Charting Your CMMC Path

CMMC Knowledge Hub

Get to know the clearly documented steps that can take you through assessment and certification.

As we’ve already discussed, once all requirements are put into place over the next few years, companies will be required to comply with CMMC certification.

We’ve talked about the basics of the Cybersecurity Maturity Model Certification and how the higher levels of maturity in the three-level certification model build on the ones below. For organizations that plan to respond to DoD solicitations, it’s essential to understand the requirements for each level and how to achieve them, which we cover in the related article, “Understanding and Leveling Up Your CMMC Maturity.”

But it’s also valuable for those seeking certification to get acquainted with the varied organizations and roles that can support them within the CMMC ecosystem. And when it’s time to set out on your CMMC journey, you should get acquainted with the experienced guides standing by to help, and take a trail map that represents the practical steps leading to certification.

So let’s get familiar with:

Who Determines CMMC Requirements?

In military actions, the President of the United States calls the shots as commander in chief.

In military purchasing, the DoD group known as the “Office of the Under Secretary of Defense for Acquisition & Sustainment” is in charge. See their And the framework of the CMMC was developed and released by this organization, which goes by the snappy initialism “OUSD (A&S).”

As the branch of the DoD responsible for buying defense-related things, OUSD (A&S) is responsible for upgrading and validating the security of suppliers who sell them things “to enhance the protection of controlled unclassified information (CUI) within the supply chain.”

However, as you’ve read from previous articles, the CMMC certification was recently revamped to version 2.0, and this was led by the overarching Department of Defense (DoD).

Though they’re still finalizing the requirements for CMMC 2.0, they have already defined a variety of supporting organizations and roles in the certification ecosystem. Let’s meet the players.

The ABCs of AB

Behind every teacher, engineer, college, and hospital—plus many other critical roles and institutions—stands a third party that sets up, oversees, and validates credentials that back up someone or something’s claims of legitimacy, fitness, or quality based on formal standards.

And CMMC has one, too: the CMMC Accrediting Body, or CMMC-AB.

As soon as it released the original CMMC standard, OUSD (A&S) gave an exclusive contract to a Maryland-based not-for-profit group that formed under the name CMMC-AB, an organization whose core mission is to implement the CMMC objectives for the DoD.

To be even more specific, “The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”

Keep reading to learn more or bookmark another article from our CMMC Knowledge Hub series:

CMMC Knowledge Hub

CMMC Organizations and Roles

The CMMC ecosystem has no shortage of stakeholders. Let’s start with the most important (you) along with three others you’re likely to encounter along the way. Hover over each box for a brief description.


At the center of it all is you, the OSC, or Organization Seeking Compliance. OSCs can take advantage of all the resources listed above, or figure it out on their own. Although it’s not scheduled to roll out until late 2021, CMMC-AB is also working on a Licensed Software Provider program and some vendors are already going to market with solutions that can provide automated assistance for users preparing for assessment.

Registered Provider Organization

The RPOs and the Registered Practitioners within them (RPs) provide advice, consulting, and recommendations to their clients. While they can help you implement CMMC, they don’t conduct Certified CMMC assessments. They’ve received the required basic CMMC-AB training and adhere to the CMMC-AB Code of Professional Conduct, “the performance standards by which the roles of the CMMC ecosystem will be held accountable, and the procedures for addressing violations of those performance standards.”


There’s a lot to learn about CMMC, so CMMC-AB created the Licensed Training Provider program for the universities, community colleges, and other learning institutions who train Certified CMMC Professionals and Certified CMMC Assessors. LTPs might also be part of internal corporate training departments, or even direct-to-consumer training providers.


Ever get the feeling that Star Wars fans have infiltrated every sector of society? There’s some evidence in the abbreviation “C3PAO” used to refer to Certified Third-Party Assessment Organization. To fulfill the need of organizations seeking assessment, C3PAOs hire and train Certified CMMC Assessors (ensuring that they adhere to the Code of Professional Conduct), schedule assessments through the CMMC-AB portal, and review and submit completed assessments for certification by the CMMC-AB.

Steps for DoD CMMC Certification

The DoD publishes a simple diagram showing the steps that lead to certification. Let’s consider it a sort of trail map that can lead you on an invigorating hike to the picturesque summit of certification.

01 /

Understand CMMC requirements.

You’ve already started to take this step by reading this and related articles from Onspring about CMMC. But for specific information about what you’ll need to do to achieve the certification level you want, we recommend reading the latest CMMC model and assessment guides available on the website of the Department of Defense.

02 /

Identify your scope.

Enterprise, Organization Unit, or Program Enclave: This step reminds organizations seeking certification (OSCs) that they can seek certification for their entire company or just the part of their business where “the information to be protected is handled and stored.”

03 /

Identify the desired maturity level.

As we mentioned before, there’s no point in getting a level of certification higher than you’ll need for the types of projects you plan to bid on or be a subcontractor for. Check with your Registered Provider Organization (RPO) for more information.

04 /

Pre-Assess with an RPO or C3PAO (Certified Third-Party Assessment Organizations).

This step is optional, but it could help you identify gaps in your readiness. Of course, you could do this step on your own if you had the right tools and know-how, like software that defines and documents everything necessary to reach your desired maturity level.

05 /

Close any identified gaps.

It’s listed as one step, but this simple, breezy phrase could represent considerably more work than those four words represent. Again, consult with an RPO or try to find some sort of tool that can help you break down the concrete steps you have to take, something that goes beyond a big, ugly spreadsheet we’ve seen a lot of companies using.

06 /

Find a C3PAO in the CMMC-AB marketplace.

Now that you know the lingo, this one shouldn’t be hard to interpret. You need an assessor to get the certification, and the marketplace section of the CMMC-AB site lists nearly 500 options for that service alone.

07 /

Conduct the proper assessment based on your level.

It’s showtime, and you’re either ready to perform a self-assessment or ready to turn over all your documentation and proof of compliance with all the standards embedded within CMMC requirements to the assessment team.

08 /

Allowance of up to 90 days to resolve findings (if any).

According to one expert, this step isn’t quite as simple as it looks. This step is meant for things like giving you time to produce supporting documentation or arrange for interaction with personnel who were not initially available to the assessors, if necessary. Again, your RPO should be able to guide you through this step.

09 /

CMMC-AB reviews submitted assessment.

If you’ve done your job correctly, and your C3PAO has done theirs, the next step should be . . .

10 /

Upon approval, three-year certification issued.

This is the big prize, the point of all the hard work that will qualify your company to bid on DoD solicitations at whatever level you’ve earned.

And remember, keeping the certification for the whole three-year term is dependent on your organization maintaining what you’ve documented. So, keep your virtual hiking boots laced up and your cybersecurity campsite tidy as you ponder and profit from the journey you’ve completed.

Schedule a demo

Find your CMMC compass

Onspring is your tool for the CMMC process and continued compliance. 
Schedule a demo