DoD Cybersecurity Framework

The CMMC Level 1 & Level 2 DIY Readiness Kit —
Build Your Compliance Program Internally

A self-paced toolkit for DoD contractors and subcontractors — with the gap assessment tools, SSP templates, policy documents, and readiness guidance your team needs to build your CMMC Level 1 or Level 2 compliance program internally, without outsourcing the work to a consultant.

A More Affordable Path to CMMC Readiness — For Contractors That Want to Own the Work

Full-service consulting engagements can cost substantially more than a self-directed toolkit, depending on scope, organization size, current readiness, technical complexity, documentation maturity, and implementation needs. This kit gives DoD contractors and subcontractors a lower-cost alternative they can start immediately and manage internally.

Lower Cost

A Lower-Cost Alternative

A self-directed toolkit costs substantially less than a full-service consulting engagement. Many contractors use structured templates and trackers to build their own program internally and reduce what they eventually need outside help for. Actual consulting costs vary by scope, size, and readiness.

Instant Download

Start the Same Day

The kit is a digital download. Your team can access all tools, templates, and materials immediately after purchase — no waiting for a contract to be scoped, signed, or staffed.

Complete Templates

Built for Internal Use

SSP template, gap assessment tool, POAM template, cybersecurity policy templates, and a phase-by-phase roadmap — organized so your team can build required documentation and track progress without starting from a blank page.

Structured Roadmap

Clear Direction at Every Step

A phase-by-phase implementation roadmap guides your team from gap assessment through documentation, policy development, evidence organization, and readiness confirmation — without needing outside help to know what to do next.

A Contractual Cybersecurity Standard for the DoD Supply Chain

CMMC 2.0 is a DoD framework built into acquisition regulations — not a voluntary certification. Organizations subject to a CMMC requirement in an applicable DoD solicitation, contract, task order, delivery order, or subcontract must maintain the required CMMC status to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC applicability depends on the specific contractual requirement, the information handled, and the required CMMC level. Requirements are being phased into DoD contracts over time.

The Washington Process Group CMMC Level 1 & Level 2 Readiness Kit gives your organization the structured tools and templates to build your documentation, policies, and compliance structure independently — so you are ready when an assessment comes.

Framework Quick Reference

  • Full Name: Cybersecurity Maturity Model Certification (CMMC) 2.0
  • Issuing Authority: U.S. Department of Defense (DoD)
  • Current Version: CMMC 2.0 (implementation began November 10, 2025)
  • Basis: NIST SP 800-171 (Level 2); NIST SP 800-172 (Level 3)
  • Who It Applies To: Organizations in the DoD supply chain handling FCI or CUI
  • Result Submission: Supplier Performance Risk System (SPRS)

Three Levels of Compliance

Your required CMMC level is determined by the type of information your organization handles and will be specified in applicable DoD RFPs and contracts.

Level 1 — Foundational

Federal Contract Information (FCI)

Annual self-assessment for contractors that handle Federal Contract Information. Focuses on 17 basic cybersecurity practices aligned to FAR Clause 52.204-21.

Assessment: Annual self-assessment & affirmation by the organization’s Affirming Official

Level 2 — Advanced

Controlled Unclassified Information (CUI)

For organizations handling CUI. Requires implementation of all 110 practices from NIST SP 800-171. Depending on the applicable contract requirement, Level 2 may require a self-assessment or a triennial third-party (C3PAO) certification assessment.

Assessment: Triennial C3PAO assessment (some programs allow self-assessment)

Level 3 — Expert

Highest-Priority CUI Programs

For organizations supporting the most sensitive DoD programs. Based on a subset of NIST SP 800-172 practices above the Level 2 baseline.

Assessment: Triennial government-led assessment by DCMA DIBCAC

Kit scope: This kit is designed for CMMC Level 1 and Level 2 readiness only. It is not designed for Level 3 requirements.

Prepare Before CMMC Requirements Reach Your Contract

DoD is implementing CMMC through a phased rollout. The required CMMC level and assessment type depend on each solicitation, contract, or subcontract and the applicable flow-down requirements. Some Level 2 requirements may require a C3PAO assessment, while others may permit self-assessment depending on the specific contract.

