How to Get CMMC Certified: A Step-by-Step Guide for Contractors
Taylor Karl / Wednesday, November 27, 2024 / Categories: Resources, CyberSecurity

As cyber-attacks grow more sophisticated by the day, defense contractors must bring their A-game to protect sensitive government information. CMMC certification has always been mandatory for DoD contracts, but now the path to compliance has been simplified. With the introduction of CMMC 2.0, the DoD transformed its complex five-level system into a streamlined three-level framework. Want to know what happened to Levels 4 and 5? They're gone, but don't worry—the new system still keeps defense information just as safe. This change shows how the DoD is making things easier and less expensive for contractors, especially small businesses, while keeping security standards high. Whether you've been in the defense industry for years or you're just starting out, understanding CMMC 2.0 could make or break your chances of winning and keeping DoD contracts.

1. Understand CMMC 2.0 and Determine Your Required Level

Gone are the days of the complex five-tier system! CMMC 2.0 has consolidated its framework into three distinct levels, each tailored to the sensitivity of the information contractors handle. The DoD's strategic overhaul wasn't just about making things simpler—they wanted to create a more accessible program that wouldn't compromise on protecting sensitive defense information. Organizations handling Federal Contract Information (FCI) need only meet the Foundational level requirements, while those managing Controlled Unclassified Information (CUI) must achieve Advanced or Expert certification. This simpler approach helps small businesses spend less on certification while keeping government information protected at every step in the defense supply chain.

CMMC 2.0 - Level 1: Foundational

CMMC 2.0 Level 1 (Foundational) represents the entry point for defense contractors handling Federal Contract Information (FCI).
This basic level of cybersecurity certification ensures that organizations implement essential security practices to protect sensitive government information that isn't intended for public release. Think of it as building a strong foundation for your organization's security posture.

Compliance Requirements:
- Implementation of 17 fundamental cybersecurity practices derived from FAR clause 52.204-21
- Annual self-assessment requirement
- Leadership must submit compliance affirmation to SPRS
- No conditional certifications or Plans of Action & Milestones permitted
- Focuses exclusively on basic cyber hygiene
- Self-assessment conducted internally
- No formal documentation of processes required

Beyond the core requirements, Level 1 certification offers several advantages for organizations entering the defense contracting space. As the most affordable certification level, with costs ranging from $4,000-$6,000 depending on organization size, it provides a cost-effective entry point for contractors. The certification process aligns with standard industry practices, making it relatively straightforward for many organizations to achieve compliance. However, it's important to note that Level 1 certification must be renewed annually, and organizations handling both FCI and CUI will need to upgrade to Level 2. This makes Level 1 an ideal starting point for contractors exclusively dealing with FCI, while providing a clear pathway for growth as their contract requirements evolve.

CMMC 2.0 - Level 2: Advanced

Level 2 certification has evolved significantly under CMMC 2.0. What was once a stepping stone in the original framework now stands as the primary certification level for protecting Controlled Unclassified Information (CUI). The Department of Defense has streamlined this level to align directly with NIST standards, making it clearer and more achievable for defense contractors.
Key Requirements:
- Implementation of 110 security controls from NIST SP 800-171
- Assessment every three years through self-evaluation or third-party certification
- Documentation of specialized equipment like IoT devices
- Ongoing security monitoring and updates
- Staff security training
- Verification of subcontractor compliance when handling CUI

The changes in CMMC 2.0 mark a significant departure from the previous framework. The DoD removed complex process documentation requirements to focus on actual security measures. One major improvement is the option for self-assessment in certain programs, which reduces certification costs while maintaining security standards.

The new framework includes a safety net for organizations through Plans of Action & Milestones (POA&Ms). Companies that achieve 80% of requirements can receive temporary certification if they fix remaining issues within 180 days. Missing this deadline, however, invalidates the certification.

What drives your assessment type? The sensitivity of your CUI and program criticality determine whether you can self-assess or need third-party certification. Companies handling sensitive information or working on critical projects like weapons systems still require assessment by a C3PAO.

CMMC 2.0 – Level 3: Expert

Level 3 certification stands at the top of the CMMC framework, created for contractors who handle the most sensitive Controlled Unclassified Information (CUI). The Department of Defense has transformed this expert level from CMMC 1.0's complex system into a clearer but more demanding standard focused on protecting critical defense information.

