
If your company serves the U.S. Department of Defense (DoD), you’ve probably come across the buzz concerning adherence to the Cybersecurity Maturity Model Certification (CMMC), commonly referred to as CMMC 2.0.

Be assured, CMMC is more than the latest buzz. It’s a U.S. government framework designed to enhance cybersecurity measures and ensure the protection of Controlled Unclassified Information (CUI) in the U.S. defense supply chain.

Beginning October 1, 2026, compliance with CMMC will become mandatory for managed service providers (MSPs), managed security service providers (MSSPs), and others who do business with the DoD or its various supply chain partners.

If your organization falls into this category, you’ll need to grasp the intricacies of CMMC compliance, the requirements involved, and the significant implications at stake.


How to become CMMC compliant as an MSP

If your organization is looking to navigate the path to CMMC compliance, make sure to follow the seven steps outlined below to ensure your organization meets the requirements and secures your place within the U.S. defense supply chain.

1. Implement and assess information security processes: Develop a system security plan and conduct a self-assessment to NIST 800-171 standards.

2. Improve processes and submit your score: Based on the results of your self-assessment, create a plan of action and milestones with target dates to achieve a maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).

3. Identify your scope: It could be the enterprise, organization, unit, or program enclave. Note that the Cyber-AB, the accreditation body authorized to oversee all CMMC assessments and training, has only released the assessment guide for CMMC 2.0 Levels 1-2 so far.

4a. Get a preliminary gap assessment: This is an optional step, but recommended. Schedule a preliminary gap assessment with an accredited, third-party assessment organization like NSF-ISR to identify gaps in your information security process.

4b. Address gap assessment findings: Using the analysis provided by the assessment organization, fix identified information security gaps and implement these changes in your organization.

5. Choose a C3PAO: With the information security gaps identified and corrected, use the Cyber-AB Marketplace to identify a CMMC Third Party Assessor Organization (C3PAO) like NSF-ISR, and schedule your CMMC assessment.

6. Undergo the CMMC assessment: Conduct your four-phase CMMC assessment with your selected C3PAO:

  • Phase 1: Involves pre-assessment planning and gathering initial scope information, completing an artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan, and doing a readiness review with NSF-ISR.
  • Phase 2: The C3PAO conducts the CMMC assessment, beginning with a meeting between your organization and the NSF-ISR CMMC assessment team, followed by an analysis and review of objective evidence related to the CMMC practices, discussion of any preliminary findings, and then a final output.
  • Phase 3: Results gathered by the assessment team are submitted to NSF-ISR, who performs a quality assurance (QA) review and forwards a recommendation to the OSC Sponsor and the CMMC-AB, triggering a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies CMMC-level recommendations.
  • Phase 4: If the assessment identifies that your company falls a few practices short of the target CMMC performance level, you may require remediation. NSF-ISR forwards the remediation request to Cyber-AB for approval. Cyber-AB approves or denies the request. If approved, the 90-day clock for remediation starts, allowing you time to address any shortfalls in performance.

7. Obtain certification: The Cyber-AB reviews the assessment submitted by the C3PAO and makes a final decision on certification for your organization. Once the Cyber-AB approves a submitted assessment, the accreditation body notifies your organization and the C3PAO, and your three-year CMMC certification is awarded.

Levels of CMMC compliance

Keep in mind that there are three levels of certification, and you’ll need to choose the level that best suits your organization:

  • Level 1 – Foundational: Must implement the same fifteen “basic” safeguarding controls as FAR 52.204-21 to protect Federal Contract Information (FCI) and controlled unclassified information (CUI). Level 1 requires annual self-assessments and certifications.
  • Level 2 – Advanced: Requires the 110 controls in NIST SP 800-171. Information that is critical to national security is prioritized, while information that isn’t critical to national security is non-prioritized. Level 2 requires a third-party assessment (C3PAO) every three years for prioritized acquisitions, and annual self-assessment and certification for non-prioritized acquisitions.
  • Level 3 – Expert: In addition to the 110 controls required for Level 2 certification, Level 3 requires compliance with NIST SP 800-172. It also requires triennial government-led assessments.

