How IT Directors Can Implement CMMC Level 2 In-House: A Practical Outline for IT Directors

Leave a Comment / Compliance, Cybersecurity, Federal Contracting, GCCH, MSSP / By

Introduction

As CMMC requirements become mandatory across Department of Defense (DoD) contracts, many IT Directors and security leaders are asking a critical question:

Can we implement CMMC Level 2 ourselves without hiring a full external consulting firm?

The answer is yes: with the right strategy, tooling, and understanding of NIST SP 800-171. However, it is important to set expectations clearly.

This is not a step-by-step implementation guide. Instead, this article is an expert-informed outline of the critical considerations, decision points, and functional areas organizations must address when pursuing CMMC Level 2 in-house.

CMMC implementation varies significantly based on your environment, contracts, and risk tolerance. This overview is designed to help IT Directors and Stakeholders understand the scope and complexity of the effort so they can plan appropriately, ask the right questions, and avoid common pitfalls.

This article provides a structured outline for thinking about CMMC Level 2 implementation internally, using proven practices and Microsoft-native tools where applicable.

Understanding What “CMMC Level 2” Really Requires

CMMC Level 2 aligns directly with NIST SP 800-171 Rev. 2, which includes 110 security controls across 14 control families.

Key areas include:

  • Access Control (AC)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • System & Communications Protection (SC)

For IT Directors, this means your responsibility is not just technical deployment—but also documentation, policy enforcement, and continuous monitoring.

Step 1: Establish Executive Ownership and Accountability

Before any technical work begins, it is critical to understand that CMMC is not an IT project—it is an organization-wide compliance program.

A successful implementation requires active involvement from:

  • Executive leadership (CEO, COO, or equivalent)
  • The designated CMMC Attesting Official
  • Legal and compliance stakeholders
  • IT and security leadership
  • Users

Why Leadership Involvement Matters

Under CMMC, the Attesting Official is legally responsible for affirming that the organization meets required controls. This means:

  • Decisions about risk acceptance cannot be made solely by IT
  • Budget, staffing, and operational impacts must be approved at the executive level
  • Policies must be enforced across the entire organization—not just technical systems

Key Responsibilities of Leadership

  • Approving the System Security Plan (SSP)
  • Reviewing and accepting risk documented in the POA&M
  • Ensuring resources are allocated for compliance
  • Driving a culture of security and accountability

Organizations that treat CMMC as “just IT” often fail audits due to gaps in governance, policy enforcement, and documentation.

Step 2: Define Your CUI Boundary

Before implementing any controls, you must clearly define:

  • Where Controlled Unclassified Information (CUI) is stored
  • Where it is processed
  • Who has access to it

This is known as your CMMC scope or boundary.

Best practices:

  • Segment CUI systems from corporate IT
  • Limit access to only required personnel
  • Document all systems within scope

Failing to properly scope your environment is one of the most common causes of audit failure.

Step 3: Perform a NIST 800-171 Gap Assessment

A gap assessment identifies where your current environment does not meet required controls.

Approach:

  • Review all 110 controls in NIST 800-171
  • Score each as: Implemented, Partially Implemented, or Not Implemented
  • Document evidence for each control

Tools you can use:

  • Microsoft Compliance Manager
  • NIST 800-171 assessment templates
  • SSP/POA&M tracking spreadsheets

The output should include a Plan of Action and Milestones (POA&M).

Step 4: Build Your System Security Plan (SSP)

Your System Security Plan (SSP) is the central document auditors will review.

It must define:

  • System architecture
  • Control implementations
  • Roles and responsibilities
  • Policies and procedures

Key tip: Write your SSP as you implement controls—not after.

Step 5: Implement Core Technical Controls

For most organizations, Microsoft 365 (especially GCC or GCC High) provides a strong foundation.

Identity & Access Control

  • Enforce MFA for all users
  • Implement Conditional Access policies
  • Use least privilege principles

Endpoint Security

  • Deploy endpoint detection and response (EDR)
  • Enforce device compliance policies
  • Maintain patch management

Data Protection

  • Implement Data Loss Prevention (DLP)
  • Encrypt data at rest and in transit
  • Use sensitivity labels for CUI

Logging & Monitoring

  • Enable audit logging
  • Centralize logs (SIEM)
  • Monitor for anomalies

Step 6: Develop Required Policies and Procedures

CMMC is not just technical—it is heavily policy-driven.

You must create and maintain policies for:

  • Access control n- Incident response
  • Configuration management
  • Media protection
  • Personnel security

Policies must be:

  • Documented
  • Approved by leadership
  • Enforced and reviewed regularly

Step 7: Establish Incident Response Capabilities

You must be able to:

  • Detect security incidents
  • Respond quickly
  • Document actions taken
  • Report incidents when required (DFARS 7012)

This includes creating:

  • Incident response plan
  • Playbooks
  • Communication procedures

Step 8: Continuous Monitoring and Maintenance

CMMC compliance is not a one-time project.

You must continuously:

  • Monitor security events
  • Review logs
  • Update systems
  • Reassess controls

Automation tools (like Microsoft Defender and Sentinel) significantly reduce workload.

Common Challenges for DIY CMMC Implementation

While self-implementation is possible, IT Directors should be aware of common obstacles:

  • Underestimating documentation requirements
  • Misinterpreting control requirements
  • Misconfiguring technical controls
  • Lack of internal compliance expertise
  • Time constraints on IT teams
  • Difficulty preparing for third-party audits

Many organizations start internally but eventually require expert validation.

When to Consider External Support

Even if you implement most controls internally, external expertise can help with:

  • Gap validation before audit
  • SSP and documentation review
  • Technical Controls Consulting
  • Remediation & Implementation
  • CMMC readiness assessments
  • Ongoing monitoring (SOC services)

This hybrid approach balances cost with assurance.

Conclusion

Implementing CMMC Level 2 in-house is achievable for organizations with strong IT leadership and disciplined processes. The key is to approach it as a structured program—not just a technical deployment.

By focusing on scope, controls, documentation, and continuous monitoring, IT Directors can build a compliant environment that supports both regulatory requirements and long-term security maturity.

About Rolle IT Cybersecurity

Rolle IT Cybersecurity helps DoD contractors navigate CMMC implementation—whether you need full-service support or expert validation of your in-house efforts.

If you are working toward CMMC compliance, Rolle IT can help ensure your environment is audit-ready. [email protected]

Leave a Comment

Your email address will not be published. Required fields are marked *