How to get CMMC Certification: Step-by-Step in 2025

Are you a defense contractor scrambling to understand the CMMC certification process for 2025? You're not alone.

April 15, 2025

With the Department of Defense (DoD) having published the final CMMC Program rule (32 CFR Part 170) in the Federal Register on October 15, 2024, effective December 16, 2024, thousands of contractors are now facing this cybersecurity hurdle.

The good news?

I've broken down this complex process into manageable steps that will guide you through obtaining your CMMC certification.

In this guide, you'll learn:

  • What CMMC certification is and why it matters to your business
  • How to determine which CMMC level you need
  • A step-by-step process to prepare for and pass your assessment
  • Estimated costs and timelines for each certification level

What is CMMC and Why Does It Matter?

CMMC stands for Cybersecurity Maturity Model Certification.

It's the DoD's comprehensive framework to ensure defense contractors adequately protect sensitive information.

Think of it as a standardized way to verify your company's cybersecurity practices meet government requirements.

Why does it matter?

Simple - without the CMMC status a solicitation calls for, you can't be awarded, or keep performing on, DoD contracts that involve handling certain types of information. The status is checked at award and becomes a condition of continued performance.

The DoD estimates there are 212,650 defense contractors that will need CMMC certification over the next five years.

Are you one of them?

Determining Your Required CMMC Level

Before you begin the certification process, you need to know which level applies to your organization.

CMMC has three progressive levels:

Level 1: Required if you only handle Federal Contract Information (FCI).

  • Implements the 15 basic safeguarding requirements from FAR 52.204-21
  • Approximately 63% of defense contractors only need this level

Level 2: Required if you handle Controlled Unclassified Information (CUI).

  • Implements all Level 1 requirements plus additional controls for a total of 110 requirements
  • Based on NIST SP 800-171 Rev 2 (the rule fixes this revision; Rev 3 is not yet the CMMC baseline)

Level 3: Required if you handle CUI related to high-value assets or critical programs.

  • Implements all Level 2 requirements plus 24 selected requirements from NIST SP 800-172
  • Requires a Level 2 certification from a C3PAO before the Level 3 assessment can begin
  • Less than 1% of contractors need this level
  • Designed to protect against Advanced Persistent Threats (APTs)

Your required level will be specified in the solicitation (Request for Information or Request for Proposal) and carried into the resulting contract.

Step 1: Create a CMMC Project Plan

Don't underestimate the importance of proper planning.

Your CMMC project plan should include:

  • Project timeline with key milestones
  • Budget allocation for implementation and assessment
  • Resource assignments (internal and external)
  • Project phases and deliverables

Consider organizing a CMMC workshop to educate your team about the requirements and process.

This isn't just another IT project.

It requires coordination across multiple departments including IT, security, legal, and executive leadership.

Step 2: Define Your Assessment Scope

This critical step determines what systems and information will be included in your CMMC assessment.

You'll need to:

  • Identify and document where FCI or CUI data resides
  • Create network diagrams showing how this information flows
  • Develop a comprehensive asset inventory
  • Categorize each asset using the CMMC scoping guide's categories (for Level 2: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets) and define the enclave boundary around the in-scope ones

Many organizations make the mistake of including too much in their scope.

By properly segmenting your networks and systems, and documenting why out-of-scope assets cannot touch CUI, you can potentially reduce the scope of your assessment and lower implementation costs.

Step 3: Perform a Readiness Assessment

Before investing in remediation, you need to know where you stand.

A readiness assessment will:

  • Identify gaps in your current cybersecurity practices
  • Determine your baseline score under the NIST SP 800-171 DoD Assessment Methodology (the score reported to SPRS; this applies to Level 2, while Level 1 is simply all 15 requirements met or not met)
  • Create a Plan of Action & Milestones (POA&M) for the open items
  • Provide a realistic estimate of remediation costs

For this step, you can use internal resources or hire external consultants.

Keep in mind that if you use assessors or professionals certified through the CAICO (the Cybersecurity Assessor and Instructor Certification Organization) for preparation, they cannot participate in your Level 2 assessment for three years due to conflict of interest rules.
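The baseline score from Step 3 is a defined calculation, not a judgement call: start at 110, subtract 1, 3 or 5 points for each NIST SP 800-171 requirement that is not met, and then check whether what remains open could legally sit on a POA&M. The following is an added example written for this guide, not code from the original post or from the DoD. It assumes a constructed set of readiness findings, an illustrative subset of the per-requirement point values (the full table is Annex A of the DoD Assessment Methodology and must be supplied by the reader for a real score), and the conditional-status rules of 32 CFR 170.21 as read here; verify both against the source documents before relying on a result.

```python
"""
Added example (not from the original post): compute a NIST SP 800-171 DoD
Assessment Methodology score of the kind reported to SPRS, then check whether
the open items could be deferred to a POA&M under the CMMC Level 2
conditional-status rules in 32 CFR 170.21.

Assumptions, labelled:
- WEIGHTS is an illustrative subset. The full per-requirement point values
  (1, 3 or 5) come from Annex A of the DoD Assessment Methodology.
- FINDINGS is a constructed readiness-assessment result, not real data.
- Requirements absent from a findings dict are treated as met.
"""
from __future__ import annotations

MAX_SCORE = 110
CONDITIONAL_MIN = 88        # 80% of 110: floor for conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180    # open POA&M items must be closed within 180 days

# Illustrative subset of point values; a real run needs all 110 entries.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.7": 1,    # prevent non-privileged users executing privileged functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication (partial-credit rule below)
    "3.8.4": 1,    # mark media with CUI markings
    "3.10.4": 1,   # escort visitors and monitor visitor activity
    "3.13.11": 5,  # FIPS-validated cryptography (partial-credit rule below)
}

# Two requirements carry a 3-point deduction when partially implemented:
# 3.5.3 when MFA covers remote and privileged users but not general users,
# 3.13.11 when encryption is used but is not FIPS-validated.
PARTIAL_CREDIT: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR 170.21 (as read here): items worth more than 1 point cannot go on a
# POA&M, except 3.13.11 at its 3-point partial value; these 1-point items are
# never POA&M-eligible regardless of score.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5", "3.12.4"}

VALID_STATUS = {"met", "partial", "not_met"}


def deduction(req_id: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r} for {req_id}")
    if status == "met":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule; use not_met")
        return PARTIAL_CREDIT[req_id]
    return WEIGHTS[req_id]


def sprs_score(findings: dict[str, str]) -> int:
    """Score in the -203..110 range defined by the methodology."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in findings.items())


def poam_blockers(findings: dict[str, str]) -> list[str]:
    """Open items that cannot be deferred to a POA&M (empty means eligible)."""
    blockers: list[str] = []
    for req_id, status in findings.items():
        if status == "met":
            continue
        points = deduction(req_id, status)
        if req_id in NEVER_POAM:
            blockers.append(req_id)
        elif points > 1 and not (req_id == "3.13.11" and points == 3):
            blockers.append(req_id)
    return blockers


def conditional_level2_possible(findings: dict[str, str]) -> bool:
    """True if the gap set meets the score floor and every open item is POA&M-eligible."""
    return sprs_score(findings) >= CONDITIONAL_MIN and not poam_blockers(findings)


# Constructed sample findings from a readiness assessment.
FINDINGS: dict[str, str] = {
    "3.1.1": "met", "3.1.2": "met", "3.1.7": "not_met", "3.1.20": "met",
    "3.3.1": "met", "3.3.3": "not_met", "3.5.3": "partial", "3.8.4": "not_met",
    "3.10.4": "met", "3.13.11": "partial",
}

if __name__ == "__main__":
    print("score:", sprs_score(FINDINGS))                      # 101
    print("POA&M blockers:", poam_blockers(FINDINGS))         # ['3.5.3']
    print("conditional status possible:", conditional_level2_possible(FINDINGS))
```

Note how the sample scores 101, comfortably above the 88-point floor, yet still cannot take conditional status: MFA for general users (3.5.3) is a 3-point open item and may not be deferred, whereas the non-FIPS encryption finding on 3.13.11 may be. A high score alone does not make a gap set POA&M-eligible; the individual items do.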

Step 4: Remediate Identified Gaps

Now comes the heavy lifting.

Based on your readiness assessment, you'll need to address all identified gaps.

This typically involves:

  • Creating or revising cybersecurity policies and procedures
  • Implementing new technical controls
  • Configuring systems to meet requirements
  • Acquiring necessary security services or technologies
  • Documenting evidence of compliance

Remember that policies must be approved, not in draft form.

And procedures should be detailed enough that any qualified person could implement them without additional explanation.

Step 5: Prepare Documentation

Documentation is crucial for your CMMC assessment.

At minimum, you'll need:

  • System Security Plan (SSP)
  • Network diagrams and data flow maps
  • Evidence of control implementation
  • Policies and procedures
  • Risk assessments

For Level 1, the documentation requirements are minimal.

For Levels 2 and 3, the documentation becomes significantly more extensive.

Step 6: Undergo the Assessment

The assessment process varies by CMMC level:

Level 1: Self-assessment performed annually

  • Organization conducts its own assessment against the 15 requirements
  • Results and an affirmation are submitted to the Supplier Performance Risk System (SPRS)

Level 2: Two options, and the solicitation states which one applies

  • Self-assessment every three years with an annual affirmation, results entered in SPRS (allowed only where the solicitation permits it)
  • Certification assessment by a C3PAO (CMMC Third-Party Assessment Organization) every three years, also with an annual affirmation

Level 3: Government-led assessment

  • Conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, after a Level 2 C3PAO certification is in place

During the assessment, be prepared to demonstrate how your organization meets each required control through documentation, interviews, and technical testing.

Wrapping up

Achieving CMMC certification isn't a one-time event.

It's an ongoing commitment to cybersecurity that requires continuous monitoring and maintenance.

The DoD has implemented a phased approach to CMMC requirements: the phases begin when the companion acquisition (DFARS) rule takes effect and roll out over roughly three years, with CMMC requirements appearing in all applicable solicitations and contracts in the final phase.

Starting your certification process early gives you time to address gaps methodically rather than rushing to meet contract deadlines.

What did we learn today?

  • CMMC certification is mandatory for defense contractors handling FCI or CUI
  • The three CMMC levels correspond to different types of information and risk levels
  • Proper planning and scoping can significantly reduce certification costs
  • Documentation is as important as technical implementation
  • The assessment process varies by level, from self-assessment to government evaluation

Remember, the goal of CMMC isn't just checking boxes.

It's about implementing meaningful cybersecurity practices that protect our nation's sensitive information.

Are you ready to start your CMMC journey?