The below checklist will help you determine the steps required to start working toward CMMC compliance.

  • Review your government (e.g. DoD) contracts to identify:
    • Whether you (or your prime) are required to protect Controlled Unclassified Information (CUI).


    • If you are required to attain a specific level of CMMC compliance as part of your contract.
  • Locate, identify and hire:
    • A high-end (read: expensive) cybersecurity firm to do a one-time, point-in-time NIST/CMMC assessment for your company and leave you to do the rest.


    • Exceed I.T. as your Managed Compliance partner to be your co-pilot and navigate you through the entire process until you eventually become certified.
  • Identify all internal AND external parties (department heads) who need to be part of the baseline assessment process.
  • Work with your chosen assessment firm to complete the entire CMMC Interim-Rule (and NIST 800-171) assessment – the initial (baseline) pre-assessment can take as little as 6 weeks or up to several months. This depends on several factors, including the responsiveness of internal & external teams and being committed to this process and its urgency.
  • Get your resulting documents (known as artifacts) which can include:
    • Plan of action & milestones (PoAM)
    • System Security Plan (SSP)
    • NIST 800-171 scoring document
  • Subsequently upload all required artifacts into the DoD SPRS system to satisfy past-due requirement (from Fall 2020). **
  • Review PoAM & SSP with your IT and/or IT security provider and decide which gaps to fill first, and work toward getting all gaps completed to where you can achieve a perfect score and, eventually, pass your audit. This process can take 3 - 12 months after the initial baseline scan & gap analysis has been completed.
  • Locate auditor who has been approved to review and, if complete, certify your company as CMMC-compliant. You will be looking for a Certified third-party assessment organization (also called a C3PAO).
  • Select, engage & schedule the C3PAO to perform the final audit assessment (certified assessor).
  • Final assessment completed by C3PAO auditor. Attain certification.
  • Keep up with any changes in CMMC and to stay in compliance.

** Note: As of this writing (early 2021), the CMMC accreditation body (CMMC-AB) had still not certified auditors. The CMMC-Interim rule, released in September 2020, required that, by November 30, 2020, all DoD contractors needed to have provided a self-assessment to the Government to show their current level of compliance, regardless of their score. Most DoD contractors have not completed this, even though it is past due, and puts their business at risk.

Feeling overwhelmed? Yeah, we know it’s a lot, and may leave you with even more questions. Schedule a call with our team today and we will discuss how we can help make sense of it and take a part of this load off your shoulders, ensuring you ace your certification!