Organizations handling FCI or CUI should begin organizing documentation and evidence — SSP, POA&M, policies, procedures, and assessment records — before requirements appear in applicable opportunities. Starting early gives your team more room to organize gaps, evidence, and documentation without pressure.

The kit supports readiness preparation but does not determine contractual applicability and does not guarantee compliance, certification, assessment success, or contract eligibility.

Common Readiness Preparation Steps

  • Review your specific contract requirements to determine which CMMC level applies
  • Run a gap assessment against all applicable NIST SP 800-171 practices
  • Build and complete a System Security Plan (SSP)
  • Document gaps and remediation milestones in a POA&M
  • Develop and customize required cybersecurity policies and procedures
  • Organize assessment records and evidence to support each practice

Subcontractors: If your prime contractor flows CMMC requirements down, applicable obligations may extend to your organization. Review your subcontract and applicable flow-down requirements to confirm your scope.

Organizations should review their specific contract requirements and seek appropriate legal, contractual, cybersecurity, or assessment guidance when necessary.

For Organizations That Want to Build This Themselves

This is not a consulting engagement. No project manager is assigned, no consultant writes your SSP, and there is no managed delivery. The kit is a self-directed resource — structured so your team runs the gap assessment, builds required documentation, and manages the process at your own pace, with a clear roadmap that does not require outside help to follow.

What you get

Structured templates, gap assessment tools, an SSP framework, a POAM template, policy templates, and a step-by-step implementation roadmap — organized for your team to customize and apply.

What you do

Run the gap assessment, customize the documentation to your environment, build out your SSP, close your POAM items, and prepare your evidence package — with the kit as your guide throughout.

Built for Organizations Preparing for Level 1 or Level 2

The CMMC Level 1 & Level 2 Readiness Kit is for organizations that want to build their compliance program independently — with the right tools and structure, not a third party doing the work for them.

Organizations Handling FCI (Level 1)

Your contracts involve Federal Contract Information and you need to meet Level 1 requirements. The kit gives you the assessment tool, readiness checklist, and documentation structure to work through the 17 Level 1 practices internally.

Organizations Handling CUI (Level 2)

Your contracts involve Controlled Unclassified Information and you need the documentation structure to build a Level 2-ready program internally — SSP, POAM, policies, and evidence — on your own timeline.

Small Businesses in the DoD Supply Chain

You are a small or mid-size contractor preparing for Level 1 or Level 2 requirements and need a practical, structured approach your team can work through without the overhead of a large consulting engagement.

Subcontractors With Flow-Down Requirements

Your prime contractor is flowing Level 1 or Level 2 CMMC requirements down and you need to understand your scope, build the required documentation, and meet the applicable level independently.

Organizations Starting From Scratch

You have not yet built a formal cybersecurity program and need a clear Level 1 or Level 2 starting point — documented policies, a system security plan template, and a structured roadmap your team can follow.

Contractors Preparing for a Level 2 C3PAO Assessment

You have an upcoming Level 2 third-party assessment and need to close documented gaps, organize your evidence, and confirm your SSP and POAM are in assessor-ready condition.

Everything Your Team Needs to Build Your CMMC Level 1 or Level 2 Program

The CMMC Level 1 & Level 2 Readiness Kit includes structured tools and templates organized around the full readiness process — from gap assessment through evidence organization and assessment preparation.

Gap Assessment Tool

Mapped to all 110 NIST SP 800-171 practices across all 14 domains. Run the assessment yourself to identify what is implemented, partially implemented, or not yet in place.

CMMC Readiness Checklist

A structured checklist covering Level 1 and Level 2 practices — organized so your team can track readiness status across each domain without starting from scratch.

System Security Plan (SSP) Template

Structured for assessor review and aligned to NIST SP 800-171 requirements. Your team customizes it to describe how each practice is implemented in your specific environment.

Plan of Action and Milestones (POAM) Template

Documents gaps identified in the assessment with milestones and responsible owners. Required for Level 2 and reviewed by assessors as part of the assessment process.

