CMMC: What Contractors Need to Know, Assessment Preparation

The following article was provided by Whittlesey. It is reposted here with permission.
You just heard that one of your contracts will require Cybersecurity Maturity Model Certification compliance … now what?
If your company is part of, or wants to be part of, the Defense Industrial Base, CMMC will play an ongoing role in your operations.
To help simplify what can feel like a complex process (spoiler alert: it is!), we’ve outlined the most frequently asked questions about CMMC compliance and how your organization can start preparing now.
What Is CMMC? Why is it Important?
CMMC was developed by the U.S. Department of Defense to ensure contractors handling sensitive information—such as Controlled Unclassified Information and Federal Contract Information—implement adequate cybersecurity practices.
Being CMMC-compliant is quickly becoming a prerequisite for winning and maintaining DoD contracts.
Compliance is no longer optional if your company is part of the defense supply chain—or hopes to be.
Who Needs to Comply?
Any organization within the DoD supply chain that processes, stores, or transmits CUI or FCI must comply.
This includes prime contractors, subcontractors, and service providers—even those handling just a small portion of a project.
What Are the CMMC Levels?
CMMC has three levels, built upon one another (with four functional stages):
- Level 1: Basic cybersecurity practices; annual self-assessment. Applies when handling only FCI. (15 required practices)
- Level 2 (Self-Assessment): Aligns with NIST SP 800-171 Rev. 2. Applies when handling FCI and/or CUI. (110 practices; 320 assessment objectives)
- Level 2 (C3PAO): Requires a triennial third-party assessment. (110 practices; 320 assessment objectives)
- Level 3: Adds NIST SP 800-172 controls. Requires a government-led assessment every three years. (134 practices)
Your required level depends on the type of data you handle and your role in the supply chain.
When Does CMMC Go Into Effect?
DoD is implementing CMMC in phases:
- December 2024: Level 1 self-assessments and select Level 2 programs begin
- December 2025: Third-party assessments required for most Level 2 organizations
- December 2026: Level 3 implementation and assessments begin
By late 2025, all new DoD contracts will include CMMC requirements.
How Do I Know If I Handle CUI?
Many businesses don’t realize they manage Controlled Unclassified Information.
Start by reviewing contract language and consulting the CUI Registry from the National Archives. Work with your contracting officer to verify the scope and classification of the data your team manages.
What Does the Certification Process Look Like?
Achieving compliance involves several key steps:
- Determine your required level based on contract needs
- Conduct a gap assessment against CMMC requirements
- Address gaps and begin documentation, including the System Security Plan (a consultant may be necessary)
- Conduct a mock assessment
- Engage a certified third-party assessor organization for Level 2 or Level 3
- Complete the self- or third-party assessment and upload your results to SPRS
What Will This Cost?
Costs vary depending on your organization’s size and current cybersecurity posture.
According to DoD estimates, a Level 2 assessment may cost up to $100,000—excluding preparation and remediation expenses.
Creating a focused “compliance enclave” within your business can help reduce overall costs.
How Often Are Assessments Required?
- Level 1: Annual self-assessments
- Level 2: Triennial third-party assessments + annual affirmations
- Level 3: Triennial government assessments + annual affirmations
Can I Limit Compliance to Just One Part of My Business?
Yes. You can establish a CMMC enclave—a defined part of your network or operation where CUI is handled.
Narrowing the scope of assessment can reduce both complexity and cost.
What Happens If I Don’t Comply?
Noncompliance can result in losing existing contracts, being ineligible for new awards, and damaging your reputation within the federal ecosystem.
Even unintentional noncompliance can carry serious legal and financial consequences.
How Do We Get Started?
The Cyber-AB provides valuable resources. While the path to CMMC compliance can feel overwhelming, it doesn’t have to be.
Whether you’re conducting your first self-assessment or preparing for a third-party evaluation, our team can help define your scope, implement required controls, and maintain compliance.
One of our CMMC experts or certified cybersecurity professionals is available for consultation.
Who Is Qualified to Help Us?
Help can come from several sources.
Here’s a breakdown of qualifications, starting from the highest CMMC-specific credential.
It’s worth noting that even professionals at the lower tiers can provide valuable support, especially during preparation, since C3PAOs themselves are not permitted to assist with pre-assessment readiness:
- CCA: Certified CMMC Assessor
  - Credentialed to lead third-party assessments on a C3PAO team.
- CCP: Certified CMMC Professional
  - Credentialed to assess compliance on a C3PAO team; a top choice for assessment preparation.
- RPA: Registered Practitioner Advanced
  - Helps organizations prepare for CMMC assessments.
- RP: Registered Practitioner
  - Supports CMMC preparation; at least one RP is required for a firm to be considered a Registered Provider Organization.
- Cybersecurity Consultants
  - Especially valuable for gap assessments and implementing required IT controls, based on the relevant practice level.
- IT Service Providers/Internal IT Departments
  - Essential for implementing technical controls and managing ongoing control activities.
About the author: Mark Torello is partner-in-charge of technology in Whittlesey’s Hamden, Hartford, and Holyoke offices. Torello founded Whittlesey’s technology division, originally established as The Technology Group, LLC in 1997. He brings over 25 years of consulting experience with a specialized focus on security and accounting systems technology.