A self-paced toolkit for DoD contractors and subcontractors — with the gap assessment tools, SSP templates, policy documents, and readiness guidance your team needs to build your CMMC Level 1 or Level 2 compliance program internally, without outsourcing the work to a consultant.
Full-service consulting engagements can cost substantially more than a self-directed toolkit, depending on scope, organization size, current readiness, technical complexity, documentation maturity, and implementation needs. This kit gives DoD contractors and subcontractors a lower-cost alternative they can start immediately and manage internally.
A self-directed toolkit costs substantially less than a full-service consulting engagement. Many contractors use structured templates and trackers to build their own program internally and reduce what they eventually need outside help for. Actual consulting costs vary by scope, size, and readiness.
The kit is a digital download. Your team can access all tools, templates, and materials immediately after purchase — no waiting for a contract to be scoped, signed, or staffed.
SSP template, gap assessment tool, POAM template, cybersecurity policy templates, and a phase-by-phase roadmap — organized so your team can build required documentation and track progress without starting from a blank page.
A phase-by-phase implementation roadmap guides your team from gap assessment through documentation, policy development, evidence organization, and readiness confirmation — without needing outside help to know what to do next.
CMMC 2.0 is a DoD framework built into acquisition regulations — not a voluntary certification. Organizations subject to a CMMC requirement in an applicable DoD solicitation, contract, task order, delivery order, or subcontract must maintain the required CMMC status to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC applicability depends on the specific contractual requirement, the information handled, and the required CMMC level. Requirements are being phased into DoD contracts over time.
The Washington Process Group CMMC Level 1 & Level 2 Readiness Kit gives your organization the structured tools and templates to build your documentation, policies, and compliance structure independently — so you are ready when an assessment comes.
Full NameCybersecurity Maturity Model Certification (CMMC) 2.0
Issuing AuthorityU.S. Department of Defense (DoD)
Current VersionCMMC 2.0 (implementation began November 10, 2025)
BasisNIST SP 800-171 (Level 2); NIST SP 800-172 (Level 3)
Who It Applies ToOrganizations in the DoD supply chain handling FCI or CUI
Result SubmissionSupplier Performance Risk System (SPRS)
Your required CMMC level is determined by the type of information your organization handles and will be specified in applicable DoD RFPs and contracts.
Annual self-assessment for contractors that handle Federal Contract Information. Focuses on 17 basic cybersecurity practices aligned to FAR Clause 52.204-21.
For organizations handling CUI. Requires implementation of all 110 practices from NIST SP 800-171. Depending on the applicable contract requirement, Level 2 may require a self-assessment or a triennial third-party (C3PAO) certification assessment.
For organizations supporting the most sensitive DoD programs. Based on a subset of NIST SP 800-172 practices above the Level 2 baseline.
DoD is implementing CMMC through a phased rollout. The required CMMC level and assessment type depend on each solicitation, contract, or subcontract and the applicable flow-down requirements. Some Level 2 requirements may require a C3PAO assessment, while others may permit self-assessment depending on the specific contract.
Organizations handling FCI or CUI should begin organizing documentation and evidence — SSP, POA&M, policies, procedures, and assessment records — before requirements appear in applicable opportunities. Starting early gives your team more room to organize gaps, evidence, and documentation without pressure.
The kit supports readiness preparation but does not determine contractual applicability and does not guarantee compliance, certification, assessment success, or contract eligibility.
Subcontractors: If your prime contractor flows CMMC requirements down, applicable obligations may extend to your organization. Review your subcontract and applicable flow-down requirements to confirm your scope.
Organizations should review their specific contract requirements and seek appropriate legal, contractual, cybersecurity, or assessment guidance when necessary.
This is not a consulting engagement. No project manager is assigned, no consultant writes your SSP, and there is no managed delivery. The kit is a self-directed resource — structured so your team runs the gap assessment, builds required documentation, and manages the process at your own pace, with a clear roadmap that does not require outside help to follow.
Structured templates, gap assessment tools, an SSP framework, a POAM template, policy templates, and a step-by-step implementation roadmap — organized for your team to customize and apply.
Run the gap assessment, customize the documentation to your environment, build out your SSP, close your POAM items, and prepare your evidence package — with the kit as your guide throughout.
