Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Compliance & Governance · Download

CMMC Preparation Guide

A practical guide to determining your CMMC level, mapping practices to NIST SP 800-171, and preparing for a C3PAO assessment.

IT KORR Knowledge Center

CMMC Preparation Guide

A practical guide to determining your CMMC level, mapping practices to NIST SP 800-171, and preparing for a C3PAO assessment.

Determine Your CMMC Level

CMMC level is driven by the type of information your organization handles under DoD contracts, not by company size or preference. Start by answering these questions honestly, since the answers determine your certification path.

  • Do you only handle Federal Contract Information (FCI) — basic, non-public information provided by the government under contract? If so, Level 1 (self-assessment) likely applies.
  • Do you create, receive, store, or transmit Controlled Unclassified Information (CUI)? If so, Level 2 applies, and most contracts will require third-party certification.
  • Where does CUI actually flow in your environment — email, file shares, engineering systems, contractor laptops? Map every system that touches it before scoping an assessment.
  • Have you flowed down CMMC requirements to subcontractors who will also handle FCI or CUI on your behalf?

Mapping CMMC Level 2 to NIST SP 800-171

CMMC Level 2 does not introduce new controls. It certifies implementation of the 110 security requirements already defined in NIST SP 800-171. If you have already implemented 800-171, you are assessing against a known standard, not building something new.

  • Each of the 110 NIST SP 800-171 requirements maps directly to a CMMC Level 2 practice — treat your 800-171 System Security Plan as the backbone of your CMMC evidence.
  • Group requirements by the 14 control families (Access Control, Audit & Accountability, Configuration Management, etc.) to organize implementation and evidence collection.
  • Identify any requirements marked "not applicable" and document the justification — assessors will ask for it.
  • Track partial implementations explicitly; CMMC does not accept "in progress" as "met" without a documented POA&M for the allowed subset of practices.

Preparing for a C3PAO Assessment

  • System Security Plan (SSP) — a current, detailed description of your environment, boundaries, and how each of the 110 practices is implemented.
  • Plan of Action & Milestones (POA&M) — documented remediation plans and target dates for any practices not yet fully implemented (limited to the specific practices CMMC allows on a POA&M).
  • Objective evidence per practice — configuration screenshots, policy documents, logs, and interview readiness for each of the 320 assessment objectives underlying the 110 practices.
  • A defined assessment scope — the specific enclave, network segment, or systems where CUI is handled, agreed upon before the C3PAO engagement begins.
  • Assessor expectations — C3PAOs test for consistency between your documentation, your systems, and what your staff describe in interviews; gaps between these are the most common finding.

Related Resources

  • CMMC 2.0 Overview — /knowledge-center/compliance/compliance-governance/cmmc-20-overview
  • NIST SP 800-171 Explained — /knowledge-center/compliance/compliance-governance/nist-sp-800-171-explained

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Compliance & Governance Hub for the reasoning behind each recommendation, or use the Compliance Readiness Assessment for a personalized review.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT