CMMC assessment guide: Getting started and what to expect
March 11, 2025 · Authored by Matt Gilbert, Michell Min
If your organization is planning to pursue a Cybersecurity Maturity Model Certification (CMMC), you likely have questions. Start here to get the answers you need with our CMMC assessment guide. Find out how to prepare, what to expect and leading practices for success.
Identify the required CMMC level
What are your goals? At the outset of CMMC, your organization should determine the certification level (i.e., Level 1, Level 2 or Level 3) necessary to achieve your business objectives. At a minimum, CMMC Level 1 is required to perform Department of Defense (DOD) work that involves federal contract information (FCI); it covers the 15 basic safeguarding requirements of FAR 52.204-21 and is satisfied by an annual self-assessment. Level 2 will be required if your contract involves the handling of controlled unclassified information (CUI); it maps to the 110 requirements of NIST SP 800-171 and, for most contracts, requires a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) rather than a self-assessment. Level 3 will be required if your contract involves the handling of highly sensitive information, such as CUI for DOD programs with the highest priority; it adds selected NIST SP 800-172 requirements on top of Level 2 and is assessed by the government (DCMA DIBCAC). Check the solicitation and the CMMC clause in your contract for the level actually required; over-scoping to a higher level costs time and money, while under-scoping can make you ineligible for award.
Before CMMC: Get a Supplier Performance Risk System (SPRS) score
Used by the DOD as a precursor to CMMC to assess the risk of a contractor’s cybersecurity posture, the SPRS score is a numerical value that measures a defense contractor’s implementation of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements. It is produced with the DOD’s NIST SP 800-171 Assessment Methodology and, under DFARS 252.204-7019 and 252.204-7020, a current score (no more than three years old) must be posted in SPRS before a covered contract can be awarded.
To determine SPRS scores, organizations are rated on their ability to meet each of the 110 practices, with each practice worth one, three or five points according to its impact on protecting CUI. A total of 110 points may be earned for a perfect score. For any practice an organization does not meet, that practice’s weight is deducted from 110; because the weights sum to 313, the lowest possible score is -203. Two practices allow partial credit: multifactor authentication (3.5.3) implemented only for remote and privileged users loses three points instead of five, and encryption that is in use but not FIPS-validated (3.13.11) likewise loses three points instead of five. Lower scores indicate the DOD will need to assume greater risk, and defense contractors with low SPRS scores may not be awarded contracts. Note that a self-assessed score is an attestation, and DFARS 252.204-7020 allows the DOD to conduct its own medium or high assessment to confirm it, so score only what you can show evidence for.
A strong system security plan (SSP) is the road map for CMMC
An SSP is your organization’s road map to NIST SP 800-171 and CMMC compliance. This comprehensive document details the scope of your environment, including all systems and applications that store, process or transmit CUI, and outlines the security controls in place to protect your organization’s IT systems and the CUI contained therein. A robust SSP lets your assessors validate the assessment scope and confirm that the boundary around systems that process and store CUI is adequate. Keep in mind that NIST SP 800-171 practice 3.12.4 requires the SSP itself, and the DOD assessment methodology does not score an assessment at all if no SSP exists.
The SSP should also include an implementation statement or control language for each NIST SP 800-171 practice explaining how your organization meets the requirement. Rather than simply restating NIST language, implementation statements should give the assessor a concrete understanding of your organization’s specific process: which system or tool enforces the control, who operates it and where the evidence lives. The implementation statements should address each assessment objective associated with the practice, as listed in NIST SP 800-171A, because assessors score at the objective level and a practice is only “met” when every objective is met. Each practice should be given an implementation status of “implemented,” “not implemented” or “not applicable.” Ideally, all practices should have the status of “implemented” or “not applicable” before the beginning of the assessment; however, a plan of action and milestones (POA&M) is permitted for select practices not fully implemented at the time of the assessment. Under the CMMC program rule, this is tightly constrained: for Level 2, conditional certification requires a minimum score of 88 out of 110, the open items are largely limited to one-point practices, and they must be closed out within 180 days or the conditional certification lapses.
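The scoring rules in the SPRS section above and the per-practice implementation status that the SSP records combine naturally into a self-assessment tracker. The following Python is an added example written for this article, not code from the authors or from the DOD; the five practices in `SAMPLE` are a constructed subset with illustrative weights, so the resulting score is for demonstration only. The real table has 110 practices whose weights sum to 313, and the only methodology-specific rules reproduced here are the two partial-credit cases for 3.5.3 and 3.13.11; treating “not applicable” as a zero-point deduction is an assumption that must be backed by justification in the SSP.

```python
"""Compute a NIST SP 800-171 DoD Assessment Methodology (SPRS) score from
SSP-style implementation statuses and list the practices that need a POA&M.

Added example; not part of the original article. Weights in SAMPLE are
constructed for illustration and are not the published DoD values.
"""
from dataclasses import dataclass

MAX_SCORE = 110          # all 110 practices met
TOTAL_WEIGHT = 313       # sum of all practice weights; 110 - 313 = -203 minimum
VALID_STATUS = {"implemented", "not implemented", "not applicable"}

# Partial-credit rules from the DoD methodology: MFA (3.5.3) in place only for
# remote and privileged users loses 3 of 5 points; encryption in use but not
# FIPS-validated (3.13.11) loses 3 of 5 points.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Practice:
    ident: str            # NIST SP 800-171 practice number, e.g. "3.1.1"
    weight: int           # 1, 3 or 5 points
    status: str           # one of VALID_STATUS, as recorded in the SSP
    partial: bool = False # only meaningful for the two partial-credit practices


def deduction(p: Practice) -> int:
    """Points lost for a single practice."""
    if p.status not in VALID_STATUS:
        raise ValueError(f"{p.ident}: unknown status {p.status!r}")
    if p.weight not in (1, 3, 5):
        raise ValueError(f"{p.ident}: weight must be 1, 3 or 5")
    if p.status in ("implemented", "not applicable"):
        # Assumption: a documented, justified N/A is not deducted.
        return 0
    if p.partial and p.ident in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[p.ident]
    return p.weight


def sprs_score(practices) -> int:
    """Start at 110 and subtract every unmet practice's weight."""
    return MAX_SCORE - sum(deduction(p) for p in practices)


def poam_items(practices) -> list:
    """Practices that are not fully implemented and therefore need a POA&M."""
    return [p.ident for p in practices if p.status == "not implemented"]


def is_complete(practices) -> bool:
    """True only for a full 110-practice table with the expected total weight."""
    return len(practices) == 110 and sum(p.weight for p in practices) == TOTAL_WEIGHT


# Constructed sample; weights are illustrative, not the published DoD values.
SAMPLE = [
    Practice("3.1.1", 5, "implemented"),                    # limit system access
    Practice("3.1.22", 1, "not implemented"),               # control public CUI
    Practice("3.5.3", 5, "not implemented", partial=True),  # MFA: remote/privileged only
    Practice("3.13.11", 5, "not implemented"),              # no encryption of CUI at all
    Practice("3.1.16", 5, "not applicable"),                # no wireless in scope
]

if __name__ == "__main__":
    print("complete table:", is_complete(SAMPLE))   # False: sample subset only
    print("score:", sprs_score(SAMPLE))              # 110 - (1 + 3 + 5) = 101
    print("POA&M:", poam_items(SAMPLE))
```

In practice, load the rows from the SSP’s control tracker (a spreadsheet export works) and run `is_complete` before trusting the number: a score computed over a partial table, as in the sample, is only an exercise.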