Everything You Need to Prepare for CMMC
Navigating the Cybersecurity Maturity Model Certification (CMMC) process is complex, but you don’t have to do it alone. As a Certified Third-Party Assessment Organization (C3PAO), Monarch ISC provides CMMC resources to help you move from uncertainty to certification with confidence.
Whether you are seeking to understand the CMMC framework, define your scope, or prepare for an official assessment, you will find expert-curated guidance and essential tools right here.
CMMC Basics: Understanding the Framework
Start here if you are new to the CMMC framework. A foundational understanding will make the rest of the CMMC checklist more effective:
Define Your Assessment Scope
Scoping is a critical part of your CMMC checklist. Before beginning the assessment process, clearly define the scope for your organization: which systems, users, and data fall under CMMC requirements. Doing this first saves time and reduces errors later. Choose your level:
Prepare for Your CMMC Assessment
This step includes guidance and tools for aligning with the specific expectations of Level 1, 2 or 3 certification:
Not sure if you’re ready for an official assessment? Request a readiness review to identify gaps before your official assessment.
Other Services
Monarch ISC is a Certified Third-Party Assessment Organization (C3PAO) supporting organizations across regulated industries with expert guidance for CMMC compliance. Whether you are preparing for assessment or need help identifying gaps, our team delivers practical, audit-ready support tailored to your environment.
See How We Can Help
Understanding Controlled Unclassified Information (CUI)
Proper handling of Controlled Unclassified Information is a core part of CMMC compliance. These official CMMC resources provide critical guidance on classification, marking, and handling:
Reporting Cyber Incidents: 72-Hour Rule
In the event of a cyber incident, the Department of Defense requires reporting within 72 hours. These links outline what you need to do:
- DFARS 252.204-7012 reporting requirements
- Report an incident via DIBNet Portal
- If you require access, apply for a Medium Assurance Certificate to use the portal
Find full reporting details and contact our knowledgeable staff with questions.
Cloud Security: What CMMC Requires
If your organization stores sensitive data in the cloud, these security controls must be validated to meet CMMC requirements. Add these CMMC resources to your checklist to avoid audit delays:
- FedRAMP Marketplace: Verify Cloud Solutions Provider (CSP) compliance
Microsoft environments such as 365 and Azure are commonly used in defense contracting. Ensure secure configuration and compliance, another critical item on your CMMC compliance checklist, by following the latest federal guidance on secure data storage:
Self-Attestation & SPRS Submissions
Before undergoing a formal assessment, some organizations must submit self-attestations through the Supplier Performance Risk System (SPRS). Regardless of CMMC Level or whether a C3PAO is used, every organization must annually re-attest to its compliance in SPRS.
If you need more guidance, explore more tools and official insights directly from the DoD:
If you are unsure whether self-attestation applies to you, Monarch ISC can help clarify the process. Reach out to request support.
FIPS Validated Cryptography
The most misunderstood CMMC practice is when FIPS-validated cryptographic modules are required for encryption. When do I need them? How do I figure out if FIPS mode is enabled? What products support FIPS?
First, read our blog post on FIPS Validated Encryption where we dig into the do’s and don’ts of encryption in CMMC. Then visit the NIST Cryptographic Module Validation Program (CMVP) where you can search to find your product.
Get Your CAGE Code Right
The Cyber AB and the people who run eMASS have relayed to us that using the wrong CAGE code, or the wrong hierarchy, is the top reason that CMMC assessment results do not flow through to SPRS. This means that after all your hard work, the DoD might still be unable to use your company if it can't find you in SPRS!
Take the time to validate that your CAGE code is active and identify the UEI number assigned to your organization. If you are part of a larger organization, the Highest Level Owner (HLO) CAGE code is also required:
- Check your SAM registration status and expiration date, UEI, and CAGE code
- If you need to renew or apply for a new CAGE code, do so at https://sam.gov/
Note that many sites will attempt to mislead you into paying a fee to renew or register your business. It's FREE! You can certainly elect to pay a company to register for you, but it is not needed. Once you are registered, your information is public data, so expect a lot of spam emails asking you to sign up for paid renewal services when your renewal comes around.