Understanding CMMC: A Comprehensive Assessment Guide

Reading Time: 6 minutes


For defense contractors, a CMMC Assessment guide is critical to identify the gaps to get your organization CMMC compliant.  As a defense contractor, you’re not just a player; you’re a guardian of national security. This is where the Cybersecurity Maturity Model Certification (CMMC) steps in, a framework ensuring that you’re not just playing the game but mastering it. Let’s dive into the world of CMMC Assessment, a crucial checkpoint in your journey of compliance and resilience.

CMMC Assessments - what you need to know

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) was established by the DoD in response to the increasing threats posed by cyberattacks on the defense industrial base. CMMC is designed to standardize and measure the cybersecurity capabilities and maturity of defense contractors. It provides a framework that contractors must adhere to. This ensures the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). By implementing the appropriate security controls and practices, defense contractors can demonstrate their commitment to cybersecurity and their ability to protect sensitive data.

Key Features of CMMC 2.0

CMMC Model 2.0 Key Features

CMMC Levels

CMMC comes with five levels, each a step up in the cybersecurity ladder. Starting from Level 1, ‘Basic Cyber Hygiene’, to Level 5, ‘Advanced/Progressive’, each level is a milestone in your cybersecurity journey. Think of it like a video game – each level gets progressively challenging, but as you level up, so does your defense capability. Determining which level applies to you depends on the nature of your work with the DoD. It’s like picking the right gear for a mission; you need to know what you’re gearing up for.

Level 1: Basic Foundation Cyber Hygiene

Level 1 focuses on the protection of FCI and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause

At Level 1, defense contractors must implement basic cybersecurity practices. This establishes a foundation for future cybersecurity improvements. Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2.

This level focuses on safeguarding Federal Contract Information (FCI). It is designed to provide a starting point for organizations with limited resources and cybersecurity capabilities.

Level 2: Advanced

Level 2 builds upon the requirements of Level 1. It introduces additional security controls to protect Controlled Unclassified Information (CUI). Defense contractors at this level are expected to have a more mature cybersecurity program, with enhanced capabilities to detect and respond to common cyber threats.

Level 3: Expert

Level 3 represents a significant step up in terms of cybersecurity maturity. At this level, defense contractors must implement a comprehensive set of security controls to protect CUI. These controls are based on industry best practices and require organizations to have proactive and well-documented cybersecurity policies and procedures.

Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date. If your plan is to obtain Level 3 compliance, I recommend using NIST SP 800-172 as the framework as a starting point.

In my experience, defense contractors should determine their required CMMC level based on their contracts and the sensitivity of the information they handle. This determination is critical. Also, it guides them in implementing the necessary security controls and practices. This helps them to achieve compliance.

How to Find Your CMMC Level

The level you need is based on the type of data/information handled by your business.

CMMC 2.0 Level

Type of Data


Assessment Frequency

Level 1


Data is not critical for national security

Self Assessment


Level 2


Prioritized acquisitions with data critical to national security

3rd Party Assessments

Every 3 Years

Level 2


Non-prioritized acquisitions with data not critical to national security

Self Assessment


Level 3


Government Led Assessment

Every 3 Years

CMMC Assessment Process

Now, let’s talk about the main event – the CMMC Assessment. It’s like preparing for a big exam. Pre-assessment is your study phase, where you conduct internal audits and identify gaps. The assessment itself is like game day. A Certified Third-Party Assessment Organization puts your practices to the test. Post-assessment is your result day, where you learn how well you did and what needs improvement.

The assessment involves a comprehensive evaluation of an organization’s cybersecurity controls and practices to determine its level of compliance with the Cybersecurity Maturity Model Certification (CMMC).

Pre-Assessment Preparation

Preparation is key. Start with an internal audit. It’s like looking in the mirror and being honest about what you see. Identify where you’re lacking and work on it. Implementing CMMC controls and practices isn’t just ticking boxes; it’s about building a culture of cybersecurity. I have also found that companies often forget about cyber awareness training for your team. After all, a chain is only as strong as its weakest link. All of this helps develop a roadmap for achieving the desired CMMC level.

