Schellman Announces Strategic Partnership with Goldman Sachs Alternatives

Learn More
866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO 20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Services
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
MTCS Certification
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
Certificate Directory
Contact Us

«  View All Posts

What Is CMMC? Requirements, Levels, and Who Needs Certification Blog Feature
Todd Connor

By: Todd Connor

Print/Save as PDF

What Is CMMC? Requirements, Levels, and Who Needs Certification

Federal Assessments | CMMC

Published: Oct 24, 2023

Last Updated: Mar 3, 2026

The Cybersecurity Maturity Model Certification (CMMC) is a framework that aims to better secure federal contract information (FCI) and controlled unclassified information (CUI) that is stored, processed, or transmitted by defense contractors and the entire defense industrial base (DIB).

American defense data is incredibly valuable, and that includes highly sensitive personnel records and technical data. As such, the DIB continues to be a prime target for exploitation, and because a leak of such information could endanger the lives of government personnel and service members—not to mention the risk of billions of financial losses. Now, with the enactment of 32 CFR and 48 CFR, the Department of War (DoW) has established the legal basis of CMMC.

As a premier CMMC third-party assessor organization (C3PAO) among the first authorized, we’re going to provide a complete introductory overview of this newer certification, including insight into what it constitutes, who will need CMMC, the requirements, and how to get certified so that as we approach the phased enforcement dates, you’ll be able to proceed with confidence.

What is CMMC?

Initially announced on January 31, 2020, CMMC was promulgated to mitigate federal data risk, standardize protection practices, and improve cybersecurity preparedness among those involved with the U.S. government and the country’s defense.

As overseen by the DoW together with CMMC’s governing body Cyber AB, the certification builds upon previously introduced initiatives. As per Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 issued on September 2017, DoW contractors—were required to comply with the controls specified in the NIST SP 800-171 Rev 2. DFARS 7019 was later implemented, further requiring them to self-assess and enter their scores into SPRS (Supplier Performance Rating System).

Under the self-assessment program enacted under DFARS 7012, suspicion grew that these organizations weren’t always attesting correctly or truthfully, and so came the genesis for CMMC, under which DIB contractors are required to implement certain cybersecurity protection standards and as required, obtain CMMC certification by way of a C3PAO assessment in order to be eligible for a DoW contract award.

The DFARS rule aligns with the CMMC program rule issued under 32 CFR in December 2024 and formally integrates CMMC into defense contracting requirements. It introduces DFARS clause 252.204-7021, outlining the cybersecurity obligations of contractors and subcontractors, and adds solicitation provision 252.204-7025, which makes CMMC status a prerequisite for contract award eligibility.

The long-awaited CMMC Final Rule, 48 CFR, was published in the Federal Register on September 10, 2025, with a specified effective date of November 10, 2025. Since its publication, CMMC has followed a phased implementation timeline expected to progress through November 2028, at which point full implementation of the CMMC requirements will be included in all applicable solicitations and contracts.

Who Needs CMMC Compliance?

There are hundreds of thousands of defense contractors that participate in and make up the current DIB, and if you’re currently doing business as part of that base, you’ll soon need to become CMMC certified as a contractual requirement tied to award eligibility. That includes:

  • Any organization that is a contractor or subcontractor within the DIB and possesses FCI
  • Organizations that deal with CUI—especially those considered particularly high-risk

Moreover, if you’re not yet part of the DIB but have been—or perhaps may in the future—considering expanding your trade to the DoW or supporting organizations that do, you’ll also need to start making arrangements to comply with the stringent requirements.

What are the CMMC Compliance Requirements?

CMMC compliance requirements vary based on what level of CMMC compliance you’ll be required to achieve, which is dictated by the type of information you handle. Once you’ve determined whether that data is either FCI or CUI, you’ll be able to hone on the level you need.

There are three CMMC levels with increasingly expanded requirements:

Level

Details

Level 1: Foundational
  • Focused on the protection of FCI
  • Does not require assessment by C3PAOs—but instead requires organizations to self-assess.

Requirements Include: 17 of the NIST SP 800-171 requirements as specified in FAR Clause 52.204-21 with no other additional practices. This requirement essentially calls on organizations to demonstrate basic cyber hygiene practices that help protect FCI.

Level 2: Advanced
  • Focused on the protection of CUI
  • Requires assessment by a C3PAO

Requirements Include: The 110 requirements from NIST 800-171, which involve creating an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI.

Level 3: Expert
  • Focused on the protection of high-impact CUI
  • Requires assessment by C3PAO (against L2 controls), and further assessment by DIBCAC of further controls intended to protect against advanced persistent threats.

Requirements Include: The 110 requirements from NIST 800-171, plus a subset of 24 additional controls from NIST SP 800-172, and involves:

  • The implementation of standardized and optimized processes and resources to monitor, scan, and process data forensics.
  • Enhanced practices that detect and respond to changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).

How Do You Get CMMC Certified?

If you’ve concluded that you need to undergo some level of CMMC certification, you can expect the process to follow at least these key steps.

1. Determine Scope

You’ll need to create a comprehensive inventory of all assets that store, process, or transmit either FCI or CUI (depending on your assessment level), which may also include systems or services provided by third parties.

Inventories should identify what function assets fulfill in the enclave, which could be a CUI or security protection asset (SPA), or an IoT/Operational Technology (OT) or Contractor Risk Managed Asset, the latter two of which may co-exist in the enclave with CUI assets but are not directly handling CUI.

