this document for CMMC Level 1, you are still required to have one. For CMMC Level 2 and CMMC Level 3 certifications, your SSP will be the ultimate blueprint for certification. The NIST Computer Security Resource Center (CSRC) provides an SSP template (.docx).

5. Get certified

If you’ve reached this point, you’ve done the heaviest lifting already. The final action item is getting certified. If you’re aiming for CMMC Level 2 certification, you’ll need to work with a C3PAO from the CyberAB Marketplace. If you’re aiming for CMMC Level 3 certification, you’ll need to undergo a government-led assessment. Your auditor will verify your SSP, review any evidence you provide, and interview people in your organization to grant you the certification. If you still haven’t implemented all required practices, the DoD may allow you to use a time-restricted POA&M. Alternatively, and in limited cases, you can apply for a waiver. Your third-party or government certification will be valid for three years. After three years, you’ll need to go through the process all over again. However, subsequent recertifications should be much easier if you’ve implemented a repeatable, evidence-driven compliance process.


Although CMMC 2.0 simplifies the requirements and reduces their scope and expectations, getting certified is no easy feat. Contractors need to spend time understanding the requirements and establish a repeatable, evidence-driven compliance process to stay compliant, achieve certification, and stay ahead of the evolving requirements from the DoD.