Preparing for CMMC Deadline: A Step-by-Step CMMC Guide
Step 1: Identify IT Systems in Scope
The foundation of CMMC preparation is understanding exactly what systems and environments fall within the scope of certification requirements. A critical concept that many contractors initially misunderstand is that CMMC certification applies to specific IT systems rather than to entire organizations. This distinction has important implications for how contractors approach compliance and where they focus their resources.
The process of identifying in-scope systems begins with understanding what information those systems will handle. Systems that process, store, or transmit Federal Contract Information or Controlled Unclassified Information must meet CMMC requirements appropriate to the sensitivity of that information. Systems that have no access to FCI or CUI fall outside the scope of CMMC assessment, even if they’re part of the same organization.
This system-specific approach enables companies to tailor their compliance efforts by creating dedicated environments for handling sensitive government information, rather than bringing their entire corporate IT infrastructure up to CMMC standards. A contractor might, for instance, establish a separate network segment with enhanced security controls specifically for work involving CUI, while maintaining less stringent controls on corporate networks used for commercial business. This boundary-drawing exercise, often referred to as CUI scoping, is one of the most crucial strategic decisions companies make during CMMC preparation.
Effective CUI scoping requires careful analysis of business processes to understand where government information flows and what systems must access it. Many companies discover through this analysis that CUI has been created more widely than they realized, residing on employee laptops, email systems, file shares, and cloud services that weren’t originally intended to house sensitive information. Addressing this sprawl by consolidating CUI into defined, controlled systems is often a significant undertaking, but is essential for both security and efficient compliance.
Step 2: Obtain a CAGE Code
Before proceeding far into CMMC preparation, businesses need to ensure they have a Commercial and Government Entity Code, the unique identifier used throughout the federal contracting system. The CAGE code serves as the key that links an organization to its contracts, past performance records, and compliance information in various government databases, including the Supplier Performance Risk System, where CMMC assessment results are recorded.
Companies new to defense contracting can obtain a CAGE code through the System for Award Management registration process. The registration requires providing basic organizational information, identifying points of contact, and completing representations and certifications regarding business size, ownership, and other characteristics relevant to federal contracting. While obtaining a CAGE code is relatively straightforward, the process can take several weeks, so organizations should initiate registration early rather than waiting until they need to submit CMMC assessment results.
For businesses that already have CAGE codes from previous government contracting, it’s important to verify that the code information is current and accurate. Changes to a company’s name, address, ownership, or structure may require updating CAGE code information. Additionally, businesses operating multiple facilities or business units must determine whether they need separate CAGE codes for each location or if a single code will suffice for the entire organization. These administrative details may seem mundane, but incorrect or outdated CAGE code information can create complications when attempting to register assessment results or respond to contract solicitations.
Step 3: Determine Your Required Maturity Level
Understanding the level of CMMC certification your organization requires is essential for planning the scope, timeline, and budget of your compliance efforts. This determination isn’t always as straightforward as it may seem, particularly for companies that work on multiple contracts with varying information handling requirements or that serve as subcontractors to various prime contractors with differing security expectations.
The starting point for determining the required maturity level is assessing your data footprint, specifically, what types of government information you handle or expect to handle in the course of your work. Businesses that handle only Federal Contract Information, such as contract pricing or delivery schedules, will typically require only Level 1 certification. Those who receive or generate Controlled Unclassified Information will need Level 2 certification at a minimum. Level 3 requirements are generally specified explicitly in contracts involving the most sensitive programs and technologies.
For prime contractors, the contract solicitation itself will specify the required CMMC level, eliminating ambiguity about what’s needed. However, businesses pursuing multiple contracts may find that different opportunities require different levels, forcing a choice between maintaining separate certifications for separate systems and achieving the highest level needed across all in-scope systems to maximize flexibility.
Subcontractors face additional complexity in determining the required levels because their requirements are derived from the prime contractor’s obligations. A subcontractor needs to understand not just what level the prime contract requires but what level of information will actually be passed to the subcontractor. A thoughtful prime contractor will clearly communicate flow-down requirements. However, subcontractors should proactively discuss CMMC expectations during the subcontracting negotiation process, rather than discovering these requirements after contracts are signed.
Step 4: Conduct a Gap Analysis
Once you understand the level of certification you need, the next critical step is to assess your current cybersecurity posture honestly relative to those requirements. This gap analysis serves as a roadmap for your compliance journey, identifying what needs improvement, what can remain as-is, and what priorities should guide your remediation efforts.
A thorough gap analysis evaluates each required security control against your current implementation to identify any gaps. For Level 1, this means examining your practices against the 15 foundational requirements, documenting how each is currently addressed, and determining where practices fall short. For Level 2, the analysis becomes substantially more complex, requiring evaluation against all 110 NIST SP 800-171 controls across 14 security domains. Each control must be examined not only for whether something related to it exists, but also whether the implementation fully meets the intent and specifics of the requirement.
The gap analysis process typically reveals several categories of findings. Some controls may be fully implemented and well-documented, requiring little additional work. Others may be partially implemented, requiring enhancements or formalization of informal practices. Still others may be absent, requiring new investments in technology, process development, or policy creation. Understanding the distribution of findings across these categories enables organizations to prioritize remediation efforts and allocate their budget effectively.
Many businesses struggle during gap analysis with understanding what “fully implemented” actually means for each control. The NIST SP 800-171 controls, while comprehensive, are sometimes written in general terms that allow for interpretation. Should multi-factor authentication be required for all users or just privileged accounts? What constitutes adequate encryption? How frequently must security assessments be conducted? These questions often require expertise in both cybersecurity and the specific expectations of CMMC assessors. Companies that attempt gap analysis without adequate expertise usually develop unrealistic assessments of their readiness, either underestimating the work required or implementing controls that don’t fully satisfy requirements.
Step 5: Develop Required Documentation
CMMC compliance isn’t just about implementing security controls; it’s about documenting those implementations in a way that demonstrates to assessors that the requirements are met. The documentation requirements for CMMC are substantial, requiring organizations to create detailed plans, procedures, and evidence repositories that may represent a significant departure from previous informal approaches to security.
The System Security Plan serves as the cornerstone of CMMC documentation. The SSP is a comprehensive document that describes the information system being assessed, the security controls implemented to protect that system, and how those controls satisfy CMMC requirements. A well-developed SSP includes detailed descriptions of the system boundary, the sensitivity of information processed, network architecture and components, security control implementations, and responsibilities for maintaining security. The SSP isn’t a one-time deliverable but rather a living document that must be maintained and updated as systems change or new risks emerge.
Creating an effective SSP requires both technical knowledge and documentation skills that many organizations lack internally. The document must be detailed enough to demonstrate thorough control implementation, but organized and written in a way that allows assessors to evaluate it efficiently. Poor SSP quality is one of the most common reasons organizations struggle during assessments, as assessors waste time trying to understand incomplete or poorly organized documentation rather than efficiently validating controls.
The Plan of Actions and Milestones addresses a reality that many organizations face: achieving 100% compliance before the first assessment may not be feasible. The POA&M documents security controls that are planned but not yet fully implemented, identifying specific gaps, the planned remediation approach, resources required, responsible parties, and target completion dates. A well-developed POA&M demonstrates to assessors and government customers that, although a business may not be perfect today, it has a credible plan for achieving full compliance within a reasonable timeframe.
Beyond the SSP and POA&M, companies need to develop numerous supporting documents including incident response plans detailing how security events will be detected, analyzed, and addressed; risk assessments identifying threats, vulnerabilities, and impacts to organizational systems; security policies and procedures governing everything from access control to media protection; and system inventories documenting all hardware, software, and data in the assessed environment. The documentation burden should not be underestimated, particularly for organizations without existing mature cybersecurity programs.
Step 6: Perform Self-Assessments
Whether your ultimate compliance path requires third-party assessment or not, conducting a thorough self-assessment is a critical step in CMMC preparation. For Level 1 and Level 2 non-prioritized acquisitions, the self-assessment serves as your official compliance documentation. For Level 2 prioritized acquisitions requiring C3PAO assessment, the self-assessment serves as essential preparation, helping identify and remediate issues before the formal evaluation.
The self-assessment process requires systematically evaluating each security requirement, documenting its implementation, gathering evidence of implementation, and honestly scoring compliance. The Department of Defense provides assessment methodologies and scoring guidance that organizations must follow, with specific evaluation objectives for each control. The assessment isn’t simply a checklist exercise; it requires a critical evaluation of whether implementations are effective and sustainable.
Accessing the official self-assessment process requires registration in the Supplier Performance Risk System, the Department of Defense system of record for contractor cybersecurity information. Organizations log into SPRS using their CAGE code credentials, select the appropriate assessment type based on their required level, and work through the assessment methodology. The system guides users through each requirement, prompting them to provide implementation descriptions and scoring.
One of the most common mistakes organizations make during self-assessment is inflating scores to present a rosier picture than reality warrants. This temptation is understandable given the competitive pressures of contracting, but it’s ultimately counterproductive. For self-assessments that serve as official compliance documentation, inaccurate scoring constitutes misrepresentation that can result in serious consequences. For self-assessments that precede third-party evaluation, inflated scores can delay the identification of issues that will eventually be discovered during the formal assessment, potentially leading to assessment failures or requiring costly remediation under time pressure.
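The gap analysis in Step 4 and the self-assessment scoring in Step 6 follow the same mechanics: each requirement is marked implemented or not, each unimplemented requirement costs points, and everything that costs points becomes a POA&M line. The script below is an added example, not part of the original guide or any DoD tool. It applies the DoD NIST SP 800-171 Assessment Methodology scoring rule (start at 110, subtract a weight of 5, 3 or 1 per unimplemented requirement, with partial credit only for 3.5.3 MFA and 3.13.11 FIPS-validated encryption). The control identifiers are real NIST SP 800-171 requirement numbers, but the weights, statuses and evidence strings are constructed sample data, not the official weight table, and the `owner`/`target_date` fields are placeholders.

```python
"""Gap-analysis tracker and SPRS-style score calculator (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

MAX_SCORE = 110          # a perfect score; every unimplemented requirement subtracts its weight
TOTAL_REQUIREMENTS = 110  # a submitted score must cover all 110 NIST SP 800-171 requirements
VALID_WEIGHTS = {1, 3, 5}

# The only two requirements that earn partial credit: the deduction falls from 5 to 3
# when MFA covers privileged and remote users but not general users (3.5.3), or when
# encryption is in place but not FIPS-validated (3.13.11).
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"


@dataclass
class Control:
    control_id: str
    title: str
    weight: int                      # sample weight; official values come from the DoD methodology
    status: Status
    evidence: list[str] = field(default_factory=list)  # artifacts an assessor would ask to see

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5")


def deduction(control: Control) -> int:
    """Points lost for one requirement under the 'implemented or not' rule."""
    if control.status is Status.IMPLEMENTED:
        return 0
    if control.status is Status.PARTIAL and control.control_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control.control_id]
    # Any other partial implementation scores exactly like a missing one.
    return control.weight


def sprs_score(controls: list[Control]) -> int:
    """Score the way SPRS expects it: 110 minus the weighted deductions."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def gap_summary(controls: list[Control]) -> dict[str, list[str]]:
    """Bucket requirements into the three categories a gap analysis reports."""
    summary: dict[str, list[str]] = {s.value: [] for s in Status}
    for c in controls:
        summary[c.status.value].append(c.control_id)
    return summary


def poam_entries(controls: list[Control]) -> list[dict]:
    """Every requirement that costs points needs a POA&M line with an owner and a date."""
    return [
        {"control_id": c.control_id, "title": c.title, "deduction": deduction(c),
         "owner": "TBD (placeholder)", "target_date": "TBD (placeholder)"}
        for c in controls if deduction(c) > 0
    ]


def unassessed_count(controls: list[Control]) -> int:
    """How many of the 110 requirements still have no recorded status."""
    return TOTAL_REQUIREMENTS - len({c.control_id for c in controls})


# Constructed sample: eight of the 110 requirements, with illustrative weights and statuses.
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users", 5, Status.IMPLEMENTED,
            ["AD group membership export", "access request tickets"]),
    Control("3.1.2", "Limit access to permitted transactions and functions", 5, Status.IMPLEMENTED,
            ["role matrix"]),
    Control("3.2.2", "Train personnel for their assigned security duties", 3, Status.IMPLEMENTED,
            ["training completion report"]),
    Control("3.3.1", "Create and retain system audit logs", 5, Status.NOT_IMPLEMENTED),
    Control("3.4.7", "Restrict nonessential programs, ports and services", 1, Status.NOT_IMPLEMENTED),
    Control("3.5.3", "Use multifactor authentication", 5, Status.PARTIAL,
            ["MFA enforced for admins and VPN only"]),
    Control("3.8.3", "Sanitize media before disposal or reuse", 5, Status.PARTIAL,
            ["informal practice, no procedure"]),
    Control("3.13.11", "Employ FIPS-validated cryptography for CUI", 5, Status.PARTIAL,
            ["TLS enabled, modules not FIPS-validated"]),
]

if __name__ == "__main__":
    print("Gap summary:", gap_summary(SAMPLE_CONTROLS))
    print("Score over assessed requirements:", sprs_score(SAMPLE_CONTROLS))
    print("Requirements still unassessed:", unassessed_count(SAMPLE_CONTROLS))
    for entry in poam_entries(SAMPLE_CONTROLS):
        print("POA&M:", entry)
```

Two points the example makes concrete: an informal, partially implemented control such as 3.8.3 costs the same points as a missing one, which is why "partially implemented" findings from the gap analysis belong in the POA&M rather than being counted as done, and a score is only meaningful once `unassessed_count` reaches zero.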
Step 7: Submit to SPRS
Once assessment results are finalized, companies must submit these results, along with supporting documentation, to the Supplier Performance Risk System. The SPRS submission includes the assessment score, the actual assessment documentation that shows how each requirement was evaluated, the System Security Plan, the Plan of Action and Milestones (if applicable), and an affirmation that the information submitted is accurate and complete.
The submission process requires careful attention to detail, as contracting officers rely on SPRS information when making award decisions. Companies should ensure that submissions are associated with the correct CAGE code, particularly if they have multiple codes for different business units or facilities. The assessment type should accurately reflect whether it’s a self-assessment or a third-party assessment, as well as the level of certification being documented. Documentation uploaded to SPRS should be current, complete, and properly formatted for government review and analysis.
The affirmation of compliance represents a significant responsibility. By affirming that assessment results are accurate, organizations are making representations to the government that could trigger False Claims Act liability if materially false. This underscores the importance of conducting thorough and honest assessments rather than inflating scores to improve a competitive position. Businesses should make sure that senior leadership understands what’s being affirmed and has reviewed assessment results before submission.
SPRS submissions aren’t one-time events but require ongoing maintenance. Self-assessments must be updated annually for Level 1 and Level 2 non-prioritized acquisitions, requiring businesses to re-evaluate their security posture and update documentation. Even for organizations that have undergone third-party assessment, changes to systems or security controls may require updating SPRS information. Maintaining current, accurate SPRS data is an ongoing compliance obligation that organizations must incorporate into their security management processes.
Step 8: Engage Third-Party Assessors When Required
For Level 2 prioritized acquisitions and all Level 3 requirements, third-party assessment by authorized companies is mandatory. Even in situations where self-assessment is technically permitted, many organizations opt to pursue a third-party assessment to provide additional assurance to customers and gain competitive differentiation in the marketplace.
Certified Third-Party Assessment Organizations are independent entities that have been authorized by the CMMC Accreditation Body to conduct CMMC assessments. C3PAOs employ certified assessors who have been trained and credentialed in CMMC assessment methodology and are subject to quality assurance and oversight to ensure consistent, rigorous evaluations. The Department of Defense maintains a registry of authorized C3PAOs. Companies seeking assessment should engage only with authorized entities to ensure the government will recognize their assessment.
Engaging a C3PAO early in the compliance journey offers several advantages beyond the obvious benefit of securing assessment slots before schedules fill. Many C3PAOs offer readiness assessments or pre-assessment services that help businesses identify gaps and prioritize remediation before the formal evaluation. These preliminary engagements are conducted under less formal terms than official assessments and provide valuable feedback without the risk of a failed assessment. Companies can use this feedback to address weaknesses and enter the formal assessment with greater confidence.
The formal C3PAO assessment process typically spans multiple phases. The pre-assessment phase involves document review, where assessors examine the System Security Plan and supporting documentation to understand the environment being assessed. The on-site or virtual assessment phase involves interviews with personnel, examination of system configurations, testing of security controls, and validation that documented implementations match reality. The post-assessment phase consists of analyzing the findings, developing the assessment report, and determining whether certification can be recommended. For companies that receive findings during assessment, a follow-up phase may be implemented to validate that issues have been addressed before final certification is granted.
Selecting the right C3PAO is an important decision that goes beyond simply finding availability. Companies should consider factors including the assessor’s experience with similar environments and industries, their understanding of specific technologies in use, their assessment methodology and approach to working with organizations during the process, and feedback from other organizations they’ve assessed. The relationship with the C3PAO should be professional yet collaborative, with a shared goal of achieving certification while genuinely enhancing security posture.
The Role of Registered Practitioner Organizations
How RPOs Support CMMC Preparation
For many organizations, particularly smaller contractors without dedicated cybersecurity staff, navigating CMMC compliance represents a significant challenge. Registered Practitioner Organizations fill a critical gap in the ecosystem by providing expert guidance and hands-on support throughout the compliance journey. Unlike C3PAOs, which conduct assessments but cannot provide implementation support to the organizations they assess, RPOs serve as advisors and implementers, helping organizations achieve readiness.
One of the fundamental ways RPOs support compliance is by helping organizations interpret the CMMC framework and understand how abstract requirements translate into practical implementations. The NIST SP 800-171 controls that form the basis of Level 2 certification are written in general terms that can be satisfied through various technical and procedural approaches. An RPO with deep expertise in both the standards and practical security implementation can help organizations understand what implementations will satisfy requirements while fitting their specific operational context, technology environment, and resource constraints.
RPOs typically begin engagements with readiness assessments or gap analyses, which provide companies with a clear understanding of their current compliance status relative to requirements. These assessments examine current security practices, compare them against applicable CMMC requirements, identify gaps and weaknesses, and prioritize remediation efforts based on risk and resource availability. The output is typically a detailed roadmap that breaks down the path to compliance into manageable phases with realistic timelines and resource estimates.
Why Work With Tanner Security
CMMC compliance is a multi-year operational commitment, not a one-time audit—Tanner Security partners with defense contractors to design audit-ready programs that scale with business growth.
We provide:
- CMMC readiness assessments
- CUI scoping expertise
- NIST 800-171 implementation
- Documentation development
- Assessment preparation support
Our approach reduces risk, controls cost, and positions your business as a trusted defense partner, before compliance becomes a barrier to winning work. Contact us today if you want to start the CMMC journey.