How to get a CMMC Audit or Assessment

You’re in the right place if the US Government or your prime contractor told you that you need to get a CMMC certification. What is CMMC? CMMC is an initialization for the term “Cybersecurity Maturity Model Certification”. This term was introduced by the Department of Defense in 2019 to name a new cybersecurity program. This Read More

Policy templates and tools for CMMC and 800-171

This page has links and reviews of available templates and tools relating to the CMMC and NIST SP 800-171 **Updated April 3, 2024** Please help others in the community by leaving a comment with resource links! Policies Templates SANS Institute – Security Policies SANS Institute provides a set of best practices security policies in Read More

C3PAO Shopping Guide

The National Defense Information Sharing & Analysis Center (ND-ISAC) is pleased to announce the release of a “C3PAO Shopping Guide for Small & Medium-Sized Businesses.”  The guide was created through a team effort among participants in ND-ISAC’s Small & Medium-Sized Business Working Group in consultation with other SMBs across the Defense Industrial Base (DIB), along with Read More

CMMC JSVA program – what you need to know

Some tidbits about CMMC’s Joint Surveillance Voluntary Assessment (JSVA) program that you might not know: JSVA program is intended to train C3PAOs and CMMC Assessors 1) The DoD is essentially using the JSVA program to train and vet our private sector assessment teams over-the-shoulder with the DoD’s cybersecurity assessment teams. This lets us learn from Read More

When do you need a new assessment? What can change?

Information systems are constantly changing. Especially if they are functional, production systems, supporting real use. Workstations and servers break. Technology becomes obsolete. New solutions are implemented in response to changing functional requirements. One thing we don’t know, in the CMMC world, is how much change is too much change. What is the maximum amount of Read More

What is “Certified” as the result of assessment??

What exactly is “certified” when you go through a CMMC or Joint Surveillance assessment, or when you self-assess your environment and report it to the DoD? What does it mean when you want to bid on contracts using this certification? Disclaimer: I’m not a lawyer. This is not legal advice. I don’t have special insight Read More

CISA Proposed Rule – Mandatory Reporting of Cyber Incidents

CISA releases proposed rule for mandatory reporting of cyber incidents by Critical Infrastructure and State, Local, Territorial Governments. To my understanding, this will affect all DoD contractors with DFARS 252.204-7012 in their contracts, as well as most Federal Contractors. For example, despite small businesses being given an exclusion, any business that “Owns or operates critical Read More

CMMC assessment? Don’t let pride take you down

Getting CMMC assessed? Some advice.. Listen to your assessor If we say that your evidence isn’t related to the requirement being inspected, or especially the critical words “I think you have misinterpreted this requirement”, instead of getting mad, take a long pause and go ask a knowledgeable consultant to review your situation. Most interpretation problems Read More

CMMC Level 1 certification and preparation (how-to)

If you are reading this article, you are probably the owner of a small DoD contracting company.  You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office.  You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to Read More

CMMC Capabilities Discussion Home

This page describes how to find the CMMC requirements, how to interpret them, and how to start preparing for an outside audit. It explains how to read the CMMC document and how your team or an auditor would check each requirement against your information systems. Disclaimer: The goal is to help you understand how the Read More

CMMC News Rollup October 6, 2020

Hello folks, This is week’s update is pretty short. The DFARS Interim Rule is still the biggest news. Other topics are the new DoD CUI website which has great resources for contractors, and word-of-mouth updates on the CMMC-AB’s registered practitioner and C3PAO programs. -Amira Armond CMMC Registered Practitioner Per CMMC-AB support email: Everyone who completed Read More

DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 and CMMC

If you are a Defense Contractor that handles Controlled Unclassified Information (CUI), this news is going to be very important for you. DFARS 252.204-7012 Interim Rule Yesterday, the DoD released an interim rule to the Defense Federal Acquisition Rules Supplement (DFARS) which goes into effect on November 30th, 2020. This publication is 89 pages long Read More

CMMC News Roundup September 28 2020

Hello all, Big news this last two weeks. In particular, the DFARS rule for CMMC abruptly changed course. It looked like it was delayed for months, but then (I think?) it got approved on an interim basis, to go into effect around November 27, 2020. DFARS Interim Rule Added – enforces assessments Federal Register Publication Read More

