CMMC Certification: A checklist to get you started



Regularly working with the Department of Defense (DoD) means you may have heard of the Cybersecurity Maturity Model Certification (CMMC) program. While it’s been under revision for several years to upgrade the DoD’s cybersecurity requirements, the final rule for the CMMC program passed in October 2024. With this, the DoD is beginning to enforce CMMC through implementation phases over the next three years.

If you’re looking to secure your place in the future of DoD contracting, it’s time to get CMMC certified. Depending on where you are in your security and compliance journey, achieving CMMC certification may require implementing additional security standards, processes, and reporting mechanisms.
 

We created this checklist to make the process of becoming CMMC certified easier by focusing on why the CMMC certification matters, the steps to becoming certified, and how to successfully implement and maintain the certification. 

What CMMC means for you 

What exactly is CMMC? It’s a program designed to ensure that defense contractors and subcontractors in the Defense Industrial Base (DIB) have the proper cybersecurity protocols to responsibly and safely handle sensitive unclassified information and government data.
  

What is the DIB?  

According to the Congressional Research Service, the DIB is “The network of organizations, facilities, and resources that provides the U.S. government—particularly the Department of Defense (DOD)—with defense-related materials, products, and services."
 

To help the DoD verify that its contractors are meeting cybersecurity standards, the CMMC program is organized into three levels. Each level has a corresponding set of requirements based on the type of data a company handles. As you’ve probably already guessed, the more sensitive the information you handle, the more stringent the assessments and cybersecurity requirements your company must meet.

Level 1: Basic safeguarding of FCI

Level 1 of CMMC deals with basic cyber hygiene and has the fewest requirements. Its goal is to protect Federal Contract Information (FCI). This is information that isn’t intended for public release, such as contract details, communication records, or anything the government creates, uses, or shares for a contractor to develop or deliver a product or service.

Level 2: Broad protection of CUI 

The goal of level 2 is to protect Controlled Unclassified Information (CUI). CUI covers anything that’s sensitive government information but isn’t classified. What is or isn’t considered CUI can vary due to laws and regulations, but usually it’s information that’s created or possessed by the government. Some general examples include personally identifiable information (PII), critical technology, software documentation, and contractor performance evaluations. 

Level 3: Higher-level protection of CUI against advanced persistent threats

Companies that deal with extremely sensitive CUI and are at risk for advanced persistent threats (APTs) are required to meet level 3 requirements. The DoD determines which type of CUI is most sensitive and at risk for APTs, but if you’re working on a high-priority contract or program for the DoD, you’re likely handling level 3-worthy CUI.
 

Pro tip: Which level you need to achieve depends on the type of contracts you handle. Your contracting officer can provide more information on your current contract’s level, and as the CMMC phases are implemented, contracts themselves will state the required CMMC level.

Checklist: How to become CMMC certified 

The DoD is rolling out CMMC in four phases over the next three years. The phases are designed to add CMMC requirements incrementally to reduce the financial impact on contractors, avoid overwhelming them, and give them time to implement CMMC while ensuring the program runs smoothly. 

  • Phase one: Begins 60 days after the final rule becomes effective. Solicitations will require a level 1 or level 2 self-assessment when applicable. 
  • Phase two: Begins 12 months after phase one starts. Solicitations will require level 2 certification when applicable. 
  • Phase three: Begins 24 months after phase one. Solicitations will require a level 3 certification when applicable. 
  • Phase four: Begins 36 months after phase one. All solicitations and contracts will include CMMC level requirements as a condition to winning a contract award. 

While these phases give you time to assess your current security posture and determine your next steps, you don’t want to wait until the final phase to become certified. Even if you meet federal cybersecurity requirements of other programs, like FedRAMP, it doesn’t mean you’re fully compliant across all government agencies.
 

By following our checklist, you can confidently navigate the CMMC certification process and ensure your business is prepared to continue working with the DoD.


Access review stages and functionality

Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Set up access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and reducing human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”; system account and HRIS data is pulled into Vanta
  • Upcoming integrations include Zoom and Intercom (account access) and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select the systems in scope for the review
Review, approve, and deny user access
  • Select the appropriate system reviewer and due date
  • Automatic notifications and reminders to the system reviewer about deadlines
  • Automatic flagging of “risky” employee accounts whose owners have been terminated or have switched departments
  • Intuitive interface showing all accounts with access, accept/deny buttons per account, and a notes section
  • Track the progress of individual system access reviews and see accounts that need to be removed or have their access modified
  • Bulk sort, filter, and alter accounts based on account role and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admins to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and give visibility into the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes, for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditors can log into Vanta to see the history of all completed access reviews
  • Internal users can see the status of reviews in progress as well as historical review detail
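The consolidate, flag, remediate and verify stages listed above, shown as an added example of the underlying logic. This is not Vanta's code: the HRIS export, the per-system account exports, their field names and the review id are constructed assumptions, and the decision tuples stand in for what a reviewer would record in a real tool.

```python
from dataclasses import dataclass

# Constructed HRIS export (columns are assumed; real HRIS feeds differ).
HRIS = [
    {"email": "alice@example.com", "department": "Engineering", "status": "active"},
    {"email": "bob@example.com", "department": "Finance", "status": "terminated"},
    {"email": "carol@example.com", "department": "Sales", "status": "active"},
]

# Constructed per-system account exports. "reviewed_department" is the
# department recorded for the account at the previous review cycle.
SYSTEM_ACCOUNTS = {
    "github": [
        {"user": "alice@example.com", "role": "admin", "reviewed_department": "Engineering"},
        {"user": "bob@example.com", "role": "member", "reviewed_department": "Finance"},
    ],
    "aws": [
        {"user": "carol@example.com", "role": "ReadOnly", "reviewed_department": "Support"},
        {"user": "svc-deploy", "role": "PowerUser", "reviewed_department": None},
    ],
}


@dataclass
class Finding:
    system: str
    user: str
    role: str
    reason: str


def reconcile(hris, system_accounts):
    """Consolidate account data and flag accounts a reviewer must look at.

    Flags: owner terminated in HRIS, owner moved department since the last
    review, or no HRIS record at all (service account or orphan).
    """
    people = {p["email"]: p for p in hris}
    findings = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            person = people.get(acct["user"])
            if person is None:
                reason = "no HRIS record (service account or orphan)"
            elif person["status"] == "terminated":
                reason = "owner terminated"
            elif person["department"] != acct["reviewed_department"]:
                reason = f"department changed: {acct['reviewed_department']} -> {person['department']}"
            else:
                continue  # unchanged; the normal approve/deny pass still covers it
            findings.append(Finding(system, acct["user"], acct["role"], reason))
    return findings


def verify_remediation(decisions, fresh_export):
    """Check denied accounts against a fresh export taken after remediation.

    decisions: list of (system, user, "approve" | "deny") set by the reviewer.
    Returns the (system, user) pairs that were denied but still exist, i.e.
    remediation tasks that are not yet complete.
    """
    present = {(s, a["user"]) for s, accts in fresh_export.items() for a in accts}
    return [(s, u) for s, u, d in decisions if d == "deny" and (s, u) in present]


def review_record(review_id, findings, decisions, outstanding):
    """Build the evidence record an auditor would inspect for this review."""
    return {
        "review_id": review_id,
        "flagged": [(f.system, f.user, f.reason) for f in findings],
        "decisions": decisions,
        "outstanding_remediation": outstanding,
        "complete": not outstanding,
    }


if __name__ == "__main__":
    found = reconcile(HRIS, SYSTEM_ACCOUNTS)
    for f in found:
        print(f"{f.system:7} {f.user:20} {f.role:9} {f.reason}")
    # Reviewer decisions (constructed): remove bob, keep the others for now.
    decisions = [("github", "bob@example.com", "deny"),
                 ("aws", "carol@example.com", "approve"),
                 ("aws", "svc-deploy", "approve")]
    # Fresh export after the GitHub owner removed bob (constructed).
    after = {"github": [SYSTEM_ACCOUNTS["github"][0]], "aws": SYSTEM_ACCOUNTS["aws"]}
    print(review_record("2024-Q4", found, decisions, verify_remediation(decisions, after)))
```

The design point is that flagging and verification read from two separate exports: the review is evidenced by what was flagged and decided, and completion is evidenced by a later export in which denied accounts no longer appear, rather than by a ticket being closed.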