How to Prepare for CMMC Certification and Strengthen Cybersecurity

by QT9 Software on November 04, 2025
If you’ve heard, “We can’t award the PO until your CMMC status shows up in SPRS,” you already know how real the pressure is for defense suppliers and contractors.
The Cybersecurity Maturity Model Certification (CMMC) is reshaping how the Department of Defense (DoD) ensures its supply chain protects sensitive data. For QT9 Software customers, understanding how to address CMMC readiness is essential to maintaining compliance and earning future defense work, especially since Phase 1 enforcement begins November 10, 2025.
In a recent QT9 Q-CAST episode, QT9 spoke with Rhia Dancel, Senior Manager of Information Security at NSF, to demystify CMMC and share what businesses can do to prepare.
Why CMMC was created
Before CMMC, DoD contractors self-attested compliance with NIST 800-171, a set of cybersecurity guidelines from the U.S. National Institute of Standards and Technology for protecting Controlled Unclassified Information (CUI) in non-federal systems. Unfortunately, many lacked verification data.
As Dancel noted, while intentions may have been sound, good intentions do not equate to secure. CMMC was created to fix that gap by introducing third-party validation.
With CMMC, each organization must demonstrate cybersecurity maturity through documented evidence and certified assessments. CMMC ensures that organizations handling government data can prove their systems and processes are secure.
The three levels of CMMC certification are:
1. Level 1: Basic safeguarding
Focus: 15 foundational cybersecurity controls
Applies to: Companies handling Federal Contract Information (FCI)
2. Level 2: Advanced
Focus: Aligns with NIST 800-171; includes all 320 assessment objectives
Applies to: Companies handling Controlled Unclassified Information (CUI)
3. Level 3: Expert
Focus: Adds NIST 800-172 protections for advanced persistent threats (APTs)
Applies to: High-priority defense programs; assessed by Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Most QT9 customers working in defense, life sciences or manufacturing likely fall under Level 1 or Level 2, depending on the type of information managed.
Who needs CMMC certification?
Any contractor, subcontractor or supplier in the U.S. Department of Defense supply chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be CMMC compliant. This includes companies of all sizes, from prime contractors to small businesses and even cloud service providers that process or store this data.
Major primes (think Boeing or Lockheed Martin) are already flowing down CMMC requirements to their suppliers, said Dancel. By 2028, every new DoD contract will require CMMC compliance.
Two federal rules define this rollout:
- 32 CFR, Part 170: Implements the CMMC framework
- 48 CFR: Makes CMMC a contractual requirement starting November 10, 2025
How to prepare for CMMC compliance
CMMC readiness takes planning, documentation and structure. Dancel recommends beginning preparations now, before the 48 CFR rule drives up demand for certified assessors.
Here’s a five-step starting point:
1. Conduct a self-assessment
Review your practices against NIST 800-171 controls to identify and document security gaps.
2. Build a System Security Plan (SSP)
Your SSP should describe how each control is implemented and how data is protected.
3. Create a network diagram and asset inventory
Define the systems, software and hardware that process or store FCI or CUI. Make sure the documentation aligns across all sources.
4. Document everything
“If it’s not documented, it didn’t happen,” says Dancel. Even informal practices must be recorded and supported with evidence.
5. Engage a Certified Third-Party Assessment Organization (C3PAO)
Schedule a mock assessment or readiness review with an approved C3PAO like NSF to verify that you’re ready for an official audit.
How long should CMMC readiness take?
Even if you don’t handle CUI, completing a Level 1 self-assessment helps demonstrate a mature cybersecurity posture. It signals trust to partners, primes and customers across regulated markets.
QT9’s Quality Management System (QMS) and Enterprise Resource Planning (ERP) solutions already help companies document, track and manage compliance tasks seamlessly, supporting the same documentation discipline required under CMMC.
The bottom line
CMMC is all about making sure sensitive information is protected.
For QT9 customers, the best steps now are to understand their data – FCI or CUI – and prepare detailed documentation and evidence of security controls. And, as Dancel notes, engage with a C3PAO before assessment demand peaks.
Failing to meet your CMMC level may make you ineligible for contracts associated with the DoD. Preparing now means your organization will be ready when, perhaps, your competitors are not.
FAQs: Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to strengthen cybersecurity across the defense supply chain. It ensures contractors can protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). QT9 customers may be affected if they contract with defense primes or handle sensitive federal data.
Any prime contractor or subcontractor that stores, processes or transmits FCI or CUI must comply with the appropriate CMMC level. Even suppliers indirectly connected to defense projects could have requirements passed down through subcontract agreements.
The 48 CFR rule integrating CMMC into defense contracts takes effect November 10, 2025. A phased rollout continues through 2028, when all new defense contracts will include CMMC requirements.
Level 1: Basic cybersecurity safeguards for handling FCI
Level 2: Advanced controls aligned with NIST 800-171 for handling CUI
Level 3: Expert protections aligned with NIST 800-172, addressing advanced threats
Assessors will review three key documents:
- System Security Plan (SSP)
- Network Diagram
- Asset Inventory
These define your cybersecurity scope and demonstrate how controls are implemented. Inconsistencies among these documents can delay assessment.
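The "make sure the documentation aligns across all sources" step above, and the warning here that inconsistencies among the SSP, network diagram and asset inventory delay an assessment, can be checked mechanically before the assessor does it for you. The script below is an added example, not QT9's or NSF's tooling: it loads the three documents from simple export formats (a CSV inventory, a "source -> destination" edge list for the diagram, and a list of hostnames the SSP describes), then reports every system the documents disagree about, with CUI-handling assets that the SSP does not cover called out as the most important gap. The sample data, the export formats and the asset category labels used in the inventory column are assumptions constructed for the example.

```python
"""Consistency check across the three CMMC scoping documents.

Added example, not QT9's or NSF's tooling. The asset inventory (CSV), the
network diagram (edge list) and the SSP asset list below are constructed
sample data; the loaders assume those simple export formats.
"""
import csv
import io

# Constructed asset inventory export: hostname, asset category, handles_cui
INVENTORY_CSV = """hostname,category,handles_cui
erp-app-01,CUI Asset,yes
fileshare-01,CUI Asset,yes
siem-01,Security Protection Asset,no
hr-laptop-07,Out-of-Scope Asset,no
cad-ws-03,CUI Asset,yes
"""

# Constructed network diagram export: one "source -> destination" edge per line
DIAGRAM_EDGES = """erp-app-01 -> fileshare-01
siem-01 -> erp-app-01
hr-laptop-07 -> erp-app-01
legacy-ftp-01 -> fileshare-01
"""

# Constructed list of systems the SSP describes, one hostname per line
SSP_ASSETS_TXT = """erp-app-01
siem-01
hr-laptop-07
legacy-ftp-01
"""


def load_inventory(text):
    """Return {hostname: (category, handles_cui)} from the CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["hostname"].strip(): (r["category"].strip(),
                                    r["handles_cui"].strip().lower() == "yes")
            for r in rows}


def load_diagram_nodes(text):
    """Collect every hostname that appears as an endpoint of a diagram edge."""
    nodes = set()
    for line in text.splitlines():
        if "->" not in line:
            continue
        src, dst = (p.strip() for p in line.split("->", 1))
        nodes.update({src, dst})
    return nodes


def load_ssp_assets(text):
    """One hostname per non-empty line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_scope_consistency(inventory, diagram_nodes, ssp_assets):
    """Report where the three documents disagree about what is in scope."""
    inv_names = set(inventory)
    in_scope = {h for h, (cat, _) in inventory.items()
                if cat != "Out-of-Scope Asset"}
    cui = {h for h, (_, handles) in inventory.items() if handles}
    return {
        # In-scope systems the diagram does not show
        "inscope_missing_from_diagram": sorted(in_scope - diagram_nodes),
        # In-scope systems the SSP does not describe
        "inscope_missing_from_ssp": sorted(in_scope - ssp_assets),
        # Systems drawn or described but absent from the inventory
        "diagram_not_in_inventory": sorted(diagram_nodes - inv_names),
        "ssp_not_in_inventory": sorted(ssp_assets - inv_names),
        # CUI-handling assets with no SSP coverage: the highest-priority gap
        "cui_assets_without_ssp_coverage": sorted(cui - ssp_assets),
    }


def run_check():
    """Run the check over the constructed sample documents."""
    return check_scope_consistency(load_inventory(INVENTORY_CSV),
                                   load_diagram_nodes(DIAGRAM_EDGES),
                                   load_ssp_assets(SSP_ASSETS_TXT))


if __name__ == "__main__":
    for finding, hosts in run_check().items():
        print(f"{finding}: {', '.join(hosts) if hosts else 'none'}")
```

Run against the sample data, the check flags `cad-ws-03` as missing from the diagram, both `cad-ws-03` and `fileshare-01` as CUI assets with no SSP coverage, and `legacy-ftp-01` as a system that the diagram and SSP mention but the inventory has never recorded. Each of those is exactly the kind of mismatch an assessor would ask about, and the report is easy to re-run whenever any of the three documents changes.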
QT9’s QMS platforms make compliance documentation easier. Customers can:
- Maintain revision-controlled cybersecurity and training records
- Manage audit trails for assessments
- Store security procedures, supplier documentation, and evidence of compliance
By using QT9’s integrated tools, teams can efficiently document and demonstrate compliance readiness.
A C3PAO (Certified Third-Party Assessment Organization) performs official CMMC assessments and issues certifications. Consultants can help organizations prepare for assessments but cannot perform or approve them.
No. Commercial off-the-shelf (COTS) products, like unmodified software purchased from a retailer, are excluded from CMMC. However, companies using or integrating those products into systems that handle CUI may still fall under CMMC requirements.
Use the FedRAMP Marketplace to verify that your cloud provider is listed as FedRAMP Moderate or FedRAMP Equivalent. These providers already meet many of the same controls required under CMMC Level 2.
Now. Demand for certified assessors will spike once the 48 CFR rule takes effect. Beginning early ensures you can complete documentation, conduct mock audits and schedule assessments before backlogs form.