The CMMC Level 1 & Level 2 Readiness Kit is for organizations that want to build their compliance program independently — with the right tools and structure, not a third party doing the work for them.
Your contracts involve Federal Contract Information and you need to meet Level 1 requirements. The kit gives you the assessment tool, readiness checklist, and documentation structure to work through the 17 Level 1 practices internally.
Your contracts involve Controlled Unclassified Information and you need the documentation structure to build a Level 2-ready program internally — SSP, POAM, policies, and evidence — on your own timeline.
You are a small or mid-size contractor preparing for Level 1 or Level 2 requirements and need a practical, structured approach your team can work through without the overhead of a large consulting engagement.
Your prime contractor is flowing Level 1 or Level 2 CMMC requirements down and you need to understand your scope, build the required documentation, and meet the applicable level independently.
You have not yet built a formal cybersecurity program and need a clear Level 1 or Level 2 starting point — documented policies, a system security plan template, and a structured roadmap your team can follow.
You have an upcoming Level 2 third-party assessment and need to close documented gaps, organize your evidence, and confirm your SSP and POAM are in assessor-ready condition.
The CMMC Level 1 & Level 2 Readiness Kit includes structured tools and templates organized around the full readiness process — from gap assessment through evidence organization and assessment preparation.
Mapped to all 110 NIST SP 800-171 practices across all 14 domains. Run the assessment yourself to identify what is implemented, partially implemented, or not yet in place.
A structured checklist covering Level 1 and Level 2 practices — organized so your team can track readiness status across each domain without starting from scratch.
Structured for assessor review and aligned to NIST SP 800-171 requirements. Your team customizes it to describe how each practice is implemented in your specific environment.
Documents gaps identified in the assessment with milestones and responsible owners. Required for Level 2 and reviewed by assessors as part of the assessment process.
Core policies and procedures aligned to CMMC practice families, ready for your team to customize. Covers access control, incident response, media protection, configuration management, and more.
A phase-by-phase roadmap aligned to Level 1 and Level 2 requirements. Gives your team a logical sequence for working through gap closure, documentation, and assessment preparation.
Practical guidance for identifying, organizing, and labeling evidence that supports each practice. Helps your team build an evidence package that meets assessor expectations.
This product is a self-paced DIY kit and does not include ongoing support. Paid advisory services are available separately if additional guidance is needed.
The kit is organized around a logical progression. Your team works through each step using the included tools — at your own pace, on your own schedule.
Identify which CMMC level applies based on your contracts and the type of information you handle. Review existing contracts for CUI handling clauses and FCI obligations. Your required level is specified in applicable DoD RFPs — this step confirms your scope before you run the assessment.
Use the included gap assessment tool — mapped to all 110 NIST SP 800-171 practices across all 14 domains — to document what your organization currently has implemented, what is partially in place, and what still needs to be addressed. This becomes the basis for your POAM.
Using the SSP template, document how each required practice is implemented in your specific environment. The SSP is the primary artifact assessors review. Work through each practice domain systematically, customizing the template language to accurately describe your environment and controls.
Apply the policy and procedure templates to your organization, customizing each document to reflect your actual practices. Populate the POAM template with gaps identified during the assessment, assign owners, and set target completion dates for each item.
Work through your POAM to address identified gaps — technical changes, policy updates, configuration management, and access control measures. Use the evidence organization guidance to collect and label artifacts that demonstrate each practice is in place. Evidence quality matters as much as what you have implemented.
Use the readiness checklist to confirm all required documentation is complete before engaging an assessor or submitting your SPRS score. Level 1: Complete the required self-assessment, submit the assessment results in SPRS, and have the organization’s Affirming Official submit the required affirmation. Level 2: complete the assessment type required by the applicable solicitation or contract. Depending on the specific requirement, this may involve a Level 2 self-assessment or a C3PAO certification assessment.
Why CMMC Readiness Matters
Contract Eligibility — Without the required CMMC level, your organization cannot compete for or be awarded applicable DoD contracts.
Flow-Down Requirements — Prime contractors must flow applicable CMMC requirements to subcontractors when the subcontract involves FCI or CUI and includes a required CMMC level. Review the specific terms flowed down to confirm what applies to your organization.
Documentation Is Reviewed — Assessors examine your SSP, policies, and evidence. Incomplete or informal documentation is a finding — not a minor gap.
