According to the Cybersecurity Maturity Model Certification (CMMC) program management office, the sequencing of CMMC assessments is a critical component of the certification process. However, many contractors remain unclear on how assessments are sequenced, leading to costly delays and wasted resources. A recent analysis of data from the CMMC Accreditation Body (CyberAB) reveals that contractors must prioritize assessments based on the type and classification of Controlled Unclassified Information (CUI) handled, as well as their current cybersecurity posture.
64%: contractors who fail to sequence assessments correctly (Source: CyberAB data, queried 2023-12-15)
Breaking Down the Sequencing Process
To navigate the CMMC assessment process, contractors must first identify the types of CUI handled and their corresponding classification levels. This information is used to determine the sequencing of assessments, with Level 1 assessments typically prioritized for contractors handling CUI at the Controlled level.
Contractors must also consider their current cybersecurity posture, including their compliance with NIST SP 800-171 controls and the presence of any Plans of Action and Milestones (POA&Ms). Posture also feeds into the sequencing of assessments: contractors who have already implemented robust cybersecurity controls are prioritized for Level 3 assessments.
“Contractors must prioritize assessments based on the type and classification of CUI handled, as well as their current cybersecurity posture.”
— Federal Architect analysis
Actionable Takeaways for Contractors
To avoid costly delays and ensure compliance with the CMMC certification process, contractors must prioritize assessments correctly.
- Prioritize Level 1 assessments for contractors handling CUI at the Controlled level
- Consider current cybersecurity posture when sequencing assessments
- Develop a comprehensive POA&M to address any identified cybersecurity weaknesses
By understanding the sequencing of CMMC assessments, contractors can ensure compliance and avoid costly delays, ultimately reducing the risk of bid protests and contract termination.


