A CMMC Compliance Checklist to Prepare for a CMMC Assessment

Corserva blog

Since the initial announcement of CMMC, suppliers working in federal supply chains have been anxious to take the steps required to achieve CMMC compliance. Unfortunately, it's been a "hurry up and wait" situation.

Until now.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is starting to approve Certified 3rd Party Assessor Organizations (C3PAO) as authorized C3PAOs. As more candidate C3PAOs become authorized C3PAOs, Organizations Seeking Compliance (OSC) will be able to step up their compliance efforts and get a CMMC assessment.

The process to achieve CMMC compliance is as follows.


CMMC Compliance Checklist

  1. Evaluate your readiness for a CMMC assessment by a C3PAO.
  2. Perform remediation to fix the gaps in compliance.
  3. Hire a C3PAO to perform a CMMC assessment of your company.


1. Evaluate Your Readiness for a CMMC Assessment by a C3PAO

Your first step on the path to CMMC compliance is to take stock of the "as is" IT environment — the current security in managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). You can perform a self-assessment or hire an outside consulting company to do this for you.


1.1 CMMC Levels

The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality.

CMMC compliance

The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding of information at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Level 4 and Level 5.

CMMC compliance

It is expected that most small businesses will need to meet either Level 1 controls or Level 2 controls of CMMC.

There is a direct correlation to the NIST 800-171 requirements and the Level 3 controls of CMMC.

NIST 800-171, which became effective December 31, 2017, is the foundation for CMMC. Both NIST 800-171 and CMMC were created to strengthen the cybersecurity defenses of the Defense Industrial Base (DIB).

Level 1 - Safeguard Federal Contract Information (FCI)

Level 1 Practices
  • Firewall with monitoring
  • Segment and control public facing connections
  • Anti-virus
  • Device inventory
  • Software inventory
  • User and access management
  • Log and escort visitors
  • Badges and keys
  • Data disposal
  • Update systems
Level 1 Supporting Documentation
  • Acceptable Use Policy
  • Access Control Policy
  • Physical Security Policy
  • Asset Management Policy

Level 2 - Serve as transition step in cybersecurity maturity progression to protect CUI

Level 2 Practices
  • CMMC Level 1 completion
  • System event logging/retention
  • Awareness and role training
  • Hardware/software inventory
  • Secure baselines
  • Multi-factor authentication (MFA) for remote access
  • Conduct, test, and encrypt backups
  • Vulnerability scanning and remediation
  • Identify unauthorized use
  • Incident response procedures
  • more...
Level 2 Supporting Documentation
  • Vulnerability Management Policy
  • Data Transfer Policy
  • Incident Response Policy
  • Password Policy
  • Secure Baseline Procedures
  • Change Management Procedure
  • Teleworker Policy
  • Data Classification Policy
  • Information Security Policy

Level 3 - Protect CUI

Level 3 Practices
  • CMMC Level 2 completion
  • 800-171 controls
  • No POA&M items
  • Offsite backups
  • Centralized logging
  • Risk assessments
  • Continuous monitoring
  • DNS filtering
  • more...
Level 3 Supporting Documentation
  • Social Media Policy
  • CUI Handling Procedure
  • Information Security Plan

Level 4 - Protect CUI and reduce risk of Advanced Persistent Threats (APT)

Level 4 Processes: Reviewed

Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.

Level 4 Practices: Proactive

Practices protection of CUI for APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.

Level 5 - Protect CUI and reduce risk of APTs

Requires an organization to take corrective action towards improving process implementation across the organization. Increases the depth and sophistication of cybersecurity capabilities.


1.2 CMMC Requirements

There are 17 CMMC requirements, or capability domains.