SPRS Score Visibility — Where a self-assessment score is submitted to SPRS, it may be visible to contracting officers and can factor into contracting decisions.
Time to Implement — Organizations that underestimate how long this takes often face contract pressure with insufficient runway. Starting early with a structured kit gives your team more room to work.
CMMC 2.0 implementation began November 10, 2025. Requirements are being phased into DoD contracts across the supply chain. Organizations that are not prepared risk losing contract eligibility and failing required assessments.
Organizations that wait until a contract requires CMMC typically underestimate how long gap closure and documentation take. Starting before contract pressure arrives gives your team the runway to do the work right.
Book a Paid Advisory CallThe CMMC Level 1 & Level 2 Readiness Kit is a self-directed resource. It is not a consulting service, a managed implementation program, or a done-for-you delivery. If your organization needs active expert involvement at key milestones, optional advisory support is available separately — but the kit itself is designed for internal use by your team.
There is no project manager or CMMC consultant managing your account. Your team owns the process and drives the timeline using the kit tools.
The kit provides templates and structure. Your team writes the content, customizing the SSP, POAM, and policies to accurately reflect your organization's environment and controls.
The kit does not include live advisory or review sessions. Paid advisory services are available separately if additional guidance is needed.
Washington Process Group does not coordinate with C3PAOs on your behalf. Engaging an assessment body for Level 2 is your organization's responsibility.
Most contractors that use this kit do not start by hiring outside help. They start by building what they can internally — then assess what, if anything, still requires expert involvement.
Full-service consulting can cost substantially more than a self-directed toolkit, and actual costs vary widely by scope, organization size, and current readiness. Running the gap assessment internally first gives your organization a clearer picture of your position before committing to outside spend — and many contractors find they can close more gaps independently than initially expected.
Without structured tools, many teams underestimate the volume and organization of documentation required — an SSP, POAM, policies, procedures, and evidence files across 14 practice domains. The kit brings that structure without requiring an outside party to provide it, so your team understands the full scope before committing further resources.
Organizations that depend on a consultant to build their program often struggle to maintain or update it after the engagement ends. Teams that work through the kit themselves build institutional familiarity with what they implemented — making ongoing compliance, annual affirmations, and future assessments more manageable.
CMMC resources vary widely in specificity. This kit provides a gap assessment tool mapped to all 110 NIST SP 800-171 practices, a structured SSP template, cybersecurity policy templates, and a phase-by-phase roadmap — so your team spends less time figuring out what to build and more time actually building it.
See a limited sample of what is included in the Washington Process Group CMMC Level 1 & Level 2 DIY Kit. The preview shows the structure, format, and type of readiness tools included in the full kit without giving away the complete product.
This is a limited sample preview. The full CMMC DIY Kit includes the complete template library, readiness tools, trackers, and implementation support materials.
Everything your team needs to build your CMMC Level 1 or Level 2 compliance program independently — without a blank page or a consultant.
One-time purchase · Instant digital download · Self-paced
A self-paced readiness toolkit designed for organizations that need a practical way to organize documentation, manage activities internally, and track progress using structured tools and guidance materials aligned to Level 1 and Level 2 readiness work.
Digital product. Due to immediate electronic delivery, sales are final except for duplicate charges, delivery failures, defective or missing files, or where required by law. View Refund Policy
Many organizations pursuing CMMC Level 1 or Level 2 compliance also need a certified Quality Management System. Washington Process Group supports both frameworks. Learn about the ISO 9001:2015 Readiness Kit.
For organizations that want limited strategic input while still managing the work internally, advisory help may be available separately. The primary offer, however, is the DIY kit itself.
Need custom advisory support? Email yolanda@washingtonprocessgroup.com to discuss scope, availability, and pricing.
Advisory help is intended as limited guidance only and is not positioned as full implementation or done-for-you support.
CMMC requirements are being phased into DoD contracts, and the required level and assessment type depend on each specific contract. The documentation work — SSP, POA&M, policies, evidence — takes time to organize. The kit gives your team a structured starting point they can access and begin using immediately after purchase.
One-time purchase. Instant digital download. Self-paced. Your team implements.
Answers to common questions about the CMMC Level 1 & Level 2 Readiness Kit, how the program works, and what to expect.