πŸ›‘οΈ CMMC Compliance Journey Roadmap

Your step-by-step guide from contract discovery to certification

⚠️ Disclaimer: This site is an unofficial, open-source project for learning about and supplementing CMMC compliance knowledge. It is not affiliated with or endorsed by the U.S. Department of Defense or the Cyber AB. Use for educational purposes only.
📋 Assessment Tool
Required - Must complete
Recommended - Highly beneficial
Optional - Situational

Select Your Organization Size

View All

Complete roadmap

Micro

1-10 employees

3–6 month timeline

Small

11-50 employees

6–12 month timeline

Medium

51-250 employees

12–18 month timeline

Large

250+ employees

18–24 month timeline

1

DISCOVER - Business Case & Obligation Analysis

Understand your DoD contract obligations and CMMC requirements

Identify Your Contracts
Required
Review all existing and planned DoD contracts to identify CMMC requirements.
📋 What: Gather all DoD prime contracts and subcontracts; the DFARS 252.204-7012 and CMMC obligations flow down to subcontractors that handle FCI or CUI
⏱️ Time: 1-2 hours
👀 Who: Contracts manager, Legal
Identify DFARS Clauses
Required
Review contracts for DFARS clauses 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD assessment and SPRS score posting), and 252.204-7021 (CMMC requirements). FAR 52.204-21 carries the basic safeguarding requirements for FCI on which CMMC Level 1 is built.
📋 What: Search contracts for the DFARS and FAR cybersecurity clauses
⏱️ Time: 2-4 hours
🎯 Output: List of contracts with CMMC requirements and the level each one calls for
Determine Required CMMC Level
Required
Based on the data each contract involves (FCI or CUI) and the criticality of the program, determine whether you need Level 1, 2, or 3.
📊 Level 1: FCI only; the 15 basic safeguarding requirements from FAR 52.204-21, verified by annual self-assessment
📊 Level 2: CUI; the 110 requirements of NIST SP 800-171 Rev 2, verified by self-assessment or by a C3PAO depending on the contract
📊 Level 3: CUI on high-priority programs; the 110 Level 2 requirements plus 24 selected from NIST SP 800-172, assessed by DoD (DCMA DIBCAC)
Calculate Business Impact
Required
Determine total DoD contract value at risk and ROI of CMMC compliance investment.
💰 Calculate: Annual DoD contract revenue
💰 Estimate: Compliance costs vs. contract value
📈 Decide: Go/No-Go decision on CMMC pursuit
2

SCOPE - Boundary Definition & Asset Inventory

Define your CMMC assessment boundary and identify all assets

Identify CUI & FCI Data
Required
Locate all Controlled Unclassified Information and Federal Contract Information in your organization.
πŸ” What is CUI: Technical data, contract info, export-controlled data
πŸ” What is FCI: Contract details, pricing, proprietary info
⏱️ Time: 1-2 weeks
Create Asset Inventory
Required
Document all systems, applications, and infrastructure that process, store, or transmit CUI/FCI.
💻 Include: Servers, workstations, mobile devices, cloud services, and the systems that protect them (identity provider, SIEM, EDR console, backup), which CMMC scoping treats as in-scope Security Protection Assets
📱 Apps: Email, file storage, collaboration tools, specialized software
🌐 Network: Firewalls, routers, switches, VPN
Define CMMC Assessment Boundary
Required
Establish the logical and physical boundary of your CMMC assessment scope using the asset categories in the DoD CMMC Level 2 Scoping Guide.
🎯 In-Scope: CUI Assets (process, store, or transmit CUI), Security Protection Assets (provide security functions for the scope, such as the SIEM or identity provider), Contractor Risk Managed Assets (can but are not intended to handle CUI), and Specialized Assets (IoT, OT, test equipment)
🚫 Out-of-Scope: Assets that cannot process, store, or transmit CUI and are physically or logically separated from those that can
📝 Document: Network diagrams, data flows, access points, and the asset inventory with each asset's category
Document Data Flows
Optional
Create detailed data flow diagrams showing how CUI/FCI enters, moves through, and leaves your organization.
📊 Benefit: Reveals CUI exposure points (email, shared drives, contractor laptops, vendor portals) that an asset list alone misses, and the same diagrams go into the SSP
3

ASSESS - Gap Analysis & Control Evaluation

Evaluate current security posture against CMMC requirements

Download CMMC Assessment Guide
Required
Obtain the official CMMC Level 1 and Level 2 Assessment Guides (DoD CIO), NIST SP 800-171 Rev 2 (the requirements), and NIST SP 800-171A (the assessment objectives and methods the assessor will use).
Conduct Self-Assessment
Required
Perform control-by-control assessment of current implementation status.
📋 Level 1: Assess the 15 basic safeguarding requirements
📋 Level 2: Assess the 110 NIST SP 800-171 requirements; a requirement is met only when every one of its SP 800-171A assessment objectives is met
⏱️ Time: 2-4 weeks for Level 2
Calculate SPRS Score
Required
Calculate your Supplier Performance Risk System (SPRS) score using the NIST SP 800-171 DoD Assessment Methodology and post it in SPRS before award (DFARS 252.204-7019).
🎯 Formula: Start at 110 and subtract each unmet requirement's point value (5, 3, or 1 depending on the requirement), so the result can go negative. Two requirements earn partial credit: MFA (3.5.3) implemented for general users but not for privileged or remote access, and encryption (3.13.11) in use but not FIPS-validated, each deduct 3 instead of 5.
📊 Target: There is no passing score for the self-assessment, but Level 2 certification requires all 110 requirements met; a conditional certification is possible with a score of at least 88 (80%) when every open item is eligible for a POA&M and is closed within 180 days
Identify Gaps & Prioritize
Required
Document all control deficiencies and prioritize remediation based on risk and implementation complexity.
🔴 Critical: Requirements that protect CUI directly and carry 5 points in the DoD scoring methodology (MFA, FIPS-validated encryption, audit logging, flaw remediation); these cannot sit on a POA&M at certification
🟡 High: Foundation controls and quick wins (3-point requirements, practices already in place but undocumented)
🟢 Medium/Low: 1-point requirements the CMMC rule allows on a POA&M, apart from the few it names (external connections, public information, visitor and physical access controls)
Create Remediation Plan
Required
Develop detailed plan to address gaps, including timeline, budget, and resource allocation.
📅 Include: Milestones, responsible parties, dependencies
💰 Budget: Estimate costs for tools, training, services
4

IMPLEMENT - Control Deployment & Remediation

Deploy security controls and close identified gaps

Implement Access Controls
Required
Deploy authentication, authorization, and access management controls across all in-scope systems.
πŸ” Key Controls: Multi-factor authentication (MFA), role-based access, least privilege
⏱️ Time: 2-4 weeks
🎯 Priority: Tier 1 Critical - implement first
Deploy Security Tools
Required
Install and configure required security technologies (SIEM, EDR, encryption, etc.).
πŸ›‘οΈ Tools: Antivirus, firewall, encryption, logging, backup
πŸ’° Cost: $10,000-$50,000 depending on org size
Establish Incident Response Plan
Required
Create and test incident response procedures, including cyber incident reporting to DoD through DIBNet within 72 hours of discovery as DFARS 252.204-7012 requires; reporting needs a DoD-approved medium assurance certificate, so obtain it before an incident.
📋 Include: Roles, escalation, containment, recovery, evidence preservation, and the reporting procedure
Conduct Security Awareness Training
Required
Train all personnel on CUI handling, security practices, and their responsibilities.
👥 Frequency: Initial training + annual refreshers
📊 Track: Completion records, test scores, certificates
Implement Audit Logging
Required
Enable comprehensive logging and monitoring across all systems handling CUI/FCI.
πŸ“ Log: Access attempts, changes, security events
πŸ” Review: Regular log review and correlation
Document All Implementations
Required
Keep detailed records of all control implementations, configurations, and evidence.
📸 Capture: Screenshots, configs, policies, procedures
🗂️ Organize: By control family for easy C3PAO review
6

DOCUMENT - System Security Plan (SSP)

Create comprehensive documentation of your security program

Obtain SSP Template
Required
Use the SSP template NIST publishes alongside SP 800-171; no particular format is mandated, but the SSP must describe how every requirement is met (3.12.4) and is the document the assessment is conducted against.
Document System Characterization
Required
Complete detailed description of your information system, boundaries, and architecture.
📋 Include: System name, purpose, boundaries, authorization
🗺️ Diagrams: Network topology, data flows, interconnections
📊 Inventory: Hardware, software, services, personnel
Document Control Implementations
Required
Write detailed control-by-control descriptions of HOW each control is implemented.
πŸ“ Per Control: Implementation status, methods, responsible parties, evidence
⏱️ Time: 40-80 hours for 110 controls (Level 2)
🎯 Quality: Specific, technical details - not generic statements
Attach Supporting Evidence
Required
Compile and reference all evidence documents, policies, procedures, and screenshots.
📎 Evidence: Policies, procedures, configs, screenshots, logs, certificates
🗂️ Organize: Folder structure by control family (AC, AU, etc.)
Include POA&Ms in SSP
Required
Attach all POA&M documents as appendix to SSP with current status.
📋 Format: Standardized POA&M template with all required fields
Document Policies & Procedures
Required
Create or update all required security policies and operating procedures.
📚 Minimum: A policy for each of the 14 NIST SP 800-171 requirement families (AC, AT, AU, CM, IA, IR, MA, MP, PS, PE, RA, CA, SC, SI), plus incident response and acceptable use
✍️ Approval: Management signature and date on all policies
Internal SSP Review
Required
Have internal stakeholders review the SSP for accuracy, completeness, and consistency.
👥 Reviewers: IT, Security, Compliance, Legal, Management
🔍 Check: Technical accuracy, no contradictions, evidence quality
5

POA&M - Plan of Action & Milestones

Document remediation plans for gaps that cannot be immediately closed

Identify Controls for POA&M
Required
Determine which control gaps may go on a POA&M versus which must be remediated before the assessment.
✅ POA&M Acceptable (Level 2 only): Requirements worth 1 point in the DoD scoring methodology, plus encryption (3.13.11) that is in use but not yet FIPS-validated; typical candidates are long-term projects, major investments, and vendor dependencies
❌ Not Acceptable: Any 5- or 3-point requirement, the 1-point requirements the CMMC rule (32 CFR 170.21) names (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5), anything at Level 1 (no POA&Ms are allowed), and quick fixes or basic hygiene an assessor will expect to see done
🎯 Target: A score of at least 88 of 110 for conditional certification, every POA&M item closed within 180 days, and N/A claimed only where the SSP justifies it (an agreed N/A is not deducted)
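The SPRS formula from step 3 (Calculate SPRS Score) and the POA&M eligibility rules in this step, worked through in code. This is an added Python example written for this page, not code from this site, from DoD, or from SPRS. The partial-credit rule for 3.5.3 and 3.13.11, the unscored SSP requirement 3.12.4, the 88-point floor, and the POA&M exclusions come from the DoD Assessment Methodology and 32 CFR 170.21; the point values in the sample table other than 3.5.3 and 3.13.11 are illustrative, and the self-assessment result is constructed.

```python
"""Worked SPRS scoring and Level 2 POA&M eligibility check (added example).

Rules implemented: start at 110 and subtract each unmet requirement's point
value; 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) lose 3 instead of 5
when partially implemented; 3.12.4 (SSP) is unscored because without an SSP
there is no assessment; an agreed N/A is not deducted.
"""
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"                 # only valid for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "not_applicable"   # must be justified in the SSP


MAX_SCORE = 110
CONDITIONAL_MINIMUM = 88               # 80% of 110, floor for conditional certification
SSP_REQUIREMENT = "3.12.4"
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 1-point requirements that 32 CFR 170.21 still keeps off a POA&M.
POAM_EXCLUDED_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# CONSTRUCTED sample of the weight table. 3.5.3 and 3.13.11 really are 5-point
# requirements; the other values are illustrative, and the full 110-row table
# must be taken from Annex A of the DoD Assessment Methodology.
POINTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.10.3": 1, "3.12.4": 0, "3.13.11": 5,
    "3.14.1": 5,
}


def deduction(req_id: str, status: Status) -> int:
    """Points subtracted for a single requirement."""
    if status in (Status.MET, Status.NOT_APPLICABLE):
        return 0
    if status is Status.PARTIAL:
        if req_id not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req_id}: partial credit exists only for 3.5.3 and 3.13.11")
        return PARTIAL_DEDUCTION[req_id]
    return POINTS[req_id]


def sprs_score(assessment: dict[str, Status]) -> int:
    """Score {requirement id: Status}; requirements not listed count as met."""
    if assessment.get(SSP_REQUIREMENT) is Status.NOT_MET:
        raise ValueError("no SSP (3.12.4): the methodology does not allow scoring without one")
    return MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())


def poam_blockers(assessment: dict[str, Status]) -> list[str]:
    """Open requirements that the rule will not accept on a Level 2 POA&M."""
    blockers = []
    for req_id, status in assessment.items():
        if status in (Status.MET, Status.NOT_APPLICABLE):
            continue
        if req_id == "3.13.11" and status is Status.PARTIAL:
            continue  # encryption in place but not FIPS-validated: allowed at 3 points
        if deduction(req_id, status) > 1 or req_id in POAM_EXCLUDED_ONE_POINTERS:
            blockers.append(req_id)
    return sorted(blockers)


def conditional_certification(assessment: dict[str, Status]) -> tuple[bool, int, list[str]]:
    """(eligible for conditional Level 2 certification, score, blocking requirement ids)."""
    score = sprs_score(assessment)
    blockers = poam_blockers(assessment)
    return score >= CONDITIONAL_MINIMUM and not blockers, score, blockers


# Constructed self-assessment result for the sample table above.
SAMPLE = {
    "3.1.1": Status.MET, "3.1.2": Status.MET, "3.1.3": Status.NOT_MET,
    "3.1.20": Status.MET, "3.1.22": Status.MET, "3.3.1": Status.NOT_MET,
    "3.5.3": Status.MET, "3.10.3": Status.MET, "3.12.4": Status.MET,
    "3.13.11": Status.PARTIAL, "3.14.1": Status.MET,
}

if __name__ == "__main__":
    print(conditional_certification(SAMPLE))        # (False, 101, ['3.3.1'])
    # Closing the 5-point audit-logging gap (3.3.1) leaves only POA&M-eligible items.
    print(conditional_certification({**SAMPLE, "3.3.1": Status.MET}))  # (True, 104, [])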
Create POA&M Documents
Required
Develop comprehensive POA&M for each control gap with detailed remediation plans.
📋 Required Elements: Weakness, root cause, risk, plan, milestones, resources, timeline
📅 Timeline: Realistic completion dates; items open at a conditional certification must be closed within 180 days and verified by a closeout assessment
💰 Budget: Detailed cost estimates for remediation
Define Milestones & Owners
Required
Establish specific, measurable milestones with clear ownership and accountability.
👀 Assign: POA&M owner, approver, and implementation team
📝 Milestones: 3-5 checkpoints per POA&M with target dates
Document Risk Mitigations
Required
For each POA&M, document interim risk mitigation measures until gap is closed.
πŸ›‘οΈ Mitigations: Compensating controls, monitoring, restrictions
πŸ“Š Risk Level: Assess and document residual risk
Track POA&M Progress
Required
Establish tracking mechanism for POA&M status, milestones, and completion.
📊 Updates: Monthly status reviews and progress documentation
🔄 Changes: Document any timeline or scope adjustments
7

CERTIFY - C3PAO Assessment & Certification

Engage CMMC Third-Party Assessment Organization for formal certification

Research & Select C3PAO
Required
Identify and evaluate authorized C3PAOs (listed on the Cyber AB Marketplace), obtain quotes, and select an assessor.
🔍 Criteria: Experience, reputation, availability, cost, location
💰 Cost: $50,000-$118,000+ depending on org size/complexity
📅 Lead Time: 2-6 months from engagement to assessment
Submit SSP Package to C3PAO
Required
Provide complete SSP, evidence, POA&Ms, and supporting documentation to selected C3PAO.
📦 Package: SSP, policies, procedures, evidence, network diagrams, POA&Ms
🔒 Security: Secure transmission (encrypted, NDA signed)
C3PAO Document Review
Required
C3PAO conducts initial review of SSP and evidence, identifies gaps or questions.
📋 Process: C3PAO reviews all documentation before the on-site visit
💬 Clarifications: Respond promptly to C3PAO questions
⏱️ Duration: 1-3 weeks
Schedule Assessment Activities
Required
Coordinate assessment dates, interviews, and site visits with C3PAO team.
📅 Activities: Interviews, system demonstrations, site inspection, evidence validation
👥 Participants: System owners, security personnel, management
On-Site/Virtual Assessment
Required
C3PAO conducts formal assessment including interviews, testing, and evidence validation.
⏱️ Duration: 3-10 days depending on org size
🔍 Activities: Control testing, interviews, system inspection, evidence review