The 5-Step Guide to Prepare for the CMMC

Table of Contents.

  1. Introduction
  2. Step-by-Step Guide
    1. Identify your CMMC level
      1. CMMC Level 1, Foundational
      2. CMMC Level 2, Advanced
      3. CMMC Level 3, Expert
    2. Scope your CUI & FCI
    3. Conduct a CMMC gap analysis
      1. Spreadsheets
      2. Legacy GRC Solutions
      3. Isora GRC from SaltyCloud
      4. Consultants
    4. Create a System Security Plan (SSP)
    5. Get Certified
  3. How does SaltyCloud help?
  4. Conclusion


In November 2021, the Department of Defense (DoD) released the latest version of CMMC, dubbed “CMMC 2.0,” which introduces a few key updates. While the DoD has not yet finalized rulemaking, contractors looking to get certified at Level 2 or Level 3 should prepare their organization for certification. Getting certified can seem like a daunting task but by following a few, fool-proof steps, you can get on the path towards certification.

In this step-by-step guide, we’ll discuss the practical steps you can take to prepare for a CMMC certification.

Step-by-Step Guide

1. Identify your CMMC level

CMMC levels vary depending on the criticality of the data being handled. This means that you’ll need to certify against the level that best matches the type of data your organization handles. At a minimum, all contractors will need to meet the requirements of Level 1 which is the basic level required for contractors to process Federal Contract Information (FCI). If you handle Controlled Unclassified Information (CUI), you’ll need to certify at Level 2. And if you handle very sensitive CUI, you’ll need to certify at Level 3. Most contractors and subcontractors will fall under Level 1 and Level 2. It will mostly be large primes (e.g., Lockheed Martin, Raytheon, etc.) who fall under Level 3.

CMMC Level 1, Foundational

Level 1 requires contractors to comply with 17 practices (aka controls) from the National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171.

CMMC Level 2, Advanced

Level 2 requires compliance with the initial 17 practices and the additional 93 practices (110 total) from NIST 800-171.

CMMC Level 3, Expert

Level 3 requires compliance with all 110 practices from NIST 800-171, together  with   further practices (yet to be specified) from NIST 800-172.

2. Scope your CUI & FCI

Not every part of your organization needs to be certified (but it can be if you so choose). The DoD only considers the parts of your organization that touch FCI and CUI to be “in-scope” when it comes to official certification. For this reason, you need to spend some time understanding where critical data is stored, how it’s processed, and how it’s transmitted in your organization. Additionally, you’ll want to identify any and all individuals who handle FCI and CUI. When you have a good understanding, you’ll want to isolate those parts of your organization into a separate enclave. Doing so will help you focus only on the aspects of your organization that need to be certified, making certification efficient and cost-effective. If you’d like to learn more about scoping your environment and establishing an enclave, we wrote the Guide to Scoping FCI & CUI for NIST 800-171 & CMMC.

3. Conduct a CMMC gap analysis

To be certified, contractors need to prove that their organization (or enclave) has implemented the required practices. Conducting a gap analysis will help you gauge compliance, assess the effectiveness of existing practices, collect evidence, and plan remediation strategies. And if you’ve already started conducting a NIST 800-171 Basic Assessment as required by the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, you’re halfway there. Your gap analysis is your NIST 800-171 Basic Assessment which will become your yearly CMMC self-assessment (if you’re working towards CMMC Level 1 or Level 2).

There are several approaches to conducting the gap analysis. It’s important that you implement a method that is automated, repeatable, and evidence-driven because you’ll continue to use it from here on out.


Contractors can choose to conduct a gap analysis using spreadsheets. This is the most hands-on approach but will require a large amount of FTE investment spent on manual tasks, and the results are usually error-prone and tracking can be a nightmare. You’ll also need to identify and implement a separate solution to store sensitive evidence.

Legacy GRC Solutions

Contractors can choose to conduct a gap analysis using legacy Governance, Risk, and Compliance (GRC) solutions. This method can help you build an integrated risk management program but will require FTE investment to deploy and set up before you can start getting meaningful results. Even if you already have an existing solution deployed, you’ll still need to work with the solution provider to build custom questionnaires, dashboards, and reports.

Isora GRC from SaltyCloud

Contractors can choose to conduct a gap analysis using Isora GRC from SaltyCloud. This method is relatively inexpensive and easy to deploy. It provides a complete CMMC workflow and serves as your system of record. Isora GRC allows you to conduct a gap analysis and self-assessments against each CMMC level, collect and securely store evidence, access CMMC dashboards, and export compliance reports, Plans of Action and Milestones (POAMs), and System Security Plans (SSPs). As with other solutions, you’ll need the cooperation of committed survey respondents to ensure a successful deployment.


Contractors can choose to have a consultant conduct a gap analysis. This method will save a lot of time and will yield objective and accurate results but it will be very expensive and you won’t necessarily have continuity year-over-year.

4. Create a System Security Plan (SSP)

Once you have a good understanding of your environment and where it stands against the required practices, you’ll want to put it all together into the required SSP. The SSP is a collection of documents that paint a picture of your environment and how it implemented the required practices. It should be a living, breathing document as it’ll need to change as you make improvements to your security posture. The NIST Computer Security Resource Center (CSRC) provides an SSP template (.docx)  and other NIST 800-171 resources.

5. Get Certified

Once you’ve gotten all the pieces in place, you are ready to be certified. If you’re shooting for CMMC Level 2, you’ll need to choose a Certified Third-Party Assessor Organization (C3PAO) that suits your organization. If you’re shooting for CMMC Level 3, you’ll need to go through a government-led assessment. As of writing this guide, the DoD has not released details on how they will work. However, you can expect to have an auditor verify your SSP, review any evidence you provide, and interview people in your organization in order to grant you the certification. If you still haven’t implemented all required practices, the DoD may give you the opportunity to make use of a time-restricted POAM. Alternatively, and in limited cases, you can apply for a waiver.

Your third-party or government certification will be valid for three years. After three years, you’ll need to go through the process all over again. However, if you’ve implemented a repeatable, evidence-driven compliance process, subsequent recertifications should be much easier.

How does SaltyCloud help?

SaltyCloud offers Isora GRC, a Governance, Risk, and Compliance (GRC) Assessment Platform that makes it easier for contractors to meet the cybersecurity requirements of the CMMC. It provides the ability to conduct assessments against the prescribed security frameworks (e.g., NIST 800-171, NIST 800-172, etc.), collect evidence, access dashboards, and export compliance reports and Plans of Action and Milestones (POAMs). SaltyCloud is a CMMC Registered Provider Organization (RPO). Learn more about Isora GRC.


Although the CMMC 2.0 simplifies the requirements and minimizes them in both scope and expectations, getting certified is no easy feat. Contractors need to spend time to understand the requirements and their environment. They also need to establish a repeatable, evidence-driven compliance process to achieve certification and make recertification in subsequent years easier.