CMMC Certification: Roadmap to Compliance

Prepare for Cybersecurity Maturity Model Certification requirements.

Advanced | 9 min read | Step-by-step guide

Source & Authority Information

Information as of: January 2026
Author: GovContractFinder Team
Additional sources:

Understanding the CMMC Framework

CMMC 2.0 Level Structure

  • Level 1 (Foundational): 17 practices for FCI protection, annual self-assessment allowed
  • Level 2 (Advanced): 110 practices aligned with NIST 800-171, third-party or self-assessment depending on criticality
  • Level 3 (Expert): 110+ practices with additional controls from NIST 800-172, government-led assessment required
  • Assessment frequency: Annual self-assessments for applicable levels, triennial third-party certifications
  • Subcontractor flow-down: CMMC requirements flow to subcontractors handling covered information

Determining Your Required CMMC Level

Scoping Your CMMC Assessment Boundary

The CMMC Assessment Process

  1. Gap Assessment

     Conduct an internal gap assessment comparing your current security posture against the required CMMC level. Identify missing controls, incomplete implementations, and documentation gaps. This assessment forms the basis for your remediation roadmap.

  2. Remediation Planning

     Develop a Plan of Action and Milestones (POA&M) addressing the identified gaps. Prioritize based on risk and the assessment timeline. Budget for the technology, personnel, and consulting support needed to close the gaps.

  3. Control Implementation

     Implement the required security controls across people, processes, and technology. Document policies and procedures. Train personnel on their security responsibilities. Deploy technical controls and configure systems appropriately.

  4. Documentation Development

     Create a System Security Plan (SSP) documenting your security environment and control implementations. Prepare evidence artifacts demonstrating control effectiveness. Organize the documentation for assessor review.

  5. Readiness Assessment

     Conduct a mock assessment using the CMMC assessment guides. Test that controls work as documented. Verify that evidence is complete and accessible. Address any issues before the formal assessment.

  6. Formal Assessment

     Engage a Certified Third-Party Assessment Organization (C3PAO) for the formal certification assessment. Provide access to systems, documentation, and personnel. Respond to assessor questions and evidence requests.

Key Security Domains in CMMC

  • Access Control (AC): Limit access to authorized users and control what they can do
  • Awareness and Training (AT): Ensure personnel understand security responsibilities
  • Audit and Accountability (AU): Track and review system activities and user actions
  • Configuration Management (CM): Establish and maintain secure system configurations
  • Identification and Authentication (IA): Verify identity of users and devices
  • Incident Response (IR): Detect, respond to, and recover from security incidents
  • Maintenance (MA): Maintain systems securely, including remote maintenance
  • Media Protection (MP): Protect information on digital and physical media
  • Personnel Security (PS): Screen and manage personnel with access to CUI
  • Physical Protection (PE): Control physical access to systems and facilities
  • Risk Assessment (RA): Identify and assess security risks
  • Security Assessment (CA): Assess effectiveness of security controls
  • System and Communications Protection (SC): Protect information in transit and at rest
  • System and Information Integrity (SI): Identify and correct security flaws

Common CMMC Compliance Challenges

Building Your System Security Plan

Working with C3PAOs

Maintaining CMMC Compliance

CMMC Timeline and Implementation

Cost Considerations for CMMC Compliance

  • Technology costs: Security tools, infrastructure upgrades, cloud services meeting FedRAMP requirements
  • Personnel costs: Security staff, training, and potential new hires for compliance roles
  • Consulting costs: Gap assessments, remediation support, documentation development assistance
  • Assessment costs: C3PAO assessment fees varying by scope and complexity
  • Ongoing costs: Continuous monitoring, annual self-assessments, triennial recertification

Conclusion