CMMC compliance checklist: A step-by-step guide
Achieving CMMC compliance can be complex due to the program’s extensive requirements. To get CMMC certified, you’ll need to implement various procedures across multiple areas of your organization, making it challenging to find a good starting point and prioritize effectively.
This is particularly true for organizations with low-maturity security programs and limited resources, which can find CMMC compliance overwhelming due to a lack of internal expertise or resources to manage the necessary workflows.
This guide will walk you through the compliance process, outlining the seven key steps to achieve CMMC compliance and reach readiness efficiently.
CMMC requirements: A quick overview
The specific steps required to achieve CMMC compliance depend on the certification level required for your organization. CMMC is structured into the following three certification levels:
- Level 1 (Foundational): Applies to organizations that handle Federal Contract Information (FCI) and focuses on basic cyber hygiene. Level 1 requires an annual self-assessment against the 15 basic safeguarding requirements of FAR clause 52.204-21, plus an annual affirmation of continued compliance.
- Level 2 (Advanced): Intended for organizations that handle Controlled Unclassified Information (CUI) in addition to FCI. Level 2 requires implementing all 110 security requirements of NIST SP 800-171 Revision 2. Depending on the contract, the assessment is either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), and it is renewed every three years.
- Level 3 (Expert): Reserved for organizations that handle CUI associated with higher-risk programs and require the most comprehensive measures. Level 3 requires a final Level 2 (C3PAO) certification for the same scope first, then implementing an additional 24 requirements selected from NIST SP 800-172, as listed in 32 CFR 170.14. Level 3 assessments are conducted by the government rather than by a C3PAO.
Your required level is set by the contract, not by your organization's size or budget. If your contracts involve only FCI, Level 1 is all that is required, and it is a useful place to build familiarity with CMMC before a CUI-bearing contract raises the requirement to Level 2 or 3.
This guide outlines the universal compliance steps applicable to all three levels, along with the specific actions necessary to meet individual certification requirements.
An end-to-end CMMC compliance checklist: 7 steps to follow
Our CMMC compliance checklist helps you approach every aspect of CMMC certification more efficiently by breaking it down into seven actionable steps:

- Identify the suitable CMMC level for your business
- Define your CUI and FCI boundaries to establish the scope
- Perform a gap assessment
- Document your POA&M
- Address your POA&M gaps
- Conduct the assessment
- Maintain CMMC certification
In the sections below, we’ll explore each step in detail and explain how they apply to your organization.
Step 1: Identify the suitable CMMC level for your business
Your organization’s required CMMC level primarily depends on the type of information you handle within the supply chain, which can be divided into two main categories:
- Federal Contract Information: Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government makes public (for example, on public websites) and simple transactional information, such as what is needed to process payments. Organizations that handle FCI need at least Level 1.
- Controlled Unclassified Information: Information the government creates or possesses, or that an entity creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. Handling CUI requires Level 2, or Level 3 where the contracting agency determines the CUI warrants it.
CMMC is required for contractors and subcontractors in the DoD supply chain that handle FCI or CUI, except for suppliers of commercial off-the-shelf (COTS) items. Subcontractors do not automatically inherit the prime's level: the prime flows down the level that matches the information the subcontractor actually handles. If your organization receives only FCI from a prime that holds CUI, your requirement is Level 1, not the prime's Level 2 or 3.
The required level of CMMC certification for your organization should be listed in the Department of Defense (DoD) contract or solicitation documents. If you’re unsure about your organization’s required CMMC level, contact your contracting officer or prime contractor for clarification.
Step 2: Define your CUI and FCI boundaries to establish the scope
Before you start your CMMC certification process, it’s essential that you clearly outline which of your organization’s assets will be assessed. Doing this will provide you with actionable insight into where to invest your resources to meet CMMC requirements.
For Level 1, every asset that processes, stores, or transmits FCI is in scope: people, technology such as servers and workstations, facilities such as offices, and external service providers (ESPs). Assets that do not handle FCI are out of scope and are not assessed.
Specialized assets are a defined category, not a synonym for systems that are hard to secure: government-furnished property, Internet of Things and industrial IoT devices, operational technology, restricted information systems, and test equipment. At Level 1 they are out of scope. At Level 2 they are in scope but are not assessed against the security requirements; you document them in the asset inventory, System Security Plan (SSP), and network diagram and describe how they are risk managed. At Level 3 they are assessed.
The scoping criteria for Level 2 and 3 are more detailed. Level 2 assets fall into five categories, determined by whether and how they touch CUI:
- CUI Assets: process, store, or transmit CUI; in scope and assessed.
- Security Protection Assets: provide security functions for the CUI environment (for example, an identity provider or SIEM) even if they never hold CUI; in scope and assessed against the requirements relevant to the capability they provide.
- Contractor Risk Managed Assets: can handle CUI but are not intended to because of policy and controls; documented in the SSP, and examined further only if that documentation is insufficient.
- Specialized Assets: as described above; documented but not assessed.
- Out-of-Scope Assets: cannot handle CUI because they are physically or logically separated from CUI assets; not assessed.
At Level 3 the contractor risk managed category does not exist; assets that would fall into it are treated as CUI assets, and specialized assets are assessed as well.
Step 3: Perform a gap assessment
Before moving forward with CMMC certification, you should conduct a gap assessment against the requirements for your organization’s chosen CMMC level. This will allow you to more easily identify which of your existing measures don’t meet CMMC criteria.
