Purpose: Provide a step-by-step roadmap for achieving CMMC Level 2 compliance, aligned with NIST SP 800-171 and DFARS requirements.

Phase 1 — Readiness & Planning (Month 0–2)
• Establish governance and accountability.
• Define scope and Controlled Unclassified Information (CUI) boundaries.
• Appoint roles: Executive Sponsor, Compliance Lead, IT/Security Lead, Project Manager.
• Inventory systems, users, and vendors handling CUI.
• Conduct NIST SP 800-171 gap assessment.
• Calculate SPRS score and document baseline.
• Draft Plan of Action & Milestones (POA&M) with priorities.
Deliverables: Governance charter, SSP, initial SPRS score report, POA&M with owners and timelines

Phase 2 — Policy, Architecture & Technical Controls (Month 2–6)
• Author or update policies for all 14 control families.
• Deploy technical safeguards: MFA, FIPS-validated encryption, centralized logging/SIEM, vulnerability management.
• Establish secure configuration baselines.
• Create Evidence Library (configs, logs, screenshots, training records).
Deliverables: Policy pack, technical control implementation evidence, updated SSP and POA&M

Phase 3 — Internal Audit & SPRS Uplift (Month 6–9)
• Conduct internal control testing.
• Run Incident Response tabletop exercise.
• Complete annual security training and record rosters.
• Update POA&M and raise SPRS score.
Deliverables: Internal audit report, IR tabletop report, training completion evidence, revised POA&M and SPRS score

Phase 4 — C3PAO Pre-Assessment & Sustainment (Month 9–12)
• Select C3PAO and schedule pre-assessment.
• Conduct mock audit and remediate findings.
• Prepare Readiness Packet for primes: policy index, evidence matrix, SPRS screenshots, IR drill reports.
• Publish sustainment plan (monthly vulnerability scans, quarterly audits, annual training).
Deliverables: Pre-assessment report, readiness packet for primes, sustainment roadmap

Artifacts Checklist
• System Security Plan (SSP) + network/data flow diagrams
• POA&M with owners and dates
• Policies & procedures for all control families
• Configuration baselines and change records
• SIEM/logging evidence and retention settings
• Vulnerability scans, patch metrics, EDR console reports
• Training rosters and IR tabletop reports
• CUI handling instructions; crypto module evidence
• Supply-chain flow-down clauses; vendor due diligence
• SPRS baseline and uplift documentation
• C3PAO pre-assessment findings and remediation