How DoD Contractors Can Prepare for the CMMC

How Contractors for the Department of Defense Can Get Certified with the Cybersecurity Maturity Model Certification (CMMC)


Why Did the Department of Defense (DoD) Create the CMMC?

Anyone working for the DoD knows how much of an emphasis has been placed on cybersecurity in recent times.

Back in 2015, the DoD published the Defense Acquisition Federal Regulation Supplement (DFARS). This stipulated that all private contractors working for the DoD must abide by the standards of NIST SP 800-171 on cybersecurity.

The rationale behind DFARS is to better guard the nation’s defense supply chain against the threats posed by cyber attackers domestically and internationally.

DFARS has forced more than 300,000 private DoD contractors to adopt these new standards so they can comply with the current law.

A small number of contractors have become compliant using their own resources. Others have chosen third-party cybersecurity companies, like GRS Technology Solutions, to help them adopt NIST SP 800-171 cybersecurity standards.


Compliance has become so important that the DoD actively discriminates against private companies not possessing the necessary cybersecurity standards during contract awards procedures.

Yet despite the urgency whipped up by the DoD, thousands of contractors have yet to comply with the new standards. In fact, some contractors have even made false claims about their compliance.

To deal with this problem, the DoD has created the Cybersecurity Maturity Model Certification (CMMC). The CMMC is expected to guarantee the security standards of contractors and to better control the supply of controlled unclassified information (CUI).

DoD contractors need to be aware of the current status of CMMC, how it will impact them, and how they can prepare for potential CMMC assessments in the future.

This GRS Technology Solutions guide will do all this and enable contractors to start the journey to becoming certified.

What Do You Need to Know About the CMMC Model?

The CMMC is what’s known as a verification component. It’s not a completely new standard but an evolution based on DFARS 252.204-7012.

These maturity levels will be used for RFP sections L/M to distinguish between contractors.

In the long-term, the DoD intends to utilize the CMMC with other cybersecurity standards. They want to combine standards like NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity.

Additionally, the CMMC will serve as a benchmark for measuring how institutionalized a contractor’s cybersecurity standards are.

DoD Contractors – So What Does All of this Mean?

The CMMC is what’s known as a verification component. It’s not a completely new standard but an evolution based on DFARS 252.204-7012.

It’s up to DoD contractors to comply. The CMMC is merely the latest attempt to urge contractors to make their practices compliant with the current demands of the DoD.

So what do DoD contractors have to do?

Firstly, all DoD contractors must prepare to pass a CMMC assessment if they want to continue supplying products and services to the DoD. An uncertified contractor will not be able to hold existing or acquire new contracts to work with the DoD going forward.

Not only that but DoD contractors will need to meet specific levels of cybersecurity, as outlined by the CMMC, which you can find out about below.

What Do We Know about the CMMC and CMMC Assessments?

The CMMC Accreditation Body (CMMC-AB) will use a number of authorized CMMC Third-Party Assessors (C3PAO’s) to carry out assessments and verify certain levels of the CMMC program. These C3PAO’s will be responsible to manage and perform the assessment process, and review the 110 practices aligned with NIST 800-171.

Assessments carried out by the C3PAO’s will determine whether a contractor is awarded the certification.

CMMC Level 1 (Foundational): DoD Contractors who handle FCI, but don’t handle CUI, will be required to perform an annual self-assessment based on the 17 practices outlined below.

CMMC Level 2 (Advanced): DoD Contractors who handle CUI or information critical to national security will be required to undergo a tri-annual CMMC assessment conducted by a C3PAO.

CMMC Level 3 (Expert): DoD Contractors who handle the most critical information to national security as part of their defense program will be required to undergo tri-annual government-led assessments.


GRS Technology Solutions sponsoring the Annual Review 2020 event at the MGM National Harbor

About the Different CMMC Levels



With the implementation of CMMC 2.0, the Department is introducing several key changes that build on and refine the original program requirements. These are:


  • Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
  • Higher accountability: Increases oversight of professional and ethical standards of third-party assessors


  • Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
  • Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards


  • Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
  • Added flexibility and speed: Allows waivers to CMMC requirements under certain limited circumstances.

What Should DoD Contractors Do to Prepare for a CMMC Assessment?

Different CMMC levels will require contractors to comply with different security controls, as outlined earlier in this guide.

