CMMC compliance: Complete planning & resource guide [2026]
Cybersecurity Maturity Model Certification (CMMC) is essential for contractors that do business with the U.S. Department of Defense (DoD) or may do so in the future. Given the broad range of services that an expansive organization like the DoD needs, earning CMMC compliance is a good strategic move for organizations across nearly every industry.
This guide is designed to help contractors understand what CMMC compliance entails and how to plan for it. You can see this as your CMMC compliance checklist, but it’s not a breakdown of technical controls, and it does not replace the official standards or the input from expert assessors. Learn more about the requirements with our CMMC 2.0 overview.
While meeting CMMC compliance requirements can be complex, this guide simplifies the process, making it easier to achieve CMMC readiness.
Editor's note: As of April 2026, ISACA is the new CMMC Assessor & Instructor Certification Organization (CAICO). Learn how this affects your compliance journey in our webinar with ISACA.
Understanding CMMC compliance requirements
CMMC compliance requires contractors to show that they have implemented and are maintaining cybersecurity systems that align with federal standards. The objective is to weave effective cybersecurity practices into the fabric of each organization with which the DoD does business. This reduces the risk of breaches and other cyber incidents for the DoD.
Therefore, a CMMC implementation plan may involve:
- Meeting security requirements based on the National Institute of Standards and Technology Special Publication (NIST SP) 800-171.
- Ensuring your organization implements all of the security practices according to the level required by your contract. For instance, you may have to maintain 15 requirements for CMMC Level 1, 110 for Level 2 or 134 for Level 3.
- Building formal documentation and providing objective evidence of compliance.
- Ensuring ongoing adherence, not just achieving compliance once and slipping out of line over time.
Check out our CMMC Levels guide for a more detailed breakdown of what each level involves.
To get the most up-to-date technical details, you can refer to these official sources for exploring how to achieve CMMC compliance:
- NIST SP 800-171 documentation
- CMMC Assessment Guide from The Cyber AB
- CMMC Model documentation
- The DoD Procurement Toolbox
- The Department of War’s breakdown of the CMMC Program
Determining your required level
The CMMC level you need to achieve depends on your contract and the types of information you handle. You may have to:
- Review your contract’s specifications to figure out which kinds of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) you may have to handle.
- Connect with a contracting officer from the department you’ll be working with to clarify details about the FCI and CUI you'll be managing.
At a high level, here’s what each CMMC level focuses on:
- Level 1: Basic protection of FCI and a relatively limited mix of cybersecurity practices. Organizations can self-assess their compliance at Level 1.
- Level 2: Handling CUI according to the full set of NIST SP 800-171 requirements. This is a big step up from Level 1 because it involves adhering to all 110 controls in 800-171. Since November 10, 2025, applicable solicitations have required a Level 2 self-assessment. Starting November 10, 2026, applicable solicitations will require Level 2 Certification by a C3PAO.
- Level 3: Implementing the 134 requirements — 110 controls in NIST SP 800-171 Rev 2, plus 24 from NIST SP 800-172 — and additional strategies for safeguarding data related to highly sensitive DoD programs. The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) assesses compliance at Level 3.
The DoD is rolling out CMMC requirements in four phases. Phase 1 began November 10, 2025, requiring Level 1 or Level 2 self-assessment. Phase 2 begins November 10, 2026, adding Level 2 C3PAO certification. Phase 3 begins November 10, 2027, adding Level 3 certification. Phase 4 begins November 10, 2028, when all solicitations and contracts will include applicable CMMC requirements as a condition of award.
For a complete list of required security practices, refer to the official NIST 800-171 overview. You can also reference this page for a breakdown of government solutions.
CMMC compliance journey
Breaking your compliance journey into phases makes it easier to perform a CMMC gap assessment and use it to boost organizational readiness.
Phase 1: Assessment and planning
This is where you evaluate your current cybersecurity posture and identify gaps. In this phase, you also start drawing up a CMMC remediation plan to address weak areas.
