Inside the CMMC Framework: Core components and implementation strategies

Sarah A. Lynn • April 22, 2025

Services: Managed IT Security


The Cybersecurity Maturity Model Certification (CMMC) Framework represents a critical shift in how the Department of Defense (DoD) approaches cybersecurity across its supply chain. Organizations working with the DoD face increasing pressure to strengthen their security posture as cyber threats grow more sophisticated.  

This article explores the essential elements of the CMMC Framework and provides practical implementation strategies for organizations seeking certification. 

Understanding the CMMC Framework

The CMMC Framework serves as a unifying standard that supports consistent implementation of cybersecurity controls throughout the DoD supply chain. Designed to protect sensitive information, particularly Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), the framework establishes clear requirements for contractors and subcontractors. 

The DoD developed CMMC in response to persistent threats targeting its supply chain. After releasing CMMC 1.0 in 2019, the DoD gathered feedback and launched a streamlined CMMC 2.0 in 2021, making the framework more accessible for smaller organizations while maintaining robust security expectations.

Core components of the CMMC Framework 

The three-tiered maturity model 

CMMC 2.0 defines three distinct maturity levels that build upon each other: 

  • Level 1 (Foundational): Includes 15 basic security requirements with annual self-assessment 
  • Level 2 (Advanced): Encompasses 110 requirements from NIST SP 800-171 with either triennial third-party assessment or self-assessment for select programs 
  • Level 3 (Expert): Extends beyond Level 2 with additional requirements from NIST SP 800-172 and requires government-led assessment 

Each level’s requirements are cumulative, meaning organizations must implement all practices from previous levels to achieve certification at higher levels. 

Assessment methodology 

Under CMMC 2.0, assessment requirements vary by level: 

  • Level 1 requires annual self-assessment and affirmation 
  • Level 2 typically requires assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years 
  • Level 3 requires government-led assessment every three years 

These assessments thoroughly evaluate an organization’s cybersecurity controls, including policy review, evidence examination and stakeholder interviews. 

Alignment with NIST standards 

While CMMC is a DoD framework, it draws heavily from NIST standards: 

  • Level 1 incorporates basic safeguarding requirements 
  • Level 2 adopts all 110 requirements from NIST SP 800-171
  • Level 3 includes additional controls from NIST SP 800-172 

This alignment helps organizations leverage existing NIST compliance efforts when pursuing CMMC certification. 

Implementation strategies for success 

Determine your appropriate CMMC level 

Start by assessing which CMMC level applies to your organization based on: 

  • The types of information you handle (FCI or CUI) 
  • Your position in the DoD supply chain 
  • Your contractual requirements 

Organizations handling only FCI typically need Level 1, while those processing CUI generally require Level 2 or higher. 

Conduct a comprehensive gap analysis 

Before pursuing certification, perform a thorough gap assessment against your target CMMC level. This helps you: 

  • Identify existing controls that satisfy requirements 
  • Highlight areas needing improvement 
  • Prioritize remediation efforts based on criticality  

“The documentation and the assessment, once you reach the C3PAO, are quite rigorous. Having that gap assessment by a subject matter expert or team, like BPM, could assist in reducing or eliminating non-conformities or findings on your first C3PAO certification audit.” – Sarah A. Lynn, BPM Advisory Partner, IT Security & Compliance Subject Matter Expert

Develop a strategic implementation roadmap 

Create a detailed plan that addresses: 

  • Resource allocation for implementation 
  • Realistic timelines for control implementation 
  • Budget considerations for necessary technology investments 
  • Training requirements for security personnel and general staff 

Establish continuous monitoring practices 

CMMC certification isn’t a one-time achievement. Implement systems to: 

  • Monitor control effectiveness regularly 
  • Document compliance evidence continuously 
  • Conduct periodic internal assessments 
  • Update security practices as threats evolve  

“The periodic internal assessments, monitoring effectiveness and reviewing the ongoing documentation and practice updates is a group of tasks our BPM team is very skilled at performing, and guiding companies to do in their own future.” – Sarah A. Lynn 

Leverage technology solutions 

Consider specialized tools that can: 

  • Automate compliance monitoring 
  • Track progress toward certification
  • Document evidence for assessment
  • Streamline the assessment process 

Working with BPM for CMMC success 

While the CMMC Framework presents challenges, partnering with BPM provides a clear path to compliance. Our dedicated team understands the intricate requirements of the CMMC Framework and can guide your organization through the entire certification process. From initial gap analysis to remediation planning and pre-assessment preparation, BPM delivers tailored solutions that align with your specific needs. 

BPM supports organizations at every stage of CMMC implementation, offering practical strategies that minimize disruption while maximizing security effectiveness. Our approach combines technical knowledge with business acumen, ensuring your CMMC journey enhances your overall security posture while maintaining operational efficiency. To transform your CMMC compliance challenges into opportunities for strengthening your cybersecurity program, contact us.