Cybersecurity Policy and Procedure Templates

Core policies and procedures aligned to CMMC practice families, ready for your team to customize. Covers access control, incident response, media protection, configuration management, and more.

Implementation Roadmap

A phase-by-phase roadmap aligned to Level 1 and Level 2 requirements. Gives your team a logical sequence for working through gap closure, documentation, and assessment preparation.

Evidence Organization Guidance

Practical guidance for identifying, organizing, and labeling evidence that supports each practice. Helps your team build an evidence package that meets assessor expectations.

Paid Advisory Available Separately

This product is a self-paced DIY kit and does not include ongoing support. Paid advisory services are available separately if additional guidance is needed.

Six Steps to Assessment Readiness

The kit is organized around a logical progression. Your team works through each step using the included tools — at your own pace, on your own schedule.

1. Determine Your Scope and Required Level

Identify which CMMC level applies based on your contracts and the type of information you handle. Review existing contracts for CUI handling clauses and FCI obligations. Your required level is specified in applicable DoD RFPs — this step confirms your scope before you run the assessment.

2. Run the Gap Assessment

Use the included gap assessment tool — mapped to all 110 NIST SP 800-171 practices across all 14 domains — to document what your organization currently has implemented, what is partially in place, and what still needs to be addressed. This becomes the basis for your POAM.

3. Build Your System Security Plan

Using the SSP template, document how each required practice is implemented in your specific environment. The SSP is the primary artifact assessors review. Work through each practice domain systematically, customizing the template language to accurately describe your environment and controls.

4. Customize Policies and Populate the POAM

Apply the policy and procedure templates to your organization, customizing each document to reflect your actual practices. Populate the POAM template with gaps identified during the assessment, assign owners, and set target completion dates for each item.

5. Close Gaps and Organize Evidence

Work through your POAM to address identified gaps — technical changes, policy updates, configuration management, and access control measures. Use the evidence organization guidance to collect and label artifacts that demonstrate each practice is in place. Evidence quality matters as much as what you have implemented.

6. Prepare for Assessment and Submit to SPRS

Use the readiness checklist to confirm all required documentation is complete before engaging an assessor or submitting your SPRS score. Level 1: Complete the required self-assessment, submit the assessment results in SPRS, and have the organization’s Affirming Official submit the required affirmation. Level 2: complete the assessment type required by the applicable solicitation or contract. Depending on the specific requirement, this may involve a Level 2 self-assessment or a C3PAO certification assessment.

Why CMMC Readiness Matters

Contract Eligibility — Without the required CMMC level, your organization cannot compete for or be awarded applicable DoD contracts.

Flow-Down Requirements — Prime contractors must flow applicable CMMC requirements to subcontractors when the subcontract involves FCI or CUI and includes a required CMMC level. Review the specific terms flowed down to confirm what applies to your organization.

Documentation Is Reviewed — Assessors examine your SSP, policies, and evidence. Incomplete or informal documentation is a finding — not a minor gap.

SPRS Score Visibility — Where a self-assessment score is submitted to SPRS, it may be visible to contracting officers and can factor into contracting decisions.

Time to Implement — Organizations that underestimate how long this takes often face contract pressure with insufficient runway. Starting early with a structured kit gives your team more room to work.

CMMC Requirements Are Active and Expanding

CMMC 2.0 implementation began November 10, 2025. Requirements are being phased into DoD contracts across the supply chain. Organizations that are not prepared risk losing contract eligibility and failing required assessments.

Organizations that wait until a contract requires CMMC typically underestimate how long gap closure and documentation take. Starting before contract pressure arrives gives your team the runway to do the work right.


What the Kit Does Not Include

The CMMC Level 1 & Level 2 Readiness Kit is a self-directed resource. It is not a consulting service, a managed implementation program, or a done-for-you delivery. If your organization needs active expert involvement at key milestones, optional advisory support is available separately — but the kit itself is designed for internal use by your team.

No Consultant Assigned

There is no project manager or CMMC consultant managing your account. Your team owns the process and drives the timeline using the kit tools.

