
Recent Articles
- Why so few Defense contractors are compliant: How long does it take a company to go bankrupt when it can’t win work? One year? Two? Three? Let me tell you a story about how a system of perverse incentives caused our current cybersecurity situation in the Defense Industrial Base. Back in 2017 (six years ago), new and renewing DoD contracts started including … Read more
- Podcast – increasing the likelihood of passing CMMC assessments: This podcast by Omnistruct features Amira Armond, John Riley, and George Usi. Recorded in May-June 2023. They discuss the basics of CMMC, the “hardest” requirement (FIPS, of course), the aspects that contractors have the most difficulty with, and the status of the roll-out. Check it out! The link below has the full text transcript: Omnistruct: … Read more
- CMMC Breaking News – July 25, 2023: Today we had two big events in #CMMC and US Federal Contractor Cybersecurity. The Rule for CMMC moved to the Office of Management and Budget. That means a timer has started, 90 days or less, for the review to complete. Expect the text to be published by mid-October. There is still a possibility that it will come … Read more
- 3.13.11 FIPS 140-2 Validated Cryptography: It is time, finally, to talk about the #1 “Other than Satisfied” requirement in 800-171, per historic DIBCAC assessments. FIPS 140-2 Validated Modules. Listen up – I’m going to tell you how to succeed at this requirement. It might take money, it might take time, but it CAN be … Read more
- 3.5.3 Multifactor Authentication: Multifactor Authentication is #2 of the top 10 “Other than Satisfied” requirements for 800-171 assessments by DIBCAC. “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” My theory is that most of the time when this requirement is failed, it is because the IT department didn’t know … Read more
- What are Spot Checks for? CMMC Assessment Spot Checks: “If a contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks. The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost. The limited spot check(s) will be within the defined … Read more
- 3.14.1 Identify, report, correct system flaws: Continuing the Top 10 “Other than Satisfied” requirements for 800-171 assessments by DIBCAC. “Identify, report, and correct information and information system flaws in a timely manner.” This is the third-most “Other than Satisfied” requirement. 3.14.1 is both misunderstood and very hard to implement. Both problems cause failures. Why is 3.14.1 misunderstood? Most people read the … Read more
- 3.11.1 Periodically assess the risk to organizational operations: 3.11.1 Periodically assess risk… This is the fourth-most “Other than Satisfied” #CMMC requirement. “Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” Not hard to do, but often misunderstood. Let’s break it down. Periodically … Read more
- 3.11.2 Scan for Vulnerabilities: Scan for vulnerabilities… This is the fifth-most “Other than Satisfied” #CMMC requirement, with an 18% fail rate. 3.11.2 “Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.” “Organizational systems”… This is an example of a broadly-applicable requirement – something that is expected to be applied holistically from boundary to … Read more
Resources to get started with CMMC
Check the menu above for dozens of articles about CMMC, how to prepare your company, and how to become an assessor yourself.
Below are the top 10 links / resources for CMMC and 800-171, ranging from official to informal.
Official DoD homepage for CMMC
The Department of Defense owns the CMMC program and is the organization that requires cybersecurity and (in the future) CMMC certification from its contractors. Here you can find an FAQ and, more importantly, the official documents published by the DoD that identify their expectations for contractor cybersecurity.
Official homepage of the CMMC Accreditation Body
The CMMC Accreditation Body, recently rebranded to “Cyber-AB”, is a private-sector organization which has the responsibility to manage and accredit CMMC assessment companies. The Cyber-AB is mandated to follow the ISO 17011 standard to be an accreditation body. If you want to be a CMMC professional, this organization offers certification and marketplace listings.
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
This page on the Defense Contract Management Agency’s (DCMA) website has several great resources for defense contractors in the final stages of preparation for 800-171 or CMMC assessment. In particular, the self-assessment database and pre-assessment packages provide insight into the assessment process.
DFARS Cybersecurity FAQs (Official DoD guidance about 800-171 and DFARS)
This website is an official DoD website, even though it doesn’t look like it. The page has an FAQ document which has some of the best technical clarifications for what the DoD expects their contractors to do for cybersecurity. It is written for existing DFARS 252.204-7012 and NIST SP 800-171 compliance requirements, but these overlap CMMC requirements almost perfectly.
NIST SP 800-171 DoD Assessment Methodology
This document gives instructions for performing a NIST SP 800-171 self-assessment and scoring it so that the results can be entered into SPRS. CMMC uses the same methodology to identify which practices cannot be failed in order to pass a CMMC assessment (the 5-point practices). The document also gives advice about Not Applicable practices.
Security policy templates, training, and tools
This is a page on cmmcaudit.org (this website), with links to other good cybersecurity resources that will help you get ready.
