Hello, Guest!
GovConExpert_Payam Pourkhomami_1200x628

GovCon Expert Payam Pourkhomami Explains How to Prepare for a CMMC 2.0 Assessment

By Payam Pourkhomami, President & CEO of OSIbeyond

To ensure adequate preparation for a Cybersecurity Maturity Model Certification 2.0 assessment, the Cyber AB advises contractors to start preparing for it at least six months in advance, depending on their current cybersecurity readiness and resources. In OSIbeyond’s experience, most organizations require 12-18 months to advance from a typical small business cybersecurity posture to one that is assessment-ready.

The good news is that preparing for a CMMC 2.0 assessment is a matter of following a well-structured approach and dedicating the necessary time and resources.

The Potomac Officers Club’s June 6 Cyber Summit is an essential GovCon gathering for those working to uphold the cybersecurity of the defense industry. CMMC will certainly be a topic of discussion. Browse the lineup of expert speakers and register for this can’t-miss event now.

Step 0: Determine your CMMC 2.0 level

At the very start of your preparation for a CMMC 2.0 assessment, you should determine which CMMC level your organization needs to achieve. To do that, you must first identify whether you handle only federal contract information, a.k.a. FCI, or also controlled unclassified information, a.k.a. CUI.

Essentially, if your contract with the Department of Defense involves handling only FCI (information provided by the government that isn’t intended for public release, but it is not classified), achieving Level 1 compliance should be your target. However, if CUI (information that requires safeguarding or dissemination controls) is involved, then Level 2 or Level 3 compliance is mandatory.

Step 1: Start with a readiness assessment and gap analysis

Because CMMC 2.0 is built upon existing sets of cybersecurity standards, such as NIST SP 800-171, many DOD contractors may have already completed some (or perhaps even all) of the necessary work to attain one of the lower CMMC 2.0 levels but may not known about it.

The goal of a readiness assessment and gap analysis is to evaluate the current state of an organization’s cybersecurity measures against the requirements for the desired CMMC 2.0 level. This assessment helps you identify any discrepancies or areas that need improvement to achieve compliance.

Step 2: Create a Plan of Action and Milestones

After conducting a readiness assessment and identifying gaps in your organization’s cybersecurity measures, the next step is to create a comprehensive Plan of Action and Milestones, or POAM. This document outlines the specific tasks required to address the identified deficiencies and the timeline for completing them.

Under CMMC 2.0, the DOD allows for some flexibility through the POAM, but with certain limitations. Companies can proceed with contract awards while still working to meet all CMMC requirements within a defined period, but only for controls with 1 or 3 values. Controls that are 5-point values, which make up approximately 40 percent of the 110 NIST 800-171 controls that comprise Level 2, are not eligible for POAMs. Additionally, there is a time limitation of 180 days for remediation of POAM items. This approach recognizes that immediate full compliance may not be feasible for all contractors but emphasizes the need for a clear commitment and progress toward securing sensitive defense information.

Step 3: Start resolving compliance issues 

With a clear understanding of the gaps in your organization’s cybersecurity measures and a comprehensive POAM in place, you can start resolving the identified compliance issues so that you can meet all requirements associated with the CMMC level you need to achieve.

While the pressure to become compliant quickly is understandable, it is paramount to prioritize long-term security. Rushing through fixes without thoroughly understanding the root causes of gaps can lead to problems down the road. This is especially true for smaller contractors with limited cybersecurity expertise and experience.

To overcome these challenges, partnering with a Managed Security Service Provider, or MSSP, can be an effective solution for contractors. MSSPs offer specialized cybersecurity knowledge, tools and ongoing support to provide a comprehensive and sustainable approach to compliance.


While these three steps are easier said than done, the outlined guiding principles are a start on your path to CMMC 2.0 compliance. If you need additional information, I have linked our full DOD Contractor’s Guide to CMMC 2.0 Compliance here. Also, you can schedule a call with our team of experts at OSIbeyond to ask specific questions.

Video of the Day