Who needs CMMC
The Cybersecurity Maturity Model Certification applies to organisations in the US Department of Defense supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — prime contractors, subcontractors, and the Indian and GCC firms serving them. Level 1 covers FCI; Level 2 aligns to the 110 controls of NIST SP 800-171 for CUI.
The implementation path
1. Scope your environment
Identify where FCI and CUI are stored, processed and transmitted. Narrowing the CUI boundary (enclaves, segmentation) is the single biggest cost lever — it reduces the systems an assessor must evaluate.
2. Assess against NIST 800-171
Gap-assess all 110 controls across the 14 families (access control, awareness/training, audit/accountability, configuration management, identification/authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system/communications protection, system/information integrity).
3. Build the SSP and POA&M
The System Security Plan documents how each control is met; the Plan of Action & Milestones tracks gaps and remediation timelines. These are mandatory artefacts — an assessor and the DoD both expect them, and your SPRS score is derived from them.
4. Remediate and score
Close prioritised gaps, implement MFA, encryption, logging and access controls, and improve your Supplier Performance Risk System (SPRS) score toward the required threshold.
5. C3PAO assessment
Level 2 certification is performed by an authorised C3PAO. Readiness means every control is implemented, evidenced and documented before the assessor arrives, with flow-down requirements addressed for subcontractors.
Common pitfalls
- Over-scoping — treating the whole network as CUI instead of building an enclave.
- SSP as an afterthought — it should drive the programme, not document it at the end.
- Ignoring flow-down — prime contractors must ensure subcontractors handling CUI are compliant.
- Point-in-time mindset — CMMC expects controls to operate continuously.
How CyberSigma helps
We map the 110 controls to your environment, build the SSP and POA&M, run remediation and prepare you for the C3PAO assessment — for primes, subcontractors and offshore suppliers in the US defense supply chain.
