
CMMC Compliance and Your Business


Anthony Cecchini is the President and CTO of Information Technology Partners (ITP), an ERP technology consulting company headquartered in Virginia, with offices in Herndon. ITP offers comprehensive planning, resource allocation, implementation, upgrade, and training assistance to companies. Anthony has over 25 years of experience in SAP business process analysis and SAP systems integration. ITP is a Silver Partner with SAP, as well as an Appian, Pegasystems, and UIPath low-code and RPA Value Added Service Partner. You can reach him at [email protected].


Just like we do with our other blogs, we’re going to take a practical, plain-English dive into something critical for businesses operating in, or aspiring to enter, the defense sector: the Cybersecurity Maturity Model Certification, or CMMC.

This isn’t going to be another jargon-heavy compliance lecture. Instead, I’ll take you step by step through what CMMC is, why it matters, and what your business actually needs to do to comply, all in a way that makes sense. I know firsthand how this works, as IT Partners passed its CMMC 2.0 audit a few months back.

Why CMMC Exists

Let’s start with the why.

The Department of Defense (DoD) created CMMC to raise the bar on cybersecurity across the Defense Industrial Base (DIB). We’re talking about hundreds of thousands of contractors and subcontractors who may have access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). In the past, adherence to security requirements—like those outlined in NIST SP 800-171—was largely self-attested. Predictably, this led to gaps and, unfortunately, breaches.

With CMMC, the DoD is saying: “Enough. You have to prove you’re protecting sensitive data if you want to keep doing business with us.”

The Evolution: From CMMC 1.0 to 2.0

CMMC 2.0 is the refined version. The original framework had five levels, but the DoD heard industry feedback and simplified it to three more streamlined tiers:

Level 1: Foundational

This is your entry-level tier. It includes 15 basic safeguarding practices drawn from FAR 52.204-21, such as limiting system access to authorized users, identifying and authenticating those users, and using and updating antivirus software. Think of this as the basics everyone should be doing anyway. If you handle only FCI, this is your floor, and it is verified by an annual self-assessment rather than a third-party audit.

Level 2: Advanced

This is where things get serious. Level 2 aligns with all 110 requirements of NIST SP 800-171. If your company handles CUI, and most defense contractors do, you’ll likely need to certify at this level. Some contracts allow a self-assessment, but most CUI contracts require an assessment by a C3PAO (CMMC Third-Party Assessment Organization), repeated every three years. This is the level we passed here at IT Partners.

Level 3: Expert

This tier builds on a Level 2 certification and adds a selected subset of the enhanced requirements from NIST SP 800-172. It’s designed for organizations supporting critical programs where the threat from Advanced Persistent Threats (APTs) is high. This is not for the faint of heart: it requires continuous monitoring, advanced threat detection, and a government-led assessment conducted by DCMA’s DIBCAC rather than a C3PAO.

What Does CMMC Mean for Your Business?

Let’s move from theory to reality. What does this mean for your business, practically speaking?

1. If You’re Not Compliant, You’re Not Eligible

This is the non-negotiable part. Without the appropriate level of certification, you won’t be able to bid on, win, or keep DoD contracts once the requirement appears in your solicitations. The rulemaking is progressing under DFARS, and enforcement phases in gradually over several years rather than landing all at once, so the clause will show up in new solicitations before it shows up in every existing contract.

2. CMMC Forces You to Know Your Security Posture

You can’t address what you don’t understand. One of the first things CMMC pushes you to do is conduct a thorough gap analysis. You’ll map your existing controls against what’s required and identify where you fall short.

3. It’s a Culture Shift, Not Just a Checklist

This is a big one. Achieving compliance isn’t about checking boxes. It’s about embedding cybersecurity into your company culture. That means regular training, leadership buy-in, role-based access controls, incident response playbooks, and the resources to support continuous improvement.

Let’s Break Down the Path to Compliance

Step 1: Inventory What You Touch

Start by identifying where FCI and CUI live in your environment. What systems are they on? Who accesses them? Do you know how data flows across your business—from subcontractors to internal teams to cloud storage providers?

Tip: If you don’t know your CUI boundaries, you’ll never scope your compliance project correctly.

Step 2: Perform a Gap Analysis

Compare your current security practices to the requirements of your target CMMC level. There are tools to help with this—Exostar’s Certification Assistant is one, but there are others out there too.

Be honest here. You’re not doing yourself any favors by glossing over the hard stuff. Capture what you’re doing, what you’re partially doing, and what you’re not doing at all.

Step 3: Build Your System Security Plan (SSP) and Plan of Action & Milestones (POA&M)

The SSP documents how your company implements each security requirement, what systems are in scope, and who is responsible. The POA&M is a living document that records each deficiency, the corrective action, and the date by which it will be closed.

Pro tip: A mature SSP is not just good hygiene; it’s mandatory at Level 2 and above (it is NIST SP 800-171 requirement 3.12.4, and an assessor cannot assess you without one). A POA&M is tolerated only for a limited set of low-weight gaps, and those items must be closed within 180 days. Level 1 allows no POA&M at all.
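To make Steps 2 and 3 concrete, here is an added example (mine, not code from IT Partners or any official DoD tool) that scores a gap analysis the way a Level 2 self-assessment is scored and turns the gaps into POA&M line items. Under the DoD NIST SP 800-171 Assessment Methodology every requirement is worth 5, 3, or 1 point, a perfect score is 110, and each unmet requirement subtracts its weight; only 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) earn partial credit. The eligibility rule for carrying open POA&M items into a conditional certification is my reading of 32 CFR 170.21 and should be checked against the current rule text; the seven requirements, their weights, and especially their statuses are a constructed sample, not a real assessment, and anything not listed is assumed implemented.

```python
"""Gap analysis scored as a CMMC Level 2 (NIST SP 800-171) self-assessment.

Added example; not the post author's code and not an official tool.
Weights follow the DoD NIST SP 800-171 Assessment Methodology as I read it;
statuses are invented for illustration. Requirements not in the list are
treated as implemented.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
# The only two requirements that earn partial credit (lose 3 instead of 5).
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
# Assumption (my reading of 32 CFR 170.21): a POA&M item must be worth 1 point,
# except 3.13.11, which may sit on the POA&M at 3 points. The rule also bars a
# few specific 1-point requirements from the POA&M; that list is not modelled.
POAM_EXCEPTION = "3.13.11"
POAM_OPENED = date(2025, 1, 15)  # constructed date for the sample POA&M


@dataclass
class Requirement:
    rid: str      # NIST SP 800-171 requirement number, e.g. "3.5.3"
    title: str
    weight: int   # 5, 3 or 1 under the assessment methodology
    status: str   # "implemented", "partial" or "not_implemented"


def points_lost(req: Requirement) -> int:
    """Deduction for one requirement. 'partial' only helps for the two
    partial-credit requirements; for anything else it is a miss."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.rid in PARTIAL_CREDIT:
        return 3
    return req.weight


def sprs_score(reqs: list[Requirement]) -> int:
    """Score as it would be reported to SPRS: 110 minus all deductions."""
    return MAX_SCORE - sum(points_lost(r) for r in reqs)


def build_poam(reqs: list[Requirement], opened: date) -> list[dict]:
    """Every unmet requirement becomes a POA&M line item, due 180 days out,
    which is the closure window the rule allows for open POA&M items."""
    return [
        {
            "rid": r.rid,
            "weakness": f"{r.title}: {r.status.replace('_', ' ')}",
            "points": points_lost(r),
            "due": (opened + timedelta(days=180)).isoformat(),
        }
        for r in reqs
        if r.status != "implemented"
    ]


def poam_allowed(reqs: list[Requirement]) -> tuple[bool, list[str]]:
    """Check the two Level 2 conditions for a conditional certification with
    open POA&M items: score >= 80% of 110 (i.e. 88) and no high-value gaps."""
    problems = []
    score = sprs_score(reqs)
    if score < 0.8 * MAX_SCORE:
        problems.append(f"score {score} is below the 88-point floor")
    for item in build_poam(reqs, POAM_OPENED):
        exempt = item["rid"] == POAM_EXCEPTION and item["points"] == 3
        if item["points"] > 1 and not exempt:
            problems.append(f"{item['rid']} cannot be on a POA&M at {item['points']} points")
    return (not problems, problems)


# Constructed sample: weights per the assessment methodology, statuses invented.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5, "implemented"),
    Requirement("3.1.5", "Employ least privilege", 3, "not_implemented"),
    Requirement("3.3.1", "Create and retain audit logs", 5, "implemented"),
    Requirement("3.5.3", "Multifactor authentication", 5, "partial"),
    Requirement("3.5.7", "Enforce password complexity", 1, "not_implemented"),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, "partial"),
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))          # 100 for this sample
    for item in build_poam(SAMPLE, POAM_OPENED):
        print(item)
    print(poam_allowed(SAMPLE))                  # (False, [...]) for this sample
```

The sample scores 100 out of 110, comfortably above the 88-point floor, yet it still cannot carry its POA&M into a conditional certification: least privilege (3.1.5) is a 3-point gap, and partial MFA (3.5.3) does not get the 3-point POA&M allowance that non-FIPS encryption (3.13.11) does. That is the point of scoring your gap analysis early: a high score does not tell you whether the specific gaps you are left with are ones an assessor can accept.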

Step 4: Implement Controls

This is where the rubber meets the road. You’ll need to:

  • Enable multi-factor authentication for privileged accounts and for network access to CUI
  • Encrypt CUI in transit and at rest using FIPS-validated cryptography
  • Enforce least-privilege access, with separate accounts for administrative work
  • Log system activity, retain the logs, and actually review them
  • Scan for vulnerabilities regularly and remediate what you find
  • Build and test an incident response plan, including how you report incidents to DoD

If you already follow frameworks like NIST SP 800-171, ISO 27001, or FedRAMP, you might be in better shape than you think. But don’t assume—validate.

Step 5: Conduct a Mock Assessment

Before bringing in a C3PAO (if required), conduct a mock audit. This is your dress rehearsal. Whether led by internal staff, a consultant, or an external readiness firm, a pre-assessment helps uncover gaps you might miss.

Step 6: Schedule and Pass the Official Assessment

Once you’re ready, you’ll find and engage an assessor through the Cyber AB (formerly the CMMC-AB) Marketplace. If your organization handles CUI and requires a third-party review, you’ll undergo a comprehensive assessment by a C3PAO.

Expect documentation reviews, interviews, technical demonstrations, and policy examinations.

Real-World Benefits of Compliance

Compliance isn’t just about avoiding disqualification. It’s about setting your organization up for long-term resilience.

Risk Reduction

Implementing CMMC practices improves your security posture. You’ll have stronger defenses against ransomware, phishing, insider threats, and supply chain vulnerabilities.

Competitive Edge

More and more RFPs will require CMMC compliance just to bid, and even if you’re not a prime, primes and large contractors are increasingly mandating that their subs be CMMC-compliant. Your contract may not require it today, but it likely will tomorrow. Being ahead of the curve pays off.

Operational Maturity

Many companies that undertake CMMC find that their internal operations improve. By tightening up processes, formalizing documentation, and building awareness across teams, you increase efficiency—not just security.

Cost and Complexity: The Elephant in the Room

Let’s be real—compliance takes work. It’s not free, and it’s not instant. Depending on your size, infrastructure, and starting point, the cost could range from tens of thousands to hundreds of thousands of dollars.

But ask yourself this: what’s the cost of getting breached? What’s the cost of losing a prime contract? What’s the cost of non-compliance?

Investing in cybersecurity isn’t just regulatory—it’s strategic.

What About the Supply Chain?

If you rely on subcontractors or vendors, their compliance matters too. The CMMC framework pushes responsibility upstream and downstream. Make sure your partners understand what’s expected and that they’re taking steps to meet those expectations.

This is especially important if you share or transmit CUI to those partners.

Tools That Help

Several platforms can ease the compliance journey. These include:

Exostar Certification Assistant: Automates assessments, tracks progress, and helps generate required documentation.

Microsoft GCC High: Meets security requirements for handling CUI and supports compliance for cloud-based infrastructure.

NIST SP 800-171 compliance checklists: Useful for mapping requirements and verifying controls.

PreVeil: Encrypted email and file sharing for CMMC compliance (very cost effective compared with GCC High).

Summary

CMMC isn’t something you can ignore if you plan to do business with the DoD. It’s also not something you can fake your way through. The bar has been raised, and the companies that meet it will be the ones with the contracts, the reputations, and the resilience to grow.

Compliance is a journey, not a one-time event. If you think of it as a living, evolving part of your business strategy—not just a hurdle to clear—you’ll come out stronger on the other side.

Take this step-by-step, lean on the right tools, and don’t be afraid to ask for help. The sooner you start, the better positioned you’ll be when CMMC becomes non-negotiable.
