How to Develop a CMMC Security Plan: The 5 Step Guide

The Cybersecurity Maturity Model Certification (CMMC) framework is designed to make sure that companies that work with the Department of Defense (DoD) supply chain have appropriate cybersecurity measures in place. In order to meet CMMC requirements, manufacturing companies are required to create and execute a comprehensive security plan that encompasses all relevant CMMC controls.

The security plan must cover all systems, networks, and assets involved in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), whether those systems are owned or operated by the company itself or by a third-party service provider. Failure to comply with CMMC requirements can result in the loss of DoD contracts, fines, and reputational damage.

Developing a CMMC security plan can be a complex process, but it is critical for companies that wish to continue doing business with the DoD.

In this article, we will provide a step-by-step guide to help companies develop a comprehensive CMMC security plan that meets all applicable requirements. We will also provide a template that companies can use to document their plan and ensure that all necessary information is included.

What is CMMC and is it a Requirement?

The CMMC framework is designed to ensure that companies that do business with the DoD implement security controls to protect CUI and FCI. These controls are based on best practices from various cybersecurity frameworks, including NIST SP 800-171 and ISO 27001. With that in mind, if you’re in the DoD supply chain, CMMC compliance will become a requirement for your business.

Effective as of January 1, 2020, CMMC requirements have started to be included in requests for proposals for DoD contracts. This means that companies that do business with the DoD need to be certified to the appropriate level of CMMC to be eligible for contract awards. The DoD has indicated that CMMC will be rolled out over a five-year period, with all new contracts requiring certification by 2026.

What are the Five Levels of CMMC?

CMMC is a tiered certification program, with five levels of certification that measure an organization’s maturity in cybersecurity practices. Each level requires compliance with a set of controls, with higher levels requiring more advanced security controls and processes.

Level 1 – Basic Cyber Hygiene: This level is the entry point for the CMMC and requires an organization to have basic cybersecurity measures in place to protect Federal Contract Information (FCI). This includes the implementation of 17 basic cyber hygiene controls that are derived from NIST SP 800-171. Examples of these controls include the use of antivirus software, the creation of user accounts with strong passwords, and regular security awareness training for employees.

Level 2 – Intermediate Cyber Hygiene: At this level, an organization is required to have an institutionalized management plan for cybersecurity that includes the implementation of 93 controls. These controls include requirements for the review of policies and procedures, the creation of an incident response plan, and the implementation of access control management. This level is designed to protect CUI.

Level 3 – Good Cyber Hygiene: This level requires an organization to have a comprehensive and standardized cybersecurity program in place and will be based on a subset of NIST SP 800-172 requirements. This level is designed to protect CUI.

Level 4 – Proactive: At this level, an organization is required to have a proactive approach to cybersecurity that includes advanced threat intelligence, continuous monitoring of networks and systems, and regular vulnerability assessments. The controls at this level are focused on protecting CUI and other sensitive government information.

Level 5 – Advanced/Progressive: This level is the highest level of the CMMC and requires an organization to have an advanced and sophisticated approach to cybersecurity. The controls at this level are focused on protecting CUI and other sensitive government information from the most advanced and persistent cyber threats.

It’s important to note that the level of certification required for a particular contract will depend on the type of information being handled and the risks associated with that information. Companies should carefully review the requirements of each level and determine which level is appropriate for their organization based on their specific business needs and cybersecurity risks.

The 5 Step CMMC Security Plan Template

There are 5 steps to ensuring that you have a robust CMMC security plan: scoping the plan, performing a risk assessment, identifying and implementing security controls, developing an incident response plan, and implementing compliance monitoring and review.

Step 1: Scope the Plan

The first step in developing a CMMC security plan is to scope it. Companies should begin by conducting a thorough inventory of all systems, networks, and assets that are involved in the handling of CUI or FCI. This should include both physical and virtual assets, such as servers, workstations, laptops, mobile devices, and cloud-based systems.

Once the inventory is complete, companies should map the flow of CUI or FCI through their systems and networks. This will help to identify all touchpoints where security controls must be implemented to protect the information.

It is important to note that scoping the plan is an ongoing process. As new systems, networks, and assets are added to the environment, the plan must be updated to ensure that all applicable controls are in place.

Step 2: Perform a Risk Assessment

The risk assessment should consider both internal and external threats, including threats from malicious insiders, hackers, and other external actors. It should also consider the potential impact of each risk on the confidentiality, integrity, and availability of CUI or FCI.

To perform a risk assessment, companies should begin by identifying all potential threats to CUI or FCI. This could include threats such as phishing attacks, malware infections, and unauthorized access to systems or networks. Once the threats have been identified, the company should evaluate the likelihood and potential impact of each threat.

After evaluating the risks, companies should develop a risk management plan that outlines the steps they will take to mitigate or eliminate each identified risk. This plan should include a prioritization of the risks based on their likelihood and potential impact, as well as a timeline for implementing the necessary security controls.

Step 3: Identify and Implement Security Controls

To identify the appropriate security controls, companies should review the CMMC framework and identify the controls that are applicable to their systems and networks. The controls should be selected based on the results of the risk assessment, as well as any other relevant factors, such as industry best practices.

Once the appropriate controls have been identified, companies should begin implementing them in their environment. This may involve deploying new software or hardware, configuring existing systems and networks, and training employees on new security protocols.

Step 4: Develop an Incident Response Plan

An incident response plan should include procedures for detecting, reporting, and responding to security incidents. It should also outline the roles and responsibilities of each member of the incident response team, as well as procedures for communicating with stakeholders, such as customers, vendors, and regulatory agencies.

To develop an incident response plan, companies should begin by identifying the types of security incidents that are most likely to occur in their environment. Once the potential incidents have been identified, companies should develop a plan to respond to each incident. This plan should include steps for containing the incident, mitigating the damage, and restoring normal operations.

Step 5: Implement Compliance Monitoring and Review

Compliance monitoring and review should be performed regularly to ensure that the security controls are operating effectively and that the company remains in compliance with CMMC requirements. This may involve conducting regular audits, vulnerability scans, and penetration tests.

Regular compliance monitoring and review can help companies identify areas where security controls are not working effectively, and take corrective action to address any deficiencies. This can help to minimize the risk of a security breach and ensure that the confidentiality, integrity, and availability of CUI or FCI are protected.

In addition to monitoring and review, companies should also ensure that their security controls and incident response plan are regularly updated to reflect changes in the environment or emerging threats. This may involve deploying new security technologies, updating policies and procedures, and providing additional training to employees.


Developing a comprehensive CMMC security plan is essential for any organization that handles CUI or FCI. The five steps outlined in this article provide a framework for developing a plan that meets CMMC requirements and protects the confidentiality, integrity, and availability of sensitive data.

An IT team can play a critical role in helping a manufacturing company become CMMC compliant. Given that the CMMC framework is focused on cybersecurity and the protection of sensitive government information, IT professionals are often the most knowledgeable and experienced when it comes to implementing the technical controls and security measures required by the CMMC.

Sabre IT Solutions has been providing IT services to industrial and commercial businesses since 1998. Our sister company Sabre Limited is expert in manufacturing ERP systems, and as such we understand supply chains like few other IT businesses. If you want to learn more about our manufacturing Managed Services Offerings or just find out more about what we can offer, don’t hesitate to reach us at 226-336-6259 or contact us at itsales@sabrelimited.com today.