CMMC Consulting

Cherry Bekaert can assist with CMMC compliance gap assessments, provide oversight and management of remediation and reporting efforts, or perform certification assessments as an authorized CMMC Third-Party Assessment Organization (C3PAO).

CMMC Compliance Consulting for DoD Contractors

CMMC Third-Party Assessment Organization Authorization (C3PAO) and Registered Practitioner Organization (RPO)

Cherry Bekaert, an authorized CMMC Third-Party Assessment Organization (C3PAO) and certified Registered Practitioner Organization (RPO) by The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (The Cyber AB), provides comprehensive CMMC services and solutions, guiding your organization through compliance gap assessments, oversight and management of remediation and reporting efforts. We also offer CMMC Level 2 certification assessments and issue Level 2 certificates of CMMC Status as an authorized C3PAO. 

Our team of CMMC-certified assessors brings a comprehensive approach, leveraging IT and cybersecurity experience to deliver practical and effective recommendations and solutions for your CMMC needs. We meet you where you are to advise, assist and support your CMMC compliance efforts regardless of your current state.

Get Started with CMMC Compliance Today

As a CMMC C3PAO, we're committed to helping contractors navigate and prepare for CMMC certification. 

CMMC Certifications and Attestations

Our Firm is fully equipped to provide comprehensive certification assessments to help organizations achieve Level 2 Status with the CMMC requirements. Our CMMC assessments are streamlined from planning and testing through reporting and submission to CMMC eMASS, to ensure an efficient assessment from beginning to end.

Phase 1: Pre-Assessment

Planning and preparing for a CMMC assessment is crucial for ensuring your organization's cybersecurity practices meet the required standards. In this phase, we:

  • Establish roles and responsibilities
  • Validate CMMC assessment scope
  • Confirm availability of assessment artifacts
  • Verify readiness to conduct the assessment
  • Submit Pre-Assessment Form to CMMC eMASS

Phase 2: Conducting the Assessment

Conducting a CMMC assessment involves a thorough evaluation of your organization's cybersecurity practices to ensure compliance with the required standards. During this phase we:

  • Examine evidence
  • Conduct interviews
  • Assess External Service Providers (ESPs) and Cloud Service Providers (CSPs)
  • Score Organizations Seeking Certification (OSC) practices and validate preliminary results
  • Conduct Quality Assurance review

Phase 3: Complete and Report Assessment Results

The following steps outline the process for reporting recommended assessment results and ensuring compliance.

  • Compile assessment results
  • Conduct Out-Brief Meeting to communicate assessment results
  • Upload assessment results to CMMC eMASS

Phase 4: Issue Certificate and Close Out POA&M (if necessary)

  • Generate and issue certificate of status (if applicable)
  • If necessary, perform a Plan of Action and Milestones (POA&M) close-out assessment and update assessment results

Enhance Assurance with Comprehensive CMMC Attestation Services

In addition, Cherry Bekaert offers organizations the ability to undergo an attestation to the CMMC Level 1 and Level 2 standard, NIST 800-171, for those seeking assurance beyond a self-assessment. These engagements can be performed individually or in conjunction with an existing SOC 2 audit (e.g., SOC 2+ NIST 800-171).

With proven experience navigating NIST SP 800-171 and related standards and our commitment to excellence, we are a trusted partner in guiding organizations towards CMMC certification. Our team is equipped to support your organization’s mission to meet DoD cybersecurity standards and secure valuable defense information.

Connect with Our CMMC Consultants

Our dedicated consultants are prepared to offer a personalized assessment to help you succeed in the CMMC certification process.

Preparing for Continuous CMMC Compliance and Monitoring CMMC Regulatory Updates

Preparing for continuous compliance with CMMC is an ongoing commitment that requires a proactive approach. It is important for companies to establish robust processes for annually assessing risk, reviewing controls and affirming continuous compliance with CMMC standards. This includes conducting regular audits and updates to reflect any changes in cybersecurity practices.

Cherry Bekaert's team consists of CMMC-certified assessors and practitioners with extensive information technology (IT) and cybersecurity leadership experience. We provide a comprehensive range of cybersecurity and risk mitigation services, assisting your company with continuous monitoring and periodic risk assessments. Our services are aligned with NIST 800-171 and other security frameworks to ensure compliance and consistently meet regulatory requirements.

“With our recent CMMC C3PAO reauthorization, Cherry Bekaert reaffirms our unwavering commitment to supporting our clients’ efforts to build trust through compliance and security. This achievement highlights our dedication to upholding the highest standards in cybersecurity. Together, we continue to drive client success and commitments in protecting and securing our Nation's critical supply chains.”
Kurt Manske
Partner | Information Assurance and Cybersecurity Leader

CMMC Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard for Department of Defense (DoD) acquisitions, aimed at securing the Defense Industrial Base (DIB) supply chain by increasing the protection of controlled unclassified information (CUI) and federal contract information (FCI) and implementing the NIST SP 800-171 rev. 2 security requirements. The CMMC Programmatic Rule, CFR 32 Part 170, was published to the Federal Register and went into effect on December 16, 2024.