CMMC compliance checklist

Sourced and condensed from encryption authority Preveil’s guide, here is a comprehensive checklist to help you track your CMMC compliance progress.

1. Determine your CMMC level based on the type of data you handle:

  • Assess whether your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to determine the necessary level of CMMC compliance.
  • Review your contracts to identify the level specified by DoD or other government agencies to ensure you are in compliance.

2. Designate a compliance point person:

  • Assign a single person within your organization to own the CMMC compliance process and coordinate efforts across various departments to ensure timely implementation of compliance measures, and liaise with external parties if necessary.

3. Identify and limit the scope of CUI within your environment:

  • Determine where CUI resides within your organization’s systems and networks.
  • Streamline the CUI environment to minimize the number of endpoints and personnel with access, in order to reduce complexity and costs.
  • Restrict the scope of CUI to reduce the attack surface and enhance the effectiveness of your security measures.

4. Restrict access to CUI to critical personnel:

  • Limit access to CUI only to individuals who require it for their job responsibilities.
  • Implement robust access controls and authentication mechanisms to prevent unauthorized access to sensitive information.
  • Restrict access to essential personnel and organizations to mitigate the risk of data breaches and unauthorized disclosures.

5. Select compliant technologies for CUI protection:

  • Choose technology solutions that meet the stringent security requirements for protecting CUI.
  • Ensure selected technologies incorporate encryption standards such as FIPS 140-2 validation for securing CUI during transmission and storage.
  • Ensure compliance with the Federal Risk and Authorization Management Program (FedRAMP) standards if you’re a cloud service provider (CSP) hosting CUI.

6. Retain a CMMC Registered Practitioner (RP), if desirable:

  • Consider engaging a CMMC RP to assist in implementing technologies, organizing documentation, and identifying compliance gaps.
  • While optional, hiring a registered provider organization (RPO) can streamline the compliance journey and ensure thorough preparation for assessment.

7. Develop a comprehensive System Security Plan (SSP):

  • Create a detailed System Security Plan (SSP) that outlines your organization’s cybersecurity program and how it meets the required controls. The SSP serves as a roadmap for assessors when demonstrating compliance with NIST 800-171 or other relevant standards.
  • Regularly update the SSP to reflect changes in the organization’s systems and security posture.

8. Establish a Plan of Action and Milestones (POA&M):

  • Identify controls that are not fully met and develop a Plan of Action and Milestones (POA&M) to address deficiencies.
  • Outline specific actions, timelines, and resources required to remediate non-compliant controls.
  • Regularly review your POA&M, update it, and track progress towards your compliance goals.

9. Conduct a self-assessment against NIST 800-171A:

  • Perform a thorough self-assessment against the objectives outlined in NIST 800-171A to gauge compliance readiness, evaluate strengths and weaknesses, and inform remediation efforts.
  • Assess adherence to all relevant controls and objectives to ensure alignment with the desired CMMC level.

10. Remediate any identified security gaps:

  • Address identified security gaps by implementing the necessary measures outlined in the POA&M.
  • Prioritize remediation efforts based on the severity and impact of each security gap.
  • Close any noted security gaps to strengthen overall cybersecurity posture and enhance readiness for assessment.

11. Optionally, seek final review from an RPO or C3PAO:

  • Consider engaging an RPO or Certified Third-Party Assessment Organization (C3PAO) for a final review before the formal assessment to ensure readiness and identify any remaining compliance gaps.

12. Schedule a C3PAO assessment for certification:

  • Arrange for a C3PAO to conduct the formal assessment for CMMC certification.
  • Complete the assessment and await your results.

Tips to make CMMC compliance easier

Transitioning to CMMC certification may seem daunting, but you can simplify the process by leveraging existing frameworks and certifications that align with CMMC standards. CMMC draws heavily from established cybersecurity frameworks, so you have an opportunity to glean knowledge and understanding from frameworks that are already in use.

Among these frameworks is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which offers comprehensive guidelines for managing cybersecurity risks. Adopting the NIST CSF enables you to harmonize its practices with CMMC requirements ahead of time, ultimately facilitating a smoother certification journey.