No SSP or Policy Writing

The kit provides templates and structure. Your team writes the content, customizing the SSP, POAM, and policies to accurately reflect your organization's environment and controls.

No Scheduled Advisory Sessions

The kit does not include live advisory or review sessions. Paid advisory services are available separately if additional guidance is needed.

No Assessment Body Engagement

Washington Process Group does not coordinate with C3PAOs on your behalf. Engaging an assessment body for Level 2 is your organization's responsibility.

Why Organizations Take the Internal Path Before Hiring a Consultant

Most contractors that use this kit do not start by hiring outside help. They start by building what they can internally — then assess what, if anything, still requires expert involvement.

The Consulting Cost Is Often Too High Before You Know Your Gap

Full-service consulting can cost substantially more than a self-directed toolkit, and actual costs vary widely by scope, organization size, and current readiness. Running the gap assessment internally first gives your organization a clearer picture of your position before committing to outside spend — and many contractors find they can close more gaps independently than initially expected.

Documentation Structure Makes the Scope Visible

Without structured tools, many teams underestimate the volume and organization of documentation required — an SSP, POAM, policies, procedures, and evidence files across 14 practice domains. The kit brings that structure without requiring an outside party to provide it, so your team understands the full scope before committing further resources.

Internal Ownership Supports Long-Term Compliance

Organizations that depend on a consultant to build their program often struggle to maintain or update it after the engagement ends. Teams that work through the kit themselves build institutional familiarity with what they implemented — making ongoing compliance, annual affirmations, and future assessments more manageable.

The Kit Provides a Defined Starting Point, Not Vague Guidance

CMMC resources vary widely in specificity. This kit provides a gap assessment tool mapped to all 110 NIST SP 800-171 practices, a structured SSP template, cybersecurity policy templates, and a phase-by-phase roadmap — so your team spends less time figuring out what to build and more time actually building it.

Preview the CMMC DIY Kit Before You Purchase

See a limited sample of what is included in the Washington Process Group CMMC Level 1 & Level 2 DIY Kit. The preview shows the structure, format, and type of readiness tools included in the full kit without giving away the complete product.

  • Sample readiness checklist format
  • Sample evidence tracking structure
  • Sample POA&M tracker layout
  • Sample policy and template preview
  • Overview of what is included in the full kit

This is a limited sample preview. The full CMMC DIY Kit includes the complete template library, readiness tools, trackers, and implementation support materials.

Self-Paced. One-Time Purchase. Your Team Implements.

Everything your team needs to build your CMMC Level 1 or Level 2 compliance program independently — without a blank page or a consultant.

Self-Paced · One-Time · Instant Digital Download
$1,697


A self-paced readiness toolkit designed for organizations that need a practical way to organize documentation, manage activities internally, and track progress using structured tools and guidance materials aligned to Level 1 and Level 2 readiness work.

  • Instant digital download — available immediately after purchase
  • Gap assessment tool mapped to all 110 NIST SP 800-171 practices
  • System Security Plan (SSP) and POAM templates
  • Cybersecurity policy and procedure templates
  • Phase-by-phase implementation roadmap
  • Evidence organization guidance and readiness checklist

Digital product. Due to immediate electronic delivery, sales are final except for duplicate charges, delivery failures, defective or missing files, or where required by law.

Also Pursuing ISO 9001:2015?

Many organizations pursuing CMMC Level 1 or Level 2 compliance also need a certified Quality Management System. Washington Process Group supports both frameworks. Learn about the ISO 9001:2015 Readiness Kit.


Optional Advisory Help

For organizations that want limited strategic input while still managing the work internally, advisory help may be available separately. The primary offer, however, is the DIY kit itself.

  • 60-Minute Advisory Call: Starting at $250
  • 90-Minute Advisory Call: Starting at $375
  • Two-Call Advisory Package: Starting at $700
  • Custom Advisory Support: Scope-based pricing

Need custom advisory support? Email yolanda@washingtonprocessgroup.com to discuss scope, availability, and pricing.