Many organizations work with CMMC-registered provider organizations (RPOs) to conduct gap assessments and plan their next steps. Whether you engage with a third party or handle it internally, you want to exit phase 1 with a prioritized remediation roadmap.
Phase 2: Remediation and implementation
In the remediation and implementation phase, you establish technical security controls, such as encryption, network segmentation and next-generation firewalls.
You also enact policies to protect your digital assets, such as keeping passwords secure and always using the principle of least privilege when assigning access roles. Learning the policies and tools will require training and awareness programs.
While it’s possible to handle this internally, many companies engage with:
- CMMC RPOs
- Managed Security Service Providers (MSSPs)
- Specialized IT consultants
You can also lean on internal cybersecurity teams with CMMC knowledge. And in some cases, by training your internal staff around CMMC-specific protections, you can fill crucial skills gaps.
Phase 3: Documentation & evidence (ongoing)
Your documentation and evidence strategy centers around developing a system security plan (SSP). You can then link the cybersecurity technologies and policies you built in phase 2 to facets of your SSP.
Another crucial element of phase 3 is ensuring that each policy and procedure is formally documented rather than spread by word of mouth. For instance, instead of simply telling network admins to segment databases containing sensitive project information, you would create a document outlining the types of data that need segmentation and basic architectural principles to ensure they’re adequately isolated.
As with all documentation efforts, you need to collect evidence demonstrating adherence to CMMC requirements. This could include higher-level evidence, such as network maps, or more granular proof, such as firewall configurations and real-time network monitoring logs.
Phase 4: Validation and testing (1–2 months)
Your validation and testing approach should focus on:
- Performing a deep internal validation of the effectiveness of each tool and policy. This can be done using penetration testing and scenario-based assessments.
- Executing a CMMC readiness assessment. The backbone of your readiness assessment involves systematically going through the requirements and then checking and documenting how your controls and technologies align.
- Pre-assessment preparation. This is where you get ready for an assessment, typically by consulting with an RPO or readiness consultant, regarding what they’ll be looking for and the kinds of evidence they need to see.
Organizations often turn to RPOs for CMMC compliance consulting, asking them to help conduct mock assessments to assess their readiness.
Phase 5: Assessment (varies by level)
As mentioned earlier, the party that performs the assessment process depends on the level — and for Level 2, the contract — you’re aiming for:
- Level 1: Self-assessment by internal employees
- Level 2: Most Level 2 contracts require a third-party assessment organization (C3PAO), which is an independent provider accredited by The Cyber AB; however, select programs allow a self-assessment for a CMMC Status of Level 2 (Self).
- Level 3: Government assessment performed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC)
Phase 6: Ongoing compliance (continuous)
Your ongoing compliance system should include continuous monitoring, regular reviews and updates to your systems to ensure they stay compliant.
Also, if your organization earned certification from a C3PAO or the government, you’ll need to renew it in accordance with the prescribed standards.
It’s also important to respond to any changes in CMMC compliance requirements. For instance, if a newer encryption protocol is added to the list of expected protections, you would need to ensure that all sensitive data is protected by that protocol.
Planning your compliance project
Planning your project centers on CMMC scoping, setting a CMMC implementation timeline and budget and allocating resources. Resource allocation is key to CMMC preparation because it ensures you have the tools needed to execute your implementation.
The most important decision around resources is often whether to implement your CMMC compliance strategy internally or with external support. An external provider can be a powerful CMMC compliance guide because they may have several years of experience helping organizations in your industry meet the necessary standards.
Another consideration is compliance project management, which supports a smoother, comprehensive approach to your readiness implementation. For some organizations, taking an Agile approach makes the most sense. For instance, you can organize sprints around high-priority practices, or you can perform a mock assessment and build sprints to address the gaps it identifies.
