CMMC Preparedness Assessment

Kroll’s Cybersecurity Maturity Model Certification (CMMC) preparedness assessment leverages frontline expertise to examine organizations’ maturity in accordance with its desired CMMC level and deliver actionable steps to satisfy U.S. Department of Defense (DoD) requirements.

Contact Cyber Experts
/en/services/cyber-risk/assessments-testing/cmmc-certification-preparedness-assessment service

Kroll has extensive experience assessing compliance with the underlying regulatory and cyber security frameworks that make up CMMC, having conducted hundreds of assessments based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, 800-53, ISO 27002 and many others. We have a deep bench of experts with backgrounds in a variety of industries, including law enforcement and governmental agencies, that can assess compliance and assist organizations with determining what is reasonable for their organization’s size and sector.

Designed to provide additional assurance to the DoD that a Defense Industrial Base (DIB) contractor follows basic cyber hygiene and is able to protect controlled unclassified information (CUI) at a level commensurate with the size, type and sensitivity of the contracts it bids on, the CMMC helps create justified confidence in DIB partners.

With over 300,000 businesses, non-profits and academic institutions of all sizes conducting development, research, development, design, delivery and maintenance of military weapon systems, the DIB represents a treasure trove to domestic and foreign cybercriminals. It is imperative that the DoD better understand the cyber security maturity level and overall resilience of its supply chain.

CMMC 2.0

Version 2.0 of the CMMC offers three maturity levels, reduced from version 1.0’s five levels, for DIB contractors. Maturity Level 1 covers 17 practices, just as the previous version of the framework did. Organizations will be able to self-assess at Maturity Level 1. Maturity Level 2 focuses on the 110 controls from NIST SP 800-171. Third-party assessors will conduct assessments at this level, while certain exceptions will allow some organizations to self-assess at Level 2 as well. Maturity Level 3 will be based on NIST SP 800-172, and government-led technical assessments will be required. In a departure, CMMC 2.0 removes entirely the maturity processes that were previously required above Maturity Level 1.

Kroll’s CMMC Preparedness Assessment

Kroll has conducted hundreds of NIST-based assessments and understands that the initial focus ahead of a CMMC audit should be to assess your current state of compliance, determine your required level of future compliance and then prepare clear, concise plan of actions and milestones (POA&M) to meet that goal ahead of your audit. 

Evaluate Current Maturity and Develop Roadmap to Meet Desired CMMC Level Requirements

Once we understand your organization’s goals and the level of maturity needed for its DoD work, our cyber risk experts will:

  • Request and review relevant IT security policies, procedures and technical documents
  • Conduct interviews with key business and technology stakeholders
  • Review workflows involving CUI
  • Assess access controls and processes for systems handling CUI data
  • Review the entire lifecycle of CUI data in all its forms (physical and electronic)

Finally, our team identifies gaps in critical security controls according to your desired CMMC maturity level, organized by the appropriate domains or families, along with clear recommendations for both improving your security posture and meeting CMMC requirements. Our deliverables for a Maturity Level 2 assessment are organized using the NIST SP 800-171 families:

  • Access control
  • Audit and accountability
  • Awareness and training
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personnel security
  • Physical protection
  • Risk management
  • Security assessment
  • Systems and communication protection
  • Systems and information integrity

CMMC Breakdown: People, Process and Technology

An organization aiming at high levels of CMMC compliance must understand its scope and responsibilities go far beyond the information security and IT teams. Once the CMMC Preparedness Assessment is complete, your team is able to easily map each of the controls in your desired maturity level to its owner group, which will help streamline implementation ahead of the audit. Control owners can be segmented by:

  • Administrative (for policies, standards and procedures)
  • Technical configurations (likely owned by information security or IT)
  • Software solutions
  • Hardware solutions
  • Tasks assigned to the information security team
  • Tasks assigned to the IT team
  • Tasks assigned to the application or process owner
  • Configuration, software or outsourced solution

Toward a Stronger Defense Industrial Base

As the DoD updates the CMMC, DIB contractors must internalize cyber security across the entire organization. Regardless of your existing maturity level or the standards currently adopted by your team, our experts can help you prepare for the CMMC. In addition to assistance with the CMMC, our highly trained information security professionals offer penetration testing, cloud security assessments and vCISO services. Talk to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.

Connect with us

Keith Novak
Keith L Novak
Managing Director
Cyber Risk
New York
Steve Scarince
Steve Scarince
Associate Managing Director
Cyber Risk
Los Angeles
Yvette Gabrielian
Yvette Gabrielian
Data Insights and Forensics
Los Angeles
Samuel Jacobs is Associate Managing Director with the Cyber Risk practice of Kroll, a division of Duff & Phelps, based in Washington, D.C.
Samuel P. Jacobs
Associate Managing Director
Cyber Risk
Washington D.C.

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Comprehensive investment banking, corporate finance, restructuring and insolvency services to investors, asset managers, companies and lenders.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.


Q4 2021 Threat Landscape: Software Exploits Abound

Feb 16, 2022

by Keith WojcieszekLaurie Iacono George Glass


ALM Intelligence Pacesetter Research – Cybersecurity Services 2020

Oct 28, 2020

by Jason N. SmolanoffAndrew BeckettMarc Brawner


Kroll Ransomware Attack Trends – 2020 YTD

Oct 06, 2020

by Devon AckermanKeith Wojcieszek Laurie Iacono


CVE-2020-1472 (Zerologon) Exploit Detection Cheat Sheet

Oct 22, 2020

by William Rimington Carlos Garcia, Simone Marinari, Roman Guillermo

Press Release

Gartner Names Kroll a Representative Vendor for Managed Security Incident and Event Management

Jan 09, 2023

Press Release

Kroll Expands Partnership with CrowdStrike for Advanced Cybersecurity Offerings

Nov 10, 2022

Press Release

Kroll Adds Complimentary $1 Million Incident Protection Warranty to Managed Detection and Response (MDR) Service

Oct 26, 2022


Chief Financial Officers Ignoring Cyber Risk Worth Millions of Dollars According to Kroll Report

Sep 13, 2022


A Kroll Data Breach Masterclass: 6 Key Mistakes Organizations Must Avoid

In-Person Feb 02, 2023 | in-person


Q4 2022 Threat Landscape Virtual Briefing: Tech. and Manufacturing Targeted As Ransomware Peaks for 2022

Online Event Feb 15 - Feb 16, 2023 | Online Event