How to Get CMMC Certified: A Step-by-Step Guide for Defense Contractors

Nadia Patel

April 24, 2026 · 4 min read

Navigating CMMC certification can feel overwhelming, but with a clear roadmap, defense contractors of any size can achieve compliance. Here’s your step-by-step guide to getting CMMC certified.

Understanding CMMC Certification

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s mandatory framework for ensuring defense contractors meet cybersecurity standards. Whether you need Level 1 or Level 2, the certification process follows a predictable path — if you know the steps.

With Phase 2 enforcement beginning November 2026, the window to prepare is narrowing. Here’s exactly how to get from where you are today to CMMC certified.

Step 1: Determine Your Required CMMC Level

Your required level depends on the type of information you handle:

  • Federal Contract Information (FCI) only → Level 1 (15 controls, self-assessment)
  • Controlled Unclassified Information (CUI) → Level 2 (110 controls, third-party assessment after Phase 2)
  • Critical CUI on programs targeted by Advanced Persistent Threats → Level 3 (government-led assessment)

Review your current DoD contracts and subcontracts. Look for DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021 — these indicate CMMC applicability and the level of CUI you handle.

Step 2: Conduct a Readiness Assessment

Before you can close gaps, you need to know where they are. A CMMC readiness assessment evaluates your current cybersecurity posture against the applicable NIST SP 800-171 controls (for Level 2) or FAR 52.204-21 requirements (for Level 1).

What a readiness assessment covers:

  • Current security control implementation status
  • Documentation review (policies, procedures, system security plan)
  • Technical infrastructure evaluation
  • SPRS score calculation
  • Gap identification and severity ranking

Many companies partner with a managed IT provider like Brightworks IT for this step — an outside perspective catches blind spots your internal team may miss.

Step 3: Perform a Gap Analysis

The gap analysis translates your readiness assessment into a prioritized action plan. For each unmet control, you’ll document:

  • What’s required vs. what’s currently in place
  • The remediation steps needed
  • Estimated cost and timeline
  • Dependencies between controls

This becomes your Plan of Action and Milestones (POA&M) — a living document that tracks your path to full compliance.

Step 4: Implement Security Controls

This is where the real work happens. For Level 2, you’re implementing 110 security controls across 14 domains:

  • Access Control — Limit system access to authorized users
  • Awareness & Training — Security training for all personnel
  • Audit & Accountability — Logging and monitoring system activity
  • Configuration Management — Secure baseline configurations
  • Identification & Authentication — Multi-factor authentication, strong passwords
  • Incident Response — Documented IR plan and procedures
  • Maintenance — Controlled system maintenance
  • Media Protection — Secure handling of digital and physical media
  • Physical Protection — Physical access controls
  • Personnel Security — Background checks, termination procedures
  • Risk Assessment — Regular vulnerability assessments
  • Security Assessment — Periodic evaluation of controls
  • System & Communications Protection — Encryption, network segmentation
  • System & Information Integrity — Malware protection, patching

Prioritize quick wins: MFA deployment, encryption enablement, and policy documentation can often be completed quickly and significantly improve your score.

Step 5: Build Your Documentation Package

CMMC assessors don’t just check that controls are implemented — they verify that they’re documented. Critical documents include:

  • System Security Plan (SSP) — Describes your information system and security controls
  • Plan of Action & Milestones (POA&M) — Tracks remediation of identified gaps
  • Security policies and procedures — Covering all 14 control domains
  • Incident Response Plan — How you detect, respond to, and recover from incidents
  • Evidence artifacts — Screenshots, configurations, training records, logs

Step 6: Submit Your SPRS Score

The Supplier Performance Risk System (SPRS) is where you report your self-assessment score. This is required even before your formal C3PAO assessment. Your score ranges from -203 to 110, with 110 representing full compliance with all NIST 800-171 controls.

Step 7: Engage a C3PAO (For Level 2)

When you’re ready, schedule your formal assessment with a Certified Third-Party Assessment Organization (C3PAO). Important: C3PAO availability is limited and demand is surging as Phase 2 approaches. Book early.

The assessment typically involves:

  • Document review
  • Interviews with key personnel
  • Technical testing and evidence collection
  • Findings report and certification recommendation

Step 8: Maintain Your Certification

CMMC certification isn’t a one-time event. You must maintain compliance through:

  • Continuous monitoring of security controls
  • Annual self-assessments (between formal assessments)
  • Ongoing documentation updates
  • Regular security training
  • Incident response testing

How Long Does CMMC Certification Take?

Realistic timelines:

  • Level 1: 1-3 months (if starting from basic cybersecurity)
  • Level 2: 6-18 months (depending on current posture)
  • Level 3: 12-24 months

Get Expert Help

Most small and mid-sized defense contractors don’t have in-house cybersecurity teams. Partnering with an experienced managed IT provider like Brightworks IT can dramatically accelerate your timeline and reduce the burden on your team.

Written by

Nadia Patel

Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.
