CMMC has rolled out, and if you work with the Department of Defense, you need to be CMMC compliant to continue winning contracts. Here are five steps to tackle CMMC.

The countdown has officially ended. As of November 2025, the Cybersecurity Maturity Model Certification (CMMC) is no longer a "coming soon" warning from the Department of Defense (DoD): the rule is in effect, and its requirements are being phased into DoD solicitations and contracts.
If you are part of the Defense Industrial Base (DIB), your ability to win or renew contracts now hinges on your ability to meet CMMC requirements. So, how do you meet these requirements?
In this blog, SecurityMetrics experts Gary Glover and Matt Halbleib (a CMMC Certified Professional) break down exactly what contractors need to do this year to stay competitive.
Gary explains that, "The government already thinks you’re compliant because they started talking about this years ago. If you want this year’s money and future money, you have to start now."
Ready for CMMC compliance? Talk to a CMMC expert today.
The DoD is using a four-phase rollout to bring the 300,000+ companies in the Defense Industrial Base into compliance.
We are currently in Phase 1, which runs through November 9, 2026. This phase relies heavily on self-assessments, but do not let the term "self-assessment" lull you into a false sense of security: the score and the affirmation you enter in the Supplier Performance Risk System (SPRS) are legal attestations to the government.
As we move toward Phase 2 in late 2026, the transition to mandatory third-party audits begins.
If you are targeting a contract with a Level 2 certification requirement during this window, expect a bottleneck as thousands of companies compete to book a limited number of C3PAOs (CMMC Third-Party Assessment Organizations).
Starting now isn't just about security; it's about securing your spot in the audit queue to avoid a lapse in contract eligibility.
Don't wait; start your CMMC compliance now.
CMMC 2.0 has been streamlined into three tiers, each building upon the last. Understanding where you sit is essential for resource planning.
Level 1 is designed for companies that handle only Federal Contract Information (FCI): government data that isn't intended for public release but also isn't sensitive enough to affect national security.
Think of a small machine shop that receives specs for a simple bolt. You must implement the 15 basic safeguarding requirements taken from FAR 52.204-21, such as malicious code protection and basic identification and authentication (password) controls. An annual self-assessment is enough, but the result must be entered in SPRS and affirmed by a senior official.
Level 2 is where the majority of the DIB lives. If you handle Controlled Unclassified Information (CUI), such as technical drawings, blueprints, or proprietary designs for the warfighter, you fall into Level 2.
This level aligns directly with the 110 security requirements of NIST SP 800-171. You must implement and document all 110 and, for most contracts, undergo a C3PAO assessment every three years, with an annual affirmation in between.
Level 3 is reserved for high-priority programs and high-value assets (think of the F-35 program). It requires a completed Level 2 certification as a prerequisite and adds a subset of the enhanced requirements from NIST SP 800-172 to protect against Advanced Persistent Threats (APTs). These assessments are conducted directly by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Scoping is the foundation of your entire compliance project. If you over-scope, you waste money securing coffee machines; if you under-scope, you fail your assessment.
You must sort every asset into the categories defined in the DoD's CMMC Level 2 Scoping Guide: CUI assets, security protective assets, contractor risk managed assets, specialized assets, and out-of-scope assets. Anything that stores, processes, or transmits CUI, or that protects those systems, is in scope and will be assessed.
Before you ever hire a consultant or an assessor, perform an honest internal assessment using NIST SP 800-171A, the companion assessment guide. It doesn't just restate each requirement; it lists the assessment objectives an assessor will examine, interview, and test, which tells you exactly what proof to have ready.
This step is about identifying "low-hanging fruit": the controls you thought you had but actually don't. It's better to find a missing policy yourself than to have an assessor find it and fail you.
The SSP is the single most important document in your CMMC journey. It is a living document that explains exactly how you meet every single control.
"Vague language like 'We use antivirus' will result in a failure," warns Halbleib. "An auditor wants to see the specific product, the auto-update configuration, and the person responsible for monitoring it."
If you have gaps, you must also maintain a Plan of Action and Milestones (POA&M), but remember the limits: at Level 2, a POA&M is only permitted if your assessment score is at least 88 out of 110 and the open items are restricted to lower-weighted requirements, and every open item must be closed within 180 days or the conditional status lapses.
A Gap Analysis is like a dress rehearsal. This is where you bring in an expert to poke holes in your plan. After remediating those gaps, perform a Mock Assessment. This helps your IT staff practice providing the facts.
In a real assessment, the assessor is an observer, not a coach. If your team fumbles for a password or starts talking about systems you considered out of scope, the assessor can widen the scope of the assessment, potentially leading to failure.
If you are a prime contractor, the DoD has shifted the burden of proof onto you. Under DFARS 252.204-7021 the CMMC requirement flows down, and you are responsible for ensuring every subcontractor in your chain that handles FCI or CUI holds the appropriate level before you award them work.
"Tracking hundreds of subs with spreadsheets is a nightmare," says Gary Glover. "You need a system to track SPRS scores, affirmation dates, and evidence." Primes are increasingly requiring subs to provide a screenshot of their SPRS entry or an SSP executive summary before they will even allow them to bid on a team.
This is something SecurityMetrics excels at: we focus not just on getting your environment CMMC compliant but on ensuring your flowdown meets the DoD's requirements.
Compliance is no longer just a technical checkbox; it is a legal one.
Under the Civil Cyber-Fraud Initiative, the Department of Justice is actively using the False Claims Act (FCA) to target contractors who misrepresent their security.
When a senior executive signs the affirmation in SPRS, they are making a legal attestation to the US Government. If a breach occurs and it's discovered that the 110 controls weren't actually in place, the company faces treble damages (three times the government's loss) plus per-claim penalties under the FCA, and the executive could face personal liability.
"This rises above the IT department," says Halbleib. "If senior management doesn't buy in, the program won't be successful, and the risk to the business is massive."
The biggest mistake contractors make is waiting for a contract to demand CMMC before starting. The transition to Level 2 can take 6 to 18 months, depending on your starting point. If you wait until the contract is on your desk, you will likely lose the bid to a competitor who is already certified.
You don't have to tackle CMMC compliance alone. Partner with an expert who knows how to ensure you and your flowdown meet the standard so you can keep winning your contracts.