Understanding the key steps of CMMC 2.0 compliance can make the process significantly less stressful and ensure your organization is fully prepared to meet requirements. Let's explore the crucial steps to achieving CMMC compliance, including how to determine your compliance level, implement the necessary security measures, and get ready for certification assessments.

Step 1: Determine your CMMC compliance level

The requirements for CMMC 2.0 compliance and assessment differ depending on your organization’s involvement with the DoD and the type of information you manage. So the first step is to identify the appropriate CMMC level for your organization.

Let's break down the three levels of CMMC 2.0 compliance to help you determine which one applies to you. 

CMMC Level 1: Foundational

CMMC Level 1 is designed to ensure that companies implement fundamental cybersecurity practices to protect Federal Contract Information (FCI). It includes 17 basic practices derived from FAR 52.204-21, focusing on areas such as access control, authentication, media protection, physical security, communications protection, and system integrity. Compliance at this level involves an annual self-assessment and executive certification.

CMMC Level 2: Advanced

CMMC Level 2 is intended for organizations that handle Controlled Unclassified Information (CUI) and requires more comprehensive cybersecurity measures than Level 1. It aligns with the NIST SP 800-171 rev 2 framework and encompasses 110 security practices. Critical national security information requires third-party assessments every three years, while non-critical information requires annual self-assessments.

CMMC Level 3: Expert

CMMC Level 3 is the highest level, tailored for organizations managing highly sensitive CUI. It emphasizes advanced cybersecurity practices to defend against Advanced Persistent Threats (APTs). This level builds on the practices of Levels 1 and 2, incorporating additional controls from a subset of NIST SP 800-172 (as specified by the DoD). Before pursuing Level 3, organizations must first meet the requirements of Level 1 and then Level 2. A government-led assessment by the DoD is conducted every three years.

To determine your CMMC level, consider the following questions:

  • What are your contractual obligations? Review your current or potential contracts with the DoD to identify any specified CMMC requirements. Look for references to CMMC levels in RFPs and contracts.
  • What type of information do you handle? If your organization deals with FCI, you’ll need to meet at least Level 1 compliance. If you handle CUI, compliance with Level 2 or higher will be necessary, depending on the information’s sensitivity.
  • How critical is your role in the DoD supply chain? If your organization has a non-critical role and manages less sensitive information, CMMC Level 2 (non-critical) might suffice. If your role is critical to national security or involves handling highly sensitive information, compliance with CMMC Level 2 (critical) or Level 3 will likely be required.
  • Do your requirements align with prime contractors? If you are a subcontractor, engage with your prime contractors to understand any CMMC requirements passed down from the main contract. Prime contractors should advise their subcontractors on the CMMC level they need.

For official guidance and additional resources on CMMC requirements and levels, refer to the CMMC Accreditation Body (CMMC-AB) website and the Department of Defense CMMC page.

Step 2: Conduct a gap analysis against CMMC requirements

The next step involves conducting an internal gap assessment to compare your current cybersecurity practices with the requirements of your designated CMMC level. 

Use the CMMC compliance checklists provided below to map your current security measures to the applicable CMMC 2.0 controls. Document whether each required control is fully, partially, or not implemented. Ensure that your organization is in compliance with DFARS requirements. This helps you systematically assess how your current practices align with the required standards and what you need to do to get compliant. 

For each requirement that is not fully implemented, identify the specific gaps in your current security posture. This could include missing controls, inadequate processes or technical configurations, or insufficient documentation.

Next, create a Plan of Actions and Milestones (POA&M) document that outlines the steps your organization will take to prioritize and address each identified gap. Include timelines, responsible parties, and specific actions needed to achieve compliance.

Once you have addressed the gaps, conduct a final internal review to ensure all CMMC 2.0 requirements are fully met. Prepare the necessary documentation and evidence to support your compliance in a formal assessment by a C3PAO.

CMMC 2.0 Compliance Checklists


Step 3: Complete the required CMMC assessment

Once you are confident that your security protocols align with CMMC requirements, you can proceed with the compliance assessment. The CMMC assessment process varies based on the compliance level needed. Assessments for CMMC Level 1 and non-critical Level 2 are less rigorous than those for critical Level 2 and Level 3.