Creating your compliance roadmap
Your compliance roadmap should consist of:
- Identifying milestones
- Setting priorities based on needs or weaker areas
- Allocating resources
- Managing risks, such as running over timeline or taking on technical debt
- Establishing what success looks like
“Success” should involve more than checking off a number of boxes. A successful CMMC compliance initiative should prepare you to pass an objective assessment and maintain compliance for years to come.
Here are some questions to ask as you build your roadmap:
- Do we have in-house cybersecurity expertise?
- Do we need RPO consulting support?
- What’s our timeline for compliance?
- What’s our budget?
- Who will own this internally?
Understanding NIST 800-171 control families
The NIST SP 800-171 documentation organizes its requirements into 14 control families. They’re grouped by security practices, which can make CMMC audit preparation and compliance simpler.
Access control
Purpose: Protect your systems by limiting the people and processes that have access to them.
Types of controls: Account management, principles of least privilege, automatic session termination and restrictions around who can access resources remotely.
Notes: This requires a combination of technical tools and concisely documented procedures. It’s common for an organization to get professional support with configuring access controls.
Awareness and training
Purpose: Make sure personnel understand the risks and responsibilities around building strong cybersecurity protections.
Types of controls: Security awareness training and training according to individual roles or job titles.
Notes: You must document your training so you can repeat it for new hires or to refresh current staff.
Audit and accountability
Purpose: Evaluate system activity to identify misuse or security incidents.
Types of controls: Maintaining and retaining activity and incident logs, auditing and evaluating the results of audits.
Notes: Configuring logging systems can be technically challenging, so some companies enlist the help of third-party experts.
Configuration management
Purpose: Maintain system configurations that bolster your security and control all configuration changes.
Types of controls: Establishing baseline configurations, monitoring the need for changes and keeping track of all changes over time.
Notes: This can be difficult when working with legacy systems that don’t output data that integrates with automatic monitoring tools.
Identification and authentication
Purpose: Verify the integrity of user and system identities.
Types of controls: Credential management, multi-factor authentication (MFA), certificate management and TLS authentication.
Notes: It may help to treat MFA separately from certificate and TLS authentication during your implementation. All three verify identities, but certificate management and TLS provide automated verification for machines and systems, whereas MFA verifies human users.
Incident response
Purpose: Detect and respond to incidents as well as recover from breaches and other impactful events.
Types of controls: Incident response strategies, penetration testing, reporting policies.
Notes: All staff should have access to training instruction and written materials to which they can refer to refresh their memories or teach others.
Maintenance
Purpose: Establish maintenance activities that prevent unauthorized access due to lapses in protections.
Types of controls: Maintenance logs and systematic, periodic reviews.
Notes: Maintenance systems should be in place from day one, as soon as you start choosing tools and building policies, but some organizations neglect to check maintenance until it’s time for an audit.
Media protection
Purpose: Protect data stored on physical and digital media.
Types of controls: Storage protections, encryption at rest and in transit and scans to check for data integrity.
Notes: If storage media includes a complex network of cloud assets, enlisting the help of cloud security professionals can be helpful.
Personnel security
Purpose: Make sure individuals can be trusted before you grant them access to your systems.
Types of controls: Background checks, and systems that automatically terminate access when trust levels fall below defined thresholds.
Notes: Personnel security should also incorporate behavioral analysis to catch suspicious activity, such as logging in at odd times of the day or from suspicious IP addresses, or visiting your physical facilities at unusual times. Coordination with physical security teams is essential.
Physical protection
Purpose: Prevent physical access to facilities, systems and infrastructure.
Types of controls: Facility access controls, such as key cards, visitor logs and equipment room security.
Notes: You can streamline the process of collecting evidence of physical protections using video surveillance, which can take snapshots of physical protection mechanisms, including locks, card scanners and other physical security measures.
Risk assessment
Purpose: Identify cybersecurity risks and evaluate their severity and potential impact.
Types of controls: Vulnerability identification, risk assessments and continuous risk monitoring using risk matrices.
