CMMC Assessment SOP

Standard Operating Procedure for Cybersecurity Maturity Model Certification readiness assessments

Service Pillar: Protect
Service Category: Compliance Gap Assessment
Target Duration: 8-12 weeks (Level 2)
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct comprehensive CMMC (Cybersecurity Maturity Model Certification) readiness assessments that evaluate an organization's controls against DoD requirements, preparing defense industrial base (DIB) contractors for successful certification.

Target Personas

Persona Primary Pain Point Value Case
Solo IT Director Complex DoD requirements, limited resources Expert guidance through certification
CFO/Controller Contract eligibility risk, compliance investment Maintain DoD contract eligibility
Managing Partner (Legal) False Claims Act liability, subcontractor compliance Legal risk mitigation

Business Justification

Metric Value Source
DIB companies requiring CMMC 300,000+ DoD CMMC Program
Average CMMC Level 2 compliance cost $100,000-$500,000 NIST MEP Analysis 2024
DoD contracts at risk without CMMC $165 billion annually DoD Budget FY2024
SMB DIB contractors 76% of supply chain RAND Corporation DIB Study
Companies failing initial assessment 40-50% CyberAB Assessment Data 2024

Pricing Reference

Tier Scope Price Range Duration
Level 1 Self-attestation preparation $15,000-$25,000 4-6 weeks
Level 2 <100 employees, limited CUI $75,000-$100,000 12-16 weeks
Level 2+ 100-300 employees, complex CUI environment $100,000-$150,000 16-24 weeks
Level 3 Highest criticality (requires government assessment) Custom 18-24 months

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • DoD contract or subcontract in place or pending
  • CUI handling requirements confirmed
  • CMMC level requirement identified from contract
  • Executive sponsorship committed
  • IT infrastructure ownership clarified
  • SPRS score current (if applicable)

Required Information Gathering

Category Documents Needed
Contract DoD contracts, FAR/DFARS clauses, CUI requirements
Organizational Org chart, employee count, locations, IT responsibilities
Technical Network diagrams, system inventory, cloud services
Current State System Security Plan (SSP), POA&M, SPRS score
CUI CUI asset inventory, data flows, handling procedures

CUI Scope Determination

Scope Factor Description
CUI Categories What types of CUI are handled (CTI, ITAR, etc.)
CUI Locations Where CUI is stored, processed, transmitted
CUI Flow How CUI moves through the organization
CUI Boundaries System boundaries and enclave definition
CUI Personnel Who has access to CUI

CMMC Framework

CMMC 2.0 Level Structure

Level Assessment Type Requirements Applies To
Level 1 Self-assessment 17 FAR 52.204-21 practices FCI only
Level 2 C3PAO assessment 110 NIST 800-171 requirements CUI handling
Level 3 Government assessment 110+ practices + additional controls Critical CUI

NIST SP 800-171 Control Families

Family Controls Key Focus Areas
Access Control (AC) 22 Account management, least privilege, remote access
Awareness & Training (AT) 3 Security training, threat awareness
Audit & Accountability (AU) 9 Logging, audit review, protection
Configuration Management (CM) 9 Baseline configurations, change control
Identification & Authentication (IA) 11 Password policies, MFA, authenticator management
Incident Response (IR) 3 Incident handling, reporting
Maintenance (MA) 6 System maintenance, tools
Media Protection (MP) 9 Media access, marking, sanitization
Personnel Security (PS) 2 Screening, personnel termination
Physical Protection (PE) 6 Physical access, monitoring
Risk Assessment (RA) 3 Risk assessments, vulnerability scanning
Security Assessment (CA) 4 Assessments, POA&M, continuous monitoring
System & Communications Protection (SC) 16 Boundary protection, encryption, CUI protection
System & Information Integrity (SI) 7 Flaw remediation, malware protection, monitoring

Total NIST 800-171 Requirements: 110 practices


Assessment Process

Phase 1: Scoping and Planning (Weeks 1-2)

Objective: Define CUI boundaries and assessment scope

Activity Deliverable Duration
Kickoff meeting Aligned expectations 0.5 day
Contract/DFARS review Compliance requirements 1 day
CUI asset identification CUI inventory 2 days
Network boundary definition System boundary document 2 days
SSP review (if exists) Current state analysis 1 day

Scoping Activities

Activity Purpose
CUI categorization Identify CUI types and marking requirements
Data flow mapping Document CUI movement through systems
Enclave definition Define assessment boundary
Cloud scoping Identify FedRAMP/CMMC cloud requirements
Subcontractor identification Determine flow-down requirements

Phase 2: Documentation Assessment (Weeks 2-4)

Objective: Evaluate existing documentation against CMMC requirements

Activity Deliverable Duration
Policy review Policy gap matrix 3 days
Procedure assessment Procedure gap analysis 3 days
SSP evaluation SSP completeness review 2 days
POA&M review Current remediation status 1 day
Evidence inventory Documentation completeness 2 days

Required Documentation Review

Document CMMC Requirement
System Security Plan (SSP) Required for all levels
Plan of Action & Milestones (POA&M) Required if gaps exist
Network Diagrams Required for boundary definition
Asset Inventory Required for scoping
Policies & Procedures Evidence for practice implementation
Training Records Evidence for AT controls
Incident Response Plan Evidence for IR controls

Phase 3: Technical Assessment (Weeks 4-8)

Objective: Validate technical control implementation

Activity Deliverable Duration
Access control testing AC findings 3 days
Authentication validation IA findings 2 days
Encryption verification SC findings 2 days
Audit/logging review AU findings 2 days
Configuration validation CM findings 3 days
Vulnerability assessment RA findings 2 days

Technical Validation Areas

Control Area Validation Methods
MFA Verify MFA for all CUI access, privileged accounts
Encryption FIPS 140-2 validated, TLS 1.2+, data at rest
Logging Audit log configuration, retention, protection
Endpoint Protection EDR/AV configuration, patch management
Network Segmentation CUI enclave isolation, firewall rules
Access Control Least privilege, account reviews, terminations

Phase 4: Gap Analysis and Remediation Planning (Weeks 8-10)

Objective: Document gaps and create remediation roadmap

Activity Deliverable Duration
Finding consolidation SPRS score calculation 2 days
POA&M development Detailed remediation plan 3 days
Remediation prioritization Risk-based priority matrix 2 days
Resource planning Budget and timeline estimates 2 days

Phase 5: Reporting (Weeks 10-12)

Objective: Deliver comprehensive assessment and roadmap

Activity Deliverable Duration
Report drafting Draft assessment report 3 days
Internal QA Quality reviewed report 2 days
Client review Feedback incorporation 3 days
Final delivery Complete CMMC readiness package 1 day

SPRS Scoring

Score Calculation

Element Description
Starting Score 110 points
Deductions 1-5 points per unmet requirement (severity-based)
Minimum for CMMC L2 110 (all requirements met or on POA&M)

Severity Values

Point Deduction Severity Criteria
5 Very High No implementation, critical control
3 High Partial implementation, significant gap
1 Low Minor gap, largely implemented

POA&M Requirements

Element Requirement
Timeframe Maximum 180 days for all POA&M items
Specificity Detailed action items with owners and dates
Progress Demonstrated progress toward completion
Constraints Max 80% of controls can be on POA&M
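A worked SPRS calculation following the Score Calculation, Severity Values and POA&M Requirements tables above. This is an added illustration, not part of the SOP or any SBK tooling; the finding set, its family tags and the on-POA&M flags are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

STARTING_SCORE = 110        # SPRS starts at 110 points
TOTAL_REQUIREMENTS = 110    # NIST SP 800-171 requirements assessed
MAX_POAM_FRACTION = 0.80    # SOP constraint: at most 80% of controls on the POA&M

# Point deduction per severity, from the Severity Values table
DEDUCTIONS = {"very_high": 5, "high": 3, "low": 1}


@dataclass(frozen=True)
class Finding:
    requirement: str   # NIST 800-171 requirement id, e.g. "3.5.3"
    family: str        # control family abbreviation (AC, IA, ...)
    severity: str      # key into DEDUCTIONS
    on_poam: bool      # True if the gap is tracked on the POA&M


# Constructed sample finding set (illustrative, not real client data)
SAMPLE_FINDINGS = [
    Finding("3.1.1", "AC", "high", True),          # account management partially done
    Finding("3.5.3", "IA", "very_high", True),     # MFA not implemented
    Finding("3.3.1", "AU", "low", True),           # audit retention slightly short
    Finding("3.13.11", "SC", "very_high", False),  # non-FIPS crypto, no remediation planned
    Finding("3.14.1", "SI", "high", True),         # patching gaps on CUI hosts
]


def sprs_score(findings):
    """Current SPRS score: 110 minus the deduction for every unmet requirement."""
    total = 0
    for f in findings:
        if f.severity not in DEDUCTIONS:
            raise ValueError(f"{f.requirement}: unknown severity {f.severity!r}")
        total += DEDUCTIONS[f.severity]
    return STARTING_SCORE - total


def deductions_by_family(findings):
    """Point loss per control family, for the report's score breakdown section."""
    by_family = defaultdict(int)
    for f in findings:
        by_family[f.family] += DEDUCTIONS[f.severity]
    return dict(by_family)


def projected_score(findings):
    """Score once every POA&M item is closed; gaps not on the POA&M still deduct."""
    return sprs_score([f for f in findings if not f.on_poam])


def poam_within_limit(findings):
    """Check the SOP constraint that at most 80% of controls sit on the POA&M."""
    on_poam = sum(1 for f in findings if f.on_poam)
    return on_poam <= MAX_POAM_FRACTION * TOTAL_REQUIREMENTS
```

The projected score is the figure the report's "SPRS score (current and projected)" line refers to: it assumes every POA&M item closes on schedule and leaves the unplanned gap deducting.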

Deliverables

CMMC Readiness Assessment Report

Structure:

  1. Executive Summary
     • Assessment scope and approach
     • SPRS score (current and projected)
     • Certification readiness assessment
     • Investment requirements

  2. Scope Definition
     • CUI boundary description
     • In-scope systems and personnel
     • Exclusions with justification

  3. Control-by-Control Assessment
     • All 110 NIST 800-171 requirements
     • Implementation status
     • Evidence reviewed
     • Gap identification

  4. SPRS Score Analysis
     • Current score calculation
     • Score breakdown by control family
     • Impact of remediation efforts

  5. System Security Plan (SSP)
     • Complete or updated SSP
     • Meets CMMC SSP requirements
     • Ready for C3PAO review

  6. Plan of Action & Milestones (POA&M)
     • All gaps documented
     • Remediation actions
     • Owner assignments
     • Target completion dates

  7. Remediation Roadmap
     • Prioritized action items
     • Resource estimates
     • Timeline to certification-ready
     • Quick wins identified

Supporting Materials

Material Purpose
Policy templates Address documentation gaps
Procedure templates Operational process guidance
CUI handling guide Personnel training resource
Evidence collection checklist C3PAO assessment preparation
Subcontractor flow-down template Supply chain compliance

Certification Pathway

Timeline to Certification

Phase Duration Activities
Gap Assessment 8-12 weeks This engagement
Remediation 3-9 months Control implementation
Pre-Assessment 2-4 weeks Self-assessment, evidence prep
C3PAO Selection 2-4 weeks RFP and selection
C3PAO Assessment 1-3 weeks On-site/virtual assessment
POA&M Closure If needed Complete remaining items
Certification 2-4 weeks Certificate issuance

C3PAO Selection Considerations

Factor Considerations
CyberAB authorization Must be authorized C3PAO
Industry expertise Experience with similar DIB contractors
Availability Lead times for assessment scheduling
Pricing Assessment day rates
References Past client experiences

Quality Assurance

Internal Review Checklist

  • All 110 NIST 800-171 requirements assessed
  • SPRS score accurately calculated
  • SSP complete and accurate
  • POA&M meets CMMC requirements
  • CUI boundaries clearly defined
  • Evidence requirements documented
  • Remediation timeline realistic

Client Review Process

  1. Draft report delivery
  2. 5 business day review period
  3. Questions/clarifications call
  4. SPRS score validation
  5. Final report delivery
  6. C3PAO preparation session

Post-Delivery

Remediation Support Options

Option Scope Investment
Self-Remediation Report + templates only Included
Guided Remediation Monthly check-ins, Q&A $5,000-$8,000/month
Full Remediation Hands-on implementation Custom scoping
SPRS Monitoring Ongoing score management $2,000/month

C3PAO Assessment Preparation

Service Description
Evidence organization Prepare evidence for each control
Mock assessment Simulate C3PAO assessment process
Personnel preparation Train staff on assessment interviews
SSP/POA&M finalization Final document review and updates

Service Connection SOP Reference
Penetration Testing Validates technical controls pentest-sop.md
Security Awareness Training Supports AT requirements security-training-sop.md
Incident Response Planning IR requirements incident-response-sop.md
vCISO Ongoing compliance management vcto-vciso-engagement-sop.md

Evidence Base

Why This Approach Works

Principle Evidence Source
DIB contractors need specialized help 76% are SMBs with limited resources RAND Corporation
Gap assessment reduces certification risk 60% improvement in first-pass rates CyberAB 2024 Data
SSP/POA&M quality critical Most common C3PAO finding CyberAB Assessment Insights
Technical validation essential 45% of gaps are technical implementation SBK client data

SBK Success Metrics

Metric Target Measurement
First-time C3PAO pass rate 90%+ Certification outcomes
SPRS score improvement +30 points avg Pre/post assessment
Client satisfaction 4.5+/5.0 Post-engagement survey
Time to certification <12 months Client tracking

Regulatory References


Last Updated: February 2026 Version: 1.0