CMMC Compliance Roadmap: How DoD Contractors Prepare for Assessment
CMMC compliance requires structured preparation. Learn the roadmap from gap assessment through Level 2 readiness and what DoD contractors must do.
Step 1: Determine Your Level
CMMC applies at three levels, each with progressively more demanding control requirements. The level required for a given contractor is determined by the type of information the contractor handles.
Level 1 (Foundational) applies to contractors handling Federal Contract Information (FCI): information provided by or generated for the government under contract and not intended for public release. Level 1 requires the 15 basic safeguarding requirements of FAR 52.204-21, attested through an annual self-assessment and annual affirmation.
Level 2 (Advanced) applies to contractors handling Controlled Unclassified Information (CUI). Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 Rev 2. Depending on the acquisition, the assessment is either a triennial self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); prioritized acquisitions require the C3PAO route.
Level 3 (Expert) applies to a small subset of contractors handling CUI in the highest-priority programs. Level 3 requires a Level 2 C3PAO certification as a prerequisite, plus 24 selected enhanced requirements from NIST SP 800-172, and is assessed by the DoD itself through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Most Defense Industrial Base contractors fall under Level 2. The roadmap outlined below assumes Level 2 preparation.
Step 2: Conduct a Gap Assessment
The starting point for any CMMC preparation is a structured gap assessment against the 110 NIST SP 800-171 requirements. The assessment evaluates each control across three dimensions: whether the control exists, whether it is operating effectively, and whether it is documented well enough to survive a C3PAO assessor's evidence review. To mirror how the assessor will work, score each control against its assessment objectives in NIST SP 800-171A using the same examine, interview and test methods; a requirement with any objective scored "not met" counts as not met.
The output is a gap inventory with severity ratings, remediation effort estimates, and dependency mapping. For most mid-market contractors entering CMMC preparation for the first time, the gap inventory typically identifies 30-70 controls requiring meaningful remediation work — the gap between the contractor's existing security posture and the specific evidence requirements of the standard.
Step 3: Build the System Security Plan
The System Security Plan (SSP) is the foundational documentation artifact for CMMC compliance. The SSP describes the organization's information system, the boundaries of CUI within that system, and the implementation of each NIST SP 800-171 control. Assessors review the SSP as the primary documentation of the organization's compliance posture.
SSP development is a substantial effort — typically 100-300 hours for a mid-market contractor preparing for Level 2 assessment. The work includes system boundary definition, data flow mapping for CUI, control implementation documentation, and ongoing maintenance procedures. Many contractors engage CMMC consulting specifically for SSP development support, given the documentation depth the assessment requires.
Step 4: Remediate the Gaps
Gap remediation follows the prioritization established by the gap assessment. High-severity gaps that would produce material findings at assessment must close before the C3PAO engagement, and so must any lower-severity gap they depend on, since an open dependency leaves the high-severity control unimplemented. Lower-severity gaps may be carried on a Plan of Action and Milestones (POA&M) for resolution within defined timelines, but POA&Ms are tightly limited under CMMC: only certain lower-weighted requirements are eligible, the overall score must still meet the program minimum, and open items must be closed and verified within 180 days of a conditional certification. Treat a POA&M as a buffer, not a substitute for closing gaps.
Common remediation streams include identity infrastructure modernization (multi-factor authentication, privileged access management, conditional access), network segmentation to establish defensible CUI boundaries, encryption deployment for CUI at rest and in transit (FIPS-validated cryptography where the requirement calls for it), logging and monitoring infrastructure to support the audit requirements, and incident response plan documentation aligned to the NIST SP 800-171 Incident Response family (3.6).
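The gap inventory from Step 2 and the prioritization rule from Step 4 are easy to get wrong when the inventory lives in a spreadsheet: a high-severity control that depends on a medium-severity one quietly ends up scheduled after the C3PAO date. The following script is an added example written for this page, not Cloudskope tooling or anything from the CMMC program. The control IDs are real NIST SP 800-171 requirement numbers, but the findings, severities, effort estimates and dependencies are constructed for illustration; severity is whatever rating the assessor assigned, not the DoD scoring weights.

```python
"""Gap inventory and remediation ordering for a CMMC Level 2 gap assessment.

Added example for this page; the sample findings below are constructed.
Requires Python 3.9+ (graphlib).
"""
from __future__ import annotations

from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter


@dataclass(frozen=True)
class Finding:
    control: str                       # NIST SP 800-171 requirement ID, e.g. "3.5.3"
    exists: bool                       # dimension 1: is the control in place at all?
    effective: bool                    # dimension 2: is it operating as intended?
    documented: bool                   # dimension 3: is the evidence assessor-ready?
    severity: str                      # assessor rating: "high" | "medium" | "low"
    effort_hours: int                  # remediation estimate
    depends_on: tuple[str, ...] = ()   # controls that must be fixed first


def status(f: Finding) -> str:
    """Collapse the three assessment dimensions into one gap status."""
    if not f.exists:
        return "missing"
    if not f.effective:
        return "ineffective"
    if not f.documented:
        return "undocumented"
    return "satisfied"


def build_inventory(findings: list[Finding]) -> dict[str, Finding]:
    """The gap inventory: every finding that is not fully satisfied, keyed by ID."""
    return {f.control: f for f in findings if status(f) != "satisfied"}


def must_close_before_assessment(inventory: dict[str, Finding]) -> set[str]:
    """High-severity gaps must close before the C3PAO engagement, and so must every
    gap they transitively depend on; an open dependency would leave the high-severity
    control unimplemented regardless of what the POA&M says."""
    closed: set[str] = set()
    stack = [c for c, f in inventory.items() if f.severity == "high"]
    while stack:
        c = stack.pop()
        if c in closed:
            continue
        closed.add(c)
        stack.extend(d for d in inventory[c].depends_on if d in inventory)
    return closed


def remediation_plan(findings: list[Finding]) -> dict:
    """Order the gaps so dependencies are remediated first and split them into
    the pre-assessment bucket and the POA&M candidates."""
    inventory = build_inventory(findings)
    known = {f.control for f in findings}
    for f in inventory.values():
        unknown = set(f.depends_on) - known
        if unknown:
            raise ValueError(f"{f.control} depends on unassessed control(s) {sorted(unknown)}")
    # Only dependencies that are themselves gaps constrain the order; a dependency
    # on an already-satisfied control imposes no sequencing.
    graph = {c: {d for d in f.depends_on if d in inventory} for c, f in inventory.items()}
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as e:
        raise ValueError(f"circular dependency in gap inventory: {e.args[1]}") from None
    pre = must_close_before_assessment(inventory)
    return {
        "order": order,
        "pre_assessment": [c for c in order if c in pre],
        "poam_candidates": [c for c in order if c not in pre],
        "pre_assessment_hours": sum(inventory[c].effort_hours for c in pre),
        "poam_hours": sum(f.effort_hours for c, f in inventory.items() if c not in pre),
    }


# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("3.1.1", True, True, False, "low", 8),                    # access control documented poorly
    Finding("3.1.5", False, False, False, "high", 80, ("3.5.1",)),    # least privilege / PAM not deployed
    Finding("3.3.1", True, True, True, "low", 0),                     # audit logging satisfied
    Finding("3.5.1", True, False, False, "medium", 40),               # identity store not authoritative
    Finding("3.5.3", False, False, False, "high", 120, ("3.5.1",)),   # MFA absent
    Finding("3.6.1", True, True, False, "low", 16, ("3.3.1",)),       # IR capability undocumented
    Finding("3.13.1", False, False, False, "high", 200),              # no CUI boundary segmentation
    Finding("3.13.11", True, False, False, "medium", 60),             # crypto not FIPS-validated
]

if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_FINDINGS)
    print("remediation order:", " -> ".join(plan["order"]))
    print("close before C3PAO:", plan["pre_assessment"], f"({plan['pre_assessment_hours']}h)")
    print("POA&M candidates:", plan["poam_candidates"], f"({plan['poam_hours']}h)")
```

On the sample data, 3.5.1 is only medium severity but is pulled into the pre-assessment bucket because both MFA (3.5.3) and privileged access (3.1.5) depend on it; that propagation is the point of the exercise. A dependency on a control outside the assessment scope, or a cycle, raises rather than silently producing a plan.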
Step 5: Pre-Assessment Validation
Before engaging a C3PAO for the formal CMMC assessment, most organizations conduct a pre-assessment validation — internal or third-party review that simulates the C3PAO assessment under realistic conditions. The pre-assessment surfaces remaining gaps that the gap assessment did not identify or that emerged during remediation, and produces the audit-ready posture required for successful C3PAO engagement.
Pre-assessment is the structural difference between organizations that pass CMMC assessment on first attempt and organizations that produce findings requiring remediation and reassessment. The cost of pre-assessment is typically a small fraction of the cost of a failed C3PAO engagement.
Step 6: C3PAO Engagement
The formal C3PAO assessment is the culmination of the preparation roadmap. The assessment includes scope review, control evaluation against the NIST SP 800-171A objectives, evidence review, and a formal report on the contractor's CMMC posture. Successful assessment produces CMMC certification at the appropriate level, valid for three years subject to an annual affirmation of continued compliance.
C3PAO engagement pricing varies based on environment complexity and scope, typically running $50,000-$200,000+ for Level 2 assessment of mid-market contractors. The engagement runs 4-8 weeks of fieldwork plus report production.
The CMMC Roadmap Timeline
For mid-market contractors entering CMMC preparation, the typical timeline from initial gap assessment through C3PAO certification runs 9-18 months depending on starting posture. The phases roughly distribute as follows:
- Months 1-2: Gap assessment, scope definition, level determination, SSP outline development
- Months 3-6: Initial remediation — identity infrastructure, network segmentation, encryption deployment
- Months 6-9: SSP completion, policy and procedure documentation, control validation testing
- Months 9-12: Pre-assessment validation, gap closure, audit-ready posture confirmation
- Months 12-15: C3PAO engagement and assessment
- Months 15-18: Findings remediation if required, certification issuance
Contractors with mature pre-existing security programs frequently complete the roadmap in 6-9 months. Contractors entering with significant security debt frequently extend to 18-24 months.
CMMC for PE-Backed Defense Industrial Base Companies
For PE operating partners with portfolio companies in the Defense Industrial Base, CMMC compliance is a non-negotiable commercial requirement. The acquired company either has CMMC certification at the required level, has a credible roadmap to certification before commercial deadlines, or loses access to DoD contract revenue. Pre-close diligence on DIB targets must include CMMC posture review with explicit timeline analysis. Post-close, the 100-day plan typically includes CMMC roadmap initiation if the target is not already underway.
Frequently Asked Questions
How much does CMMC compliance cost?
For mid-market contractors preparing for Level 2 certification, total cost typically runs $250,000-$1,500,000+ across consulting, infrastructure investment, internal effort, and C3PAO assessment. The variation reflects starting posture and scope complexity. The cost of non-compliance is loss of DoD contract eligibility, which for many DIB contractors is the entire business.
Can I be CMMC compliant without a C3PAO assessment?
Level 1 contractors self-assess and affirm annually without C3PAO involvement. Contractors that handle only FCI are Level 1 by definition; Level 2 applies to CUI. Within Level 2, prioritized acquisitions require a C3PAO certification assessment, while some non-prioritized acquisitions permit a triennial self-assessment with annual affirmation. The trajectory of the program is toward third-party assessment becoming the standard for CUI.
How long is CMMC certification valid?
CMMC certifications are valid for three years, with annual self-attestations of continued compliance and re-assessment at the three-year mark.
How does CMMC interact with NIST SP 800-171?
NIST SP 800-171 is the foundational standard CMMC builds on. Level 2 CMMC requires implementation of all 110 NIST SP 800-171 requirements, assessed against the objectives in NIST SP 800-171A. NIST SP 800-53 is the broader catalog for federal information systems; 800-171's requirements are derived from the 800-53 moderate baseline (and FIPS 200), so the two overlap but 800-171 is the narrower, CUI-specific set.
Should we engage a C3PAO directly or work through a CMMC consultant first?
Most organizations engage CMMC consulting first to develop the SSP and remediate gaps, then engage the C3PAO for formal assessment. The two engagements serve different purposes: consulting prepares the organization for assessment; the C3PAO conducts the assessment itself. They also cannot be the same firm for the same environment, since a C3PAO is barred from certifying an organization it has consulted for, so choose the consultant and the assessor as separate decisions.
Related Reading
- What is CMMC? — the foundational explanation
- What is NIST SP 800-53? — the broader federal control framework
- What is a Compliance Risk Assessment? — the multi-framework diagnostic
- What is Compliance as a Service? — the operational support model
Real-World Example: A Mid-Market Defense Contractor's CMMC Journey
A Cloudskope engagement with a mid-market defense electronics manufacturer illustrates the typical CMMC roadmap. The organization had handled CUI for several years under DFARS clauses but had not been subject to formal CMMC assessment. With the program rollout reaching their contract tier, the organization initiated CMMC preparation.
The initial gap assessment identified 47 controls requiring remediation, 12 of which were structural (identity infrastructure, network segmentation, encryption deployment) and 35 of which were documentation gaps where controls existed operationally but were not documented to assessment standards. Remediation took 11 months and included a Microsoft 365 GCC High migration, deployment of privileged access management, network microsegmentation around CUI processing systems, and SSP development covering approximately 280 pages of documentation.
Pre-assessment validation surfaced 6 additional gaps that the initial assessment had not identified. C3PAO engagement followed three months later, producing certification at Level 2 with 2 minor findings remediated within the assessment cycle. Total elapsed time from gap assessment to certification was 16 months. The organization's DoD contract eligibility was preserved, and the documentation discipline established during CMMC preparation has reduced the cost of subsequent compliance work across other frameworks.
[Stat callout: approximate number of organizations in the Defense Industrial Base subject to CMMC compliance requirements as the program rolls out across DoD contracts; the figure is not reproduced here.] The compliance investment varies by Level (1, 2, or 3), but few organizations can afford to wait for assessment-ready posture to develop on its own. The roadmap matters.