Navigating CMMC Certification Requirements for DoD Contractors

Protecting the organization’s infrastructure is a critical priority for IT departments in every sector. Cybercrime statistics are sobering. Attacks occur at the rate of one attack every 39 seconds, and 81% of organizations surveyed underwent a successful unauthorized intrusion. Organizations that process and store sensitive data for the government are especially vulnerable to attacks and must ensure an airtight infrastructure to prevent intrusions. Thus, making CMMC certification necessary.

Why CMMC Certification Is Necessary

For those companies that do business with the DoD, it is even more crucial that sensitive data is kept out of the hands of cybercriminals. To address this issue, the DoD launched the Cybersecurity Maturity Module Certification (CMMC) program to ensure that the companies they do business with are thoroughly protected from cyber activity. These businesses include all suppliers, commercial item contractors as well as subcontractors to larger companies. Prior to this certification requirement, companies were not subject to external audits to verify stringent data security measures.

The CMMC program, released on January 31st, 2020, officially went into effect on November 30th, 2020. By October 20th, 2025, all DoD suppliers must carry this certification. Without this certification, organizations will ultimately no longer be able to compete for DoD contracts.

The Roadmap to CMMC Certification

The roadmap given below can assist organizations in completing a successful path to CMMC certification.

Understand the Requirements of the Certification

Obtaining CMMC certification requires meticulous planning, which should start at least six months ahead of the anticipated completion date. If the company does not have a cybersecurity team, outside professionals for guidance will be needed to assist in the project.

  • A readiness assessment is the first step that can address the following concerns:
  • The impact of cybersecurity threats on the business.
  • Upcoming contracts that will affect timelines.
  • If the current IT tools and policies in place meet requirements.
  • The possibility of requiring outside resources to assist in certification.
  • Lastly, budgetary requirements for the required audits and, if applicable, costs of remediation action.

As part of assessing contractor implementation, the Defense Federal Acquisition Regulation Supplement (DFARS) requires cyber self-assessment. Complete this assessment against the National Institute of Standards and Technology (NIST) 800-171 and submit it to the DoD’s Supplier Performance Risk System (SPRS).

Identification of the Scope of the Certification

Identify if the certification is an enterprise, organizational unit, or program enclave. This will depend on the percentage of business involved in DoD projects or works with Controlled Unclassified Information (CUI).

Identification of the Required Maturity Level

According to the Chief Information Security Officer for Acquisition, Katie Arrington, “cybersecurity is not one-size-fits-all.” Therefore, there are five levels of CMMC maturity to consider.

  • Level 1- Basic Cyber Hygiene. The focus is on protecting FCI and practice basic safeguarding requirements. These measures are basic and minimal practices such as anti-virus protection and the use of strong passwords.
  • Level 2- Intermediate Cyber Hygiene. The organization can more effectively protect assets against more threats than level 1. Expect organization established policies, procedures, and plans in the implementation of their cybersecurity program at this level.
  • Level 3- Good Cyber Hygiene. This level works with CUI. At level 3, organizations consistently protect their assets and CUI. Plus, they include protection against persistent threats. This level follows all NIST SP 800-171 security controls to protect CUI as part of their overall security plan.
  • Level 4- Proactive. Level 4 organizations have substantial and proactive cybersecurity protection. Activities will be regularly reviewed, and management informed of any issues.
  • Level 5- Advanced/Progressive. Organizations at level 5 have additional practices in place with sophisticated cybersecurity protection.

Goal Level

The following factors are to be taken into consideration when determining an organization’s goal level. A level 1 Organization Seeking Certification (OSC) does not necessarily indicate it is a small, obscure company. It is possible to have a Fortune 500 organization at a level 1 if it only stores, transmits, or processes Federal Contact Information (FCI). Conversely, a small company can be as high as a level 3 OSC with a remote IT workforce model. While identifying the appropriate level, there are two approaches to consider. If the organization is a prime contractor, the bids determine the contract levels. As a sub-contractor, work with the prime to gain an understanding of what to expect to determine the level of maturity needed. Additionally, they share a Data Flow Diagram (DFD) of what regulated FCI or CUI information and with whom the information is shared can help determine this level. This diagram is also a requirement within the CMMC Certification.

