A Practical Guide to CMMC Compliance, Implementation, and Certification
Published: Apr 28, 2026
The Cybersecurity Maturity Model Certification (CMMC) has officially shifted from proposed framework to an enforceable requirement for organizations supporting the U.S. Department of Defense (DoD). With the Final Rule now in effect and contractual mandates accelerating, defense contractors and subcontractors can no longer treat CMMC as a future initiative.
To meet this newly enforceable compliance obligation, defense contractors are increasingly exploring what CMMC implementation requires, what certification entails, and how to maintain compliance once certified. Through risk3sixty’s advisory services as a Registered Practitioner Organization (RPO) and Schellman’s assessment and certification expertise as a Certified Third-Party Assessment Organization (C3PAO), organizations can navigate the full CMMC journey with clarity.
In this guide, Andrew Parks, Manager, Advisory at risk3sixty, and Jay Molnar, Manager at Schellman, break down CMMC compliance from end to end, including key CMMC dates and milestones, certification assessment phases, and actionable best practices to help your organization prepare, implement, and sustain compliance with confidence.
What is CMMC?
CMMC is a framework created by the U.S. Department of Defense (DoD) that specifies the cybersecurity requirements you must implement if you handle federal contract information (FCI) or controlled unclassified information (CUI). CMMC applies to contractors that fulfill DoD contracts and to their supply chain, including subcontractors and any other parties those contractors work with.
Why is CMMC Important?
CMMC is important for DoD contract eligibility and customer trust. CMMC is contractually required for any organization doing business with the DoD that processes, stores, or transmits FCI or CUI.
Because CMMC is a prescriptive framework, its implementation improves security posture and reduces breach and ransomware risk. False CMMC compliance claims can trigger the False Claims Act, resulting in legal exposure, monetary liability, and loss of eligibility for future DoD contracts.
Key CMMC Timeline and Milestones
CMMC has been in development since 2019, and the standard’s implementation is evolving and ongoing as the DoD has begun their multi-year, phased rollout.
Key CMMC milestones and dates include:
- CMMC 1.0 Introduction (2019)
  - The DoD introduced CMMC 1.0 in 2019 as a 5-level model that combined NIST SP 800-171 with other standards and required third-party certification.
- CMMC Industry Feedback (2020-2021)
  - The DoD gathered industry feedback on the cost and complexity of CMMC 1.0, leading to review and changes.
- CMMC 2.0 Introduction (November 2021)
  - The DoD released CMMC 2.0 in November 2021, simplifying the model to three levels (foundational, advanced, and expert) and aligning it directly with NIST SP 800-171 and 800-172.
- CMMC Self-Assessment Addition (2022-2023)
  - Between 2022 and 2023, the DoD refined rulemaking under DFARS 7021 and added the self-assessment portion to CMMC, which was allowed for some Level 1 contractors.
- CMMC 2.0 Final Rule (2024-2025)
  - The CMMC final rule was published on September 10, 2025, and certification requirements are starting to appear in DoD contracts.
- CMMC Phase 1 Rollout (November 2025)
  - As of November 10, 2025, the DoD began including CMMC clauses in solicitations and contracts as a condition of award. Contracts may require a Level 1 or Level 2 self-assessment for contractors handling FCI or CUI.
- CMMC Phase 2 Rollout (November 2026)
  - Beginning on November 10, 2026, DoD contracts will start requiring a CMMC Level 2 assessment performed by a C3PAO.
- CMMC Phase 3 Rollout (November 2027)
  - On November 10, 2027, DoD contracts will start requiring CMMC Level 3 assessments.
- CMMC Phase 4 Rollout (November 2028)
  - By November 10, 2028, all contracts will require CMMC compliance as part of the award process.
Over the next several years, CMMC will start significantly impacting the industry and contract eligibility.
CMMC Certification Assessment Phases
The CMMC certification assessment process follows four phases of formal activities:
- Phase 1: Planning
  The Organization Seeking Certification (OSC) provides documentation for the C3PAO to review, including policies, procedures, and the System Security Plan (SSP). Both parties validate and agree on the assessment scope, and the OSC completes a formal Pre-Assessment Form, which includes the details required to be entered in the Enterprise Mission Assurance Support Service (eMASS) system. This planning phase helps the OSC determine its readiness to continue forward in the CMMC process.
- Phase 2: Conditional Assessment
  Phase two is where the actual assessment takes place, starting with a formal In-Brief Meeting and presentation to outline assessment expectations. Assessors then conduct interviews, observations, and evidence inspection of the artifacts supporting the NIST SP 800-171 controls to determine each control's implementation status (e.g., MET, NOT MET, N/A). The C3PAO evaluates all 110 controls and 320 assessment objectives at this time.
- Phase 3: Reporting
  The C3PAO compiles all assessment results from phase two and completes the required quality assurance reviews, resulting in a CMMC certification status of final, conditional, or none. A conditional certificate status is issued if the organization achieves a minimum score of 80%, the C3PAO has determined that the OSC has "MET" all controls with a value of (3) or (5), and the C3PAO has determined that the OSC has "MET" the critical controls.
  A formal Out-Brief Meeting or Assessment Results Briefing takes place to communicate the formal assessment results. Lastly, following a final or conditional certificate, the C3PAO completes the eMASS upload process to publish the deliverables to both the OSC and the Cyber AB, resulting in the physical certificate demonstrating CMMC compliance.
- Phase 4: Remediation (if necessary) and Final Assessment
  Phase four is only needed when the outcome is a conditional certificate or no certificate. In that case the OSC has 180 days to remediate and close out its POA&M (Plan of Action and Milestones) for controls marked as "NOT MET" and re-engage its C3PAO for a retest. This is where the C3PAO validates closure and issues the final certificate status.
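The Phase 3 decision rule above (minimum score of 80%, every control valued at 3 or 5 MET, and every critical control MET) is easy to get wrong when it is worked out by hand across a large POA&M. The following is an added example, not code from the article or from risk3sixty or Schellman, that applies the rule to a list of control results and lists what would need to be closed in the 180-day Phase 4 window. It assumes the DoD Assessment Methodology weighting for NIST SP 800-171 (110-point maximum, with a NOT MET control deducting 1, 3 or 5 points), applies the 80% threshold to that 110-point score, and treats any control not listed as MET. The critical-control set and the control results are constructed placeholders; the example does not reproduce the DoD's actual critical-control list.

```python
"""Apply the CMMC conditional-certificate rule to a set of control results.

Added example (not from the original article). Assumptions, labelled here:
- DoD Assessment Methodology weighting: 110-point maximum, each NOT MET
  control deducts its weight of 1, 3 or 5 points.
- The 80% threshold is applied to the 110-point score (88 points).
- Controls omitted from the results list are treated as MET; N/A deducts nothing.
- The critical-control set passed in is a placeholder supplied by the caller.
"""
from dataclasses import dataclass

MAX_SCORE = 110                 # 110 NIST SP 800-171 controls, 1 point each (assumption)
CONDITIONAL_THRESHOLD = 0.80    # "minimum score of 80%" from the Phase 3 description
VALID_STATUSES = {"MET", "NOT MET", "N/A"}


@dataclass(frozen=True)
class ControlResult:
    control_id: str   # NIST SP 800-171 identifier, e.g. "3.1.1"
    weight: int       # 1, 3 or 5 under the DoD Assessment Methodology (assumption)
    status: str       # "MET", "NOT MET" or "N/A"

    def __post_init__(self):
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.control_id}: unknown status {self.status!r}")
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5")


def not_met(results):
    """Controls that would appear on the POA&M (only NOT MET deducts points)."""
    return [r for r in results if r.status == "NOT MET"]


def score(results):
    """DoD-methodology score: 110 minus the summed weights of NOT MET controls."""
    return MAX_SCORE - sum(r.weight for r in not_met(results))


def conditional_certificate_eligible(results, critical_controls):
    """Return (eligible, reasons) for the three Phase 3 conditions.

    Each failed condition adds one human-readable reason so the OSC can see
    exactly which rule blocks a conditional certificate.
    """
    reasons = []
    s = score(results)
    if s < CONDITIONAL_THRESHOLD * MAX_SCORE:
        reasons.append(f"score {s}/{MAX_SCORE} is below the 80% threshold")
    heavy = [r.control_id for r in not_met(results) if r.weight in (3, 5)]
    if heavy:
        reasons.append(f"NOT MET controls valued at 3 or 5: {', '.join(heavy)}")
    critical = [r.control_id for r in not_met(results)
                if r.control_id in critical_controls]
    if critical:
        reasons.append(f"NOT MET critical controls: {', '.join(critical)}")
    return (not reasons, reasons)


def poam_items(results):
    """Control IDs the OSC must close and have re-tested within 180 days."""
    return [r.control_id for r in not_met(results)]


if __name__ == "__main__":
    # Constructed sample results: a placeholder critical set and two findings.
    critical_placeholder = frozenset({"3.1.1"})      # placeholder, not the DoD list
    sample = [
        ControlResult("3.5.1", 1, "NOT MET"),        # constructed finding, weight 1
        ControlResult("3.13.1", 5, "NOT MET"),       # constructed finding, weight 5
        ControlResult("3.1.22", 1, "N/A"),           # constructed N/A, no deduction
    ]
    ok, why = conditional_certificate_eligible(sample, critical_placeholder)
    print(f"score: {score(sample)}/{MAX_SCORE}")
    print("conditional certificate:", "eligible" if ok else "not eligible")
    for reason in why:
        print(" -", reason)
    print("POA&M items:", poam_items(sample))
```

A practical use is to run this against an exported self-assessment or readiness-review spreadsheet before the C3PAO engagement: a single NOT MET control weighted 3 or 5 blocks a conditional certificate regardless of the overall score, which is the case teams most often overlook when they focus only on the percentage.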
It’s important to understand what’s involved in each phase as stakeholders often underestimate the amount of time and effort required to achieve full CMMC certification.
Maintaining CMMC Compliance
Achieving CMMC certification is a significant milestone, but maintaining compliance requires ongoing discipline.
Unlike many other frameworks that require annual third-party assessments, CMMC requires a C3PAO assessment only once every three years. However, organizations must annually affirm their continued compliance in the SPRS (Supplier Performance Risk System), a formal attestation to the DoD that the required controls remain implemented and effective.
To support annual attestation for maintaining CMMC compliance, organizations should:
- Conduct internal assessments at least annually (as required by control 3.12.1)
- Re-evaluate controls when significant system changes occur
- Perform targeted reviews following incidents
- Monitor for “compliance drift” caused by shifting priorities or personnel changes
- Maintain updated documentation aligned to actual operational practices
Compliance drift is common across long certification cycles. Competing business priorities, infrastructure changes, or organizational restructuring can gradually move systems away from their originally certified scope. The most successful organizations build CMMC into operational governance, rather than treating it as a one-time initiative.
Many companies leverage independent advisory support to conduct annual internal reviews to provide the Authorized Official with confidence before submitting their SPRS affirmation.
CMMC Advisory Services: Building the Right Foundation
Given the rigor of the CMMC certification process, proper preparation is critical. As an RPO, risk3sixty helps organizations design and operationalize their CMMC programs before formal assessment. Advisory services typically include:
- Initial gap assessments
- Scoping workshops and asset categorization
- CUI flow mapping
- Documentation development and refinement
- Remediation planning and execution support
- Pre-assessment readiness reviews
One of the most critical focus areas is scoping because improper scoping — especially “all-in” approaches or convenience-based scope decisions — can dramatically increase assessment burden and risk. The most defensible scopes are:
- Driven by actual CUI and FCI data flows
- Technically enforced through segmentation and access controls
- Aligned with how the business truly operates
Organizations that engage advisory support early often reduce assessment friction, avoid rework, and enter the C3PAO phase with greater clarity and confidence.
CMMC C3PAO Assessments: What to Expect
CMMC is technical, procedural, evidence-driven, and maturity-focused. When you partner with Schellman for your CMMC assessment, you can expect a structured, collaborative process built on deep program expertise and practical guidance.
Schellman was involved at the ground level in the development and rollout of CMMC. As the fifth authorized C3PAO, Schellman performed the first Joint Surveillance Voluntary Assessment alongside the DoD during the early instantiation of the program.
Our history expands beyond experience and provides insight into regulatory intent. Our assessors understand not just what the requirements say, but why they exist and how they are interpreted in practice.
In addition to formal certification assessments, Schellman offers:
- Gap Assessments to evaluate control design readiness
- Compliance Assessments to review implementation maturity
- Full CMMC Certification Assessments (Phases 1–3)
This depth allows organizations to navigate certification with clarity and confidence.
Key Considerations and Best Practices for a Successful CMMC Assessment
Organizations that perform best during CMMC assessment work typically demonstrate:
- Strong executive leadership involvement
- Clear control ownership across teams
- Organized evidence management
- Well-understood and defensible scope decisions
- Real operational alignment between documentation and practice
Best practices to ensure a smoother assessment journey include:
- Secure Executive Buy-In Early: Leadership alignment ensures organizational prioritization and cross-functional coordination. Without top-level support, projects stall.
- Spend Significant Time on Scoping: Scope defines the process. Improper scoping is one of the most common root causes of assessment challenges.
- Map CUI Flow Thoroughly: Understanding where CUI enters, moves, and exits your environment reduces surprises and strengthens defensibility.
- Avoid “Lift and Shift” Assumptions: Existing certifications (e.g., ISO 27001 or SOC 2) provide a strong foundation but rarely translate directly. CMMC includes prescriptive requirements that demand targeted adjustments.
- Validate Before Assessment: A readiness review conducted by an independent advisor reduces risk of “no status” outcomes.
- Design for Sustainability: Build governance mechanisms that prevent compliance drift between three-year C3PAO assessment cycles.
- Assign Clear Control Owners: Each control area should have a responsible SME who understands both the control intent and operational implementation.
Pursuing CMMC Compliance with Confidence
CMMC is a high-stakes certification tied directly to contract eligibility. That pressure can create urgency, but success depends on thoughtful preparation.
By combining risk3sixty’s advisory expertise as an RPO with Schellman’s accredited C3PAO assessment capabilities, organizations can navigate the full CMMC lifecycle from readiness and remediation through certification and ongoing maintenance with a unified, coordinated approach.
CMMC is about building a defensible, sustainable security program aligned to how your organization operates and delivers value within the Defense Industrial Base. With the right preparation and partners, compliance becomes achievable and repeatable. Contact risk3sixty to discuss CMMC advisory services and Schellman to learn more about the certification assessment requirements and process today.
In the meantime, discover additional CMMC insights in these helpful resources:
- How To Get CMMC Certified: A Step-by-Step Guide for DoD Contractors
- Understanding the 48 CFR Rule: How CMMC Requirements Will Be Enforced in DoD Contracts
- What to Know About the CMMC Final Rule: Key Changes and How to Prepare
- CMMC: Everything You Need to Get Certified
- How to Add CMMC to an Existing SOC 2 or ISO 27001 Program
About the Authors
Jay Molnar is a Manager in Schellman's Federal Practice based in Washington, DC, where he focuses on the emerging CMMC program. Prior to joining Schellman in 2021, Jay served as a Senior with Ernst & Young’s Government Contract Services, specializing in NIST SP 800-171 and CMMC compliance. He played a lead role in piloting early DIBCAC High Confidence Assessments under the Joint Surveillance Voluntary Assessment (JSVA) program and continues to support the program as a lead assessor. Jay holds several key certifications, including CISSP, CISA, CMMC Lead CCA, and CCP.
Andrew Parks is a Manager on the Advisory and Assurance team at risk3sixty, specializing in Payment Card Industry (PCI) and CMMC compliance. He has served as a PCI Qualified Security Assessor (QSA) for more than five years and previously held the role of PCI Internal Security Assessor (ISA), bringing his total PCI experience to over a decade.
More recently, Andrew has obtained the CMMC certification of Registered Practitioner (RP). Andrew leverages a strong technical background in his work as both a PCI QSA and CMMC advisor. He holds certifications in cloud technologies and Kubernetes (KCNA), enabling him to effectively support clients operating in complex technical environments to achieve and maintain compliance.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.