A self-paced toolkit with the gap assessment tools, documentation templates, SSP structure, and readiness guidance your team needs to prepare internally for CMMC Level 1 or Level 2 requirements without outsourcing the work.
CMMC 2.0 is a Department of Defense (DoD) framework that requires organizations to demonstrate that their cybersecurity practices meet a defined level of maturity. It is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense industrial base (DIB) supply chain.
Unlike a voluntary certification, CMMC is built into DoD acquisition regulations. If your contract specifies a CMMC level, your organization must meet and maintain that level to remain eligible to compete or perform. Implementation began November 10, 2025, and requirements are being phased across DoD contracts.
The Washington Process Group CMMC Level 1 & Level 2 Readiness Kit gives your organization the structured tools and templates to build your documentation, policies, and compliance structure independently — so you are ready when an assessment comes.
Full NameCybersecurity Maturity Model Certification (CMMC) 2.0
Issuing AuthorityU.S. Department of Defense (DoD)
Current VersionCMMC 2.0 (implementation began November 10, 2025)
BasisNIST SP 800-171 (Level 2); NIST SP 800-172 (Level 3)
Who It Applies ToOrganizations in the DoD supply chain handling FCI or CUI
Result SubmissionSupplier Performance Risk System (SPRS)
Your required CMMC level is determined by the type of information your organization handles and will be specified in applicable DoD RFPs and contracts.
Annual self-assessment for contractors that handle Federal Contract Information. Focuses on 17 basic cybersecurity practices aligned to FAR Clause 52.204-21.
For organizations handling CUI. Requires implementation of all 110 practices from NIST SP 800-171. Most programs require a triennial third-party assessment by a C3PAO.
For organizations supporting the most sensitive DoD programs. Based on a subset of NIST SP 800-172 practices above the Level 2 baseline.
This is not a consulting engagement. There is no project manager assigned to your account, no consultant writing your System Security Plan, and no managed delivery service. The CMMC Level 1 & Level 2 Readiness Kit is a self-directed resource — structured so your team can run the gap assessment, build the required documentation, and work through the process at your own pace.
It is designed for organizations that want to own the process internally — with clear structure, practical tools, and a roadmap that does not require outside help to follow.
Structured templates, gap assessment tools, an SSP framework, a POAM template, policy templates, and a step-by-step implementation roadmap — organized for your team to customize and apply.
Run the gap assessment, customize the documentation to your environment, build out your SSP, close your POAM items, and prepare your evidence package — with the kit as your guide throughout.
The CMMC Level 1 & Level 2 Readiness Kit is for organizations that want to build their compliance program independently — with the right tools and structure, not a third party doing the work for them.
Your contracts involve Federal Contract Information and you need to meet Level 1 requirements. The kit gives you the assessment tool, readiness checklist, and documentation structure to work through the 17 Level 1 practices internally.
Your contracts involve Controlled Unclassified Information and you need the documentation structure to build a Level 2-ready program internally — SSP, POAM, policies, and evidence — on your own timeline.
You are a small or mid-size contractor preparing for Level 1 or Level 2 requirements and need a practical, structured approach your team can work through without the overhead of a large consulting engagement.
Your prime contractor is flowing Level 1 or Level 2 CMMC requirements down and you need to understand your scope, build the required documentation, and meet the applicable level independently.
You have not yet built a formal cybersecurity program and need a clear Level 1 or Level 2 starting point — documented policies, a system security plan template, and a structured roadmap your team can follow.
You have an upcoming Level 2 third-party assessment and need to close documented gaps, organize your evidence, and confirm your SSP and POAM are in assessor-ready condition.
The CMMC Level 1 & Level 2 Readiness Kit includes structured tools and templates organized around the full readiness process — from gap assessment through evidence organization and assessment preparation.
Mapped to all 110 NIST SP 800-171 practices across all 14 domains. Run the assessment yourself to identify what is implemented, partially implemented, or not yet in place.
A structured checklist covering Level 1 and Level 2 practices — organized so your team can track readiness status across each domain without starting from scratch.
Structured for assessor review and aligned to NIST SP 800-171 requirements. Your team customizes it to describe how each practice is implemented in your specific environment.
Documents gaps identified in the assessment with milestones and responsible owners. Required for Level 2 and reviewed by assessors as part of the assessment process.
Core policies and procedures aligned to CMMC practice families, ready for your team to customize. Covers access control, incident response, media protection, configuration management, and more.
A phase-by-phase roadmap aligned to Level 1 and Level 2 requirements. Gives your team a logical sequence for working through gap closure, documentation, and assessment preparation.
