CMMC compliance process: Six steps to take and what to expect

    aerial view of government buildings

    Version 2.0 of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) stipulates that Defense Industrial Base (DIB) contractors can no longer self-report cybersecurity assessments. Instead, they are required to earn certification from a CMMC Third-Party Assessor Organization (C3PAO). To help DIB contractors meet CMMC Level 2 requirements, the CohnReznick cybersecurity team committed to becoming a C3PAO assessor when the inaugural version of CMMC  was published in January 2020.

    Becoming a C3PAO required that we undergo an assessment from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a unit of the Defense Contract Management Agency (DCMA), which manages all DoD contracts. We’re sharing our accreditation journey to offer lessons learned and insights into what DoD contractors can expect on their journey to CMMC compliance.

    What DoD contractors can expect:

    When planning an assessment by the DIBCAC, don’t underestimate the timeframe – particularly the preparation phase.

    The CohnReznick CMMC team first discussed the C3PAO accreditation with our executives and board early in the process to help eliminate any surprises to the timeframe. DoD prime contractors that have Level 2 controls in place may have a shorter lead time while organizations that are in the middle to end of the Defense Supply Chain (DSC) may not. It all depends on the company’s exposure to DOD contracts and their level of operational maturity.

    There is also a requirement to create an expanded Asset List  and this can be unexpectedly demanding. In part, that’s because the list is comprised of five comprehensive categories:

    • Controlled unclassified information (CUI) assets
    • Security protection assets
    • Contractor risk managed assets
    • Specialized assets
    • Out-of-scope assets

    Contractors should also know what to expect during the assessment process. In our experience, the assessment process was well organized and straightforward. DIBCAC assessors kicked off the certification process by scheduling several meetings with CohnReznick CMMC stakeholders to explain the procedure, gain an understanding of our technical environment, and finalize the assessment timeline. The assessment was scheduled to be completed within five business days with the assessors requesting a tranche of documents that included:

    • System Security Plan (SSP), with documented policies and procedures covering the 110 Level 2 controls of CMMC.
    • Network diagram
    • Controlled Unclassified Information (CUI) flow diagram
    • System boundary diagram 
    • Asset list 

    Six actionable steps DoD contractors can take to help prepare:

    While it’s important to know what to expect, it’s also important to know what steps contractors can take now to better prepare for the accreditation process.

    Here are six actionable steps:

    1. Get ready for the audit by performing a readiness assessment: Before the CMMC assessment, perform a readiness assessment against the CMMC controls. The preparatory assessment will help make sure that any overlooked gaps are identified and remediated before the audit is under way.
    2. You can – and should – make changes: During the assessment, the assessors may allow businesses to modify their environment and update documentation to meet requirements if the change can be completed and reviewed by the assessors during the agreed upon assessment period. When doing so, be sure to follow your documented procedures to the letter. Making modifications without following your organization’s procedures may result in the assessors penalizing you for not following your procedures resulting in a “NOT MET ” status.
    3. Observe the objectives: The assessors will test all controls objectives associated with each CMMC controls to determine if the control is “met”.  To prepare, review the objectives control by control, ensure that you have two pieces of evidence for each objective, and be sure that experts who can address each objective participate in the assessment sessions.
    4. Coach your service providers: Assessors will dig into third-party managed services. It’s essential that provider representatives are present during the assessment to answer any questions. It’s important to rehearse potential responses and issues with major managed services and Security Operations Center (SOC) providers before the assessment sessions. Also consider rehearsing with stakeholders from IT and human resources.
    5. Test incident response: Make sure to have a tested incident-response plan that specifies the tools and procedures to identify, eliminate, and recover from cybersecurity incidents. If applicable, managed service providers should be present during testing.  The test plan, narrative, and lessons-learned need to be documented and presented to the assessors.
    6. Update documentation: Make sure your documented System Security Plan is accurate, up-to-date, and that it’s documented to strictly adhere to your security processes.

    If you’re considering becoming a C3PAO, knowing what to expect and steps to take now to help prepare for the accreditation assessment is key.

    10 questions to ask before your CMMC assessment

    • Have you identified all DoD contracts?
    • Are you prepared to perform a readiness assessment before the formal assessment? 
    • Have you identified and precisely mapped your CUI? 
    • Have you allowed plenty of time to undergo the assessment process?
    • Are the right stakeholders available and involved during the formal assessment?
    • Have you identified your system boundary based on CUI mapping? 
    • Is your System Security Plan detailed and accurate? 
    • Are your policies and procedures in sync with your System Security Plan?
    • Are the right stakeholders involved in your incident response plan, and has the plan been tested? Are the lessons learned documented?
    • Is CUI training part of your security awareness and training program?

    Get in touch with our specialists

    View All Specialists

    Kristen Soles

    CPA, Partner - Managing Partner, Advisory - Global Consulting Solutions and Government Contracting Industry Leader
    Bhavesh Vadhani

    Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

    Looking for the full list of our dedicated professionals here at CohnReznick?



    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic

    The Cybersecurity Maturity Model Certification (CMMC)


    Access Our Government Contracting Topic Page for Key Insights & Powerful Tools

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.