Advisory help is intended as limited guidance only and is not positioned as full implementation or done-for-you support.


Ready to Build Your CMMC Level 1 or Level 2 Program Internally?

CMMC requirements are being phased into DoD contracts, and the required level and assessment type depend on each specific contract. The documentation work — SSP, POA&M, policies, evidence — takes time to organize. The kit gives your team a structured starting point they can access and begin using immediately after purchase.

One-time purchase. Instant digital download. Self-paced. Your team implements.


CMMC Level 1 & Level 2 — Frequently Asked Questions

Answers to common questions about the CMMC Level 1 & Level 2 Readiness Kit, how the program works, and what to expect.

The kit is designed for organizations that need to meet CMMC requirements and want to build or formalize their compliance program internally. It is most useful for organizations preparing for Level 1 or Level 2 requirements, small businesses that handle FCI or CUI, and teams that need a structured starting point — including a gap assessment tool, SSP template, and POAM framework — without starting from a blank page or hiring a consultant to do it for them.

No. This kit is designed for Level 1 and Level 2 readiness only. It is not intended for Level 3 requirements. Level 3 is based on a subset of NIST SP 800-172 practices above the Level 2 baseline and involves a government-led assessment by DCMA DIBCAC. If your organization is subject to Level 3 requirements, you will need resources specifically designed for that scope.

The kit includes a gap assessment tool mapped to all 110 NIST SP 800-171 practices, a CMMC readiness checklist for Level 1 and Level 2, a System Security Plan (SSP) template structured for assessor review, a Plan of Action and Milestones (POAM) template, core cybersecurity policy and procedure templates ready for customization, a phase-by-phase implementation roadmap, and evidence organization guidance for assessment preparation.

No. The kit provides templates and structured guidance — your team writes and customizes the content. The SSP template gives you the framework and section structure; your team fills it in to accurately describe how each NIST SP 800-171 practice is implemented in your specific environment. The policy templates are ready for customization, not meant to be used as-is without review and adaptation to your organization. This is a self-directed resource, not a document writing service.

Yes. The kit is designed for self-paced use. Your team works through the gap assessment, SSP, policies, and POAM on your own schedule. There are no required sessions, no project timeline imposed externally, and no dependencies on scheduling with a consultant. If you want structured advisory input alongside the kit, that is available as a separate add-on.

No. The kit provides the tools and documentation structure to support your readiness effort. Certification outcomes depend on whether your organization correctly implements and maintains the required practices, and, for Level 2, on the results of the assessment required by the applicable contract — which may be an authorized self-assessment or a C3PAO certification assessment. No consulting resource or documentation toolkit can guarantee a certification outcome.

Implementation timelines vary significantly based on your current cybersecurity posture, organization size, and the CMMC level required. Organizations with existing NIST SP 800-171 documentation and controls in place may be able to prepare for an assessment in a few months. Organizations starting from scratch may need six months to a year or more. Starting early with a structured kit gives your team the time to work through each phase without contract pressure forcing the timeline.

Yes, as an optional add-on. Advisory call options start at $250 for a 60-minute session and $375 for 90 minutes. A two-call advisory package is available starting at $700. Custom advisory support is also available at scope-based pricing for organizations that want more structured input across multiple phases. Advisory help is limited guidance only — your team still owns and drives the work.

CMMC requirements flow down to subcontractors when the subcontract requires the subcontractor to process, store, or transmit Federal Contract Information or Controlled Unclassified Information and includes a required CMMC level. If that applies to your subcontract, your organization is in scope for the required level. Subcontractors should review the specific terms flowed down by the prime contractor and confirm which systems, information, and assessment requirements apply. Small businesses are not automatically exempt. The kit is designed to be practical for small teams working independently.

If you already have documentation in place, the best starting point is the gap assessment tool — run it against all 110 NIST SP 800-171 practices to confirm where you actually stand before assuming readiness. From there, use the SSP template and evidence organization guidance to ensure your documentation meets assessor expectations. Having the practices implemented is necessary — but assessors also review whether each practice is accurately described in your SSP and supported by appropriate evidence. The kit helps your team validate both.