Practical guidance for identifying, organizing, and labeling evidence that supports each practice. Helps your team build an evidence package that meets assessor expectations.
Email-based support for questions that come up as your team works through the kit — clarifying requirements, interpreting assessment findings, or navigating template customization.
The kit is organized around a logical progression. Your team works through each step using the included tools — at your own pace, on your own schedule.
Identify which CMMC level applies based on your contracts and the type of information you handle. Review existing contracts for CUI handling clauses and FCI obligations. Your required level is specified in applicable DoD RFPs — this step confirms your scope before you run the assessment.
Use the included gap assessment tool — mapped to all 110 NIST SP 800-171 practices across all 14 domains — to document what your organization currently has implemented, what is partially in place, and what still needs to be addressed. This becomes the basis for your POAM.
Using the SSP template, document how each required practice is implemented in your specific environment. The SSP is the primary artifact assessors review. Work through each practice domain systematically, customizing the template language to accurately describe your environment and controls.
Apply the policy and procedure templates to your organization, customizing each document to reflect your actual practices. Populate the POAM template with gaps identified during the assessment, assign owners, and set target completion dates for each item.
Work through your POAM to address identified gaps — technical changes, policy updates, configuration management, and access control measures. Use the evidence organization guidance to collect and label artifacts that demonstrate each practice is in place. Evidence quality matters as much as what you have implemented.
Use the readiness checklist to confirm all required documentation is complete before engaging an assessor or submitting your SPRS score. Level 1: complete a self-assessment and submit through SPRS with a senior official affirmation. Level 2: engage a C3PAO for a triennial third-party assessment.
Contract Eligibility — Without the required CMMC level, your organization cannot compete for or be awarded applicable DoD contracts.
Flow-Down Requirements — Prime contractors must flow CMMC requirements to subcontractors. Readiness is a supply chain obligation, not just a prime contractor issue.
Documentation Is Reviewed — Assessors examine your SSP, policies, and evidence. Incomplete or informal documentation is a finding — not a minor gap.
SPRS Score Visibility — Your self-assessment score is visible to contracting officers in SPRS and can affect contract decisions before formal CMMC requirements appear in your contract.
Time to Implement — Organizations that underestimate how long this takes often face contract pressure with insufficient runway. Starting early with a structured kit gives your team more room to work.
CMMC 2.0 implementation began November 10, 2025. Requirements are being phased into DoD contracts across the supply chain. Organizations that are not prepared risk losing eligibility for contract opportunities and failing required assessments.
Organizations that wait until a specific contract requires CMMC typically underestimate how much time is needed to close gaps, build required documentation, and prepare for an assessment. The best time to start is before you are under contract pressure — and working through the kit on your own timeline gives you that flexibility.
Book a Paid Advisory CallThe CMMC Level 1 & Level 2 Readiness Kit is a self-directed resource. It is not a consulting service, a managed implementation program, or a done-for-you delivery. If your organization needs active expert involvement at key milestones, optional advisory support is available separately — but the kit itself is designed for internal use by your team.
There is no project manager or CMMC consultant managing your account. Your team owns the process and drives the timeline using the kit tools.
The kit provides templates and structure. Your team writes the content, customizing the SSP, POAM, and policies to accurately reflect your organization's environment and controls.
The kit does not include live advisory or review sessions. The 30 days of email support covers questions as they arise during kit use. Structured advisory is available as a separate add-on.
Washington Process Group does not coordinate with C3PAOs on your behalf. Engaging an assessment body for Level 2 is your organization's responsibility.
Everything your team needs to build your CMMC Level 1 or Level 2 compliance program independently — without a blank page or a consultant.
One-time purchase · Self-paced
A self-paced readiness toolkit designed for organizations that need a practical way to organize documentation, manage activities internally, and track progress using structured tools and guidance materials aligned to Level 1 and Level 2 readiness work.
Many organizations pursuing CMMC Level 1 or Level 2 compliance also need a certified Quality Management System. Washington Process Group supports both frameworks. Learn about the ISO 9001:2015 Readiness Kit.
For organizations that want limited strategic input while still managing the work internally, advisory help may be available separately. The primary offer, however, is the DIY kit itself.
Advisory help is intended as limited guidance only and is not positioned as full implementation or done-for-you support.
Get the kit and start organizing your Level 1 or Level 2 readiness work with the templates, trackers, and structure your team needs to move forward internally.
Answers to common questions about the CMMC Level 1 & Level 2 Readiness Kit, how the program works, and what to expect.