The Department of Defense (DoD) estimates

at least 350,000 U.S. businesses in the Defense Industrial Base (DIB) who contract with the DoD must undergo a cybersecurity assessment and certification to participate in upcoming contracts. 

This program, referred to as the Cybersecurity Maturity Model Certification or CMMC, is being rolled out in phases from 2021-2025, and is already showing up as a requirement for award in some “pilot” contracts. Each year, more contracts will begin to include CMMC requirements. Organizations Seeking Certification (or OSCs), as well as their subcontractors and 3rd party service providers, may be required to achieve an assessment certification at either CMMC Level 1 or CMMC Level 3, depending on the type of information they handle as part of servicing DoD contracts to continue working with the DoD.

This is not new information, but it is the first time OSCs will be required to prove their cybersecurity maturity level before being awarded a contract. Many small businesses who hold long-standing DoD contracts are concerned about the resources (both staff and funding) needed to meet these requirements. After all, cybersecurity is all we hear about these days, and most small businesses who receive proposals to get their cyber controls in order are overwhelmed and under-funded. It’s difficult to break the problem into digestible pieces and make progress. So, below is my breakdown for CMMC fitness – monthly goals to aim for CMMC preparedness in a year.


Understand the type of information (FCI or CUI) you maintain and how it flows throughout your company. This is demonstrated best in a data flow diagram, which is different from an infrastructure diagram.  A data flow diagram will include information systems, business units, connections, and permissions.  Ask yourself – where does FCI or CUI enter our business?  Trace it through each application, user, device, business unit, and storage.


From your data flow diagram, create the infrastructure diagram and complete an inventory of all systems, users, devices, and services.



Clearly identify the systems, users, devices, and services that interact with the FCI or CUI data. This is the initial scope. Can that be reduced as a footprint?  Is there remote access capability to store the data on the prime contractor site without storing it on your network?  Is there a way to limit access to fewer people?  How about having only one location handle the data instead of multiple sites?  And, do you have the ability to set up an “enclave” that only certain people have access to, both digitally and physically?


Identify risks and vulnerabilities on the network with a full security assessment.


Conduct an 800-171 assessment along with the CMMC Delta20 assessment, and generate a Plan of Action and Milestones (POA&M).


Take the POA&M and determine how to best clear priority items (items that have the most impact by checking off multiple boxes) and assign resources (funding and staff) over a five month period. You are at the six month mark – use this time to align resources, secure leadership support, and plan for success using project management skills.


Tackle the biggest POA&M items over months seven through ten. Be sure to schedule weekly meetings to monitor progress and keep your goals in the forefront.


Review the Information Security policies to see how they match up with the CMMC domains. If you want to achieve Maturity Level 3 certification or higher, each domain and practice must align with a policy.


Work with the team to create procedures for each practice as it is confirmed or implemented according to the POA&M. Make sure the procedures map back to at least one policy.


Work with the business unit leader responsible for each policy (or even at the procedure level) to understand future resourcing needs. Develop a resourcing plan to prove commitment to each practice. The plans can be one-to-many for the practices, as it makes sense.


Send at least one team-member to a Certified CMMC Professional (CCP) course for training. The target audience for this course is internal IT, IT consultants, and assessors themselves.  This foundational level course covers the CMMC assessment process end to end, so your team will know exactly what to expect in the formal assessment (and is well worth the one-time cost). That individual (or multiple team members) might also consider participating in a formal assessment with a C3PAO as a 1099 contractor, to gain experience in an actual assessment.  Network with C3PAOs to determine if this makes sense for your business.


Bring in an RPO or C3PAO to confirm your readiness for the CMMC assessment. Your on-staff CCP will help reduce the work involved in this, saving you money.


Depending on the size of your business and the level of certification you seek, this 12-month plan might be unrealistic. However, the general flow and steps remain the same for most OSCs, whether the timeframe is shorter or longer. Some OSCs bring in an RPO or C3PAO to help with the 800-171 and CMMC Delta 20 assessment early on; but if your internal team is robust, you may not need this. There will be caveats for every business as no two businesses are the same, especially when it comes to cybersecurity.  Nevertheless, having a roadmap to follow and setting goals for each milestone will help immensely.

Be sure to communicate with the stakeholders in every step. And, if you need assistance, reach out – at Edwards Performance Solutions, we are here to shepherd this process, because we’re all in this together.


This blog was originally written for PROCAS Accounting Software, by Edwards Senior Cybersecurity Consultant and Instructor Joy Beland.


Joy is the CMMC Program Manager for Edwards Performance Solutions, delivering live training for all areas of CMMC, as well as an active participant of the Commercial Cybersecurity Assessment Team. Before joining Edwards, Joy served the MSP community as a cybersecurity education instructor, educating 3,000+ on cybersecurity fundamentals from 2019-2020. In addition to her facilitation experience, Joy owned a successful MSP in Los Angeles for 21 years.