1. Access Control (AC)

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

2. Asset Management (AM)

  • Identify and document assets
  • Manage asset inventory

3. Audit and Accountability (AU)

  • Define audit requirements
  • Perform auditing
  • Identify and protect audit information
  • Review and manage audit logs

4. Awareness and Training (AT)

  • Conduct security awareness activities
  • Conduct training

5. Configuration Management (CM)

  • Establish configuration baselines
  • Perform configuration and change management

6. Identification and Authentication (IA)

  • Grant access to authenticated entities

7. Incident Response (IR)

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post incident reviews
  • Test incident response

8. Maintenance (MA)

  • Manage maintenance

9. Media Protection (MP)

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

10. Personnel Security (PS)

  • Screen personnel
  • Protect CUI during personnel actions

11. Physical Protection (PE)

  • Limit physical access

12. Recovery (RE)

  • Manage backups
  • Manage information security continuity

13. Risk Management (RM)

  • Identify and evaluate risk
  • Manage risk
  • Manage supply chain risk

14. Security Assessment (CA)

  • Develop and manage a system security plan
  • Define and manage controls
  • Perform code reviews

15. Situational Awareness (SA)

  • Implement threat monitoring

16. Systems and Communications Protection (SC)

  • Define security requirements for systems and communications
  • Control communications at system boundaries

17. System and Information Integrity (SI)

  • Identify and manage information system flaws
  • Identify malicious content
  • Perform network and system monitoring
  • Implement advanced email protections



1.3 Determine the CMMC Level of Compliance You Will Need to Meet

Typically, prime contractors are notified by the Department of Defense (DoD) directly that they need to comply with CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply.

The DoD is in the process of migrating from NIST 800-171 to the CMMC framework and by 2026, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them.

If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").

CMMC compliance checklist


CMMC compliance checklist


If there are future contracts for which you plan to bid, you will want to be certified to the level of cybersecurity required by the contract, RFI, or RFP. You can also base your decision as to which level to certify on internal business goals.

Most companies seeking CMMC compliance will only need to be certified to Level 1, 2, or 3. Very few companies will need to meet CMMC security requirements for Levels 4 or 5. The CMMC-AB expects that 60% of the assessments performed will be for Level 1.



1.4 Refer to the CMMC Publications Issued by the Government

You can refer to the CMMC publication itself, issued by the Department of Defense. Version 1.0 was released on January 20, 2020, and minor updates were made on March 18, 2020, with the release of Version 1.02. The appendices to the CMMC publication provide a matrix of the model, mapping out the CMMC requirements.

 Cybersecurity Maturity Model Certification (CMMC), Version 1.02, March 18, 2020 

 CMMC Appendices, Version 1.02, March 18, 2020


The Office of the Under Secretary of Defense for Acquisition & Sustainment, OUSD(A&S), has also provided the following helpful materials.

 A spreadsheet listing the CMMC requirements for each of the five levels

 A CMMC Level 1 assessment guide

 A CMMC Level 3 assessment guide 

Request a Quote for CMMC Consulting Services


1.5 Hire a Consulting Company to Prepare You for a CMMC Assessment

You can hire an outside company, such as Corserva, to perform a pre-assessment of your IT environment and determine your CMMC readiness.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to DoD contractors and other Organizations Seeking Certification (OSC).

Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts. These are the steps we follow:

  1. Identify the relevant requirements of CMMC you will need to meet.
  2. Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
  3. Create a list of remediation steps you will need to take before hiring a C3PAO to perform a CMMC assessment.

The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote.

Request a Quote for CMMC Consulting Services


2. Perform Remediation to Fix the Gaps in Compliance

Once you have performed an assessment of your company's compliance to the desired level of CMMC, you will have a list of CMMC practices that you are currently not meeting. 

Keep in mind that, unlike NIST 800-171 compliance, you need to correct all deficiencies before you can meet the compliance requirements of CMMC.

So, you can create documents such as System Security Plans (SSP) and Plans of Action with Milestones (POA&M) to help you with planning. But creating these documents is not sufficient to achieve CMMC compliance.


2.1 Process Changes and Technology Changes

When protecting CUI, processes are just as important as technology. It is likely your list of remediation steps will include process changes to be made as well as technology changes.

You should take a lifecycle approach to security where you define your security policies and specify approved procedures to manage CUI within an IT platform.

CMMC compliance checklist

Moving forward, you need to make sure you are monitoring and validating the IT systems, then periodically perform a management review. Create a plan to make sure you stay in compliance.

Because of Corserva's experience in IT consulting, we can make specific technology recommendations to you as to the most effective way to correct deficiencies, saving you time and money on CMMC compliance.

In addition, there are several best practices that will guide you on the road to CMMC compliance.

