
CMMC 1.0 Is Out, Now What? The Five Critical Steps Everyone Must Follow

The Department of Defense (DoD) has officially published version 1.0 of its Cybersecurity Maturity Model Certification (CMMC) approach. DoD contractors are now trying to figure out what comes next. Since all DoD contractors will need to obtain a CMMC certification at some point, all of them must spend time to create a strategy and develop/implement a plan to get there. To help you jumpstart the process, we've put together the five steps you’ll need to follow. These can be used as milestones as part of an implementation project plan.

Step #1. Determine where you are (pre-assessment).

You can't plan to get somewhere without first knowing where you are. Since DFARS already requires compliance with NIST SP 800-171, you should have some documentation in place describing how your practices map to the 800-171 controls. You can and should leverage this documentation, so you're not starting from scratch. The goal is not only to validate your 800-171 implementation, but also to figure out which CMMC level you currently map to.

Before CMMC, compliance with 800-171 was mostly a "yes or no" question. With the various CMMC levels, the number and types of controls get more involved. There is also a set of process requirements in CMMC you must demonstrate at each of the levels. While evaluation criteria for the CMMC Certified Third Party Assessors (C3PAOs) are still in development, it is clear that a "yes or no" approach is insufficient.

It is not enough to say you have a control implemented; you must be able to prove it to a third party (the C3PAO). Assessors will be looking for evidence that you have implemented controls effectively and consistently. A pre-assessment must therefore take into account both the evidence you already have and your ability to generate evidence going forward.

Step #2. Determine where you need to be.

Once you know where you are, the next step is to figure out where you need to be. Although DoD has not yet released any indication of which types of contracts will correspond to a given CMMC level, you can still begin answering this question now with the information that is available.

CMMC concerns two types of unclassified information within the supply chain. The first is Federal Contract Information (FCI), which is information provided by or generated for the Government under contract not intended for public release. The second type is Controlled Unclassified Information (CUI), which is more sensitive information requiring specific safeguarding or dissemination controls depending on the sub-type of CUI used.

Do you have CUI? How do you know? Answers to these questions will help drive your decision making. If you don't have CUI, odds are your type of contract will be limited to level 1 or level 2. If you have CUI, CMMC tells us you'll be at least level 3. Determining your target level will require discussions with your contracting officers, those currently managing your 800-171 compliance, and business leaders, to figure out what kinds of contracts you want to go after in the future.

Step #3. Develop and implement a plan of action.

This is where the hard work starts. By this time, you've approximated what level you are currently at and have determined a preliminary target level where you'd like to be. Your work now is to look hard at the gaps between the two and develop a plan of action. You will identify the necessary people, process, and technology resources and break your plan down into a series of prioritized tasks. The goal of these controls is to manage your cyber risk more effectively. It is easier to think of CMMC compliance as a byproduct of a solid security program: focus on the program, and compliance will come naturally.

The plan of action is the most challenging part of this process because it can take a significant amount of time to effect the needed change in your organization and move up the CMMC ladder. Knowing the most efficient and effective way to implement this change is where expertise in security and process will be most valuable. You don't want to overspend, but you also don't want to come in short of where you need to be.

Your action plan should include tests that verify each task was completed successfully; once those tests give you confidence that the gaps are closed, you are ready to proceed with certification.

Step #4. Get certified.

Once you're ready to see your hard work pay off and get your certification, you'll select and hire a C3PAO for a formal assessment against the targeted CMMC level. If you've done your homework, you'll know ahead of time what kind of documentation you will need to provide. However, since this will be the first time you've gone through a formal CMMC assessment, you should take good notes and capture any lessons learned throughout the process. Since CMMC is a permanent requirement, this assessment will only be the first of many you'll need to go through as a business.

Step #5. Stay certified.

Congratulations! You've been certified at your target CMMC level. Unfortunately, it doesn't end there. Your job now is to keep all of those newly implemented processes and technologies running and to continuously verify that they are still implemented effectively. If your target level was one or more levels above where you started, it would be easy for things to drift back to where they were before. It takes effort and dedication to prevent this from happening.

Remember that everyone must complete the above five steps to some degree, so you're not alone. Like any goal worth pursuing, hard work and consistent dedication will get you where you need to be. The fruit of your labors will enable you to win the contracts you want and significantly reduce your risk of a cyber breach. Good luck, and check back for more updates on the Cybersecurity Maturity Model Certification (CMMC).

Darren Van Booven is a lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives.
