Eight Steps to the New Cybersecurity Maturity Model Certification (CMMC) Now Required by the DoD
If your company does business with the U.S. Department of Defense (DoD), you may have received a memorandum or communication that flowed down regarding compliance to the CMMC 2.0 model.
Information security experts Rhia Dancel, CMMC registered practitioner, and Tony Giles, CMMC provisional assessor, with NSF International Strategic Registrations (NSF-ISR) certainly hope so.
They encourage you to understand the CMMC requirements and take the necessary steps to achieve certification for your organization. The sooner your organization understands and complies with CMMC, the better.
The Cybersecurity Maturity Model Certification program mandates cybersecurity requirements for companies in the defense industrial base (DIB), which includes over 350,000 firms. “CMMC is a unified standard that takes into account all the various information security standards and best practices,” Dancel says. “The goal is to protect federal contract information (FCI) and controlled unclassified information (CUI). It's a five-year, phased rollout with new DoD contracts. CMMC requirements will appear in all contracts starting in fiscal year 2026, meaning all DoD contractors will need to comply in order to bid on the work”
“It’s the first ever mandated information security standard and one the Department of Defense is extremely interested in,” Giles says. “It wants to see organizations meet those requirements.” DoD considers the CMMC program a vital part of the government’s response to the rising tide of cybersecurity threats.
All DoD suppliers will have to be certified to the appropriate CMMC level in order to continue doing business with DoD under the mandated CMMC requirements. NSF-ISR was named one of the first C3PAO candidates to participate in the CMMC program.
Giles suggests that organizations start the CMMC process with a basic question: Does my organization have controlled unclassified information? This is information created or owned by the government that needs to be safeguarded and released only under proper, legal and regulated controls, such as parts for a new defense aircraft or specifications for military uniforms.
8 Steps to CMMC
Dancel and Giles recommend the following eight-step process for DoD contractors and subcontractors to achieve CMMC certification for their firms.
Implement and Assess Information Security ProcessesDevelop a system security plan and conduct a self-assessment to NIST 800-171 standards.
Improve Processes and Submit Your ScoreBased on the results of your self-assessment, create a plan of actions and milestones with target dates to achieve a maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).
Identify Your ScopeIt could be enterprise, organization unit or program enclave. Note that the Cyber-AB, the accreditation body authorized to oversee all CMMC assessments and training, has only released the assessment guide for CMMC 2.0 Levels 1-2 so far.
Get a Preliminary Gap AssessmentThis is an optional step, but still recommended. Schedule a preliminary gap assessment with an accredited, third-party assessment organization like NSF-ISR (C3PAO candidate) to identify gaps in your information security process.
Address Gap Assessment FindingsUsing the analysis provided by the assessment organization, fix identified information security gaps and implement these changes in your organization.
Choose a C3PAOWith those information security gaps identified and corrected, use the Cyber-AB Marketplace to identify a C3PAO like NSF-ISR, and schedule your CMMC assessment.
Undergo the CMMC Assessment
Conduct your CMMC assessment with your selected C3PAO. Expect the assessment to consist of four phases:
Phase 1 kicks off with pre-assessment planning and includes gathering initial scope information, completing artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan and doing a readiness review with NSF-ISR.
In Phase 2, the C3PAO conducts the CMMC assessment. This starts with an opening meeting between your organization and NSF-ISR CMMC assessment team. What follows is an analysis and review of objective evidence related to the CMMC practices, discussion of any preliminary findings and then a final output.
Phase 3 covers post-assessment reporting. Results gathered by the assessment team are submitted to NSF-ISR, who performs a quality assurance (QA) review and forwards a recommendation to the OSC Sponsor and the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies CMMC level recommendation.
Phase 4 may require remediation if the assessment identifies that a company falls a few practices short of the target CMMC performance level needed. NSF-ISR forwards the remediation request to Cyber-AB for approval. Cyber-AB approves or denies the request.
If approved, the 90-day clock for remediation starts. This time allows addressing any shortfalls in performance.
Get CertifiedThe Cyber-AB reviews the assessment submitted by the C3PAO and makes a final decision on certification for your organization. Once the Cyber-AB decides to approve a submitted assessment, the accreditation body notifies both your organization and the C3PAO. If all goes well, your organization is awarded a three-year CMMC certification.
Dancel and Giles acknowledge that participating in the CMMC process requires time, effort and resources. On the other hand, there is powerful motivation to participate because any DoD supplier not in compliance with CMMC requirements will not be able to do business with the Department. For many smaller firms, the resulting loss of revenue could mean the difference between staying in business or having to close their doors.
Dancel and Giles believe the best approach for companies is to be well informed and get started on the CMMC certification process well in advance of the program deadline. They point to a competitive advantage these firms will have over their competitors when responding to DoD requests for information (RFIs) and requests for proposals (RFPs).