How to Prepare Your Business for CMMC 2.0 Certification

How to Prepare Your Business for CMMC 2.0 Certification

Avatar photo
Charles Ho
7 min read
Share this article:

When it comes to national security, the Department of Defense (DoD) is focused on setting up the best protections against attacks on the ground, in the air, and online. The Pentagon is fending off millions of attacks each day as bad actors try to steal government secrets being passed between government officials, DoD employees, and contractors. The stakes are high and the DoD cannot take any risks, especially with contractors. Creating compliance standards is the only way to guarantee DoD information is safe regardless of where it is in the supply chain.

The DoD’s latest effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) is by introducing the Cybersecurity Maturity Model Certification (CMMC) 2.0. These new compliance standards are an iteration of CMMC 1.0 and will apply to all entities that want to place a bid to conduct business with the DoD.

What is CMMC 2.0?

CMMC 2.0 is a framework that ensures all DoD contractors have the appropriate security controls in place so sensitive government intelligence can’t be intercepted at any point in the logistics system. All 300K+ DoD contractors and their subcontractors must meet the requirements set out in CMMC 2.0 by 2026 to continue working with the DoD.

The new version of CMMC draws heavily from the National Institute of Standards and Technology (NIST) framework, specifically NIST 800-171, and is broken up by maturity levels.

Understanding Maturity Levels

CMMC 2.0 has condensed the maturity levels from five to three in its latest update.

The designated levels dictate whether a business can conduct a self-assessment or if they need to hire a third-party assessment organization (C3PAO) to review the controls in place. In either case, all submissions are reviewed by Cyber AB to secure the final certification.

The first step to becoming CMMC 2.0 compliant is determining which level your business falls into and understanding the controls associated with that level.

Level 1: 17 Practices Required

The DoD estimates that roughly 60% of its contractors will fall into Level

1, which applies to all DoD contractors that handle FCI but not CUI. As the lowest security level, Level 1 requirements haven’t changed drastically from CMMC 1.0 and include 17 basic cybersecurity practices that are primarily related to access control and physical protections.

Because Level 1 contractors aren’t handling sensitive information, and practices can be performed ad-hoc without documentation, annual self-assessments are now allowed under CMMC 2.0. Though Level 1 requires the fewest controls and is the easiest route to certification, applying these controls in a way that earns certification will still be a heavy lift for businesses. For assured success, it’s necessary to start early and rely on the expertise of skilled security professionals.

Level 2: 110 Practices Required

This level applies to contractors handling CUI both critical and non-critical to national security. It will apply to many manufacturers as well as any business making parts or services for weapons. The requirements at this level are quite a bit more advanced than Level 1 and require documentation and building repeatable security processes. Contractors in Level 2 need to meet the compliance standards laid out in NIST 800-171.

When it comes to assessments, Level 2 contractors are split into two subcategories: those handling critical national security information and those handling non-critical national security information. Contractors that handle non-critical national security information can conduct an annual self-assessment. Those handling critical national security information (roughly half of all Level 2 companies) will need to hire a C3PAO to assess the company’s implementation of security controls. Additionally, these C3PAO assessments will need to be repeated every three years.

Level 3: 110+ Practices Required

This is the top security level and applies to contractors that handle top-secret information or those working on critical national security programs that could be targets of attacks from nation-states or other Advanced Persistent Threats (APT). According to the DoD, fewer than 1,000 contractors will fall into Level 3.

Level 3 calls for 35 advanced controls from NIST 800-172 in addition to the 110 controls established in NIST 800-171. Contractors who fall into Level 3 won’t be allowed to conduct self-assessments, nor will they be assessed by a C3PAO. A government team will be tasked with conducting the assessment every three years.

How to Prepare Your Business for CMMC 2.0 Certification - SolCyber

To be considered compliant, businesses must adhere to both the practices and processes laid out in their level’s requirements. Practices, also known as controls, refer to the technical activities a business engages in to meet requirements, whereas processes measure a business’s maturity in implementing cybersecurity procedures to meet the requirements. If a business meets the practices of Level 3 but only the processes of Level 2, it would need to be certified at Level 2.

