Starting January 2025, federal contracts, particularly those with the DoD, are expected to require compliance with the Cybersecurity Maturity Model Certification (CMMC), meaning companies bidding on these contracts will need to demonstrate their cybersecurity posture through CMMC certification to be eligible. This guide provides a 12-step CMMC compliance checklist to help your organization understand and prepare for certification, meet cybersecurity requirements, and safeguard controlled unclassified information (CUI).
Contractors and businesses have heard a lot about CMMC. What is different now?
Why should we pay attention now, when this has seemed like background noise for the last 3-5 years?
The U.S. Department of Defense’s final regulations for CMMC 2.0 have officially taken effect, requiring defense contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to meet specific cybersecurity standards. Once the rule is fully implemented, CMMC compliance will be a mandatory requirement for new DoD contracts.
Third-party CMMC assessments began on January 2, 2025, meaning businesses that fail to achieve the necessary certification risk losing eligibility for future defense contracts.
What is Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the Department of Defense (DoD) to enhance cybersecurity across the defense industrial base (DIB). If your company works with the DoD OR is a subcontractor for a company that works with the DoD, you may be required to meet CMMC compliance to handle sensitive government information securely. The goal of the CMMC program is to strengthen national security by ensuring contractors follow NIST cybersecurity standards to protect sensitive DoD data from potential threats.
What CMMC Level Do You Need?
CMMC 2.0 consists of three levels, each with increasing security requirements:
Level 1 (Foundational): Basic safeguarding requirements for companies handling Federal Contract Information (FCI), with 17 cybersecurity practices.
Level 2 (Advanced): Alignment with NIST SP 800-171, requiring 110 security practices to protect controlled unclassified information (CUI).
Level 3 (Expert): The highest level, for organizations handling highly sensitive government data. Incorporates additional requirements from NIST SP 800-172, targeting critical national security programs.
Far fewer companies are expected to be required to meet the more stringent Level 3 requirements.
Which Types of Companies are Affected in the St. Louis Area?
This is impacting prime contractors who work directly with the DoD as well as their subcontractors. It also impacts defense manufacturers in the defense supply chain. Lastly, it impacts IT service providers and software developers that manage defense data or create DoD software solutions.
In the St. Louis area, CMMC compliance requirements from Boeing, Siemens, Ameren and Fort Leonard Wood are impacting our clients. For example, Siemens is required to flow down their CMMC requirement to all subcontractors who execute or who may execute on their federal contracts.
What do I need to do if I want to comply?
Complying with CMMC means complying with standard cybersecurity frameworks such as NIST. There is a defined combination of policies, procedures, and tools that demonstrates you are adhering to standard cybersecurity best practices.
More specifically, an annual audit with supporting evidence is required. Defined corporate cybersecurity policies must also be reviewed and signed by employees each year to remain in compliance. CMMC Level 2 may require a formal third-party audit.
The 12-Step CMMC Compliance Checklist
Step 1: Determine Your CMMC Level
The first step is to understand your organization’s CMMC requirements.
To determine your required level, review your contract obligations, customer relationships, and the type of information you process, and establish whether you (or the customers you support) handle FCI or CUI.
Identifying the CMMC level needed will determine your next steps.
Step 2: Conduct a Readiness Assessment
Before pursuing certification, conduct a gap analysis to assess your current cybersecurity maturity.
Conduct regular breach simulations to test response effectiveness.
Step 8: Train Your Employees on Cybersecurity Best Practices
Human error is a major cause of data breaches, so security awareness training is critical.
Train employees on recognizing phishing attacks and social engineering.
Conduct periodic security training and simulated attack exercises. If you don’t have an in-house IT cybersecurity team, work with a cybersecurity company that is well-versed in these techniques.
Step 9: Ensure Compliance with NIST 800-171 Requirements
CMMC Level 2 aligns with NIST 800-171, which outlines 110 security controls.
Implement policies for audit logging, system monitoring, and risk management.
Maintain compliance documentation to support certification.
Step 10: Conduct an Internal Audit
Before scheduling an official CMMC assessment, perform an internal audit.
Review security documentation and test control effectiveness.
Identify any remaining gaps and remediate them.
Step 11: Engage a Certified Third-Party Assessor Organization (C3PAO)
CMMC Levels 2 and 3 require third-party assessments by a C3PAO (Certified Third-Party Assessor Organization).
Select an accredited C3PAO from the Cyber AB marketplace.
Prepare for the official audit by finalizing all documentation.
Step 12: Maintain Compliance and Continuous Monitoring
CMMC compliance is not a one-time certification—it requires ongoing cybersecurity measures.
Implement continuous security monitoring and risk assessments.
Keep your SSP, POA&M, and security controls updated as threats evolve.
How Does Certified NETS Help?
At Certified NETS we help our clients determine whether they are required to be CMMC compliant and which level is required. Identifying gaps, mitigating them, and documenting everything as proof of compliance can take months. We work with our customers to provide Compliance as a Service, ensuring the appropriate policies, procedures, and tools are in place. We perform the self-assessment or ensure our clients are prepared for a formal third-party audit.
Preparation starts with assessing your current cybersecurity posture, training employees, and working with a CMMC compliance consultant if needed.
Is CMMC Certification Worth It?
If your business works with the DoD, CMMC certification is mandatory. Compliance also enhances your cybersecurity and gives you a competitive advantage in government contracting.
How Long Does It Take to Get CMMC Certified?
Preparation phase: Several months
Certification audit: 3-6 months, depending on readiness
How Do I Get CMMC Level 1 Certification?
Level 1 requires a self-assessment against 17 basic security controls; a third-party audit is not needed.
Is CMMC Only for DoD Contractors?
Currently, yes. However, other federal agencies may adopt similar cybersecurity frameworks.
What Were the 5 Levels of CMMC Before?
Level 1 – Basic Cyber Hygiene
Level 2 – Intermediate Cyber Hygiene
Level 3 – Good Cyber Hygiene
Level 4 – Proactive
Level 5 – Advanced/Progressive
CMMC originally had five levels, but CMMC 2.0 simplified it to three levels to streamline compliance.
CMMC compliance is critical for defense contractors and subcontractors working with the Department of Defense. By following this 12-step compliance checklist, organizations can strengthen their cybersecurity posture and meet DoD requirements.
Need Expert Guidance with CMMC Compliance Requirements?
Certified NETS provides CMMC compliance consulting to help businesses navigate the process smoothly.
Contact us today to get started.