Review of CMMC Registered Practitioner Training

This is a historical post from September 2020. Information on Registered Practitioners may have changed since then. You have been warned. I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience. Thanks to Read More

CMMC News Roundup September 9 2020

Hello folks, Here’s the latest CMMC news and articles you should check out! CMMC FAQ for Organizations Seeking Certification This easy FAQ article discusses frequently asked questions about implementing CMMC security. Things like “Can my employees use their home computers to work on CUI?” Incident Handling tips from CISA The Cybersecurity and Infrastructure Security Read More

CMMC News Rollup – August 26, 2020

DFARS rule update for CMMC The acquisitions office has proposed an amendment to DFARS 252.204-7012, which is the contract rule that currently requires a high level of cybersecurity for the majority of Defense Contractors. The amendment is expected to replace the 110 controls in NIST SP 800-171 with CMMC’s Level 1-5 approach. If and when Read More

When is a conformity assessment not a conformity assessment? (hint – it is CMMC)

Author: Tom Cornelius| Senior Partner at ComplianceForge | Founder & Contributor at Secure Controls Framework (SCF) Originally published on LinkedIn on August 13, 2020 This episode of Coffee Thoughts With Tom addresses CMMC as a conformity assessment, since conformity assessments are intended to use a risk-based approach to determine a confidence point (e.g., materiality threshold) instead of Read More

CMMC Glossary, Terms, and Definitions. Who’s who in CMMC

As the CMMC ecosystem grows, it is starting to get hard to track all the key players and concepts. This page is meant as an easy to understand “who’s who” and “what’s what” for the CMMC. This CMMC glossary of terms is ordered so that each term builds on the previous terms. If you are Read More

CMMC “allowable cost” discussion and thoughts

*Updated August 13, 2020* CMMC cybersecurity is an “allowable cost” for DoD contractors? “The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.” “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. Read More

What is FCI in CMMC and how does it affect scope?

The Cybersecurity Maturity Model Certification references “FCI”.   What is this abbreviation? FCI in CMMC stands for “Federal Contract Information”. FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government.  FCI does not Read More

CMMC Provisional Auditor program opt-ins

On August 9th 2020, the CMMC Accreditation Body sent this email to me (and presumably others who registered for CMMC certified assessor). To opt-in, you must attest that you meet experience requirements 10+ years experience conducting evidence-based assessments in cyber or other information technology field. or 20+ years experience as a “consultant or proven leader” Read More

CMMC Rollout Status – Taking stock (July 31, 2020)

Editor’s note: This article gives a timely update on the laws and processes governing CMMC enforcement. To this point, there has not been official requirement for CMMC in the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS). However, as this article describes, the process has been started to change the regulations. Author: Read More

CMMC news round-up July 30, 2020

Here are the CMMC news topics this week: Registrations open for CMMC auditors, C3PAOs, and “registered” practitioners / organizations Registration has been open for a month and a week. Links and information about registration can be found at this CMMCaudit blog “CMMC AB opens registration for C3PAOs and Assessors“. I submitted applications for C3PAO and Read More

A Practitioner’s Thoughts On CMMC

Editor’s comments: This article is an excellent read if you have experience doing cyber-security compliance based on NIST SP 800-171 or DFARS 252.204-7012. If you don’t have prior experience on these topics, the article may not make much sense to you. Of particular interest to me is the scoping conflict between FCI and CUI, which Read More

CMMC news: CMMC AB opens registration for C3PAOs and Assessors

Hello all, The CMMC Accreditation Body has opened new pages on their website to give information about registering as a C3PAO  (Certified Third Party Assessor Organization) and as an Assessor.   They also have information about becoming a ‘registered practitioner’ or a ‘registered provider organization’ (these can be team members but not lead audits). You can Read More

CMMC News – Auditor Training Update – May 22, 2020

These are my notes from the CMMC Accreditation Body webinar regarding Assessor / Auditor Training. Disclaimer: I’m not a member of the CMMC AB, I am just providing these notes as a service to the community. Please watch the webinar for exact wording and full details. This webinar was released May 21, 2020 on the Read More

CMMC News – May 21 2020

The CMMC Accreditation Body (CMMC AB) has started to publish their progress via webinars on the website. Here are my notes from the webinar I watched on 5/21/2020, published at and archived on YouTube here. Ty Schieber is the Chair of the CMMC Accreditation Body. He presented the current status of the AB.  Read More