Glossary of CMMC terms and key players
This page gives simple descriptions of many terms and resources related to CMMC. Very helpful to read through when you are starting out.
This is a Discord server that focuses on CMMC, CUI, 800-171 compliance, and other topics of interest to defense contracting cybersecurity. Most of the top-level people in CMMC contribute in this forum. It is the best source of peer-to-peer information available.
This is the website of the C3PAO Stakeholder Forum, an industry group of CMMC assessment companies. The Positions page has articles with recommendations for how to assess CMMC, as well as high-level recommendations for the program as a whole.
This page is relevant for all companies who are currently contractors for the DoD. It explains existing requirements for cybersecurity, which happen to look a lot like the new requirements for CMMC.
Index of all articles on this site
This page has all articles on the site. Remember that CMMC has changed over time, and articles written before 2022 may be outdated.
DoD to contractors: Your cybersecurity is not good enough
The Cybersecurity Maturity Model Certification (CMMC) is an initiative led by the Office of the Assistant Secretary of Defense for Acquisition, an office in the Department of Defense (DoD) that helps set policy for DoD contract requirements.
DoD contractors who handle Controlled Unclassified Information (CUI) are already required to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices. However, as pointed out by Ms. Katie Arrington during the CMMC Listening Tour in 2019, self-certification is not working. DoD contractors have been successfully targeted by cyber adversaries because they haven’t fully secured their networks.
To force DoD contractors to implement cybersecurity, CMMC will require many DoD contractors that have CUI on their information systems to obtain an assessment and certification from a third-party assessor.
We talk about 800-171 too!
Although this website is named “CMMC Audit”, almost all our articles are also relevant to NIST SP 800-171 and DFARS 252.204-7012 compliance. Check our NIST 800-171 menu above for specific information about these current requirements. Articles that discuss CMMC Level 2 or Controlled Unclassified Information will be helpful for your 800-171 journey today.
What you need to know about CMMC
CMMC enforcement timelines
The timelines have shifted right significantly since 2020. As of November 2022, there still have not been any real CMMC assessments of defense contractors. Here is the current timeline (a guesstimate):
- Mid 2022 – 20 C3PAOs have been “Authorized”, but cannot yet perform CMMC assessments.
- Mid 2022 – Mid 2023: A few C3PAOs are allowed to do “joint” assessments of 800-171 alongside the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). So far the rate has been 1 completed per month. These are not CMMC assessments.
- Mid 2023 or Mid 2024 – New DFARS rule introducing CMMC is published.
- After the rule: Authorized C3PAOs are able to perform CMMC assessments on their own schedule. Possibly up to 100 assessments per month will occur, with perhaps 600 performed in the first year after the DFARS rule is released (less than 1% of the total contractor population).
- Mid 2024? The Cyber-AB is accredited as an ISO 17011 Accreditation Body, and begins accrediting C3PAOs as inspection bodies.
- Gradual and accelerating expansion over time.
CMMC levels and requirements
The DoD recognizes that its contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1 to 3. Having proof of compliance at that level would be a requirement to even submit a bid.
The lowest level (1) applies to DoD contractors who don’t deal with Controlled Unclassified Information (CUI). I expect most resellers will fit into this category. Other than purchase orders and possibly human resources information, they don’t hold government information on their corporate networks. The security requirements for this level are much less stringent.
In the middle level (2), DoD contractors handle CUI. This is information like schematics for DoD equipment: data that lets adversaries reverse-engineer or learn about military capabilities. For example, a shipyard might have maintenance plans for submarine equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 requirements.
At the highest level (3), the CUI being protected is high-stakes. These networks will be targeted by cyber adversaries. Examples of this information would be weapon test results or detailed manufacturing schematics. Securing your network up to Level 3 is likely to be very expensive.
For more details about CMMC as an overall program, see CMMC Basics – the Full Details
Does CMMC apply to your business?
This infographic describes different types of sensitive but unclassified Federal data and their related cybersecurity requirements.
Are you just looking for a CMMC audit provider?
The sponsor of CMMC Audit (Kieri Solutions) is an Authorized CMMC Third-Party Assessment Organization. Kieri Solutions is known for supporting defense contractors by publishing free training and advocating to the CMMC-AB and DoD on behalf of contractors. If you need CMMC assessment services, check them out!
Are you just looking for help preparing for the CMMC?
We encourage you to reach out to the sponsor of CMMCAudit.org, Kieri Solutions, if you like what you see on this website. At the least, they are happy to chat for 30 minutes and give you free advice.
CMMCaudit.org is not a representative of the Department of Defense, the CMMC Accreditation Body, or the CMMC Assessors and Instructors Certification Organization. This website is meant to be a community resource for CMMC audit (or assessment!) preparation.