How to prepare for a DoD CMMC audit and certification

Ms. Katie Arrington (Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber) gave a presentation to small DoD contractors on May 23, 2019 to announce a new program which will require cyber-security audits and certification for all DoD contractors.

The proposed program is called the Cybersecurity Maturity Model Certification (CMMC).

Here are my notes from the presentation.


Per Federal Acquisition Regulations (FAR), federal contractors must comply with a list of cyber-security best practices. Any contractor computer systems that interact with Controlled Unclassified Information (CUI) as part of the contractor’s services or sales are in-scope.

What is CUI?

Controlled Unclassified Information is data that needs to be protected against release, but has not been classified by the United States Government. For example, military vehicle design schematics could be considered Controlled Unclassified Information. This information may be shared with federal contractors in order to manufacture replacement parts, or for reference while performing maintenance contracts. CUI also includes well-known sensitive categories such as personally identifiable information and health records for service members.

In 2016, the National Institute of Standards and Technology (NIST) released a document named “Special Publication 800-171”. This lists 110 cyber-security best practices that contractors with access to CUI must comply with. An example of an individual best practice is requiring strong passwords for any account that can access CUI.

While compliance with NIST 800-171 is a requirement in order to win new contracts, there is no auditing or certification program in place yet. Government contractors are allowed to self-certify that they meet the security requirements.

The problem identified by Ms. Katie Arrington is that the self-certification requirement for cybersecurity is not working. Theft of CUI from federal contractor systems has increased over time, not decreased. As a solution, her office (DoD Cyber, Acquisitions) is leading an initiative called the Cybersecurity Maturity Model Certification (CMMC).

The CMMC initiative will require DoD contractor information systems to be certified compliant by an outside auditor. This solves an issue where some businesses self-certify compliance without fully implementing (or understanding) needed security controls.

Highlights of the CMMC

  • A single standard used across all DoD contracts starting in 2020-2021
  • Considered a “go/no-go” requirement
  • Based on the NIST 800-171 controls
  • Identifies five levels of data security so that contractors can implement reasonable security for the data they deal with. Encourages government contract officers to pick an appropriate tier (not everything requires level 5)
  • Provides an automated tool that gathers data to simplify reporting efforts
  • Required CMMC level will be contained in RFP sections L & M
  • Authorizes a non-profit organization to oversee the program and accredit private-sector auditors
  • Makes cybersecurity an “allowable cost” in DoD contracts

Timeline for CMMC enforcement

Ms. Katie Arrington described the following timeline for CMMC:

Mid 2019 – Working groups and creation of automated assessment tools.

Early 2020 – Begin developing oversight and certifier accreditation program, processes.

Mid 2020 – Test the certification program and revise it.

Mid/late 2020 – Accredit third-party certifiers.

Future – Begin adding the CMMC requirement to all new DoD RFPs.

Next are my thoughts about what DoD contractors should be doing to prepare. These steps are my recommendations as a cyber-security consultant and are not from Katie Arrington’s presentation.

DoD Contractors – How to Prepare for the CMMC

1. Ask these questions first

Do you have to deal with Controlled Unclassified Information in current or future contracts? Not all government contractors deal with CUI. This may not apply to you at all. If you aren’t sure, ask your contracting officer or read the RFP. Examples of CUI are personally identifiable information, schematics of military equipment, sensitive information about schedules and personnel, and configuration documentation for government networks.

Is the CUI stored or accessed on your contractor information systems right now? If you have CUI on your systems now, you need to protect it according to NIST SP 800-171 requirements. It will be years (or possibly never) before CMMC comes into effect. 800-171 is in effect now.

If you are a subcontractor – ask your prime to identify what information is CUI, and whether you NEED to store or access it using your information systems (as opposed to government systems or your prime’s systems). If you can avoid storing CUI on your own systems, do so! It reduces risk to your company (and probably will protect the data better) if you can store it elsewhere.

If you are a prime – ask your contract officer to identify what information is CUI, and whether you NEED to store or access it using your information systems (as opposed to government systems). Government systems have to adhere to very stringent requirements for cyber security. This is the best place to store CUI if you have an option.

As time progresses toward 2021, you may ask your contract officer to identify which CMMC level applies to your CUI. (Until then, all controls in NIST 800-171 apply.)

Is it possible to isolate CUI to fewer systems, fewer networks, or fewer users, while still fulfilling the terms of your contract? You don’t need to secure ALL of the computer systems in the entire company. You just need to secure the ones that store CUI, or that could be used to access that CUI. Make the job easier by reducing your CUI footprint.

2. Perform a Risk Assessment

Work with a cybersecurity professional who specializes in NIST 800-171 and have them perform a risk assessment. This assessment will review your progress toward compliance with the NIST 800-171 controls and list the ones that are deficient. Some form of vulnerability scanning and penetration testing will normally be included, with a report of findings.

3. Write a System Security Plan

NIST provides a template for this plan here. You should describe how your information systems are secured and what policies are in place that relate to cybersecurity. This plan should give a POA&M (Plan of Action & Milestones) to resolve each deficient control. Note that you do not need to be 100% compliant with all security controls. You do need to have the most critical 17 addressed (as defined in DFARS 252.204-7012), a plan to fix the rest or explain why they don’t apply, and show progress over time.

4. Prepare for Incident Management

Make sure that you have a high quality Incident Management plan and practice it regularly. Besides implementing security controls, you are also expected to report security incidents to the DoD within 72 hours.

Make sure to register with the DoD reporting website ahead of time. The DoD will want to issue you a certificate to verify your identity, which can take a few days. The reporting website is

5. Follow Up and Continual Improvements

Ensure that your policies are realistic. Many organizations write policies that state that they will keep all systems fully patched at all times. If the organization then fails to patch systems for two months, and has an incident as a result, their failure to follow their own policy will count doubly against them. Conversely, if you have a really good reason to only patch every three months, and have written that into your policy, it might protect you against liability if there is an incident at the two-month mark.


Want help with your compliance project?

Kieri Solutions specializes in NIST 800-171 compliance for small federal contractors (5-50 FTEs). Our employees have backgrounds in DoD security controls, Windows domain security, and network security. We have implemented fixes for each NIST 800-171 control including DMZs, multi-factor authentication, encryption, and configuration management. We have proven templates for security policy and procedures. We would be happy to help with your compliance project or at least give you a few tips! Schedule a free consult by emailing

2-page data sheet for Kieri Solutions NIST SP 800-171 compliance capabilities

Our cyber-security compliance page


NIST Special Publication 800-171 Website

Federal Contractor Incident Reporting Website

System Security Plan Template

3 thoughts on “How to prepare for a DoD CMMC audit and certification”

  1. Barb Wert says:

    The OUSD(A&S) website says that “all companies conducting business with the DoD must be certified”. This is different from the information in #1 above, which indicates some contracts may not require the certification if no CUI is involved.

    What is the basis of your statement? OUSD(A&S) is directly working with other agencies to put this certification together, so I think they would be pretty clear in the information they posted.

  2. Amira Armond says:

    Hello Barb,
    This article is my notes from an in-person presentation. I haven’t gone out to the OUSD website to double-check the official stance. So I might be wrong.
    However, it doesn’t make any sense to me that “all companies conducting business with the DoD” must go through a DFARS 252.204-7012 and NIST 800-171 audit. Both of these programs are specifically for companies that are holding Controlled Unclassified Information. That is not every company.
    For example, companies that provide landscaping on Naval bases probably don’t have CUI to protect. I don’t think the CMMC will apply to them.