Notes: It can be challenging to align risk documentation with all of your controls, and in complex security systems, you may want to hire external help.
Security assessment
Purpose: Evaluate security controls to gauge their effectiveness.
Types of controls: Remediation tracking, mean time to resolution reports, self-assessments, interdepartmental assessments, penetration testing and simulated attacks.
Notes: Security assessments should be one of your primary sources of data as you measure both the security of your systems and compliance readiness. Documenting assessment results can be valuable when you need to prove the effectiveness of your safeguards.
System and communications protection
Purpose: Safeguard data while in transit and establish security tools that protect your network from eavesdroppers and thieves.
Types of controls: Network segmentation, encryption, firewalls and network monitoring and threat detection tools.
Notes: This may involve adjustments to your network, which can be easier with the help of outside experts.
System and information integrity
Purpose: Make sure your systems operate as they should and provide adequate security.
Types of controls: Malware protection, patch management and network behavior monitoring tools.
Notes: It’s common to hire a managed security service provider (MSSP) to bolster system and information integrity.
Important: Each control family consists of a number of detailed practices. It’s best to consult NIST SP 800-171 when trying to determine requirements. It’s also common for an organization to turn to NIST security experts to ensure all controls are implemented correctly.
When to engage professional help
You may need professional assistance if you have:
- Limited in-house cybersecurity expertise
- Complicated IT environments, such as those involving a mix of on-premises and remote access
- Aggressive timelines
- Challenges around producing compliant documentation
- Concerns around whether you’re ready for an assessment or if your controls provide the needed protections
Types of professional services
You can turn to a range of professional services if any of the above issues arise, but the services you choose will depend on your in-house capabilities. Here are some common options:
CMMC Registered Provider Organizations (RPOs)
The right RPO can be a one-stop shop for meeting your CMMC compliance needs because they:
- Perform gap assessments and assess readiness
- Implement security plans or provide advisory support
- Document your controls
- Help you provide evidence to support your CMMC compliance
- Help with pre-assessment preparation and perform mock assessments
Dig deeper into what an RPO does in this article.
Managed security service providers (MSSPs)
MSSPs focus on protecting your assets, providing services, such as:
- Implementing security controls
- Keeping track of the patches you need to implement to avoid vulnerabilities
- Supporting your security operations team
- Monitoring your system and managing alerts
IT and cybersecurity consultants
Consultants can be helpful when it comes to:
- Designing network architecture
- Advising you as to the best ways to segment your network
- Upgrading your infrastructure to protect against the most recent threats
Finding qualified providers
The process of finding the right providers is similar to vetting other professional services because you should:
- Check the Cyber AB Marketplace, which can give you access to pre-vetted RPOs
- Verify each provider’s credentials and verify the legitimacy of their CMMC experience
- Check references from organizations like yours
Check out our article on the different services available in the CMMC marketplace for more info.
Key resources for compliance
You can use the following resources to ground your CMMC compliance efforts:
- NIST SP 800-171 Revision 3
- CMMC model documentation
- The Department of War’s CMMC assessment guide
- The Defense Industrial Base Cybersecurity Strategy
Professional development
Like other organizations, your company may benefit from having a Certified CMMC Professional (CCP) on staff. CCP training can take place over just five days and gives your candidate everything they need to earn the certification.
In addition, many organizations benefit from Certified CMMC Assessor (CCA) training because it deepens knowledge around the actual assessments conducted by C3PAO teams.
Tools and platforms
You don’t have to design your CMMC compliance mechanism from scratch because you can turn to:
- Compliance management platforms, which come with pre-made modules that provide compliance guardrails
- Governance, risk and compliance (GRC) tools, which help with a range of compliance issues, including CMMC
- Gap assessment templates, which walk you through the gap identification process
- Documentation frameworks, which ensure your documentation is compliant and meets the expectations of assessors
Common compliance challenges
To make it easier to avoid roadblocks, here are some compliance challenges many organizations face:
- The complexity of requirements. Implementing 110 practices for Level 2 can be daunting. You can address this by engaging experienced RPOs or consultants.