Pre-Assess Using a Registered Provider Organization (RPO) or Third-Party Assessor Organization (C3PAO)

Regardless of the certification level goal, a pre-assessment can help an organization identify where improvement is needed in their cybersecurity environment. We recommend connecting with either an RPO or C3PAO to pre-assess readiness and what necessary steps to take towards CMMC certification.

Identify and Resolve Data Flow Gaps

Since every level of control must be met for CMMC certification, a more robust response than the System Security Plan (SSP) and Plans of Action and Milestones/Mitigations (POAMS) is required. The elimination of any identifiable vulnerabilities is a vital step before continuing with CMMC certification. All policies must be up-to-date with processes in place to enforce them. Strategic planning for upgraded hardware and software installations, if necessary, and training for increased cybersecurity awareness will be conducted as part of the remediation. Organizations can consider opting for cybersecurity-as-a-solution services to assist in automating security processes.  Smaller businesses who lack the do-it-yourself resources to complete the necessary tasks to pass certification can benefit from these providers. Experienced providers can supply the IT tools and policy templates as necessary.

Select a Certified C3PAO From the CMMC-AB Marketplace

There is a vast choice of companies offering assistance and advice for CMMC certification. However, it is crucial to select Certified Assessors because they are the only ones who can perform the certification audit. The CMMC-AB Marketplace provides an extensive, easily searchable database of current certified partner organizations.

Conduct the Assessment With the Certified C3PAO Team

Navigating CMMC Certification Requirements for DoD Contractors The amount of time the assessment takes is dependent on the certification level goal and the size and complexity of the organization’s system. The examination can be as short as one day for a level 1 certification or up to several weeks for higher levels for more complex studies. However, the average assessment time for an organization seeking a level 3 is approximately one week. Upon completion of the assessment, the CMMC-AB will review the results. The AB verifies the proper completion and performs a quality check. In time, the AB expects to move to a sampling approach to ensure consistency in the manner the assessments are conducted.

Resolution of Findings, If Applicable, Within 90 Days

Should the assessment reveal any issues, the organization has 90 days to resolve them.

The CMMC-AB Conducts a Repeat Review Following the Resolution of Issues

After the organization has resolved the issues found on the first assessment, the CMMC-AB will verify the results. Indeed, if the review board finds this satisfactory, they approve the certification.

The CMMC Issues a Three-Year Certification Upon Final Approval

While the end goal is the three-year CMMC certification, organizations must continue to stay up-to-date with their cybersecurity policies to continually remain in compliance. Doing so will also reduce costs and time spent on future assessments.


The Defense Industrial Base (DIB) consists of 300K companies worldwide that handle sensitive data pertaining to the development, design, production, delivery, and maintenance of U.S. defense systems and their components. CMMC certification is an essential tool that will protect the infrastructure of these vital companies from increasing cybersecurity threats.

Cybercriminals are attempting more sophisticated attacks on remote employees with security clearances that can eventually compromise DoD components. The BYOD (Bring Your Own Device) factor increases the opportunities for intrusions as most mobile devices lack necessary protection. CMMC certification will enable organizations to effectively protect their FCI and CUI information from these type of attacks. CMMC compliance also gives companies a competitive edge in securing additional contracts as they are able to demonstrate proactive measures in cybercrime threat monitoring.

As details regarding CMMC certification are continuously updated, it is important to keep updated on the latest news and information. This can be done by regularly reviewing the website for the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Agile IT is a 4x Microsoft Partner of the Year, and one of only 10 AOS-G partners authorized to license, migrate, and manage GCC High. We provide ongoing strategic services to help DOD contractors close gaps, meet CMMC and NIST 800-171 compliance requirements, and maintain their security posture. Thus, contact us to find out how we can simplify your compliance journey and schedule a free consultation.

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon

Don’t want to wait for us to get back to you?