How Sikich’s STARS Program Assists DoD Contractors with CMMC Compliance Efforts

The Department of Defense (DoD) recently announced an update for its Cybersecurity Maturity Model Certification (CMMC) program, a program designed to make sure that contractors working with Controlled Unclassified Information (CUI) are protected against cyber attacks. The update will simplify the CMMC standard and make certification more attainable for companies working alongside the DoD.

In announcing this, Jesse Salazar, the Deputy Assistant Secretary of Defense for Industrial Policy, said, “CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base. By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

While this is good news for many, those working with the DoD must be prepared to meet CMMC requirements 60 days after the Interim Rule is published in 2023 to continue bidding on government contracts.

Certification takes time, and prime contractors, such as Lockheed Martin, Raytheon, General Dynamics, and others, are already pushing for subcontractors to meet these standards. With less than a year remaining, contractors working on DoD projects must begin the process now to make sure that they are ready before the rule takes effect.

To help support DoD contractors in meeting their goals related to CMMC compliance, Sikich has developed the STARS program. The program will help organizations understand their requirements, plan and implement a strategic roadmap, and achieve and maintain compliance well into the future.

What is Sikich’s STARS Program for CMMC Compliance?

Sikich developed its STARS program for CMMC readiness and continuous compliance with the goal of working with individuals, suppliers and other service providers to mature cybersecurity resilience in the U.S. supply chain and Defense Industrial Base Sector.

STARS is an acronym that describes the five pillars of CMMC readiness, implementation and compliance: Scope, Train, Assess, Remediate, and Support.

Sikich has taken a holistic approach to its CMMC and government contractual requirements efforts. Whereas other security providers may only supply clients with a basic assessment, Sikich professionals follow the STARS program to help clients understand their security gaps and scope, develop an actionable roadmap, implement system changes, and maintain compliance.

Five Phases to CMMC Compliance with STARS

The STARS program includes five phases that will take your organization from defining the initial enclave scope to remediation and compliance maintenance. Depending on the maturity of your existing security plan, the process could be initiated at one of the later phases. By aligning your CMMC maturity with the appropriate phase, we can integrate established processes and documentation into the program, saving you time and money.


In the first phase, we focus on the fundamentals, such as identifying the CUI scope of your network. To do this, we review your data types and how that data comes into your systems. We also look at the people you work with, the technologies you use, and the resources you share with your business partners. Afterward, our team will develop and share a CMMC scoping document with detailed breakdowns of every business area that may be subject to CMMC requirements.

Because many DoD contractors, suppliers, and partners work with several companies with their own network of connections, keeping track of CUI and preventing it from falling into the wrong hands can be challenging. Understanding how information is shared and who has access to it will enable your business to put the right security measures in place to achieve compliance.


The next phase is training. We will provide training so your team understands CMMC contractual obligations and requirements. All training is done remotely via video conferencing or webinars for your convenience and safety.

Training includes:

  • An overview of the 320 determination statements and 110 controls outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and 800-171a
  • Best practices for classifying, labeling and handling CUI
  • Security awareness


Scoping and training are the two preliminary means for establishing your cybersecurity readiness foundation. The next phase is to begin the assessment.

To start, we will review NIST SP 800-171 controls, including by performing interviews, documentation reviews and controls validation. We will also run tests to identify any gaps in your existing security program and develop a remediation plan you can use to guide your remediation efforts. Sikich’s remediation plan differs from a traditional PDF report; it is an interactive CMMC compliance solution powered by Exostar’s Certification Assistant that breaks down the steps required to achieve compliance. You can use this tool to track your efforts throughout the remediation phase.

As part of the assessment, we will also provide an executive presentation. This presentation describes where your company is in its CMMC compliance efforts and outlines the steps it must take to achieve compliance. In addition, the executive presentation helps to align board members and C-suite executives with CMMC-related goals and timelines.


In this phase, we use the information gathered to build a Plan of Action and Milestones. In addition, we provide detailed gap remediation recommendations and create in-depth system security and incident response plans.

The system security plan outlines a company’s scope, the assessment outcome (including an assessment score), an overview of practices in place for the 110 CMMC controls and the steps needed to achieve compliance. The system security plan is a living document, similar to the remediation plan, that you can update as your team completes milestones. The Defense Federal Acquisition Regulation Supplement (DFARS) requires that DoD contractors provide a system security plan for compliance consideration.

Altogether, building and implementing remediation efforts can take anywhere from one to three years. Since the CMMC deadline is less than three years away, it is vital to begin this process as early as possible.


In the last phase of the Sikich STARS program, Sikich provides compliance support. Once you have built a plan to fill any security gaps and remediate your risks to achieve CMMC compliance and certification, you must develop a strategy to implement controls to achieve and maintain compliance. Sikich helps companies working alongside the DoD by providing:

  • A CMMC compliance and controls measure playbook
  • Risk remediation advisory services
  • Quarterly compliance reports
  • Quarterly executive management updates
  • Annual incident response training and testing
  • Annual security awareness training
  • Optional subcontractor compliance reports

Sikich is much more than just an auditing firm. Instead of providing a one-time performance review, our team of experts will walk you through every step of the implementation process and help you achieve and maintain compliance into the future. Contact our team of experts to learn more about the Sikich STARS program and how working with a trusted partner can streamline and support your efforts to meet CMMC goals.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author