System Assessments and Testing

Cyber Risk

CMMC Certification Preparedness Assessment

Kroll’s Cybersecurity Maturity Model Certification (CMMC) preparedness assessment leverages frontline expertise to examine an organizations’ maturity in accordance with its desired CMMC level and deliver actionable steps to satisfy DoD requirements.


Kroll has extensive experience assessing compliance with the underlying regulatory and cyber security frameworks that make up CMMC, having conducted hundreds of assessments based on NIST 800-171, 800-53, ISO 27002, and many others. We have a deep bench of experts with backgrounds in a variety of industries, law enforcement and governmental agencies who can assess compliance and assist organizations with determining what is reasonable for their organizations size and sectors.

Designed to provide additional assurance to the Department of Defense (DoD) that a Defense Industrial Base (DIB) contractor follows basic cyber hygiene and is able to protect controlled unclassified information (CUI) at a level commensurate with the size, type, and sensitivity of the contracts it bids on, the CMMC helps create justified confidence in DIB partners.

With over 300,000 businesses, non-profits, and academic institutions of all sizes conducting development, research, development, design, delivery and maintenance of military weapon systems the DIB represents a treasure trove to domestic and foreign cybercriminals. It is imperative that the DoD better understand the cyber security maturity level and overall resilience of its supply chain. 

CMMC Compliance in Five Levels

The latest version of the CMMC includes 171 controls divided across five distinct maturity levels, from basic cyber hygiene (level 1) to advanced/progressive (level 5), mostly geared toward protection of CUI from nation-state-level threats. Each level has specific controls that will be in scope for a CMMC audit.

DOD CMMC Certification Preparedness Assessment – Kroll

Kroll’s CMMC Certification Preparedness Assessment

While there is no current guidance on what official certifying organizations will use for CMMC assessments, it is commonly accepted the criteria will be based on the National Institute of Standards and Technology (NIST) requirements, a well-established government controls framework.  Kroll has conducted hundreds of NIST based assessments and understands that the initial focus ahead of a CMMC audit should be to assess your current state of compliance, determine your required level of future compliance and then prepare a clear, concise Plan of Actions & Milestones (POA&M) to meet that goal ahead of your audit. 

Evaluate Current Maturity and Develop Roadmap to Meet Desired CMMC Level Requirements

Once we understand your organizations’ goals and the level of maturity needed for its DoD work, our cyber risk experts:

  • Request and review relevant IT security policies, procedures and technical documents
  • Conduct interviews with key business and technology stakeholders
  • Review workflows involving Controlled Unclassified Information (CUI)
  • Assess access controls and processes for systems handling CUI data
  • Review the entire lifecycle of CUI data in all its forms (physical and electronic)

Finally, our team identifies gaps in critical security controls according to your desired CMMC maturity level for each of the 17 domains and creates clear instructions for both improving your security posture and meeting CMMC requirements:

  • Access Control
  • Asset Management
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • Systems and Communication Protection
  • Systems and Information Integrity


CMMC Breakdown: People, Process and Technology

An organization aiming at high levels of CMMC compliance must understand its scope and responsibilities go far beyond the information security and IT teams. Once the CMMC Certification Preparedness Assessment is complete, your team is able to easily map each of the  controls in your desired maturity level to its owner group, which will help streamline implementation ahead of the audit. Control owners can be segmented by:

  • Administrative (for policies, standards and procedures)
  • Technical configurations (likely owned by information security or IT)
  • Software solutions
  • Hardware solutions
  • Tasks assigned to information security team
  • Tasks assigned to IT team
  • Tasks assigned to application or process owner
  • Configuration, software, or outsourced solution


Toward a Stronger Defense Industrial Base

As the DoD transitions to the CMMC, DIB contractors will be forced to internalize cyber security across the entire organization, a shift long overdue for most. Regardless of your existing maturity level or the standards currently adopted by your team, our experts can help you prepare for the CMMC. Talk to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.

/en/services/cyber-risk/assessments-testing/cmmc-certification-preparedness-assessment /-/media/feature/services/cyber-risk/assessments-testing-desktop-banner.jpg service

System Assessments and Testing

Contact Us

Other Areas We Can Help

Cyber Risk

Cyber Risk

Global, end-to-end cyber risk solutions.

Cyber Risk
Incident Response and Litigation Support

Cyber Litigation Support

Expert witnesses on any cyber topic including forensic data collection and analysis.

Cyber Litigation Support
Kroll Responder

Kroll Responder

Mature your cyber security with unparalleled visibility and constant protection.

Kroll Responder
Cyber Risk Retainers

Cyber Risk Retainers

Secure a true cyber risk retainer with elite digital forensics and incident response capabilities.

Cyber Risk Retainers



ALM Intelligence Pacesetter Research – Cybersecurity Services 2020


Kroll Ransomware Attack Trends – 2020 YTD


CVE-2020-1472 (Zerologon) Exploit Detection Cheat Sheet


CVE-2020-1472: Microsoft Releases Unusual Two-Phase Patch to Enforce Secure RPC