How to become CMMC compliant

All organizations that work with the DoD need to be CMMC certified by 2026 so it’s best to start now because establishing the appropriate security practices and processes will require some effort. Becoming CMMC compliant first requires that you determine which level your company falls into, and then that you adhere to the requirements of that level.

 High-level CMMC requirements 

The requirements of each level generally relate to how government data is stored and transmitted, who has access to that data, whether or not those people have been trained on cybersecurity best practices, which security protocols have been implemented at your business, and what kind of incident response plan is in place. The full list of requirements is laid out in NIST 800-171 and NIST 800-172, but the CMMC breaks down the requirements into 17 core domains, which include:

  1. Access Control
  2. Asset Management
  3. Audit and accountability
  4. Awareness and training
  5. Configuration management
  6. Identification and authentication
  7. Incident response
  8. Maintenance
  9. Media protection
  10. Personnel security
  11. Physical protection
  12. Recovery
  13. Risk management
  14. Security assessment
  15. Situational awareness
  16. System and communications protection
  17. System and information integrity

Once you understand where your company sits and which types of controls you need to put in place, it’s time to get started.

Steps for attaining CMMC compliance

Once you have identified which level your business belongs to and have reviewed the practices associated with that level, you can begin to prepare your organization for the compliance review. Though your level will determine the exact path to certification, the steps below will serve as a basic outline.

  1. Conduct a gap analysis: Review the practices you need to meet and conduct a self-assessment using the NIST 800-171 self-assessment methodology, which will give you an assessment score (the perfect score being 110).
  2. Create a plan of action: Based on your assessment, you’ll need to create a POA&M that outlines how you’ll address shortcomings so you can achieve the perfect 110 score. This includes the action items, milestones, and target dates for completion, as determined by your maturity level. This POA&M will likely include things like implementing multi-factor authentication, hosting cybersecurity training for your employees, developing an incident response plan, limiting privileged account access, investing in endpoint detection and response technology, maintaining audit logs of which users access information and when, setting up firewalls, managing access to physical devices and servers, and putting a process in place for timely patching.
  3. Submit to SPRS: Next, you’ll submit your score and POA&M into the DoD’s Supplier Performance Risk System (SPRS).
  4. Choose a C3PAO (Level 2 only): Level 2 companies that handle critical national security information will need to undergo an assessment by an accredited C3PAO chosen from the Cyber AB Marketplace. Once you’ve selected a provider, you can schedule your CMMC assessment.
  5. Submit for certification: Whether your assessment was completed in-house or by a C3PAO, Cyber AB will review it and decide on certification.If your business is approved, you will be certified for three years.

How a Managed Security Program Provider can help

Obtaining CMMC compliance is vital for any business that wants to start, or continue, doing business with the Department of Defense. The process can be intense regardless of which level a business is applying for, and bringing in security experts can help with the undertaking.

A managed security program provider, like SolCyber, can help you assess your organization, address any shortcomings, and get you get CMMC certified faster. They can also provide the ongoing tools, support, and monitoring services you need to maintain your certification status year after year. Furthermore, there are downstream benefits to your business, beyond a DoD contract, which you can read here.

SolCyber is here to make achieving CMMC 2.0 compliance a breeze. SolCyber’s Foundational Coverage GOV Edition services come with the tools and infrastructure you need right now and in the future.

Reach out to the SolCyber experts today to start the process for CMMC 2.0 compliance and future certification.

Update: In May 2024, NIST released a new update to its NIST SP 800-171 and NIST SP 800-171A frameworks, which are tied to CMMC certification requirements. This new revision, titled Revision 3 (or r3 for short), makes some tangible changes to previous versions. However, at the time of this writing, CMMC certification is still reliant on NIST SP 800-171r2, so the below article is still applicable. If that changes, we’ll have a new post detailing how the new revision affects CMMC.

Avatar photo
Charles Ho
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

The world doesn’t need another traditional MSSP or MDR or XDR.
What it requires is practicality and reason.

And security that won’t let you down. It's time to put an end to the cyber insanity once and for all.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!


Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

SolCyber. All rights reserved
Made with
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo