Deretti Cyber Labs CMMC Desk · The Implementation Path

The implementation path.

The order the work tends to happen in, for organizations doing it for real.

CMMC work has a natural order, and most wasted effort comes from doing it out of order — controls before scope, tools before data, an assessment date before an SSP. This page lays out the sequence organizations seeking assessment or certification typically follow, with a plain checklist to keep your place. It explains the path; walking it is yours.

01The sequence, and why this order

1 · Read the contracts. Everything downstream depends on what is actually required, and that is written in clauses and provisions, not vendor material. Start Here lists the signals; The contract clauses maps the instruments, including the 2026 renumbering. The output of this step is one sentence per contract: what level, on what path, by when.

2 · Find the data. Which systems touch FCI, which touch CUI, and where each actually flows — email, file shares, CAD/CAM, ERP, ticketing, backup, MSP tooling. The Data covers definitions and hiding places. Done before boundary-drawing, this step is discovery; done after, it is rework.

3 · Draw the boundary. The enclave-or-whole-company decision, the five asset categories, and the honest version of the network diagram. This is the step that sizes everything after it — assessment cost included. Scope & Boundary.

4 · Sort the provider relationships. Which providers are ESPs under the rule, which are CSPs with FedRAMP obligations, and who does what — written down as a responsibility matrix, because an assessor will read it. Boundary section 04 carries the mechanics.

5 · Write the SSP, or make it true. The document the whole program hangs on, and the reference point every later step checks against. What an SSP typically contains is the shape; writing the implementation statements is where the remaining gaps announce themselves.

6 · Run the gap analysis. Objective-level, evidence-named, honestly scored — Gap analysis is this desk’s full treatment, including the two sorts (by effort, and by POA&M eligibility) that turn findings into a plan.

7 · Remediate in sorted order. Excluded-list and high-weight items first — they cannot ride a POA&M — then config fixes, then the habit gaps that need time to accumulate a record. This is also where the budget conversation belongs, after the sort, not before it.

8 · Build the evidence rhythm. Proof as a side effect of operating: tickets, logs, rosters, review notes, produced by the practices themselves. Every family page’s What evidence may look like section and at-a-glance box describes what this looks like per family (Domains).

9 · Assess on your contract’s path, then maintain. Self-assessment entered in SPRS, or a C3PAO engagement (what that involves, and where its role stops) — then the two standing clocks: the annual affirmation and the triennial reassessment, plus the 180-day closeout if the result was Conditional.

02The reader’s checklist

The same nine steps, compressed to something that fits on one screen and survives a Monday. A reading-and-doing order — not a certification promise.

  1. Every active contract read for its clause signals; required level and path written down per contract.
  2. FCI and CUI located — systems named, flows traced, surprises included (the ticketing system counts).
  3. Boundary drawn and defensible: enclave decision made, five asset categories sorted, diagram matches reality.
  4. ESP / CSP relationships documented, responsibility matrix written, FedRAMP status of CUI-touching cloud services confirmed.
  5. SSP current — boundary, environment, implementation statement (or open gap) per requirement, connections.
  6. Gap analysis run at the objective level, evidence named per requirement, score computed with the 1/3/5 weights.
  7. Findings sorted twice — by effort, and by POA&M eligibility — and the must-fix-first list closed.
  8. Evidence accumulating as routine output, with owners and dates, not as a pre-assessment scramble.
  9. Assessment done on the contract’s path; affirmation calendar and triennial date owned by a named person.

03Who does what

The path is one sequence, but three chairs own different parts of it. The owner or general manager — usually the eventual Affirming Official — owns the decisions with money and signature attached: the enclave question, the provider contracts, the affirmation itself. The technical lead owns steps two through five and the remediation, because scope and implementation are engineering work. The compliance owner — a hat more than a headcount in a small shop — owns the record: SSP currency, the POA&M, the SPRS entries, the two calendars. By role carries a compact summary for each chair; an MSP or ESP supporting any of this enters the assessment story itself (Scope & Boundary, section 04).

04What this desk does here — and doesn’t

This page describes the order the work tends to happen in, so a reader starting from zero can see the whole path before committing to any step of it. It is not a service, a certification promise, or a substitute for the primary sources it links — and the sequence above is a common shape, not the only workable one. An organization with a mature security program enters at step five; one mid-migration may run steps two and three twice. The desk explains; the decisions, the work, and the outcomes belong to you and the assessors the program puts in front of you.

05Sources

Primary sources underlying the implementation sequence
DocumentWhat it’s for
32 CFR 170.15 – 170.22The assessment procedures, POA&M limits, and affirmation obligations the sequence points toward.
CMMC Scoping Guidance (L1 / L2 / L3)The boundary rules behind steps three and four (Source Library).
NIST SP 800-171 Rev. 2 · SP 800-171AThe requirements and the objectives behind steps five and six.
DFARS 252.204-7012 / -7021 / -7025The contract instruments behind step one (The contract clauses).