A Guide to the CMMC 2.0 Certification Process

As cyberattacks become more prevalent, so do government cybersecurity regulations. One of the most notable regulations to emerge in the last few years is Cybersecurity Maturity Model Certification (CMMC), with the latest 2.0 iteration just a few months ago. This is the Department of Defense’s latest effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 is a simplified version of CMMC 1.0 and applies to any company bidding on DoD work, but its implications may extend beyond that. The process to become CMMC certified could be lengthy and complex depending on your existing security posture, so it’s smart to begin the work now in order to hit the 2026 deadline.

How organizations can get CMMC 2.0 certified

CMMC guidelines essentially state that companies need to have an effective cybersecurity program in place. The maturity of your security program will depend on the sensitivity of the information you would be handling through your DoD work. To simplify the certification process, the DoD is splitting contractors into three levels that align with different types of information. So the first step in becoming CMMC certified is to determine under which level your business falls.

Identifying your maturity level

Depending on the type of government information your business handles, you’ll fall into one of three maturity levels, each with its own set of guidelines. Level 1 is the lowest security level with the most basic requirements, while Level 3 is the highest level with the most advanced requirements. The DoD estimates that roughly 60% of its contractors will fall into Level 1 and fewer than 1,000 contractors will fall into Level 3. The remaining contractors will adhere to Level 2 requirements.

• Level 1: This level applies to all DoD contractors that handle FCI but not CUI. It calls for businesses to adopt the 17 basic cybersecurity practices laid out in FAR 17 and conduct annual self-assessments.
• Level 2: Contractors that handle CUI (critical or non-critical to national security), including manufacturers and any business making parts or supplying services for weapons, need to meet the 110 cybersecurity controls laid out in NIST 800-171. These controls generally require documentation and repeatable security processes. As for assessments, roughly half of all Level 2 contractors will be able to conduct annual self-assessments. The other half will need to hire a third-party assessment organization (C3PAO) to review their implementation of security controls every three years.
• Level 3: Large prime contractors, contractors that handle top-secret information, or those working on critical national security programs that could be targeted by nation-states or other Advanced Persistent Threats will need to meet the most stringent security requirements. In addition to meeting the 110 controls established in NIST 800-171, Level 3 contractors must also meet the 35 advanced controls in NIST 800-172. To ensure contractors have adequately implemented the protocols, a government team will review their security program once every three years.

Conduct an internal security assessment

Once you know to which level your organization belongs and the security requirements you must meet, you need to determine how close you are to becoming compliant. Start by looking at your security program through the lens of CMMC requirements to see which practices you meet and which you don’t, taking special note of the gaps in processes, controls, and technology.

For instance, Level 1 calls for security related to access controls, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Businesses that fall into Level 1 need to develop a security program that addresses all of these areas.

For Levels 2 and 3, you can leverage existing frameworks, like the NIST 800-171 self-assessment methodology, to get started. This framework will look at the areas identified in Level 1 as well as audit and accountability controls, security training initiatives, configuration management, incident response plans, system maintenance, personnel security, and ongoing risk assessment processes. Levels 2 and 3 call for establishing more advanced security programs which means you’ll need to ensure your security tech stack includes tools that cover all the families listed in NIST 800-171.

Develop a System Security Plan (SSP)

After conducting your security assessment, you’ll want to document the security measures you do have in place with a System Security Plan (SSP). According to NIST, an SSP is “a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.” It should include system boundaries, network diagrams, administrative roles, company security policies, information on how systems interact, incident response procedures, and more. You can use NIST’s SSP template for CUI as a starting point.

An SSP is a living document that should be updated any time a company’s security practices or procedures change. This document will be evaluated during the CMMC certification process, so it’s important to make it as detailed and accurate as possible.

Create a plan for CMMC readiness

At this point, you should understand the requirements your business needs to meet, have a document that details your existing security program, and a self-assessment that identifies the gaps between your security program and the CMMC requirements. The next step is to draw up a plan for how you’re going to close those gaps to become CMMC compliant. One way to get started is to create a Plan of Action and Milestones (PoAM). This document will identify holes in your security posture as well as how risky each hole is; it will also note how you plan to address them.

