5 Steps to Get Your Organization CMMC Certified

5 Steps to Get Your Organization CMMC Certified

What is the Department of Defense Cybersecurity Maturity Model Certification?

Debuted in 2015, the Department of Defense’s (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) required certain contractors to meet the requirements of the NIST SP 800-171 cybersecurity framework by the end of 2017. This mandate was meant to provide a structure to protect the U.S. defense supply chain. Some DoD contractors attempted to become compliant through internal means, while others contracted Managed Security Service Providers. Compliance was not fully enforced, which created inconsistencies and slow adoption among contractors. In responses to these inconsistencies, the Cybersecurity Maturity Model Certification (CMMC) was born.

The new CMMC attempts to bring about a higher level of uniformity, including elements from cybersecurity standards (NIST SP 800-171 Rev. 1 and Rev. B, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933) to create one unified standard. These standards will also be used to measure a contractor’s cybersecurity maturity on a scale from Level 1: Basic Security Hygiene to Level 5: Advanced/Progressive.

Beginning October 2020, new contracts with the DoD will require contractors to have a CMMC certification at or above the certification level specified by the DoD for each new contract. This means each contractor will be required to demonstrate their cybersecurity maturity level through an audit performed by an accredited independent third-party assessor organization (C3PAO).

Why should DoD contractors and subcontractors be CMMC certified?

The DoD will require all primary contractors and their subcontractors to be CMMC certified. Current estimates project more than 300,000 companies will be affected by the new requirement, including many small-to-medium-sized businesses. For DoD contractors and subcontractors who wish to continue to bid on new work, they must be certified at or above the contract-required level by October 2020. The time is now to get ahead of the curve and take the steps necessary to be ready for your CMMC certification.

CMMC Structure

The CMMC framework is comprised of 17 domains and 43 capabilities. Within each of the capabilities there are specific Processes and Practices that measure maturity or institutionalization, as well as implementation. The process maturity component of the CMMC helps an organization institutionalize practices that both promote operational resilience and provide improved protection of sensitive information. Like the CMMC model, Processes are assessed as maturity levels (Note: Process maturity is not assessed for CMMC maturity level 1) and are repeated across all 17 domains.

Maturity Level Description

ML 1


Maturity not assessed at ML 1. Practices are assessed but is not institutionalized as a process.

ML 2


Establish a policy that includes [DOMAIN NAME]. Document the CMMC practices to implement the [DOMAIN NAME] policy.

ML 3


Establish, maintain, and resource a plan that includes [DOMAIN NAME].

ML 4


Review and measure [DOMAIN NAME] activities for effectiveness.

ML 5


Standardize and optimize a documented approach for [DOMAIN NAME] across all applicable organization units.

Table 1 CMMC Maturity Level Process Descriptions

Of the 171 practices in the CMMC model, 110 are derived from FAR Clause 52.204-21 and NIST SP 800-171r1. Of note, most practices are found within 6 domains. Those being: AC, AU, IR, RM SC, and SI (see table below).

CMMC Domain TableFigure 1 CMMC Practices Across Domains Per Level (derived from CMMC Model Version 1.0)

The following table outlines the Maturity Levels of the CMMC processes and practices. Note, an organization processing CUI must be certified at least at Level 3 – “Good Cyber Hygiene”.

Level Requirements

Level 1 - Basic Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.

Level 2 – Intermediate Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus seven new “Other”* controls.

Level 3 – Good Cyber Hygiene

In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other”* controls.

Level 4 - Proactive

In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other”* controls

Level 5 – Advanced / Progressive

In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB. plus 11 new “Other”* controls

* "Other" controls are those outside the NIST 800-171 framework identified by the DoD.

Table 2 CMMC Maturity Level Requirements

5 Steps to Prepare Your Organization for a CMMC Audit

1. Review CMMC Framework and Implement Holistic Compliance Program

As a basic introduction to CMMC, it is important to first review the framework and compare to pre-existing DFARS requirements. Organizations that have already completed a DFARS assessment and System Security Plan will be pleased to see the similarities between the two. Once your organization understands the compliance landscape, you should formalize an internal Compliance Program with a designated Data Protection Officer. This individual should be responsible for coordinating all CMMC-related activities, including the third-party certification process (step 5).

2. Identify Target CMMC Maturity Level and Applicable Controls

Each organization will have a target CMMC Maturity Level based on the types of DoD contracts they have and the classifications of data being stored, transmitted, or processed. Organizations certified at Levels 1 and 2 are authorized to be provided Federal Contract Information. These levels are reserved mostly for small organizations and subcontractors.

If Controlled Unclassified Information (CUI) or Covered Defense Information (CDI) is required, an organization will have to be certified at Level 3 or higher. It is expected that most large prime contractors processing CUI and CDI data will need to be certified at Levels 4 or 5. Once you understand your target level, you can identify the applicable CMMC controls for your organization.

3. Utilize Internal Audit Function for Self-Assessment

DoD contractors with the necessary resources should use a self-assessment to prepare themselves for a CMMC audit. Although only covering NIST SP 800-171 Rev. 1, internal IT departments can reference the “Self-Assessment Handbook – NIST Handbook 162”, which covers the controls needed for Levels 1 – 3. A self-assessment handbook for NIST SP800-171 Rev. B does not currently exist, but references to the draft can be helpful. In addition to a self-assessment, it may be necessary to perform a CMMC readiness assessment and develop a CMMC Roadmap to help remediate identified gaps (Step 4).

4. Perform a CMMC Readiness Assessment and Create CMMC Roadmap

Given the importance of passing your first CMMC audit, performing a readiness assessment and creating a cybersecurity roadmap may be a preferred route for DoD contractors before certification. These steps will enable your organization to see what will be required to achieve the desired CMMC Maturity Level.

In general, it is important to identify:

    • Applicable CMMC controls
    • Your security organization’s current maturity level
    • Gaps and areas for improvement

For organizations that face resource constraints or do not have an internal audit function, utilizing a third-party for this assessment may be beneficial. Revolutionary Security has the experience to assist organizations with building and improving cybersecurity programs to meet complex compliance requirements.

5. Engage an Independent Firm to Review Your Current Program and Address Gaps

For DoD contractors, the sole path to CMMC certification is through an accredited third-party audit of your cybersecurity maturity. As of the date of this article, the DoD and the CMMC Accreditation Body have not yet announced how these third-party assessors will be selected, trained, and accredited to perform CMMC assessments and certify organizations. Today, there are simply no accredited assessors for DoD contractors to engage. In the meantime, organizations should evaluate their current and desired states and work to address the gaps. An important part of this process is to engage an independent third-party to review your current practices, identify capability and evidence gaps, and help remediate gaps ahead of the official audit. Independent firms bring fresh perspectives and solution approaches. Unencumbered by prior knowledge, biases, or advocacy, third-party consultants will see your cybersecurity program similarly to how the accredited assessors will. Additionally, there is good value in having your team undergo mock audits in preparation for the official certification assessment.  

Our team of assessors have Defense industry experience performing DFARS assessments for some of the largest defense contractors in the nation. While CMMC is a new and evolving requirement, we apply expertise gained delivering NIST and industry-standard framework assessments to critical infrastructure environments to ensure that your company is positioned for success.

Request a Meeting


Which Transient Cyber Asset Model is Right for Your Organization?
6 Steps to Effectively Identify Cybersecurity Gaps