CMMC Certification Steps

To land contracts with the Department of Defense (DoD), a business must be able to demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC). The framework is largely based on the NIST SP 800-171 standard. CMMC v2.0 is going through the rule-making process and its effective date is still up in the air. The new version is streamlined and offers more clarity and flexibility regarding the requirements organizations must meet for certification or compliance.

If CMMC is in your organization’s plans, here are some of the key CMMC Certification steps you will need to know.

Identify the Right Certification Level

CMMC 2.0 contains three certification levels. Organizations need to identify the certification level that is the best match early in their CMMC journey so they know what requirements their security plan must meet.

Level 1: Foundational

Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the requirements of 17 practices that represent the safeguarding requirements of the Federal Acquisition Regulation (FAR) 52.204.21.

Organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI) will find Level 1 to be a good target.

Level 2: Advanced

This certification level is split into two groups. Organizations that handle CUI will need to work with a CMMC Third-Party Assessment Organization (C3PAO) to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.

All organizations seeking Level 2 certification need to prove they implemented the requirements of NIST SP 800-171 (110 practices). Level 2 will likely be the most common.

Level 3: Expert

Level 3 is the most rigorous level of certification and should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification, organizations must meet all the requirements found in NIST 800-172. Assessments for Level 3 certification will be government-led and need to be completed every three years.

Scope your FCI & CUI

CMMC specifically focuses on FCI and CUI. FCI is information not intended for public release. It is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI include data on defense, nuclear, and natural resources infrastructures, financial records, international agreements, and defense data.

Your CMMC certification only needs to apply to the parts of your organization that touch FCI or CUI. It is a good idea for organizations to track the flow of FCI and CUI to identify which divisions do and do not encounter the data. Removing parts of the organization that never touch this data from the CMMC compliance/certification process can save time and money.

Conduct a Self-assessment

Executing a self-assessment is an effective way for your organization to prepare for certification by identifying existing NIST 800-171 and CMMC gaps and collecting evidence. To save costs early in the certification process, the organization can perform these assessments itself before engaging a third party or undergoing the formal assessment by the C3PAO. The data produced by the analysis enables organizations to remediate deficiencies before undergoing the formal CMMC assessment, which will likely save time and resources later on.

Organizations should make it a priority to implement an assessment method that is easily repeatable to find gaps and prioritize remediation. After getting certified, organizations must conduct self-assessments and submit scores to maintain certification.

System Security Plans & Plan of Action and Milestones

A System Security Plan (SSP) is a required document that describes how an organization plans to meet the security requirements for a system. Information typically found in an SSP includes:

  • The system boundary
  • The environment in which the system operates
  • How the security controls are implemented
  • The relationships and connections to other systems

An SSP template is available from the NIST Computer Security Resource Center. Update SSPs as your cybersecurity policies and procedures change.

Newly allowed in CMMC 2.0, a Plan of Action and Milestones (POA&M) allows organizations to proceed with certification when security gaps exist by detailing how the gaps will be addressed. Contractors can use POA&Ms to achieve certification if specific deadlines for mitigating gaps are included. Be sure any POA&Ms document the remediation plans, identify the resources required, and establish milestones and completion dates.

Implement and Certify

When your organization is confident it has implemented the necessary controls for its certification level and has POA&Ms for any remaining gaps, begin the formal assessment process for the appropriate certification level. For Levels 2 and 3, the auditor will verify the SSP, review any provided evidence, and interview people within the organization before granting the certification.

CompliancePoint has a team of cybersecurity professionals that can help your organization design and implement a security program that meets NIST and CMMC requirements. Contact us to learn more about how we can help.