Key Requirements:
- Implementation of 110 security controls from NIST SP 800-171
- Addition of 24 advanced controls from NIST SP 800-172
- Government assessments by DCMA DIBCAC
- Active threat monitoring and response systems
- Enhanced security monitoring
- Yearly compliance verification
- Completed Level 2 certification

The shift to CMMC 2.0 brings important changes to Level 3.
Instead of using third-party assessors, the government now directly evaluates compliance through DIBCAC assessments. The DoD removed complex documentation requirements to focus on actual security measures that protect against advanced cyber threats. Level 3 certification requires significant investment, reflecting its role in protecting essential national security information. This level applies specifically to contractors working on critical defense programs, such as weapons systems and classified projects.

Do you need Level 3 certification? Check your DoD contracts. The Department clearly states required certification levels in each contract, with Level 3 reserved for programs involving the most sensitive information. A careful review of your current and future contracts will reveal your certification requirements.

2. Prepare Your Organization for CMMC Compliance

To prepare for CMMC compliance, you'll first need to conduct a comprehensive gap analysis to determine where your organization's cybersecurity measures fall short of certification requirements. Your cybersecurity team can perform this gap analysis if it has the necessary expertise, but many organizations choose to bring in a consultant with proven CMMC credentials, such as a C3PAO or RPO, to provide a more thorough evaluation. Think of this step as a cybersecurity "health check"—you're assessing the current state of your systems against the standards outlined in CMMC.

For organizations pursuing Level 2 or 3 certification, use the NIST SP 800-171 (for Level 2) and NIST SP 800-172 (for Level 3) frameworks as your guide to aligning your current security controls with the CMMC requirements. Level 2 requires implementing 110 security controls, while Level 3 adds 24 enhanced controls specifically designed to protect against Advanced Persistent Threats. If your organization already follows frameworks like ISO 27001 or HIPAA, identify areas of overlap to streamline your compliance efforts.
The scope of your assessment must include all systems, devices, and networks that process, store, or transmit CUI. Pay particular attention to specialized assets like IoT devices and operational technology, as these may require additional security measures. Your assessment should also evaluate cloud services—standard commercial solutions might not meet CMMC requirements.

Develop a System Security Plan (SSP)

After completing the gap analysis, develop a System Security Plan (SSP) to detail how you'll meet each security control requirement. It is a blueprint that outlines your current security posture, explaining how you protect FCI or CUI through descriptions of your security controls, configurations, and policies. This security blueprint is crucial to your CMMC assessment, so it must be as comprehensive as possible, covering everything from access control to encryption methods.

Plan of Action & Milestones (POA&M)

Create a Plan of Action and Milestones (POA&M) for the areas you found in your gap analysis that need improvement. It should include specific tasks, responsible parties, and target dates for each milestone. The POA&M shows your commitment to achieving and maintaining compliance, even if you're still working toward meeting specific standards.

Implement Required Controls

Implement the controls based on your CMMC level to ensure your organization meets the specific requirements and practices outlined in that level. Some common controls include:
- Access Control Systems: Ensure only authorized personnel can access FCI or CUI, which might involve setting up role-based access and regular access reviews.
- Multi-Factor Authentication (MFA): MFA is required to verify the identity of users accessing sensitive data. Make sure your authentication processes are in line with CMMC standards.
- Encryption of CUI: Sensitive data must be encrypted in transit and at rest to prevent unauthorized access. Implementing encryption is a non-negotiable way of protecting CUI.
- Monitoring and Incident Response Capabilities: Having a robust system in place to monitor for security incidents and respond effectively is essential for compliance. Consider implementing a Security Information and Event Management (SIEM) system if you don't already have one in place.

3. Conduct a Self-Assessment

Your organization must evaluate its security practices by conducting a thorough internal assessment to identify gaps or weaknesses in its current cybersecurity posture. This evaluation should cover all relevant areas, ensuring they align with the requirements of your designated CMMC level.

Level 1 and Level 2 Self-Assessment

If your organization seeks Level 1 or the self-assessment route for Level 2, you'll be responsible for completing an internal review of your cybersecurity practices. The assessment isn't just a check-the-box exercise; it's a detailed process that requires you to assess your compliance with the CMMC framework critically. Here's what to expect:
- Complete a Self-Assessment Report that covers every control required for your level, describing how your organization meets those standards or, if applicable, outlining any areas where you are working to improve.
- Submit the Report to the DoD through a DoD-approved platform like the Supplier Performance Risk System (SPRS).