Additionally, certifications like FedRAMP, FISMA, ISO 27001, and NIST SP 800-171 complement CMMC objectives. Leveraging these resources not only aids in achieving CMMC compliance but also enhances overall cybersecurity resilience. Embracing these frameworks empowers your organization to demonstrate robust compliance while fortifying your security posture.

Frequently asked questions (FAQs)

CMMC is a highly complex, costly, and lengthy process with many advantages and challenges. It’s important to understand that it is not a one-time achievement but an ongoing commitment to maintaining cybersecurity readiness. Keep in mind, if your organization chooses to pursue the certification, it must be prepared to continually monitor and update its security measures to adapt to evolving threats and regulatory changes.

Here are some frequently asked questions about CMMC:

What is Cybersecurity Maturity Model Certification (CMMC)?

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. DoD to enhance the cybersecurity posture of the Defense Industrial Base (DIB). It establishes a framework of cybersecurity requirements for organizations that work with DoD, to safeguard CUI and FCI from cyberthreats.

Building upon existing cybersecurity standards and best practices, it integrates elements from frameworks such as NIST Special Publication 800-171, ISO 27001, and others.

Certification under CMMC is required for all DoD contractors and subcontractors, including suppliers and vendors, across the defense supply chain. CMMC involves undergoing assessment by accredited third-party assessors to demonstrate compliance with the prescribed cybersecurity requirements for the applicable certification level.

By implementing CMMC, the DoD aims to strengthen the overall cybersecurity resilience of its supply chain, reduce the risk of data breaches and intellectual property theft, and ensure the protection of sensitive government information.

Who needs to get CMMC certified?

Anyone who provides services to organizations or agencies within the DIB or subcontracts for DoD will need to obtain the appropriate level of CMMC certification. The process can be costly, resource-intensive, and time-consuming, so you’ll need to determine whether pursuing CMMC certification aligns with your organization’s strategic goals and market opportunities.

If working with DoD contractors or subcontractors is a significant part of your business, obtaining CMMC certification may be essential for maintaining competitiveness and compliance. If not, and if you are comfortable pivoting your business model away from DoD contracts, you can avoid the labor and costs associated with certification.

What is the deadline for CMMC compliance certification?

The deadline for CMMC compliance is October 1, 2026 for all MSPs, MSSPs, and any other organizations who do business with DoD and its supply chain contractors.

Although that deadline might seem far off, it can take 12-18 months to complete the CMMC compliance certification process before you even begin the assessment itself — so you should start as soon as possible.

How much does CMMC compliance cost?

The cost to support a Level 1 self-assessment and affirmation (not including the security implementation) would be between $4,000 and $6,000, depending on the size of your company.

The cost of a Level 2 self-assessment and related affirmations is estimated between $37,000 for small entities and nearly $49,000 for larger entities. A Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations).

The total cost of a Level 3 certification assessment includes the expenses associated with a Level 2 certification assessment and the outlays for implementing and assessing the security requirements specific to Level 3. For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the security mandates for Level 3 are $490,000 and $2.7 million, respectively. The projected cost of a certification assessment is more than $10,000 (including the triennial assessment and affirmation and two additional annual affirmations).

For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000 (including the triennial assessment and affirmation and two additional annual affirmations).

How long does it take to get CMMC certified?

The process takes the average organization 12 to 18 months to complete the seven steps of CMMC compliance enumerated above, plus another 9 to 15 months to obtain the assessment.

Bottom line: CMMC compliance is costly, but will pay off long-term

For MSPs seeking CMMC compliance, there’s a great deal both to consider and undertake. Taking a proactive approach, fully understanding the specific requirements, how to meet them, and the scope of what’s involved, and investing in the necessary resources are all crucial factors your organization needs to address.

You also need to factor in that the timeline for certification can vary from approximately one to three years depending upon the certification level you choose to pursue, and that the costs for certification can be considerable and variable based on factors such as your certification level, organization size, and existing cybersecurity posture.

That said, by investing in the compliance process, you can secure government contracts and bolster your reputation as a trusted cybersecurity partner ahead of your peers in an increasingly regulated landscape.