Conducting this assessment involves performing several key activities, including:
- Interviewing stakeholders
- Reviewing implemented mechanisms, practices, and processes
- Testing implemented practices to ensure they meet the requirements
A common mistake organizations make during the self-assessment phase is that they don’t fully evaluate implemented practices. While interviewing stakeholders and reviewing practices can give you insight into how processes are supposed to work, you still need to test them to ensure that they are implemented effectively.
After identifying gaps in your security posture, the next step is to document them and outline a remediation plan. This is where the Plan of Action and Milestones (POA&M) comes into play, which we’ll elaborate on in the next step.
Step 4: Document POA&M
Well-organized evidence of control implementation underpins the whole effort. Thorough documentation makes it far easier to demonstrate compliance to assessors.
A POA&M is not a substitute for implementation, and it is not permitted at Level 1. For Level 2 and Level 3, an organization that meets at least 80 percent of the requirements at the time of assessment, with the remaining gaps limited to requirements eligible for a POA&M, can receive a Conditional status and has 180 days to close those gaps. Requirements that carry a higher point value under the CMMC scoring methodology, multifactor authentication for example, generally cannot be placed on a POA&M and must be implemented before the assessment.
Your POA&M needs to include the following information:
- Identified gaps and associated risks
- Planned remediation actions
- Timelines
- Required resources
- Milestones
- Responsible parties
Step 5: Address your POA&M gaps
Once your POA&M is in place, you need to execute it so that every documented gap is closed within the 180-day window; a Conditional status that reaches the deadline without a successful POA&M close-out assessment expires. The close-out is performed by the same kind of assessor as the original assessment: the organization itself for a self-assessment, the C3PAO for a Level 2 certification assessment, and the government for Level 3. The key activities for executing the POA&M include:
- Assigning tasks to responsible parties and tracking their progress
- Collecting evidence of control implementation, such as access control policies, penetration testing results, and audit logs
- Updating relevant documentation, such as the System Security Plan (SSP) and Customer Responsibility Matrix (CRM) to reflect remediation efforts
Maintaining comprehensive documentation during this process is essential to effectively track POA&M progress and have evidence of CMMC efforts available for assessors.
Still, manually collecting all of the necessary evidence can be laborious and will limit your compliance team members' time for other important workflows. Leveraging automation can reduce the time investment necessary for this step.
Step 6: Conduct the assessment
For Level 1, an annual self-assessment and affirmation are all that is required; there is no third-party step. For higher levels, who assesses you depends on the level and the contract:
- Level 2: Contracts that require a Level 2 self-assessment let you assess your own implementation of NIST SP 800-171 every three years. Contracts that require a Level 2 certification assessment bring in a CMMC Third-Party Assessment Organization (C3PAO), which examines your practices and evidence, scores them against the CMMC assessment guide, and determines whether you meet the requirements. The scope assessed must match the scope documented in your SSP.
- Level 3: Level 3 builds on a final Level 2 (C3PAO) certification for the same scope and adds the NIST SP 800-172 requirements for protecting higher-risk CUI. The assessment is government-led, conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Choosing an accredited C3PAO early (the CMMC Accreditation Body, the Cyber AB, maintains the authoritative list) and keeping communication open throughout the assessment does a lot to keep the process smooth. For Level 3 you do not choose the assessor; DIBCAC is assigned.
Self-assessment results are entered into the Supplier Performance Risk System (SPRS) by your organization: annually for Level 1 and every three years for Level 2 (self). C3PAO and DIBCAC results are entered into the CMMC instance of eMASS and surface in SPRS. At every level, a senior official must also affirm continuing compliance in SPRS each year, and Level 2 and Level 3 assessments are renewed every three years.
Step 7: Maintain CMMC certification
Ensuring continuous CMMC compliance is essential for retaining existing DoD contracts and maintaining eligibility to bid on new ones in the future. To achieve this, your organization must regularly affirm that its implemented practices meet CMMC requirements.
One of the biggest setbacks organizations face is a lack of continuous monitoring to ensure they stay CMMC compliant. By implementing a robust, comprehensive monitoring system, you can proactively mitigate any risks that could arise during self-assessments, making maintaining compliance more efficient.
Tracking the necessary requirements can be time-intensive and inefficient, and lead to increased administrative work for your compliance team members. You can streamline the process and maintain compliance more efficiently by leveraging a dedicated solution that enables centralized requirements tracking.
Organize and achieve CMMC compliance with Vanta
Vanta is a trust management platform that helps you become CMMC-compliant more efficiently by providing structured guidance, built-in resources, and real-time tracking of compliance requirements.
The platform’s dedicated CMMC solution comes with various features that will automate up to 50% of your CMMC compliance workflows, including:
- Out-of-the-box support for all CMMC certification levels
- Automated evidence collection supported by 375+ integrations
- Automated gap assessments
- A dashboard for centralized tracking of CMMC requirements
- Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172
Vanta partners with reputable C3PAOs to help you prepare for a Level 2 or 3 certification, ensuring you meet all the necessary requirements for the assessment. Browse Vanta’s partner network to find a C3PAO that can support you on every step of your CMMC compliance journey.
Schedule a custom demo to see how Vanta streamlines CMMC compliance to save you time and resources.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.