What Contractors Need to Know About CMMC—and How to Prepare for the Assessment
You just heard that one of your contracts will require CMMC compliance… now what? If your company is part of, or wants to be part of, the Defense Industrial Base (DIB), the Cybersecurity Maturity Model Certification (CMMC) will play an ongoing role in your operations. To help simplify what can feel like a complex process (spoiler alert: it is!), we’ve outlined the most frequently asked questions about CMMC compliance and how your organization can start preparing now.
What Is CMMC, and Why Is It Important?
CMMC was developed by the U.S. Department of Defense (DoD) to ensure contractors handling sensitive information—such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)—implement adequate cybersecurity practices.
Being CMMC-compliant is quickly becoming a prerequisite for winning and maintaining DoD contracts. Compliance is no longer optional if your company is part of the defense supply chain—or hopes to be.
Who Needs to Comply?
Any organization within the DoD supply chain that processes, stores, or transmits CUI or FCI must comply. This includes prime contractors, subcontractors, and service providers—even those handling just a small portion of a project.
What Are the CMMC Levels?
CMMC has three levels, each building on the one below, with four assessment tracks:
- Level 1: Basic cybersecurity practices; annual self-assessment. Applies when handling only FCI. (15 required practices)
- Level 2 (Self-Assessment): Aligns with NIST SP 800-171 Rev. 2. Applies when handling FCI and/or CUI. (110 practices; 320 assessment objectives)
- Level 2 (C3PAO): Requires a triennial third-party assessment. (110 practices; 320 assessment objectives)
- Level 3: Adds NIST SP 800-172 controls. Requires a government-led assessment every three years. (134 practices)
Your required level depends on the type of data you handle and your role in the supply chain.
When Does CMMC Go Into Effect?
The DoD is implementing CMMC in phases:
- December 2024: Level 1 self-assessments and select Level 2 programs begin.
- December 2025: Third-party assessments required for most Level 2 organizations.
- December 2026: Level 3 implementation and assessments begin.
By late 2025, all new DoD contracts will include CMMC requirements.
How Do I Know if I Handle CUI?
Many businesses don’t realize they manage Controlled Unclassified Information. Start by reviewing contract language and consulting the CUI Registry from the National Archives. Work with your contracting officer to verify the scope and classification of the data your team manages.
What Does the Certification Process Look Like?
Achieving compliance involves several key steps:
- Determine your required level based on contract needs.
- Conduct a gap assessment against CMMC requirements.
- Address gaps and begin documentation, including the System Security Plan (SSP). A consultant may be necessary.
- Conduct a mock assessment.
- Engage a Certified Third-Party Assessor Organization (C3PAO) for Level 2 or Level 3.
- Complete the self- or third-party assessment and upload your results to SPRS.
What Will This Cost?
Costs vary depending on your organization’s size and current cybersecurity posture. According to DoD estimates, a Level 2 assessment may cost up to $100,000—excluding preparation and remediation expenses. Creating a focused "compliance enclave" within your business can help reduce overall costs.
How Often Are Assessments Required?
- Level 1: Annual self-assessments
- Level 2: Triennial third-party assessments + annual affirmations
- Level 3: Triennial government assessments + annual affirmations
Can I Limit Compliance to Just One Part of My Business?
Yes. You can establish a CMMC enclave—a defined part of your network or operation where CUI is handled. Narrowing the scope of assessment can reduce both complexity and cost.
What Happens If I Don’t Comply?
Noncompliance can result in losing existing contracts, being ineligible for new awards, and damaging your reputation within the federal ecosystem. Even unintentional noncompliance can carry serious legal and financial consequences.
How Do We Get Started?
The Cyber-AB provides valuable resources at www.CyberAB.org.
While the path to CMMC compliance can feel overwhelming, it doesn’t have to be. Whether you're conducting your first self-assessment or preparing for a third-party evaluation, our team can help define your scope, implement required controls, and maintain compliance. One of our CMMC experts or certified cybersecurity professionals is available for consultation.
Who Is Qualified to Help Us?
Help can come from several sources. Here’s a breakdown of qualifications, starting from the highest CMMC-specific credential. Note that professionals at the lower tiers can also provide valuable support, especially during preparation, since C3PAOs are not permitted to assist with pre-assessment readiness:
- CCA – Certified CMMC Assessor
  - Credentialed to lead third-party assessments on a C3PAO team.
- CCP – Certified CMMC Professional
  - Credentialed to assess compliance on a C3PAO team; a top choice for assessment preparation.
- RPA – Registered Practitioner Advanced
  - Helps organizations prepare for CMMC assessments.
- RP – Registered Practitioner
  - Supports CMMC preparation; at least one RP is required for a firm to be considered a Registered Provider Organization (RPO).
- Cybersecurity Consultants
  - Especially valuable for gap assessments and for implementing the IT controls required at the relevant practice level.
- IT Service Providers / Internal IT Departments
  - Essential for implementing technical controls and managing ongoing control activities.
Need Help Preparing for CMMC?
Contact us to schedule a readiness consultation and receive tailored guidance for your business.
About the Author
Mark Torello, CPA
Mark Torello brings over 25 years of consulting experience with a specialized focus on security and accounting systems technology. He is a licensed Certified Public Accountant and the founder of Whittlesey’s technology division, originally established as The Technology Group, LLC in 1997. Under his leadership, the firm’s technology team—comprising seasoned consultants and Microsoft and Cisco engineers—has grown into a recognized leader in cybersecurity and IT solutions for businesses across industries.
Mark is an active member of the Information Systems Audit & Control Association (ISACA), the National Association of Certified Fraud Examiners, the Connecticut Society of CPAs (CTCPA), and the American Institute of CPAs (AICPA). He also chairs the CTCPA Technology Committee and regularly contributes to the CTCPA newsletter. In 2002, he was named one of the “40 Under 40” Young Leaders by the Hartford Business Journal.
Mark holds a Bachelor of Science in Finance and Banking from the University of Bridgeport and is a frequent speaker on cybersecurity and technology-related issues for professional and industry organizations.