The CMMC framework comprises three levels and may require an independent third-party certification by an accredited organization. The DoD plans to implement CMMC requirements in four phases over three years, mandating compliance from all DoD contractors bidding on contracts by the final phase.

CMMC Program requirements apply to all DoD contract and subcontract awardees that, in performance of a DoD contract, will process, store or transmit information that meets the standard for FCI and CUI on contractor information systems. CMMC requirements may also extend to private sector businesses that support defense contractors, including cloud service providers (CSPs) and external service providers (ESPs).

CMMC Program requirements can extend to private-sector businesses and other entities that support defense contractors, such as CSPs and ESPs.

A CSP is an external company offering cloud computing services as defined by NIST SP 800-145, Sept 2011. An ESP includes external personnel, technology, or facilities used by an organization to provide and manage IT and/or cybersecurity services. For an entity to be considered an ESP under the CMMC Program, Controlled Unclassified Information (CUI) or security protection data must be processed, stored or transmitted on the ESP's assets.

Learn more about the CMMC requirements for Cloud Service Providers.

The CMMC Program, CFR 32 Part 170, rule was published to the Federal Register and went into effect on December 16, 2024. CMMC will not be enforced in contracts until the acquisition rule, 48 CFR 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is finalized and published to the Federal Register. Once the acquisition rule goes into effect, there will be a phased implementation approach over three years to enforce the CMMC requirements. The acquisition rule is not expected to go into effect until mid-2025.

Once 48 CFR 252.204-7021 becomes effective, certain DoD contractors handling FCI and CUI will be required to achieve a CMMC Status at the applicable level as a condition of contract award. The level required for contract award will be specified within the contract solicitation.

[Graphic: CMMC Levels 1 through 3]

CMMC Level 1 (Self-Assessment): This level applies to contracts that involve only FCI. Contractors are required to conduct a self-assessment against the requirements specified in the FAR clause 52.204-21 to ensure compliance. The requirements focus on the basic safeguarding of FCI, excluding publicly available government-provided information and simple transactional data.

CMMC Level 2 (Self-Assessment or Certification): This level applies to contracts involving CUI. Compliance may be demonstrated through either a self-assessment or certification by third-party assessors. The level of assessment will be determined by the DoD or prime Contracting Officers. Entities must implement all NIST 800-171 security requirements to receive a CMMC Status of Final. POA&Ms are allowed for both self-assessments and third-party assessments; however, they must be remediated within 180 days of the CMMC Status Date.

CMMC Level 3 (Certification): This level applies to contracts requiring a higher level of protection against Advanced Persistent Threats (APT). The level of assessment will be determined by the DoD or prime Contracting Officers. Contractors with a Level 3 requirement will first be required to obtain a CMMC Status of Final Level 2 (C3PAO) based on the Level 3 scoping requirements. Then, the contractor will engage with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to perform a Level 3 assessment over the 24 select NIST 800-172 security requirements.

To assess the CMMC Level needed for your organization, you should consider the type of information you handle, and the requirements specified in your contracts. For instance, if your organization handles FCI, you will likely need to meet CMMC Level 1, which involves basic safeguarding of FCI. If you handle CUI, you will likely need to meet CMMC Level 2 (Self) at a minimum, which includes protecting CUI. For those managing CUI within the DoD’s highest priority programs, CMMC Level 3 may be required, which involves protecting CUI and reducing the risk of advanced persistent threats (APT). 

Ultimately, the CMMC Level required of your organization will be specified within the DoD solicitation. The applicable CMMC Level is determined by the DoD or prime Contracting Officers. However, by understanding the types and classification levels of the data your organization handles as a result of a DoD contract, you will be able to get ahead of the requirements before they become a contractual obligation. If you are a subcontractor, it is recommended that you reach out to the prime Contracting Officers to begin discussions on which CMMC Level they would require for your organization.

Our CMMC advisory professionals are available to help you determine the CMMC Level needed for your organization.

The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. The CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. Contractors should understand this phased approach and create a timeline to meet the requirements. This includes prioritizing affected contracts and ensuring all necessary certifications are in place.

Once the final acquisition rule becomes effective, where applicable, solicitations will require Level 1 or Level 2 self-assessments. One year after the acquisition rule's effective date, where applicable, solicitations will require Level 2 certification. Two years after the acquisition rule's effective date, where applicable, solicitations will require Level 3 certification. Beginning three years after the acquisition rule's effective date, all solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. In some procurements, the DoD may implement CMMC requirements in advance of the planned phase.

Non-compliance with CMMC requirements can have significant consequences for DoD contractors. Non-compliant contractors risk losing future business opportunities with the DoD, as CMMC certification will become a mandatory condition for contract awards. Ensuring compliance not only protects your current contracts but also positions your organization for continued success in the defense sector.

Our Professionals

Connect With Us

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Neal W. Beggan

Risk Advisory Services

Partner, Cherry Bekaert Advisory LLC

Dan Sembler

Advisory Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC

Contact Our CMMC Consultants