Here’s an overview of the assessment process for each CMMC level:

CMMC Level 1 and Non-critical Level 2: Annual self-assessment

Organizations at these levels must perform an annual self-assessment to confirm compliance with the required cybersecurity practices. A senior executive must also formally affirm the results, certifying that the organization meets the necessary requirements.

To prepare, assemble the necessary compliance documentation and evidence, and select a self-assessment team knowledgeable about CMMC Level 1 requirements and your organization’s security posture. The DoD Chief Information Officer provides tools and guidance for scoping and conducting the self-assessment. Document whether each requirement is fully, partially, or not implemented. Critical requirements should be remediated immediately, while any other gaps should be addressed through your POA&M document, outlining specific steps, owners, and deadlines for remediation.

Another essential document is the System Security Plan (SSP), which serves as a detailed blueprint for how your organization protects its digital assets. The SSP should describe all of the specific security controls and practices in place to safeguard your information and IT infrastructure.

After completing the self-assessment, obtain executive sign-off to formally affirm that the organization meets CMMC Level 1 requirements.

For organizations handling non-critical Level 2 CUI, an annual self-assessment against the relevant NIST SP 800-171 controls is also required. Similar to Level 1, a senior executive must affirm the results with a letter of attestation.

CMMC Critical Level 2: Engage a C3PAO (Certified Third-Party Assessment Organization)

Organizations handling critical CUI must undergo a third-party assessment conducted by a C3PAO every three years. Once ready, organizations can select a C3PAO from the list of authorized assessment organizations provided by the CMMC-AB.

The C3PAO will conduct a thorough review of your organization's implementation of the applicable NIST 800-171 controls. They will examine key documentation, including:

  • System Security Plan (SSP): Details how the organization has implemented required cybersecurity practices and processes, covering areas such as system boundaries, risk assessment, incident response, and continuous monitoring.
  • Plan of Action and Milestones (POA&M): Outlines the steps the organization will take to address any deficiencies found during an assessment.
  • Supplier Performance Risk System (SPRS) Assessment: Evaluates a contractor's cybersecurity practices and risk management to ensure compliance with DoD requirements.

Other key documents may include a risk mitigation plan, incident response plan, continuous monitoring plan, access control policy, and configuration management plan. Assessors will also interview stakeholders, observe cybersecurity practices, and perform technical tests to validate the effectiveness of implemented controls.

After the review, the C3PAO may provide preliminary feedback on any identified issues. If compliant, the organization receives CMMC certification for the assessed level, valid for three years. Organizations must maintain and improve their cybersecurity practices during this period by adhering to their POA&M.

CMMC Level 3: Government-led assessment

Organizations seeking Level 3 certification must coordinate with the DoD to schedule a government-led assessment. Government assessors may hold a pre-assessment meeting to discuss scope, timing, and the assessment process. They will review key documentation, such as the SSP and POA&M, and conduct on-site evaluations, including interviews, cybersecurity practice observations, and technical testing.

Government assessors may provide a preliminary report highlighting any deficiencies or areas for improvement. The final report is submitted to the CMMC-AB for review, and if compliant, the organization receives certification valid for three years. To maintain compliance, Level 3 organizations must continuously monitor systems and controls, keep their POA&M up to date, and ensure policies reflect any changes in security posture or organizational practices.

Step 4: Maintain CMMC certification

After achieving certification, there are ongoing activities you’ll need to manage to maintain an active certification. These include: 

  • Continuously monitoring your controls to ensure operating effectiveness and identify any opportunities for improvement. 
  • Updating your SSP to reflect any changes in your security posture, IT infrastructure, or security controls. This document should be a living record that evolves as your organization’s environment changes.
  • Actively managing the POA&M by addressing any identified gaps or deficiencies in security controls. Ensure that remediation efforts are tracked, completed, and documented according to the timelines set in the POA&M.
  • Regularly testing and updating your incident response plan. In the event of a cybersecurity incident, you’ll also need to report the incident following DoD and CMMC guidelines.
  • Conducting periodic self-assessments to ensure ongoing compliance with the relevant CMMC level. These self-assessments help identify and address issues before the next formal audit.
  • Regularly reviewing and updating your cybersecurity policies and procedures to reflect changes in regulatory requirements, organizational changes, or new threats. 
  • Completing security awareness and insider threat training for all personnel on at least an annual basis.
  • Documenting any changes in the organizational structure, technology, or processes that might affect your cybersecurity posture, as well as maintaining audit logs to ensure they are properly managed and available for review during audits. 