- Resource constraints. Limited staff or budget can slow compliance down or grind it to a halt. By using a phased implementation or the support of an MSSP, you can control costs and limit the risk of staff burnout.
- Technical debt. Legacy systems can be difficult to fit into your compliance framework. It may be necessary to limit the scope of your compliance in the short term while you plan to upgrade legacy systems.
- Documentation burden. Meeting compliance requirements calls for extensive documentation of your systems and their effectiveness. Support from RPOs, using templates and dedicating resources specifically to documentation can make it easier.
- Maintaining compliance. It takes ongoing effort to stay compliant. You can use continuous monitoring tools, regular reviews and staff training to reduce the workload on individuals.
Assessment POA&M (Plan of Action and Milestones)
A POA&M:
- Is available for Level 2 and Level 3, but not Level 1
- Requires a minimum assessment score of 80% (88 of 110 points)
- Is a tool with a maximum remediation window of 180 days
- Requires documented plans and tracking
A POA&M does not:
- Enable you to avoid compliance
- Have an indefinite time frame
- Apply to every practice — certain critical requirements cannot be placed on a POA&M
Developing a POA&M
When developing a POA&M, you should include:
- Specific remediation actions
- Clear timelines and ownership
- Progress tracking and evidence
It’s common for organizations to work with RPOs to ensure POA&Ms meet assessment expectations.
Preparing for C3PAO Assessment (Level 2)
As mentioned earlier, Level 1 always uses self-assessment. Level 2 uses either a self-assessment (for select programs) or a C3PAO certification assessment, depending on your contract. The preparation steps below apply to both pathways, though C3PAO assessments involve additional coordination with the third-party assessor.
To get ready for your C3PAO assessment, you should:
- Make sure all practices have been implemented or are on an eligible POA&M
- Complete your documentation
- Organize your evidence
- Make sure your staff have been trained and are prepared
Pre-assessment activities
Before the assessment, you’ll want to:
- Conduct an internal readiness review
- Perform a mock assessment, which often involves hiring an RPO
- Compile your evidence
- Prepare your staff to be interviewed
- Choose a C3PAO
Maintaining compliance after certification
Once certified, maintaining your compliance is a cyclical process that involves:
- Ongoing requirements, such as continuous adherence to controls, regular self-assessments and updating documentation.
- Adhering to recertification cycles. Level 1 is self-assessed, but Levels 2 and 3 must be recertified every three years: Level 2 through a C3PAO certification assessment or, for select programs, a self-assessment; Level 3 through DCMA DIBCAC certification. In addition, an organization official must affirm continuous compliance annually and post that affirmation to the Supplier Performance Risk System.
- Change management. Any time you implement new systems, change your network, have an organizational change or update policies, you must adjust your systems to ensure they still comply.
Next steps: Your compliance action plan
To start your CMMC compliance journey, you should:
- Determine which CMMC level you need to achieve
- Assess your current security posture
- Identify any security or policy gaps
- Decide whether you’re going to go with internal or external support
- Develop a timeline and budget
Frequently asked questions (FAQs)
How long does CMMC compliance take?
This varies widely based on the level, organizational maturity and scope.
Can we do this ourselves?
Some organizations can, but many require professional support.
What’s the most difficult part of CMMC compliance?
Documentation, interpretation and sustaining compliance over time are typically the most challenging.
How much does it cost?
Costs vary significantly, so it’s best to perform a gap assessment to gauge what you need to do and how much it will cost.
Can we use cloud services?
Yes, cloud tools can work if they’re configured and documented correctly.
What if we can’t meet all the requirements?
A limited POA&M may be an option for Level 2, but you should check with the DoD agency you’re trying to do business with to be sure.
Do we need CCP-certified staff?
No, this isn’t required, but it can be very beneficial.
Where do we start?
To get started, determine your required level and conduct a gap assessment.