Preparing for DoD Compliance with the CMMC Framework

Any organization that works with the U.S. Department of Defense (DoD) must prove it can protect sensitive information by achieving DoD compliance. The Cybersecurity Maturity Model Certification (CMMC) is the framework the DoD uses to measure and enforce that compliance.

Preparing for DoD compliance involves understanding the CMMC framework, determining the certification level your organization needs, and implementing the required security controls before assessment.

Is your business ready for DoD compliance? Schedule a consultation today

How to Prepare for CMMC Implementation

The Cybersecurity Maturity Model Certification (CMMC) is the foundation of DoD compliance. Every organization in the Defense Industrial Base (DIB) must meet CMMC requirements to demonstrate they can safeguard sensitive information that protects U.S. military operations and national security.

Achieving certification can be complex, but preparation becomes manageable when broken into three key steps:

• Understand the CMMC 2.0 framework and how it aligns with DoD compliance requirements
• Determine the scope of certification (the CMMC Level) your organization needs
• Implement required controls based on the DoD’s official assessment guidance
  

Partnering with an experienced CMMC advisor streamlines the entire process, helping your organization move confidently toward full DoD compliance.

 

Understanding the CMMC Framework

The Department of Defense (DoD) relies on the Cybersecurity Maturity Model Certification (CMMC) to ensure that its contractors can protect sensitive defense information. Meeting these requirements is a critical step toward achieving DoD compliance.

Contractors must implement a defined set of security controls based on the CMMC Level required by their contract. Depending on the Level, organizations may need to complete either a self-assessment or a third-party assessment to verify compliance.

The original CMMC framework was introduced in 2020 under the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S). Oversight has since shifted to the DoD Chief Information Officer (CIO), with input from OUSD Intelligence and Security (I&S).

In 2021, CMMC 2.0 replaced the earlier version, simplifying the Level structure, updating security controls, and adjusting assessment protocols to be more flexible and accessible. Despite these improvements, many organizations still find navigating the framework challenging without expert guidance.

Request a Consultation

 

Implementation: What Controls Do You Need?

CMMC functions as a cybersecurity maturity model, measuring the depth and complexity of an organization’s security practices. Each maturity Level represents a stage of readiness for DoD compliance.

The controls required at each Level are derived from the National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172:

• CMMC Level 1: Foundational Security
  Requires 15 baseline practices from NIST SP 800-171, covering essential safeguards to protect Federal Contract Information (FCI).
• CMMC Level 2: Advanced Security
  Requires 110 practices adapted from the full NIST SP 800-171, focusing on protecting Controlled Unclassified Information (CUI).
• CMMC Level 3: Expert Security
  Builds on Levels 1 and 2, with additional practices drawn from NIST SP 800-172 (still being finalized), addressing the most advanced threats.
  

The specific Level your organization needs will depend on contract requirements. In some cases, scoping exercises are also used to determine which Level of CMMC certification is necessary based on the sensitivity of the data you handle.

 

Assessment: How to Verify Security Maturity

Verification is a critical part of DoD compliance. The Department of Defense requires contractors to undergo different assessment protocols depending on their CMMC Level. These assessments confirm that organizations meet the security standards needed to protect defense information.

Here’s how the requirements currently break down:

• CMMC Level 1:  Self-Assessment
  Organizations conduct annual self-assessments and provide affirmation documentation, with or without assistance.
• CMMC Level 2:  Third-Party or Self-Assessment
  Most organizations must complete a third-party assessment every three years. However, certain contractors with limited exposure to Controlled Unclassified Information (CUI) may be allowed to self-assess triennially.
• CMMC Level 3: Government-Led Assessment
  Organizations will undergo government-led assessments every three years. (The full infrastructure for Level 3 assessments is still being developed.
  

To support this process, the Cyber AB (formerly the CMMC Accreditation Body) now oversees the training and certification of third-party assessors for most Level 2 organizations.

 

Determining Your Implementation Scope

The CMMC Level your organization must achieve is typically defined in the DoD contract you’re pursuing. However, if you want to prepare proactively, you can estimate your likely scope based on the types of data your organization handles. Partnering with a compliance advisor can make this process clearer and more accurate.

Here’s how data type impacts CMMC Levels, and ultimately, DoD compliance:

• CMMC Level 1: Federal Contract Information (FCI)
  Covers information related to government contracts that is not intended for public release.
• CMMC Level 2: Controlled Unclassified Information (CUI) + FCI
  Expands protections to include sensitive but unclassified information, such as technical data or research that, if exposed, could impact national security. The Information Security Oversight Office (ISOO) maintains the full registry of CUI categories and their governing regulations.
• CMMC Level 3: Advanced Guidance Pending
  Applies to the most sensitive unclassified information. The DoD has not yet finalized scoping guidance for Level 3 assessments.
  

The DoD provides scoping guidance for Levels 1 and 2 to help contractors identify which systems and assets fall within assessment scope. Reviewing this guidance early,  ideally with expert support, ensures your organization stays on track toward DoD compliance.