This process ensures your organization has the proper safeguards to protect FCI and CUI. The self-assessment allows you to address minor issues before requiring a more formal review or third-party assessment.

CMMC Scoping Guidance

Not all of your organization's assets and networks may be subject to CMMC, so scoping allows you to focus your efforts on the right areas. For example, you might classify assets based on whether they store, process, or transmit FCI or CUI. Once classified, you can ensure that these specific systems meet the required controls while reducing unnecessary efforts on other parts of the infrastructure that won't handle FCI or CUI.

4. Engage a Certified Third-Party Assessment Organization (C3PAO)

Once your self-assessment or third-party assessment (for Levels 2 and 3) is complete, it's time for the official review and decision. The organization responsible for granting CMMC certification is the CMMC Accreditation Body (Cyber AB), which oversees this process. For companies pursuing Level 2 certification via a third-party assessment or Level 3 certification, a CMMC Third-Party Assessment Organization (C3PAO) will conduct an in-depth review of your cybersecurity practices. After the assessment, the C3PAO compiles a report detailing its findings and submits a thorough analysis to Cyber AB.

5. Complete the Assessment and Certification Process

If the C3PAO finds your organization meets all the requirements for your level, Cyber AB will issue your official CMMC certification. However, Cyber AB will pause the approval process if it identifies gaps or deficiencies, allowing you to address the outstanding issues before you resubmit for review. If this happens, you don't need to panic. Turn to your Plan of Action and Milestones to fix any deficiencies and bring your organization into full compliance. Once you address the gaps, you must reschedule a follow-up assessment to demonstrate your organization's progress. Depending on how far off you were the first time, this could involve re-engaging with the C3PAO or completing a smaller, targeted assessment. After your team has made the necessary improvements, the reassessment process should lead to successful credentialing.

6. Maintain Compliance

CMMC certification is more than a one-and-done event. To stay compliant, your organization must continuously monitor its systems and security practices, including regularly updating its cybersecurity protocols and monitoring potential threats or vulnerabilities.
Level 1 companies must submit a self-assessment on an annual basis to prove that their organization still meets the basic cybersecurity hygiene practices required for protecting FCI. Level 2 companies renew every three years, which, depending on your contract, could involve either a third-party or self-assessment to ensure your security measures remain aligned with NIST SP 800-171 standards.

72-Hour Incident Reporting

Suppose your organization is certified at Level 2 or Level 3. In that case, you must also be ready to report any cybersecurity incidents that affect Controlled Unclassified Information (CUI) to the DoD within 72 hours. This reporting requirement means your organization should have strong incident response plans so you can quickly identify, mitigate, and report breaches or security events that may impact sensitive data.

Annual Affirmations

Level 2 and Level 3 organizations must also submit annual affirmations, formal declarations that their organization complies with the applicable security standards throughout the year. This essential step signals to the DoD that your organization continuously upholds CMMC standards.

7. Resources for Assistance

Navigating the CMMC process can feel overwhelming, but you don't have to go it alone. Numerous resources are available to help guide your organization through the various steps, from preparation to maintaining compliance. Here are a few key options to consider:
- CMMC Consulting Services: A professional consultant can guide your company through the CMMC certification process smoothly and provide valuable support in completing a gap analysis, control implementation, and preparation for third-party assessments.
- Training and Prep Courses: Organizations looking to upskill their teams should consider enrolling in training and preparation courses designed to help companies meet CMMC requirements. For example, New Horizons offers courses that provide in-depth coverage of CMMC controls, helping your team understand what's needed to comply with the framework.
- Official Resources: Finally, the DoD CMMC website is an invaluable resource for accessing official documentation, updates, and guidance related to the CMMC framework. Whether you're looking for the latest policies, scoping guidance, or certification updates, the DoD's CMMC portal should be your go-to source for staying informed.

The Time to Act on CMMC Compliance is Now

Given the timeline of 21+ months to fully prepare and achieve certification, the best time to start the CMMC process is now. Don't wait until the last minute—begin your journey toward CMMC compliance today to safeguard your business for the future. For more guidance and assistance, explore CMMC preparation courses through New Horizons and start working toward compliance now.