CMMC Certification: A checklist to get you started


If you’re planning to compete for Department of War (DoW) contracts moving forward, now is the time to get serious about CMMC certification.

After several years of revision, the Cybersecurity Maturity Model Certification (CMMC) program rule (32 CFR Part 170) was finalized in October 2024 to strengthen the cybersecurity requirements placed on defense contractors. The companion DFARS acquisition rule took effect on November 10, 2025, starting a phased rollout of CMMC requirements in contracts over the following three years.

What this means for you depends on where you are today. Achieving CMMC certification may require new security controls, formalized processes, and ongoing reporting. To simplify that path, this checklist breaks down why CMMC matters, the steps to get certified, and how to implement and maintain compliance effectively.

What CMMC means for you 

What exactly is CMMC? It’s a program designed to ensure that defense contractors and subcontractors in the Defense Industrial Base (DIB) have the proper cybersecurity protocols to responsibly and safely handle sensitive unclassified information and government data.
  

What is the DIB?  

According to the Congressional Research Service, the DIB is “The network of organizations, facilities, and resources that provides the U.S. government—particularly the Department of Defense (DOD)—with defense-related materials, products, and services."
 

To help the DoW verify that its contractors are meeting cybersecurity standards, the CMMC program is organized into three levels. Each level has a corresponding set of requirements based on the type of data a company handles. And as you’ve probably already guessed: the more sensitive information you handle, the more stringent assessments and cybersecurity requirements your company must meet.

Level 1: Basic safeguarding of FCI

Level 1 of CMMC covers basic cyber hygiene and has the fewest requirements. Its goal is to protect Federal Contract Information (FCI): information not intended for public release that the government provides to, or that is generated for the government by, a contractor in the course of developing or delivering a product or service, such as contract details and communication records. Information the government provides to the public, or simple transactional data such as that needed to process payments, is not FCI.

Level 1 requires:

  • Annual affirmation and compliance with all 15 basic safeguarding requirements in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (every requirement must be met; no plan of action and milestones is permitted at Level 1)
  • Annual self-assessment, with the result entered in the Supplier Performance Risk System (SPRS)

Level 2: Broad protection of CUI 

The goal of Level 2 is to protect Controlled Unclassified Information (CUI). CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, which a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled but which is not classified. The specific categories are defined by the CUI Registry rather than by the contractor. Common examples include personally identifiable information (PII), controlled technical information, export-controlled data, and contractor performance evaluations. 

Level 2 requires:

  • Annual affirmation and compliance with the 110 security requirements in NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • Either a self-assessment or a C3PAO certification assessment, depending on the contract requirement, performed every three years and recorded in SPRS (self-assessment) or in the CMMC Enterprise Mission Assurance Support Service (eMASS) (C3PAO assessment)

Level 3: Higher-level protection of CUI against advanced persistent threats

Companies that handle the most sensitive CUI and are likely targets of advanced persistent threats (APTs) are required to meet Level 3. The DoW decides which programs warrant Level 3, but if you work on a high-priority contract or program, you are likely handling CUI that falls under it.


Level 3 requires:

  • A Final CMMC Level 2 certification from a C3PAO, renewed through a certification assessment every three years, as a prerequisite
  • A Level 3 certification assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years
  • Annual affirmation and compliance with the 24 selected requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

The level you need depends on the contracts you hold. Your contracting officer can tell you the level for your current contract, and as the CMMC phases roll out, solicitations and contracts will state the required CMMC level explicitly. 

Checklist: How to become CMMC certified 

The DoW is rolling out CMMC in four phases. The phases are designed to add CMMC requirements incrementally to reduce the financial impact on contractors, avoid overwhelming them, and give them time to implement CMMC while ensuring the program runs smoothly. 

  • Phase 1 (Nov. 10, 2025 – Nov. 9, 2026): Applicable solicitations may require a Level 1 or Level 2 self-assessment
  • Phase 2 (Beginning Nov. 10, 2026): Applicable solicitations may require Level 2 C3PAO certification
  • Phase 3 (Beginning Nov. 10, 2027): Applicable solicitations may require Level 3 certification
  • Phase 4 / Full implementation (Beginning Nov. 10, 2028): CMMC becomes the default requirement for all covered solicitations and contracts involving contractor systems that process, store, or transmit FCI or CUI, excluding contracts solely for commercial off-the-shelf (COTS) items

These phases give you time to assess your current security posture and plan your next steps, but you should not wait until the final phase to become certified. Meeting the cybersecurity requirements of another federal program, such as FedRAMP, does not by itself satisfy the CMMC requirements for DoW contracts.
 

By following our checklist, you can confidently navigate the CMMC certification process and ensure your business is prepared to continue working with the DoW.

Here are the steps to become CMMC certified:

  • Step 1: Confirm which CMMC level your business needs
  • Step 2: Establish your CUI and FCI boundaries
  • Step 3: Perform a gap assessment
  • Step 4: Document plan of action and milestones and SPRS
  • Step 5: Execute your plan of action and milestones 
  • Step 6: Conduct assessment
  • Step 7: Maintain certification 
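
Steps 3 and 4 of the checklist come together in the score you report to SPRS. The example below is added here as an illustration and is not code from this page or from Vanta. It scores a NIST SP 800-171 Rev 2 gap assessment the way the NIST SP 800-171 DoD Assessment Methodology does (start at 110, subtract 1, 3, or 5 points per unmet requirement, with a reduced 3-point deduction only for partially implemented 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography, and a floor of -203), then checks whether the open items could sit on a POA&M under the conditional Level 2 rules in 32 CFR 170.21 (score of at least 88, and no open 3- or 5-point requirement other than 3.13.11 when encryption is in place but not FIPS-validated). The findings list is constructed sample data, and the point weights assigned to each requirement ID are assumptions for illustration that must be verified against the methodology's scoring table before use.

```python
"""Score a NIST SP 800-171 Rev 2 gap assessment the way SPRS expects it.

Added example for the CMMC checklist (Step 3, gap assessment; Step 4, POA&M
and SPRS); not code from the page or from Vanta. Scoring rules follow the
NIST SP 800-171 DoD Assessment Methodology. The findings at the bottom are
constructed sample data; the weight for each requirement ID is assumed for
illustration and must be checked against the methodology's scoring table.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203            # every requirement unmet
CONDITIONAL_MIN_SCORE = 88  # 80% of 110, the conditional Level 2 threshold

# Only these two requirements get a reduced deduction when partially met.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Finding:
    req_id: str   # NIST SP 800-171 Rev 2 requirement identifier, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 points from the DoD Assessment Methodology table
    status: str   # IMPLEMENTED, PARTIAL or NOT_IMPLEMENTED


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one requirement."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5")
    if f.status == IMPLEMENTED:
        return 0
    if f.status == PARTIAL:
        # Partial credit exists only for 3.5.3 and 3.13.11; any other
        # partially implemented requirement is scored as not implemented.
        return PARTIAL_DEDUCTION.get(f.req_id, f.weight)
    if f.status == NOT_IMPLEMENTED:
        return f.weight
    raise ValueError(f"{f.req_id}: unknown status {f.status!r}")


def sprs_score(findings) -> int:
    """SPRS score for the assessed requirements (110 means all are met)."""
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("each requirement must be scored exactly once")
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(f) for f in findings))


def poam_items(findings) -> list:
    """Requirements that are not fully met and so need a POA&M entry."""
    return [f for f in findings if deduction(f) > 0]


def level2_conditional_eligible(findings) -> tuple:
    """Apply the 32 CFR 170.21 conditions for conditional Level 2 status:
    score >= 88 and no open 3- or 5-point requirement on the POA&M, except
    3.13.11 when encryption is deployed but not FIPS-validated."""
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN_SCORE}")
    for f in poam_items(findings):
        allowed_exception = f.req_id == "3.13.11" and f.status == PARTIAL
        if f.weight > 1 and not allowed_exception:
            reasons.append(f"{f.req_id} ({f.weight} points) may not be on a POA&M")
    return (not reasons, reasons)


# Constructed sample gap assessment. Weights are assumed for illustration;
# verify each against the DoD Assessment Methodology scoring table.
SAMPLE_FINDINGS = [
    Finding("3.1.1", 5, IMPLEMENTED),       # limit system access to authorized users
    Finding("3.1.5", 3, IMPLEMENTED),       # least privilege
    Finding("3.1.8", 1, NOT_IMPLEMENTED),   # limit unsuccessful logon attempts
    Finding("3.3.1", 5, IMPLEMENTED),       # audit logging
    Finding("3.5.3", 5, PARTIAL),           # MFA for privileged/remote users only
    Finding("3.5.7", 1, NOT_IMPLEMENTED),   # password complexity
    Finding("3.13.11", 5, PARTIAL),         # encryption in use, not FIPS-validated
]

# The same organization after closing the MFA gap (Step 5, execute the POA&M).
REMEDIATED_FINDINGS = [
    Finding("3.5.3", 5, IMPLEMENTED) if f.req_id == "3.5.3" else f
    for f in SAMPLE_FINDINGS
]

if __name__ == "__main__":
    for label, findings in (("before", SAMPLE_FINDINGS), ("after", REMEDIATED_FINDINGS)):
        ok, why = level2_conditional_eligible(findings)
        print(f"{label}: score={sprs_score(findings)} eligible={ok} {why}")
```

Run as a script, the "before" case scores 102 but is not eligible for conditional status because the partially implemented MFA requirement (3.5.3) is a 5-point item; the "after" case scores 105 and is eligible, with the two 1-point gaps and the non-FIPS encryption finding as the only POA&M entries, each of which the rule requires you to close within 180 days of the assessment.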