 

CMMC Level 1 Scoping Guidance

At CMMC Level 1, the Department of Defense requires contractors to focus primarily on Federal Contract Information (FCI) assets. These are any virtual or physical assets that:

• Process FCI:  allow access, input, editing, generation, or printing of data
• Store FCI:  hold data “at rest” in physical or digital form
• Transmit FCI:  send data between assets or locations, whether physically or digitally
  

Only assets that perform these functions are considered in scope for Level 1 assessments. Assets that fall outside of these functions do not need to be assessed.

In addition, some Specialized Assets do not require assessment if they are properly documented. These may include:

• Government-owned property
• Internet of Things (IoT) devices
• Test or evaluation equipment
  

Understanding and correctly scoping Level 1 assets is critical for meeting DoD compliance requirements, as it ensures your organization is securing the right systems without wasting resources on out-of-scope areas.

 

CMMC Level 2 Scoping Guidance

For CMMC Level 2, the Department of Defense focuses on Controlled Unclassified Information (CUI) assets. These include any hardware or software that process, store, or transmit documents containing CUI. In addition to the Level 1 requirements, organizations must also provide a network diagram of all CUI assets and other in-scope systems during pre-assessment.

Beyond CUI assets, Level 2 scoping also requires organizations to account for:

• Security Protection Assets:  systems that provide or contribute to CUI protections
• Contractor Risk-Managed Assets:  assets that might come into contact with CUI
• Specialized Assets:  such as IoT devices or test equipment, which are now in-scope at Level 2 (unlike Level 1)

The only assets considered fully out of scope are those that are physically or logically separated from CUI, with no potential for connection or interaction.

Proper scoping at Level 2 is critical for contractors handling CUI, as it ensures they are meeting the requirements for DoD compliance and protecting sensitive defense-related information.

 

CMMC Level 3 Scoping Speculation

Currently, the Department of Defense has not released final guidance on what specific thresholds will trigger a CMMC Level 3 assessment. However, it is widely expected that organizations handling larger volumes or more sensitive categories of Controlled Unclassified Information (CUI) will fall under this requirement.

Looking back at earlier versions of the framework provides some insight. Before CMMC 2.0, there were five Levels instead of three. The current Level 3 aligns most closely with the old Level 5, which applied to organizations facing advanced persistent threats (APTs) to CUI.

This suggests that Level 3 assessments under CMMC 2.0 may be required not only for the amount and type of CUI an organization manages but also for the level of cyber risk it faces. Contractors preparing for DoD compliance at this tier should expect stricter security requirements once formal guidance is released.

 

Implementing and Assessing Security Practices

Once your organization has defined its assessment scope, the next step is implementing the required security controls and preparing for evaluation. Depending on the contract and certification level, assessments may be self-conducted, performed by a third-party, or led by the Department of Defense.

The CMMC 2.0 framework is built on existing NIST standards, particularly NIST SP 800-171 and NIST SP 800-172. These publications outline specific requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While NIST distinguishes between Basic, Derived, and Enhanced requirements, CMMC consolidates these into practices aligned with Levels 1, 2, and 3.

Although formal guidance for CMMC Level 3 is not yet finalized, becoming familiar with NIST SP 800-172’s Enhanced Requirements will give contractors an advantage in preparing for the highest level of DoD compliance. Proactive adoption of these controls helps organizations strengthen their security posture and avoid costly delays when assessments begin.

CMMC Level 1 Implementation Requirements

CMMC Level 1 is the foundation of DoD compliance, ensuring organizations can safeguard Federal Contract Information (FCI). These requirements are adapted from NIST SP 800-171, which outlines 110 controls across 14 Families. At Level 1, only a subset of 17 practices is required, focusing on essential protections.

The practices are grouped into core security areas:

• Access Control (AC)
  • AC.L1-3.1.1: Authorized Access Control
  • AC.L1-3.1.2: Transaction and Function Control
  • AC.L1-3.1.20: External Connections
  • AC.L1-3.1.22: Control of Public Information
• Identification and Authentication (IA)
  • IA.L1-3.5.1: Identification
  • IA.L1-3.5.2: Authentication
• Media Protection (MP)
  • MP.L1-3.8.3: Media Disposal
• Physical Protection (PE)
  • PE.L1-3.10.1: Limit Physical Access
  • PE.L1-3.10.3: Escort Visitors
  • PE.L1-3.10.4: Physical Access Logs
  • PE.L1-3.10.5: Manage Physical Access
• System and Communications Protection (SC)
  • SC.L1-3.13.1: Boundary Protection
  • SC.L1-3.13.5: Public Access System Separation
• System and Information Integrity (SI)
  • SI.L1-3.14.1: Flaw Remediation
  • SI.L1-3.14.2: Malicious Code Protection
  • SI.L1-3.14.4: Update Malicious Code Protection
  • SI.L1-3.14.5: System and File Scanning
    

Meeting these 17 practices demonstrates your organization’s ability to protect FCI and positions you for higher maturity. Contractors targeting more sensitive DoD contracts should consider adopting additional NIST SP 800-171 controls early, since all 110 will be required at CMMC Level 2.

