
10 steps for DoD contractors to prepare and get certified in CMMC

The Department of Defense (DoD) has decided that self-attestation will no longer be acceptable. It wants an accredited third party to certify its contractors or vendors at one of five levels of maturity before a contractor is eligible for a contract award from the DoD. This new certification is called CMMC, which stands for Cybersecurity Maturity Model Certification. According to Chief Information Security Officer for Acquisition Katie Arrington, “Given the diversity of the DOD supply chain, the fact that cybersecurity is not one-size-fits-all, CMMC consists of five levels that enable the progression of cybersecurity maturity for defense contractors, as you can see by this, from basic cybersecurity hygiene to advanced.”

The motto of CMMC, according to the Accreditation body, is “Securing our Nation’s Supply Chain.” Undersecretary of Defense Ellen Lord has announced that CMMC is a critical element of DoD’s overall cybersecurity implementation.

How CMMC can help you

Current DoD contractors should see the CMMC as a positive step forward and should use this certification as an opportunity to take an in-depth look at their cybersecurity measures and at ways to achieve continuous improvement. This is why our roadmap to CMMC contains optimization as the final step of the path, where organizations continue to evolve and enhance their cybersecurity controls. Darren Deslatte, Vulnerability Operations Leader at Entrust Solutions, has said that preparing for the CMMC certification has helped his company achieve a more robust cybersecurity system. “While it can be tempting for technology companies to grow lax about their cybersecurity protocols, believing they cannot be hacked, this is far from reality. Cybercriminals are continually evolving their hacking techniques, whether they’re thinking up new social engineering techniques, leveraging AI tools to their advantage, or becoming more proficient at hacking mobile devices. That means that our technology experts have to continually evolve our cyber hygiene and defensive measures too,” adds Deslatte.

Since the DoD released the first version of the CMMC model in January 2020, some major DoD contractors got to work right away to prepare themselves for certification. While the steps on the path to certification are reasonably clear, the certifying agencies have not yet been determined. The CMMC Accreditation Body has started the process of identifying and approving the assessors and practitioners who will work towards getting the Defense Industrial Base (DIB) certified. The Accreditation Body has released program details for Certified Third Party Assessor Organizations (C3PAOs), Registered Provider Organizations (RPOs), and the credentialed roles working with these organizations. RPOs are the organizations that can help suppliers prepare for the CMMC assessment and certification. C3PAOs are the organizations that will be accredited to conduct the assessment of the supplier and issue a certification.


  • A DoD supplier or contractor should plan for at least a 6-month preparation and certification period.
  • The first contract awards to certified suppliers or contractors are expected to take place in the first quarter of 2021.
  • The CMMC certification is valid for a 3-year period.



10 Steps in the Path to CMMC

Path to CMMC - Infographic from 24By7Security

  1. Gap Assessment
    • Step 1. Choose your desired level of certification.
    • Step 2. Identify a Registered Provider Organization (RPO) to help with the gap assessment and the other steps listed below. As of the date of publication, the CMMC Accreditation Body is in the process of reviewing applications from organizations seeking to be RPOs.
    • Step 3. Document your organization’s current state.
    • Step 4. Document the gaps between the current state and the desired maturity level.
  2. Remediation
    • Step 5. Prepare an action plan to address the gaps.
    • Step 6. Remediate the gaps identified according to the action plan.
  3. Audit and Certification
    • Step 7. Identify a Certified Third Party Assessor Organization (C3PAO) to conduct the audit. As of the date of publication of this blog, the CMMC Accreditation Body is in the process of reviewing applications from organizations seeking to be C3PAOs.
    • Step 8. Undergo the audit performed by the C3PAO.
    • Step 9. Achieve certification after any open items are addressed to the satisfaction of the C3PAO.
  4. Optimization
    • Step 10. Run an ongoing process to evolve and improve operations and security controls.

Complying with the CMMC is time-consuming: the anticipated end-to-end duration is likely to be at least six months. The effort of preparing for the CMMC can be managed better if you use the services of a Registered Provider Organization (RPO) to guide you through the process. The RPO can even help you select a C3PAO to conduct the final audit. 24By7Security has performed numerous gap and readiness assessments for multiple frameworks and regulations such as NIST SP 800-171, ISO 27001, SSAE 18/SOC 2, and the NIST Cybersecurity Framework. We can help you get ready for CMMC in an efficient and cost-effective manner.

Rema Deo

Rema Deo is the CEO and Managing Director at 24By7Security, Inc. Rema is certified as a Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2. She is also a Certified Information Security Manager (CISM) from ISACA. She holds a certificate in Cybersecurity: Technology, Application and Policy from the Massachusetts Institute of Technology, and a Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She also has a Master of Business Administration Degree from Symbiosis Institute of Business Management in Pune, India and a Bachelor of Commerce degree from the University of Bombay. Follow along the 24by7Security blog to learn valuable insights from Rema.
