CMMC Series: Preparing for your assessment

This is our fifth article on this topic and as we bring it to a close, I’d like to first look back at what we’ve covered so far.

We started the series looking at what’s ahead for the Cybersecurity Maturity Model Certification (CMMC) program in 2022. Then we covered tiers one, two and three as they exist in the current 1.0 model of the program. We’re anticipating that tiers two and three will be merged going forward as version 2.0 rolls out (placing a larger burden on defense contractors looking to scale past the beginner controls in tier one and become more competitive in the marketplace).

So, if you’re reading this you’ve hopefully begun the process of implementing the controls within your business and are thinking it’s time to begin the process of obtaining your certification. There are several steps that come before actually obtaining your certification (although it should be noted that the CMMC Accreditation Body is currently in the process of hiring and waiting lists for certification could be lengthy at this time). The sooner you begin implementing the CMMC controls within your business, the sooner you can attempt to get on the waiting list to receive your certification.

The assessment process will follow these steps:

  1. You will need to begin implementing a plan for CMMC within your business and conduct a self-assessment against NIST 800-171 (or partner with a provider like Valley Techlogic to assist you with this).
  2. As you improve your processes you can submit your score to the Department of Defense’s (DoD) Supplier Performance Risk System (SPRS).
  3. From there you will need to identify the scope you wish to obtain for your business (it’s our opinion maturity level 3 will be required for most defense contractors in the future).
  4. Obtain a third-party gap assessment; this will show you where your business is and where it needs to be to achieve your goals.
  5. After addressing the gaps found in the assessment, you can look to the CMMC Accreditation Marketplace and choose a CMMC Third-Party Assessment Organization (C3PAO) to conduct your CMMC assessment.
  6. The CMMC Accreditation Body will review the assessment submitted by your C3PAO and award you your CMMC certification.

Of course, this is boiling down many months (or even years) of preparation into what looks like 6 easy steps. The process will be time-consuming and potentially costly, but for those who wish to continue doing business with the DoD it’s a necessary investment in the future.

As we’ve mentioned in past articles on the topic, defense contractors who refuse to comply with the CMMC process will no longer be eligible for defense contracts in the future. Beyond that, if you reach a higher level of certification, you will be in a better position to receive more contracts as it will be used as a comparative tool going forward.

If you’d like assistance with the CMMC self-assessment process or preparing for your CMMC AB assessment, Valley Techlogic has experience in this area. We have helped businesses begin the process of becoming CMMC ready. If you’d like to learn more, schedule a consultation with our experts today.

This article was powered by Valley TechLogic, IT service provider in Atwater, CA.