Eight Steps to the New Cybersecurity Maturity Model Certification (CMMC) Now Required by the DoD

Defence industrial base organisations need to take action on their journey to CMMC certification. Learn about the eight steps to achieve certification.

If your company does business with the U.S. Department of Defense (DoD), you may have received a memorandum or communication that flowed down regarding compliance with the CMMC 2.0 model.

Information security experts Rhia Dancel, CMMC registered practitioner, and Tony Giles, CMMC provisional assessor, with NSF International Strategic Registrations (NSF-ISR) certainly hope so.

They encourage you to understand the CMMC requirements and take the necessary steps to achieve certification for your organization. The sooner your organization understands and complies with CMMC, the better.

The Cybersecurity Maturity Model Certification programme mandates cybersecurity requirements for companies in the defence industrial base (DIB), which includes over 350,000 firms. “CMMC is a unified standard that takes into account all the various information security standards and best practices,” Dancel says. “The goal is to protect federal contract information (FCI) and controlled unclassified information (CUI). It's a five-year, phased rollout with new DoD contracts. CMMC requirements will appear in all contracts starting in fiscal year 2026, meaning all DoD contractors will need to comply in order to bid on the work.”

“It’s the first ever mandated information security standard and one the Department of Defense is extremely interested in,” Giles says. “It wants to see organisations meet those requirements.” DoD considers the CMMC programme a vital part of the government’s response to the rising tide of cybersecurity threats.

All DoD suppliers will have to be certified to the appropriate CMMC level in order to continue doing business with DoD under the mandated CMMC requirements. NSF-ISR was named one of the first C3PAO candidates to participate in the CMMC programme.

Giles suggests that organisations start the CMMC process with a basic question: Does my organization have controlled unclassified information? This is information created or owned by the government that needs to be safeguarded and released only under proper, legal and regulated controls, such as parts for a new defence aircraft or specifications for military uniforms.

8 Steps to CMMC

Dancel and Giles recommend the following eight-step process for DoD contractors and subcontractors to achieve CMMC certification for their firms.

  • Implement and assess information security processes

    Develop a system security plan and conduct a self-assessment to NIST 800-171 standards.
  • Improve processes and submit your score

    Based on the results of your self-assessment, create a plan of action and milestones (POA&M) with target dates to achieve the maximum score of 110. Next, submit the score into the DoD’s Supplier Performance Risk System (SPRS).
  • Identify your scope

    The scope could be the whole enterprise, an organizational unit or a programme enclave. Note that the Cyber-AB, the accreditation body authorised to oversee all CMMC assessments and training, has only released the assessment guide for CMMC 2.0 Levels 1-2 so far.
  • Get a preliminary gap assessment

    This is an optional step, but still recommended. Schedule a preliminary gap assessment with an accredited, third-party assessment organization like NSF-ISR (C3PAO candidate) to identify gaps in your information security process.
  • Address gap assessment findings

    Using the analysis provided by the assessment organization, fix identified information security gaps and implement these changes in your organization.
  • Choose a C3PAO

    With those information security gaps identified and corrected, use the Cyber-AB Marketplace to identify a C3PAO like NSF-ISR, and schedule your CMMC assessment.
  • Undergo the CMMC assessment

    Conduct your CMMC assessment with your selected C3PAO. Expect the assessment to consist of four phases:

    Phase 1 kicks off with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan and doing a readiness review with NSF-ISR.

    In Phase 2, the C3PAO conducts the CMMC assessment. This starts with an opening meeting between your organization and the NSF-ISR CMMC assessment team. What follows is an analysis and review of objective evidence related to the CMMC practices, discussion of any preliminary findings and then a final output.

    Phase 3 covers post-assessment reporting. Results gathered by the assessment team are submitted to NSF-ISR, which performs a quality assurance (QA) review and forwards a recommendation to the OSC Sponsor and the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies the CMMC level recommendation.

    Phase 4 may require remediation if the assessment identifies that a company falls a few practices short of the target CMMC performance level needed. NSF-ISR forwards the remediation request to the Cyber-AB for approval. The Cyber-AB approves or denies the request.

    If approved, the 90-day clock for remediation starts. This period allows the organization to address any shortfalls in performance.

  • Get certified

    The assessment results will be reviewed by the C3PAO QA individual and uploaded into CMMC eMASS. A Final or Conditional CMMC Level 2 certification will be issued by the C3PAO depending on the assessment results. For a Final CMMC Level 2 certification, your organization is awarded a three-year CMMC certification. For a Conditional CMMC Level 2 certification, a POA&M close-out is required and, if successful, will result in a three-year CMMC certification.

Dancel and Giles acknowledge that participating in the CMMC process requires time, effort and resources. On the other hand, there is powerful motivation to participate because any DoD supplier not in compliance with CMMC requirements will not be able to do business with the Department. For many smaller firms, the resulting loss of revenue could mean the difference between staying in business or having to close their doors.

Dancel and Giles believe the best approach for companies is to be well informed and get started on the CMMC certification process well in advance of the programme deadline. They point to a competitive advantage these firms will have over their competitors when responding to DoD requests for information (RFIs) and requests for proposals (RFPs).

Ready or preparing for CMMC?

Begin the process with us or get your CMMC questions answered.
