Skip to main content

CMMC Primer

How to Get CMMC Certified: A 7-Step Guide for DoD Contractors

For organizations seeking certification (OSCs) — or contractors expanding into the Defense Industrial Base — the CMMC certification process is a defined path. Level 1 organizations self-assess; Level 2 and Level 3 organizations undergo third-party or government assessment. Here are the seven steps that carry you end-to-end, from establishing scope through remediating gaps.

Step 1 — Establish Scope

As the OSC, you first identify your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), then define the CMMC environment around the assets relevant to that data. In-scope assets include anything that:

  • Processes FCI or CUI — accesses, enters, edits, generates, manipulates, stores, or prints it.
  • Stores FCI or CUI at rest — electronic media, component memory, SSDs, magnetic media, or paper.
  • Transmits FCI or CUI — any physical or digital transport method.
  • Supports security functions for the above, whether or not it touches CUI itself.
  • Has exposure to CUI — Contractor Risk Managed Assets (CRMAs), Operational Technology, and other specialized assets.

Build a detailed inventory of in-scope assets. Extend that inventory to External Service Providers (ESPs) — including cloud service providers. ESPs that are CSPs must hold FedRAMP Moderate authorization or documented FedRAMP equivalency. Non-CSP ESPs handling CUI may present CMMC certification and can participate alongside the OSC. In either case, a Shared or Customer Responsibility Matrix (SRM/CRM) is essential.

Note: ESPs included in your assessment scope do not themselves receive a CMMC certificate — the certificate belongs to the OSC.

Step 2 — Identify a C3PAO Partner

Your C3PAO is the independent organization that conducts the assessment and submits results to CMMC eMASS. The Cyber AB Marketplace lists all authorized C3PAOs, along with:

  • Registered Practitioners & Organizations (RPs / RPOs) — typically aid in CMMC preparation.
  • Approved Training Partners (ATPs) — deliver authorized training on the ecosystem.
  • C3PAOs, CCPs, and CCAs — perform assessment activities.

C3PAO capacity is limited. Engage early — wait times will grow as Phase 2 requirements come online.

Step 3 — Develop Your SSP and Verify Implementation

The System Security Plan (SSP) is the backbone of your assessment. It captures:

  • Points of contact responsible for the environment and its security.
  • A description of the environment with diagrams showing data flows and in-scope components.
  • Detailed implementation notes for each practice and sub-practice defined in NIST SP 800-171A r2.

Writing the plan is not enough — every practice must be evidenced. Validate implementation and gather artifacts before the assessment. Use the OUSD assessment objectives guide to align your evidence with how the C3PAO will test each control.

Practical tip: encryption used for CMMC practices must be backed by FIPS 140-2 or 140-3 validated cryptography. Build a catalog of your cryptographic modules and Cryptographic Module Validation Program (CMVP) numbers — what each module encrypts (VPN, storage, backups, OS) and how it is configured against its CMVP Security Policy.

Step 4 — Define Your Internal Assessment Team

Your C3PAO performs the assessment, but your organization drives it. Field these roles:

  • Assessment Official (AO) — senior owner accountable for the assessment.
  • Point of Contact (POC) — day-to-day coordinator with the C3PAO.
  • Subject Matter Experts (SMEs) — the people who actually operate the systems, controls, and procedures being assessed.

If your POC is external, avoid any conflict of interest with the C3PAO — the same firm cannot both prepare and assess you.

Step 5 — Plan the Assessment With Your C3PAO

Bring the C3PAO the parameters they need to plan effectively:

  • Prior self-assessment results and SPRS scores.
  • Target start window for the assessment.
  • Information-system architecture, boundary, and asset inventory.
  • Physical location of in-scope assets.
  • Inheritance — controls satisfied by another organization's status (e.g., AWS GovCloud or Microsoft GCC High providing physical access controls for PE.L1-3.10.1).

The C3PAO will define methods for collecting evidence — examination of artifacts (policies, procedures, reports, inventories, configurations), interviews with SMEs, and observation of tests or demonstrations. Their approach drives the effort required from your team, so weigh it into scheduling and budgeting.

Step 6 — Conduct the Assessment

The CMMC assessment runs in two phases:

  • Phase 1 — Readiness & intake: The C3PAO samples evidence to confirm readiness and captures organizational elements — CAGE codes, UEI, scope description, and points of contact — into eMASS.
  • Phase 2 — Evidence review and testing: Every practice is evaluated for evidence that is both adequate ("does the team have the right evidence?") and sufficient ("does the team have enough of the right evidence?").

When results are presented, the OSC has five business days to submit additional supporting evidence for any adverse finding. Only previously undisclosed documentation is admissible — you cannot restructure the control after the fact. Failing a sensitive or critical control means no certification without remediation and re-assessment.

Step 7 — Remediate Gaps

CMMC allows conditional certification through a Plan of Action and Milestones (POA&M), valid for no more than 180 days from assessment completion. The POA&M cannot cover the highest-weight or most sensitive controls — those must be met outright.

Once remediated, the OSC re-engages the C3PAO to verify the affected controls. Confirmed compliance results in a CMMC certificate; failure to close the POA&M within the window forfeits the conditional status.

Moving forward

Whether the outcome is a final or conditional certificate, these seven steps define the path. The organizations that move first — early scoping, early C3PAO engagement, disciplined SSP work — will have the least friction as Phase 2 broadens and assessor capacity tightens.

Need help getting CMMC-ready?

Desra Secure runs CMMC scoping workshops, gap assessments, SSP and POA&M builds, and pre-assessment readiness aligned to Level 2 and Level 3 — with the cleared personnel and secure IT engineering to sustain compliance after the certificate is issued.

This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle. Portions of this content are adapted from publicly available CMMC guidance from the DoD, the Cyber AB, and C3PAO educational materials.