Additionally, any external third-party service providers (ESP), be they Cloud Service Providers (CSP) or otherwise, should be identified, with a supplier responsibility matrix defined describing the delineation of their roles vis-a-vis the OSC.

CSPs may require either FedRAMP Moderate authorization or equivalency, and non-CSP providers that handle CUI may either require CMMC certification on their own or engage within the OSC’s assessment.

2. Create Your System Security Plan SSP and Verify Implementation of Practices

This plan is critical to your assessment, and it should contain the following elements:

  • A description of the system environment and the technologies used to manage it.
  • Descriptions and diagrams of the sources and paths of CUI and FCI contained within the environment, including any servers that may contain it, endpoints that may access it, backup systems that may support it, and security devices that may protect it.
  • Documentation of encryption mechanisms used to protect CUI in process, transit, and at rest. This will additionally require details for the mechanisms’ FIPS 140-2 CMVP certificates and that encryption mechanisms are operating in FIPS mode.
  • Explanations of how each of the NIST 800-171 controls have been implemented

Note that the SSP does not satisfy the assessment, in itself. Within the assessment, your C3PAO will require that you provide evidence to demonstrate that controls that have been implemented and are effective.

3. Engage a C3PAO

At this point, you should be fairly ready to undergo a CMMC assessment. The Cyber AB provides a marketplace that lists those C3PAOs that are authorized to perform them. perform them.

4. Define Your Internal Assessment Team

Because your assessment will be a collaborative effort with your C3PAO, you’ll also need to identify and assign at least two other roles along with subject matter experts (SMEs) that will be required to participate in the assessment, including:

  • An assessment official (AO): The “owner” of the OSC’s CMMC enclave, who leads and manages the engagement (a decision-making authority).
  • A point of contact (POC): Responsible for daily coordination between your organization and the C3PAO assessors.
5. Plan Your Assessment with Your C3PAO

During this phase, you should disclose details regarding the following with your C3PAO:

  • Any previous self-assessments
  • Your estimated timeframe for beginning the assessment
  • Information system architecture, boundaries, and inventory
  • Where your in-scope assets are physically located. It may be necessary for the C3PAO to perform on-site inspections for physical facility and media controls to assess their effectiveness. The availability of facilities and resources to support this should be considered in the planning stage.
  • Any inheritance or shared responsibility with a managed service provider, cloud service provider, etc.
  • Your C3PAO will also establish how they’ll collect and review your evidence, which may include documentation, interviews, and planned observations/tests.
  • The C3PAO will require that the SSP and some basic evidence be provided in the preliminary “phase 1” portion of the assessment. The C3PAO will also require a great deal of more evidence to be provided prior to commencing work in phase 2 of the assessment. Time should be budgeted to ensure that phase 1 and 2 evidence gathering and provisioning is accounted for.

6. Conduct the Assessment

At this point, the attestation of your adherence to the required practices will begin, and your C3PAO will determine if you’ve met or not met the CMMC standard.

If you disagree with anything that the C3PAO determines to not meet the standard, you may have an opportunity to appeal first to the C3PAO and then appeals may be escalated to the Cyber AB accreditation board for final adjudication.

7. Remediate Gaps

In order for an OSC to obtain final CMMC certification, they must achieve compliance with each of the 110 controls specified in NIST 800-171.

It is possible that an OSC is found to not be in compliance with certain low-impact controls, which will result in the C3PAO issuing a conditional certification, but the OSC must register un-met controls on a Plan of Action and Milestones (POA&M), remediate those controls, and be re-assessed by a C3PAO within 180 days to achieve final certification.

Determination of which controls are considered high or low impact controls may be found in the text of 32 CFR.

Our whitepaper titled “How to Get CMMC Certified” provides greater detail on each of these steps and will help paint a more thorough picture of the CMMC process.

Moving Forward with CMMC

CMMC is no longer a proposed framework for future consideration, it’s now an enforceable contractual requirement. For defense contractors and subcontractors across the DIB, waiting is no longer a viable strategy as the pool of authorized C3PAOs remains limited, and assessment demand is expected to accelerate.

Organizations that put off CMMC certification risk scheduling constraints and potential gaps in contract readiness. Whereas contractors that achieve certification sooner can demonstrate proactive cybersecurity maturity, strengthen trust with federal partners, and position themselves favorably in competitive procurements.

Organizations should treat CMMC as a strategic initiative to be better positioned to maintain eligibility, protect sensitive information, and succeed in an increasingly security-driven federal marketplace.

Confidence in CMMC starts with the right partner. If you feel ready to begin your CMMC journey, our experts at Schellman are ready to help you navigate the process with clarity. If you’re not ready to dive into the full CMMC certification assessment, you may choose to have us perform an assessment using the NIST 800-171 standard or a CMMC gap assessment in preparation.

To learn more about how Schellman can help, contact us today.

About Todd Connor

Todd Connor is a Senior Associate with Schellman based in Jacksonville, FL. Prior to joining Schellman in 2022, Todd worked as a technology manager for a maritime shipping company responsible for architecting and developing their NIST / CMMC compliance program. Todd has over twenty years of information technology leadership experience across various industries including transportation & logistics, pharmacy benefits management, retail pharmacy and big-box retail, during which time, he has been responsible for responding to NIST 800-171, HIPAA, PCI, ISO and Sarbanes Oxley audits. Todd is now focused primarily on Schellman’s FedRAMP practice, specializing in CMMC compliance for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.