Request a Quote for CMMC Consulting Services


2.2 Isolate CUI

Since CMMC focuses on the protection of CUI, it makes sense to limit the exposure.

Determine where you currently store CUI within your company and its systems. Look for ways to reduce the amount of CUI you have. If a prime contractor or other contractor sends you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.

The less CUI you have, the easier it will be to protect it.


2.3 Use FIPS Encryption

For an IT system to be CMMC compliant, it must use FIPS validated cryptography to protect data at rest and in transit.

A platform that uses FIPS validated cryptography has been submitted to the National Institute of Standards and Technology (NIST) for validation and certification. NIST maintains a list of FIPS validated cryptographic platforms you can search on to verify a system is compliant.


2.4 Avoid the Shopping Cart Approach

It can be tempting to purchase a compliance tool as a quick solution. But the best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.

Use caution before purchasing any type of self-analysis tool intended to identify gaps in your CMMC compliance. A survey version of the documents already provided by the government won't help you if you don't have the expertise in-house to use the tools.


2.5 Hire an IT Consulting Company to Perform Remediation

Once you have determined what remediation needs to take place before your CMMC assessment, you can hire an outside IT company, such as Corserva, to execute the process and technology changes needed.

Request a quote for CMMC consulting services to get ready for a CMMC assessment.



3. Hire a C3PAO to Perform a CMMC Assessment

Companies working in federal supply chains can achieve CMMC compliance by successfully passing a CMMC audit. These audits can only be performed by Certified 3rd Party Assessor Organizations (C3PAO).

C3PAOs are authorized by the CMMC-AB to perform assessments.

Unlike with NIST 800-171, there is no option for self-attestation with CMMC. You cannot achieve CMMC certification on your own.


3.1 Research and Hire a C3PAO

The CMMC-AB Marketplace lists C3PAO companies. Only the companies listed here as authorized C3PAOs are approved by the CMMC-AB to perform assessments.

Companies listed in the CMMC-AB Marketplace as candidate C3PAOs have begun the process to become an authorized C3PAO, but not yet completed the process.

Use the CMMC-AB Marketplace to research potential C3PAOs. Only hire a C3PAO that is listed as an authorized C3PAO on the Marketplace.

The CMMC-AB is the only organization that can qualify a C3PAO to perform CMMC assessments. Note that the CMMC-AB does not perform assessments directly. Instead, C3PAO companies are certified by the CMMC-AB to perform assessments.

Your company, as the Organization Seeking Compliance (OSC), hires the C3PAO to perform your CMMC assessment.

The cost for a CMMC assessment will depend upon several factors including to which level the certification is needed and complexity of your IT infrastructure.

The DoD has provided estimated assessment costs, as part of the Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041.


3.2 CMMC Assessment Process

Once you've hired a C3PAO company, you will schedule the assessment with the C3PAO.

The process for a CMMC assessment is as follows:

  1. Hire a C3PAO to perform the assessment.
  2. The C3PAO performs the assessment of your company.
  3. The C3PAO creates an assessment report.
  4. If there are no deficiencies, the C3PAO issues a CMMC certificate.
  5. The C3PAO submits a copy of the assessment report and CMMC certificate to the DoD. The CMMC certificate is valid for three years.
  6. Once the C3PAO submits the CMMC certificate to the DoD, your requirement for CMMC compliance has now been met.

To be eligible for a contract, your CMMC certification will be needed at the time of the award.

There are no fines for non-compliance; however, you will be unable to participate in DoD contracts.


Corserva is a CMMC-AB Registered Provider Organization™ (RPO)

Corserva can prepare you for a CMMC assessment by a C3PAO, greatly reducing your costs and efforts to achieve CMMC compliance.

RPOCorserva offers:

 Pre-assessment readiness services

 Technical remediation to correct gaps in compliance

 Customized security programs

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors.

Get started today. Talk to a CMMC compliance expert by requesting a quote for CMMC consulting.

Request a Quote for CMMC Consulting Services


Post Date: June 28, 2021 // 11:37 AM

Topic category:



Adam Keely

Adam is a security analyst and CMMC-AB Registered Practitioner (RP). He is a member of Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC. Adam spent 5 years in the United States Marine Corps as a Communications Electronics Technician before entering the corporate world, where he has worked in web development and cybersecurity.