A 3-Step Path to Achieving CMMC Compliance

BLOG

As Department of War (DoW) contractors and their suppliers prepare for evolving cybersecurity requirements, Cybersecurity Maturity Model Certification (CMMC) compliance has become a critical part of maintaining eligibility for federal work.

For many organizations, CMMC compliance can feel complex, especially for organizations new to DoW contracting requirements. The challenge is not just understanding the requirements, but turning them into a structured, defensible path toward certification.

TL;DR: CMMC compliance is best achieved through a structured, phased approach that takes organizations from defining scope to identifying gaps and ultimately remediating issues to prepare for certification.

  • Phase 1 (Scoping): Establish the CMMC boundary by identifying where FCI and CUI exist and mapping data flows across systems, applications, users and third parties
  • Phase 2 (Gap Analysis & Documentation): Assess current security posture against NIST SP 800-171 requirements and develop required documentation such as the SSP, POA&M and SPRS score
  • Phase 3 (Remediation & Planning): Prioritize and address compliance gaps, assign ownership and build a structured remediation plan to achieve

A phased approach helps reduce uncertainty, control scope and build a clear and defensible path to compliance readiness.

Below are practical phases organizations can follow to prepare for CMMC compliance, whether they handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI) or both.

Phase 1: Scoping

Scoping establishes the foundation for any successful CMMC effort. Before assessing controls or building documentation, organizations must clearly define what is in scope and how data flows through the environment.

Key activities in this phase include:

  • Reviewing contracts to identify language related to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
  • Identifying DFARS clauses (for example, 2019, 2020, 2021 versions) that impose cybersecurity obligations
  • Performing a scoping exercise, either internally or with the support of a Registered Provider Organization (RPO)
  • Determining whether the organization processes, stores or transmits FCI or CUI, and identifying all systems, applications, software and personnel involved
  • Mapping data flows to understand how FCI and CUI enter the organization, move internally and flow out to external parties

Accurate scoping ensures that compliance efforts are appropriately focused, helping avoid both under-scoping and unnecessary expansion of the compliance boundary.

Phase 2: Gap Analysis and Documentation

Once scope is defined, organizations evaluate their current cybersecurity posture against applicable CMMC requirements.

This phase focuses on assessing gaps and aligning documentation to NIST SP 800-171 requirements.

Gap Assessment Requirements

  • A gap assessment for the FCI environment should always be performed, regardless of whether CUI is present
  • A gap assessment for CUI should only be performed when:
    • The CUI environment is segmented and all systems that process, store or transmit CUI are known, or
    • The entire network environment is in scope and expected to be certified for CUI.

Compliance Focus Areas

  • FCI (CMMC Level 1)
    • Organizations must comply with 17 Level 1 requirements derived from NIST SP 800-171
    • For Level 1, self-attestation is required and must be submitted to the Supplier Performance Risk System (SPRS)
  • CUI (CMMC Level 2)
    • Organizations must address all 110 NIST SP 800-171 requirements
    • At least 88 of 110 requirements (80%) must be compliant
    • No DoD value 3 or 5 requirements may be marked as non-compliant
    • These 110 requirements break down into 320 assessment objectives
    • For a requirement to be considered “Met,” all associated objectives must be compliant
    • Develop a System Security Plan (SSP), Plan of Actions and Milestones (POA&M) and SPRS score.

During this phase, organizations should also collect existing policies and procedures to determine how well they support NIST SP 800-171 requirements and where gaps exist.

Phase 3: Remediation and Planning

Phase 3 translates assessment findings into action. Organizations prioritize gaps, assign accountability and build a structured plan to close deficiencies.

To remediate gaps and prepare for certification, organizations should:

  • Develop a POA&M that lists gaps at the objective level under each requirement.
  • Document all identified gaps in the POA&M, including:
    • Remediation approach
    • Responsible point of contact
    • Target remediation date
    • Description of the fix
  • Begin or complete the SSP for the system being certified, documenting:
    • How each objective is met or not met
    • The current security posture of the environment
  • Ensure the SSP and POA&M contain no “Not Met” objectives with DoD value 3 or 5
  • Establish a remediation plan with executive buy-in, prioritizing DoD value 3 and 5 items first
  • If the CUI environment is not yet fully established or enclaved, determine whether a local or cloud-based architecture is the most appropriate path forward
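The Level 2 thresholds from Phase 2 (a requirement is Met only when every objective is Met, at least 88 of 110 requirements Met, no DoD value 3 or 5 requirement Not Met) and the objective-level, priority-ordered POA&M from Phase 3 can be checked mechanically. The following is an added example, not code from the post or from GuidePoint; the requirement ids, DoD values and objective results are constructed, and the SPRS score is modelled simply as 110 minus the value of each unmet requirement (the partial-credit cases in the DoD assessment methodology are ignored).

```python
from dataclasses import dataclass

@dataclass
class Requirement:
    """One NIST SP 800-171 requirement: its DoD value (1, 3 or 5) and the
    assessed status of each of its objectives ("Met" or "Not Met")."""
    req_id: str
    dod_value: int
    objectives: dict

    def is_met(self) -> bool:
        # A requirement counts as "Met" only when every objective is compliant.
        return all(status == "Met" for status in self.objectives.values())

def poam_entries(reqs):
    """Gaps at the objective level, DoD value 5 and 3 items first, so the
    POA&M order matches the remediation priority described above."""
    gaps = [(r.req_id, r.dod_value, obj)
            for r in reqs for obj, status in r.objectives.items()
            if status != "Met"]
    return sorted(gaps, key=lambda g: (-g[1], g[0], g[2]))

def level2_readiness(reqs):
    """Apply the Level 2 thresholds: at least 88 of 110 requirements Met and
    no DoD value 3 or 5 requirement Not Met."""
    met = sum(1 for r in reqs if r.is_met())
    blocking = [r.req_id for r in reqs
                if not r.is_met() and r.dod_value in (3, 5)]
    # Assumption: SPRS score modelled as 110 minus the value of each unmet
    # requirement; partial-credit cases in the DoD methodology are ignored.
    score = 110 - sum(r.dod_value for r in reqs if not r.is_met())
    return {"met": met, "score": score, "blocking": blocking,
            "eligible": met >= 88 and not blocking}

def sample_assessment():
    """Constructed sample set: 110 requirements, 108 fully met. Requirement
    ids and DoD values are illustrative, not a real assessment."""
    reqs = [Requirement(f"3.x.{i}", 1, {"[a]": "Met"}) for i in range(1, 108)]
    reqs += [
        Requirement("3.1.1", 5, {"[a]": "Met", "[b]": "Not Met"}),
        Requirement("3.5.7", 1, {"[a]": "Not Met"}),
        Requirement("3.12.1", 3, {"[a]": "Met", "[b]": "Met"}),
    ]
    return reqs

if __name__ == "__main__":
    reqs = sample_assessment()
    print(level2_readiness(reqs))   # 108 met, score 104, blocked by 3.1.1
    for entry in poam_entries(reqs):
        print("POA&M:", entry)
```

Even with 108 of 110 requirements Met and a score above the 88 threshold, the single Not Met objective under a value-5 requirement keeps the environment ineligible until that gap is closed.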

This phase positions the organization for a successful assessment by ensuring gaps are clearly defined, tracked and actively addressed.

Bringing it All Together

A structured, phased approach helps organizations move from scoping to assessment to remediation in a clear and defensible way. Each phase builds on the last, creating a repeatable path toward CMMC compliance and certification readiness.

To get started, organizations should begin by defining their CMMC scope and identifying where FCI and CUI exist across their environment. This foundational step enables accurate assessment and informs all downstream compliance activities.

For organizations beginning their CMMC journey or preparing for certification, establishing clear scope and readiness is the critical first step toward a successful outcome.

SENIOR SECURITY CONSULTANT, COMPLIANCE,
GUIDEPOINT SECURITY
Jason Spencer is a Cybersecurity Consultant with more than a decade of experience in security assessments, compliance and risk management. Since beginning his cybersecurity career in 2010, he has specialized in network security, wireless security, vulnerability management and regulatory compliance assessments across commercial, banking and federal environments. Jason has extensive experience conducting NIST 800-171 and CMMC assessments, having led and participated in more than 100 assessments since 2017. He is a Certified CMMC Professional (CCP) and also supports organizations with NIST 800-53, HITRUST, DFARS, HIPAA and PCI compliance initiatives. Additionally, Jason has served as a Qualified Security Assessor (QSA) since 2019 and is trained on PCI DSS 3.2.1 and 4.0.1. His technical expertise includes perimeter, network, wireless and firewall security assessments, database auditing, workstation reviews, social engineering and security operations support within both Network Operations Center (NOC) and Security Operations Center (SOC) environments. Jason holds a Bachelor of Arts degree in Geology with teacher certification and maintains several industry certifications, including CISSP. He has also presented at Converge in Anaheim, California.