To produce a PoAM you can design your own or follow the templates of other government departments and agencies like the Defense Counterintelligence and Security Agency or FedRAMP. However it’s created, your PoAM should list out weaknesses or flaws, the security controls that will fix them, the point of contact, the scheduled completion date, the risk level, milestones and milestone completion dates, the estimated costs, status, and any other relevant information on how you plan to remedy the deficiencies.

Under the new CMMC guidelines, PoAMs can be submitted if a company doesn’t fully meet its Level requirements. However, by starting the CMMC certification prep process early, you can use the PoAM to prepare and cross items off your list before applying for certification.

Budgeting for CMMC Certification

Beyond the PoAM, your readiness plan should also include a timeline for preparing for submission and a budget for standing up your security program — or filling in identified gaps. This budget should include any fees associated with the security process, the cost of hiring a C3PAO (for Level 2 companies), and the costs of implementing the new technology, processes, and controls identified in your PoAM.

Budgetsfor becoming CMMC compliant can vary drastically because they depend on several factors, including which level your organization falls under, what your current security posture looks like, and whether you plan to complete the work in-house or through a third party.

If you’re relying on a consultant to conduct your gap analysis, you could spend anywhere from $15,000-$50,000 depending on the vendor and which requirements you need to meet. From there, you’ll need to factor in the hard costs of new tools and technology. Those expenses vary greatly depending on your CMMC level and the technology you already have in place. For instance, if your company falls under Level 3, you cannot use Office 365 or Google Workspace. You’ll need to implement a government cloud solution, which could run upwards of $50,000 for implementation alone.

Finally, if you fall into Level 2, you’ll need to factor in the costs of a C3PAO audit. This entity and process is new and pricing has not yet been announced — nor has it been determined if pricing will be regulated. But many experts are guessing those costs could come in anywhere from $15,000 to $35,000.

Find your C3PAO assessor (Level 2 only)

Level 2 companies need to hire a third-party assessment organization, or C3PAO, to assess the implementation of their security controls every three years. Cyber AB is the accreditation body that oversees all CMMC assessments, and C3PAOs are assessors who have been approved by Cyber AB to conduct and deliver CMMC assessments.

If your company falls under CMMC Level 2, you can find a C3PAO in Cyber AB’s directory. Once you have selected your provider, they can help you further assess your security program and perform a more comprehensive gap analysis to get you closer to earning your CMMC certification. You can then work with the C3PAO to schedule your CMMC assessment.

Submit for certification

When it comes time to formally apply for a CMMC certification, Cyber AB will review your application and assessment — whether it was conducted internally or by a C3PAO — to approve or deny your application for certification. If your business is approved, you will be certified for three years. Note that the C3PAO will submit your assessment and Cyber-AB will review the assessment to determine certification.

Though becoming CMMC certified is a huge win, maintaining that certification takes continuous work. Not only do you need to submit annual self-assessments or tri-annual reviews, but you also need to maintain your SSP and the security program itself to keep your certification. There are numerous benefits to maintaining a robust security program, but it can also be a significant amount of work, which is why it might make sense to partner with a third-party security expert, depending on the size and expertise of your team.

Start preparing for CMMC 2.0 compliance today

The process of preparing your organization for CMMC 2.0 compliance could easily take a year depending on your maturity level, existing security program, and internal resources. And certification will soon be required (2026) for anyone hoping to win a contract with the DoD. Companies with a healthy security posture, especially those following the NIST framework are likely in good shape. But those who need more guidance when it comes to security might need to enlist the help of an outside partner.

A managed security partner will not only help you become CMMC compliant, but it can also help you scale your cybersecurity efforts, so your organization is protected against all threats.

SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses can quickly become compliant with any level of CMMC 2.0.

Ready to begin your journey toward CMMC 2.0 compliance? Reach out to the experts at SolCyber today.