If the type of CUI or FCI you handle changes, you’ll also need to reassess which level of compliance you need, complete a gap assessment, and implement any additional controls needed to satisfy new requirements. 

Secureframe can continuously monitor your control status, automatically collect evidence for your audit, deploy security awareness training and policy reviews, and simplify document management.  

How to accelerate the CMMC certification process with automation

Automation is transforming the landscape of security, privacy, and compliance, particularly within the government and public sectors. With Secureframe’s automated compliance platform, government contractors and authorized software vendors can efficiently navigate complex framework requirements, implement and monitor necessary controls, and maintain continuous compliance with many compliance frameworks and standards.

  • Federal compliance expertise: Our team of compliance experts, including former FISMA, FedRAMP, and CMMC auditors and consultants, is here to help you navigate CMMC questions and readiness. Our platform is continuously updated to reflect the latest federal compliance requirements, streamlining regulatory change management.
  • Seamless integrations for enhanced automation: Secureframe integrates seamlessly with your existing technology stack, including AWS GovCloud, to automatically collect evidence, continuously monitor your security and compliance posture, and simplify the maintenance of your POA&M.
  • Streamlined multi-framework compliance: Our intelligent cross-mapping feature enables quick compliance with multiple federal standards, such as NIST 800-53, NIST 800-171, NIST CSF, and CJIS, as well as commercial frameworks SOC 2, ISO 27001, and many more. By leveraging the controls you’ve already implemented for CMMC, Secureframe accelerates the compliance process and reduces redundant efforts across 40+ frameworks.
  • Simplified document and policy management: Our platform offers templated policies, procedures, and SSPs crafted by former federal auditors, fully customizable to suit your needs. With our enterprise policy management capabilities, you can easily manage POA&M documents, impact assessments, and readiness reports.

Schedule a demo to learn more about how Secureframe helps organizations and government contractors achieve and maintain CMMC compliance. 


FAQs

How long is CMMC certification good for?

CMMC certification is valid for three years. After this period, organizations must undergo a reassessment to renew their certification and ensure ongoing compliance with the necessary cybersecurity practices.

How to be CMMC compliant?

To become CMMC compliant, organizations must follow several key steps:

  1. Determine Your CMMC Level: Identify which CMMC level your organization needs based on your relationship with the Department of Defense (DoD) and the type of information you handle.
  2. Understand and Implement Requirements: Review the specific cybersecurity requirements for your CMMC level and implement the necessary controls.
  3. Conduct a Gap Assessment: Perform an internal assessment to identify any gaps between your current security posture and the CMMC requirements. Address any deficiencies.
  4. Complete the Compliance Assessment: Depending on your CMMC level, undergo either a self-assessment or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) or a government-led assessment.
  5. Maintain Compliance: Continuously monitor and update your cybersecurity practices to ensure ongoing compliance and readiness for future assessments.

Is CMMC certification worth it?

Yes, CMMC certification is worth it for organizations that work with or intend to work with the Department of Defense. Achieving CMMC certification not only demonstrates a commitment to robust cybersecurity practices but also ensures that your organization meets the necessary requirements to compete for DoD contracts. Additionally, CMMC compliance can enhance your overall security posture, reduce the risk of cyber threats, and build trust with your customers and partners.

What is the deadline for CMMC compliance?

With a phased implementation that began in May 2023, CMMC 2.0 is projected to be included in all DoD contracts by 2028. However, it’s important to note that even if CMMC isn’t in your organization’s DoD contract by a certain date, as soon as the CMMC final rule is released it will be rolled out to the market and applicable for audits. To be competitive within the DoD marketplace, organizations will need to prioritize compliance with CMMC 2.0. Prime contractors will also likely favor subcontractors who are more prepared to protect their supply chain.