We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Implementation Guide

CMMC Level 2 & NIST 800-171 Implementation Guide

A step-by-step path to CMMC readiness for the US Department of Defense supply chain — scoping, the 110 controls, SSP/POA&M and the C3PAO assessment.

Who needs CMMC

The Cybersecurity Maturity Model Certification applies to organisations in the US Department of Defense supply chain that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — prime contractors, subcontractors, and the Indian and GCC firms serving them. Level 1 covers FCI; Level 2 aligns to the 110 controls of NIST SP 800-171 for CUI.

The implementation path

1. Scope your environment

Identify where FCI and CUI are stored, processed and transmitted. Narrowing the CUI boundary (enclaves, segmentation) is the single biggest cost lever — it reduces the systems an assessor must evaluate.

2. Assess against NIST 800-171

Gap-assess all 110 controls across the 14 families (access control, awareness/training, audit/accountability, configuration management, identification/authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system/communications protection, system/information integrity).

3. Build the SSP and POA&M

The System Security Plan documents how each control is met; the Plan of Action & Milestones tracks gaps and remediation timelines. These are mandatory artefacts — an assessor and the DoD both expect them, and your SPRS score is derived from them.

4. Remediate and score

Close prioritised gaps, implement MFA, encryption, logging and access controls, and improve your Supplier Performance Risk System (SPRS) score toward the required threshold.

5. C3PAO assessment

Level 2 certification is performed by an authorised C3PAO. Readiness means every control is implemented, evidenced and documented before the assessor arrives, with flow-down requirements addressed for subcontractors.

Common pitfalls

  • Over-scoping — treating the whole network as CUI instead of building an enclave.
  • SSP as an afterthought — it should drive the programme, not document it at the end.
  • Ignoring flow-down — prime contractors must ensure subcontractors handling CUI are compliant.
  • Point-in-time mindset — CMMC expects controls to operate continuously.

How CyberSigma helps

We map the 110 controls to your environment, build the SSP and POA&M, run remediation and prepare you for the C3PAO assessment — for primes, subcontractors and offshore suppliers in the US defense supply chain.

Start your CMMC journey

Free NIST 800-171 gap assessment and SPRS-score readiness.

CMMC compliance servicesBook a Consultation