Achieving CMMC compliance: Essential steps 

Sarah A. Lynn • March 26, 2025

Services: IT Security & Compliance


For defense contractors handling sensitive information, Cybersecurity Maturity Model Certification (CMMC) compliance is not just a regulatory requirement—it’s a critical business imperative. As cybersecurity threats continue to evolve, the Department of Defense (DoD) requires organizations throughout the defense industrial base to demonstrate robust security measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  

This article explores the key steps organizations must take to achieve CMMC compliance, navigate assessment requirements and implement effective cybersecurity practices across their operations. 

Understanding CMMC fundamentals 

The CMMC framework, introduced by the DoD in 2019, strengthens enforcement of existing cybersecurity requirements. Unlike previous approaches that allowed self-assessment, CMMC requires independent verification through third-party assessments for most contractors. 

“Many try the self-assessment first, which is great, but also miss the CUI they do have and get in the wrong level. It is easy to at least have an Advisor review your self-assessment so that it does not become rejected. This is a much less costly solution. You do it, have an Advisor review and advise, have more confidence that it is valuable.” – Sarah A. Lynn, BPM Advisory Partner, IT Security & Compliance Subject Matter Expert

The framework consists of three compliance levels: 

  • Level 1: Applies to organizations handling only FCI, requiring basic safeguarding measures outlined in FAR 52.204-21 with annual self-assessments 
  • Level 2: Targets organizations handling CUI, requiring adherence to 110 security controls specified in NIST SP 800-171 with triennial third-party assessments
  • Level 3: For organizations handling CUI under Advanced Persistent Threats, mandating compliance with Level 2 requirements plus 24 enhanced controls from NIST SP 800-172 

Organizations must achieve the CMMC level specified in their contracts, and this requirement flows down to subcontractors throughout the supply chain. 

Essential steps to CMMC compliance 

Assess your current security posture 

The first step toward CMMC compliance involves conducting a thorough assessment of your current cybersecurity practices. This assessment helps identify gaps between your existing controls and CMMC requirements. 

Start by determining which CMMC level applies to your organization based on the information you handle. Map your existing security controls against the relevant CMMC requirements, paying particular attention to areas such as access control, identification and authentication, system and communications protection and incident response. 

Document your findings in detail, noting areas of compliance and non-compliance. This documentation will serve as the foundation for your System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

Develop a comprehensive implementation plan 

Based on your assessment, develop a structured implementation plan to address identified gaps. Prioritize actions based on criticality and resource requirements, establishing realistic timelines for each task. 

Your implementation plan should include: 

  • Specific technical controls to implement 
  • Policies and procedures to develop or update
  • Training requirements for staff 
  • Resource allocation and budgeting 
  • Timeline for completion with key milestones 

Remember that CMMC compliance is not a one-time effort but an ongoing commitment to cybersecurity. Your plan should account for continuous monitoring and improvement of security controls. 

Create required documentation 

Documentation plays a crucial role in demonstrating CMMC compliance. At minimum, you must develop: 

  1. System Security Plan (SSP): A comprehensive document describing your information system, security requirements and implemented controls
  2. Plan of Action and Milestones (POA&M): Details identified gaps, planned remediation actions, responsibilities and timelines
  3. Policies and procedures (P&P): Formal documentation of security practices aligned with CMMC requirements
  4. Evidence of implementation: Artifacts demonstrating that controls are in place and functioning as intended

“Many companies do the assessment and stop, not realizing that the DoD can ask for your other 4 LARGE type documents – SSP, POA&M, P&P and Artifacts – at any time, even on a self-assessment. In addition, the on-going maintenance is very structured.” – Sarah A. Lynn

The quality and completeness of your documentation directly impact your assessment outcome. Ensure all documents are clear, accurate and regularly updated to reflect changes in your security environment. 

Implement technical solutions 

Achieving CMMC compliance requires implementing appropriate technical solutions to protect FCI and CUI. This includes: 

  • Secure email and file-sharing platforms that comply with DFARS 7012 
  • Access control systems that enforce least privilege principles 
  • Encryption for data at rest and in transit 
  • Multi-factor authentication for critical systems 
  • Continuous monitoring tools for threat detection 
  • Backup and recovery solutions 

When selecting technology solutions, prioritize those designed specifically for CMMC compliance, as they often include pre-configured controls and documentation that can accelerate your certification journey. 

Prepare for assessment 

As your implementation progresses, begin preparing for your CMMC assessment. This preparation includes: 

  • Conducting internal audits to verify control effectiveness 
  • Training staff on security procedures and assessment expectations 
  • Organizing evidence to demonstrate compliance with each requirement
  • Performing mock assessments to identify and address potential issues 

For Level 2 and Level 3 assessments, engage with a CMMC Third Party Assessment Organization (C3PAO) early to understand their specific assessment methodology and expectations. 

Working with BPM for CMMC compliance 

Achieving CMMC compliance requires careful planning, comprehensive implementation and ongoing maintenance of cybersecurity controls. While the process may seem daunting, working with BPM can significantly streamline your compliance journey. BPM offers specialized guidance through each phase of CMMC implementation, from initial assessment to certification preparation, helping defense contractors protect sensitive information while meeting DoD requirements.  

By partnering with BPM, organizations can navigate the complexities of CMMC compliance efficiently and cost-effectively, ensuring continued participation in the defense industrial base supply chain. To find out more, contact us.


Sarah A. Lynn

Partner, Advisory
BPM Board of Directors

Sarah has over 30 years of Advisory experience and targeted knowledge within the IT Security and compliance field. She has …