 

CMMC Level 2 Implementation Requirements

CMMC Level 2 is the most common target for contractors seeking DoD compliance, as it covers Controlled Unclassified Information (CUI). At this stage, organizations must implement all 110 practices from NIST SP 800-171.

For companies already aligned with NIST standards, mapping existing protections to CMMC requirements can be relatively straightforward. However, Level 2 requires full documentation and third-party assessments, making preparation more demanding than Level 1.

The required practices fall into multiple security areas, including:

• Access Control (AC)
  Examples: control CUI flow, enforce least privilege, manage remote access, encrypt mobile data.
• Awareness and Training (AT)
  Examples: role-based security training, insider threat awareness.
• Audit and Accountability (AU)
  Examples: system auditing, event reviews, time synchronization, audit protections.
• Configuration Management (CM)
  Examples: baseline configurations, security impact analysis, change control.
• Incident Response (IR)
  Examples: incident handling, reporting, and response testing.
• Maintenance (MA)
  Examples: secure system maintenance, equipment sanitization, remote maintenance controls.
• Media Protection (MP)
  Examples: media markings, accountability, encryption of removable and backup media.
• Personnel Security (PS)
  Examples: screening individuals, personnel action tracking.
• Physical Protection (PE)
  Examples: facility monitoring, securing alternative work sites.
• Risk Assessment (RA)
  Examples: vulnerability scanning, remediation, risk analysis.
• Security Assessment (CA)
  Examples: system security plans, plans of action, ongoing assessments.
• System and Communications Protection (SC)
  Examples: CUI encryption, network protection, split tunneling restrictions, secure VOIP, cryptographic key management.
• System and Information Integrity (SI)
  Examples: malware alerts, monitoring for attacks, detecting unauthorized use.

Together, these practices create a comprehensive defense framework that ensures organizations can protect CUI effectively. Contractors preparing for CMMC Level 2 should also consider beginning to implement NIST SP 800-172 controls early, since they will become mandatory at Level 3.

CMMC Level 3 Implementation Speculation

CMMC Level 3 represents the highest tier of DoD compliance, designed for organizations handling the most sensitive Controlled Unclassified Information (CUI) and facing advanced persistent threats (APTs). While the DoD has not yet released final specifications, it has confirmed that Level 3 will draw heavily from NIST SP 800-172, which adds 35 enhanced requirements on top of the 110 controls from SP 800-171.

These enhanced practices expand on familiar security families, introducing advanced protections such as:

• Access Control (AC)
  Examples: authorization for critical operations, restricting access to owned resources, controlling information flows.
• Awareness and Training (AT)
  Examples: training on specific threats, practical risk mitigation exercises.
• Configuration Management (CM)
  Examples: automated detection of anomalies, authoritative accountability sources, automated system updates.
• Identification and Authentication (IA)
  Examples: device-level authentication, automated password management, bidirectional access validation.
• Incident Response (IR)
  Examples: establishing a Security Operations Center (SOC), forming a cyber threat response team.
• Personnel Security (PS)
  Examples: continuous reassessment of CUI access, access adjustments based on new intelligence.
• Risk Assessment (RA)
  Examples: proactive cyber threat hunting, supply chain risk management, integrating automation and threat intelligence.
• Security Assessment (CA)
  Example: regular penetration testing to validate defenses.
• System and Communications Protection (SC)
  Examples: isolating critical systems, adding unpredictability to deter attackers, distributing system resources.
• System and Information Integrity (SI)
  Examples: root-of-trust mechanisms, anomaly detection, removal of unnecessary CUI, validation of audit logs.

Organizations processing high volumes of CUI, or those at risk of advanced threats, should begin aligning with NIST SP 800-172 now, even before Level 3 requirements are finalized. This proactive approach reduces future compliance gaps and strengthens defense posture against sophisticated attacks.

Working with a CMMC and NIST advisor is the most effective way to streamline preparation, ensuring your security program meets today’s requirements while anticipating future ones.

 

Optimize Your CMMC Framework Implementation

Preparing for DoD compliance requires a full understanding of the CMMC 2.0 framework. By properly scoping requirements and implementing controls efficiently, your organization can position itself for smooth self-assessments, third-party reviews, or government-led evaluations.

At RSI Security, we’ve guided countless contractors through the path to DoD compliance, helping them secure eligibility for valuable defense contracts. Our team prioritizes service and tailored strategies, ensuring your security framework is not only compliant but also resilient against evolving threats.

If your organization is preparing for CMMC framework implementation or wants expert support for assessments, RSI Security is here to help. Contact us today to begin optimizing your security posture and achieve seamless DoD compliance at any level.

Download Our CMMC Checklist