What to Expect During a CMMC Assessment

During a CMMC Assessment, a certified third-party assessment organization evaluates your organization’s cybersecurity controls and practices. The assessment includes a review of documentation. It also involves interviews with personnel and technical testing of systems and networks. The provider assesses your organization’s adherence to the specific security controls and practices required for the desired CMMC level.

I have found that defense contractors should follow best practices to ensure a smooth CMMC Assessment process. These include maintaining accurate documentation, regularly reviewing and updating cybersecurity policies and procedures, and providing ongoing training and awareness programs for employees.

CMMC Compliance Requirements

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Implementation of the practices described above is a challenging process for contractors to do by themselves unless they have their own well-funded IT department.

Finally, penetration testing is also a critical requirement for CMMC compliance. It goes beyond the scope of a mere vulnerability scan. This robust process involves not only identifying security vulnerabilities but also actively attempting to exploit them, employing the same tools and techniques used by hackers.

Post-Assessment Steps: Implementing Controls and Practices

To achieve compliance with the CMMC, defense contractors must implement the necessary security controls and practices. This involves updating policies and procedures, configuring systems and networks to align with the CMMC requirements, and ensuring that employees are adequately trained to follow the established cybersecurity protocols.

Training and Employee Awareness

An essential aspect of achieving compliance is ensuring that employees are well-trained and aware of their roles and responsibilities in maintaining cybersecurity. Defense contractors should provide regular training sessions to educate employees about the importance of cybersecurity, common threats, and best practices for safeguarding sensitive information.

Download The Complete CMMC Compliance Checklist

Your guide and roadmap to compliance.

  • What is CMMC, who needs it, and when is it required
  • CMMC compliance checklist
  • FAQs
Download Checklist
CMMC Compliance Checklist

Choosing a CMMC Consultant

Selecting a CMMC Consultant is like choosing a personal trainer. You want someone who knows their stuff and can rigorously test your defenses. They’re not just evaluators; they’re your partners in this journey. Look for credibility, experience, and a track record of integrity.

Look for a provider that has first hand experience and is a DoD contractor themselves.

The Role of Consultants in Getting Your CMMC Certification

Consultants play a vital role in the CMMC certification process. They are responsible for conducting assessments, evaluating your organization’s cybersecurity controls and practices, and providing an objective assessment of compliance with the CMMC requirements. Their expertise and certification ensure that you receive accurate and reliable assessment results.

Common Challenges and Solutions in CMMC Assessments

Let’s be real; the road to compliance is rarely smooth. You’ll face challenges, from interpreting the requirements to implementing complex controls. But don’t be discouraged. Every challenge is an opportunity to strengthen your cybersecurity muscle. Stay updated, seek expert advice, and always aim for continuous improvement

In my experience, the journey to CMMC compliance is as challenging as it is rewarding. I recall working with a defense contractor who was initially overwhelmed by the CMMC requirements. The process seemed daunting, and the stakes were high. But with a structured approach, relentless preparation, and a dedicated team, the journey became a story of transformation. From enhancing their cybersecurity posture to fostering a culture of security awareness, the journey was a testament to their commitment to excellence and compliance.


Embarking on the CMMC journey is a commitment to excellence in cybersecurity. It’s not just for the sake of compliance; it’s about being a trusted player in national defense.

Remember, the path to CMMC compliance is not just a regulatory hurdle; it’s a strategic advantage. It’s about setting a standard in cybersecurity and being a leader in the defense industry. So, embrace this journey with determination and pride. Your role is not just about protecting data; it’s about being a vanguard in our nation’s defense.

How can the CMMC Assessment Consulting Team at Cloud9 Data help?

Cloud9 Data’s compliance consulting team of cyber security experts & advisors are ready to help contractors with CMMC readiness assessments.

Our process will not only provide you a roadmap to either build your CMMC program yourself internally or our team can act as an extension of your team to help build and implement your program.



  • Dee Begly

    Dee Begley is an internationally recognized expert on business communications, cybersecurity technologies, and compliance. She has two decades experience with cybersecurity strategy, compliance, and technologies.