Contractors who already have full NIST SP 800-171 controls shouldn’t experience any problems achieving CMMC Level 2.

However, if this has yet to be achieved, there are a number of options for contractors as they prepare for an upcoming assessment.

Outsourcing to a CMMC Consultant

For all but the largest of contractors, the appropriate course of action is to invest in outsourcing the process of getting the CMMC to a qualified third party. In particular, outsourcing to a Managed Security Service Provider (MSSP) will enable contractors to get the expertise required.

However, the responsibility ultimately remains with the contractor to meet the necessary cybersecurity standards. This is why contractors should think long and hard about which MSSP they decide to hire.

Although it may be tempting to do everything in-house, outsourcing the process to a qualified MSSP will likely save you both time and money.

Not only will they be able to pinpoint areas of weakness, but they will be aware of what assesors will be looking at. It’s the best way to prepare for an upcoming CMMC assessment.

Implement NIST SP 800-171 Yourself

For contractors who possess the staff and resources, they may want to consider doing everything in-house.

Contractors can take advantage of the guidance presented in the Self Assessment Handbook – NIST Handbook 162. It’s a workbook compiled by the National Institute of Standards and Technology (NIST) to help DoD contractors.

Be aware that this workbook only includes information up to and including NIST SP 800-171 Rev. 1. It doesn’t include anything more than that, so contractors will only be able to get up to a level 3 certification using this.

For NIST SP 800-171 Rev. B things are more complex as there’s no authorized workbook available.

If a contractor doesn’t have the knowledge or the resources available to implement these cybersecurity controls alone, they should consider outsourcing these tasks to a CMMC consultant.

These consultants may even be able to provide an assessment themselves, as well as supporting contractors in tightening up any areas of weakness.

Steps to CMMC Compliance

The first step is to perform a gap analysis, together with an MSSP. The point of a gap analysis is to deep dive into a contractor’s current cybersecurity standards and then compare them to what’s necessary to achieve the desired CMMC level.

A gap analysis will discover which systems and processes are inadequate. An MSSP will also highlight what may be appropriate but what may also be flagged by a CMMC assesor.

Some of the most common issues a gap analysis may flag include:

  • Information systems access.
  • Staff training.
  • Data record storage.
  • The implementation of cybersecurity controls.
  • Incident response development and implementation.

A gap analysis is the foundation of any journey towards CMMC implementation. Without it, contractors will find it impossible to figure out what changes they need to make to achieve compliance.

Following a gap analysis, the next step is to create a remediation plan. This will be based on the conclusions of the gap analysis.

Despite the grand sounding name, remediation plans may involve small, simple changes to fix any processes/systems within the company. However, sometimes they may include complete foundational changes. It depends entirely on the contractor’s gap analysis.

Outsourcing the CMMC process will also give contractors the benefit of a professional MSSP who can guide them towards success.

Step three begins after contactors implement the guidance found within the remediation plan.

A qualified MSSP will utilize a variety of tools to continually monitor new systems/processes. They will be able to detect any breaches within these systems and provide detailed reports.

The key to CMMC is not to meet CMMC requirements but to prove compliance should an assessment take place.

After complying with the necessary security standards, an MSSP is able to produce legal documentation to prove that the contractor is now fully compliant. This is required by CMMC assesors to certify the contractor.


Why Passing an Initial CMMC Assessment is Critical

Contractors providing services to the DoD often rely on these DoD contracts as a significant source of revenue. To acquire these new contracts from 2020 onwards it will become a minimum requirement to possess the correct CMMC.

It should be considered a priority to pass a CMC assessment at the first attempt. Failing an assessment will mean the contractor is no longer able to continue working for the DoD until they pass.

Outright failing a CMMC assessment could be catastrophic for a company as it takes time to implement the correct controls and to request a further assessment.

For DoD contractors, it’s well worth the investment to bring in a consultant capable of detecting problems outside of a formal assessment.

Preparing for a CMMC Assessment the Right Way

GRS Technology Solutions has provided expert help to DoD contractors in understanding the new CMMC standards and implementing NIST SP 800-171.

Our professionals specialize in helping contractors to prepare for the latest cybersecurity standards in the US.

Get a CMMC Consultation

Call: 703-997-0990
Email us a request