

  1. Barbara George, PhD
    July 3, 2019 @ 7:23 am

    Hemisphere Cyber has been preaching this concept since December 2016.


  2. Barb Wert
    July 8, 2019 @ 12:01 pm

    The OUSD(A&S) website says that “all companies conducting business with the DoD must be certified”. This is different from the information in #1 above, which indicates some contracts may not require the certification if no CUI is involved.

    What is the basis of your statement? OUSD(A&S) is directly working with other agencies to put this certification together, so I think they would be pretty clear in the information they posted.


    • D.W.
      December 5, 2019 @ 1:36 pm

      If you manage Controlled Unclassified Information (CUI) in any way, you have to meet at least security level 3.

      It looks like most subcontractors won’t need the same security level as primes. But the latest news is that every DoD contractor will need to be at least CMMC level 1 in order to bid on RFPs.


  3. Amira Armond
    July 8, 2019 @ 1:35 pm

    Hello Barb,
    This article is my notes from an in-person presentation. I haven’t gone out to the OUSD website to double-check the official stance. So I might be wrong.
    However, it doesn’t make any sense to me that “all companies conducting business with the DoD” must go through a DFARS 252.204-7012 and NIST 800-171 audit. Both of these programs are specifically for companies that are holding Controlled Unclassified Information. That is not every company.
    For example, companies that provide landscaping on Naval bases probably don’t have CUI to protect. I don’t think the CMMC will apply to them.


    • Amira Armond
      December 13, 2019 @ 8:43 am

      How time flies – as you can see, my comment from July is wrong and Barb’s is up to date. They later released that all DOD contractors have to get audited, no matter what. Oi!


  4. Clarence Johnson
    November 12, 2019 @ 11:18 pm

    How do I get certified as a trainer or Auditor for CMMC?


  5. Joe Rance
    April 8, 2020 @ 6:27 am

    Katie Arrington, who leads this program, stated in a webinar that ALL DoD contracts will need to have an audited and certified system, regardless of security level. She showed an example of a lawn maintenance company who prepares his bid by calculating the square feet of grass using a drawing of the air base. The drawing is considered CUI even though it is being used to calculate a lawn mowing bid. This was just one example she used to justify having ALL suppliers certified, even office supply vendors.

