
Module 8: Cybersecurity Compliance (CMMC)

DFARS 7012, NIST 800-171, CMMC self-assessment, your SPRS score.

Video walkthrough: CMMC Self-Assessment tool

Lessons (4)

Lesson 1. DFARS 252.204-7012: the 110 controls explained

DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is the clause that makes cybersecurity compliance mandatory for DoD contractors. If your contract includes this clause, you must implement all 110 security controls from NIST SP 800-171 Revision 2.

What triggers this clause:

Any DoD contract that involves Controlled Unclassified Information (CUI). CUI is unclassified information that the government considers sensitive enough to require safeguarding. Examples include technical specifications, contract performance data, personnel records, and system security plans. If you are working on a DoD IT contract, you almost certainly handle CUI.

The 110 controls are organized into 14 families:

Access Control (AC): 22 controls. Limit system access to authorized users. Enforce least privilege. Control remote access. Manage wireless access.

Awareness and Training (AT): 3 controls. Ensure personnel understand security responsibilities. Provide training on recognizing threats.

Audit and Accountability (AU): 9 controls. Create and retain system audit logs. Review and report on audit findings. Protect audit information from unauthorized access.

Configuration Management (CM): 9 controls. Establish and maintain baseline configurations. Track and control changes. Restrict unauthorized software.

Identification and Authentication (IA): 11 controls. Identify and authenticate users, devices, and processes. Enforce password complexity. Use multi-factor authentication.

Incident Response (IR): 3 controls. Establish an incident response plan. Detect, report, and respond to incidents. Test incident response capability.

Maintenance (MA): 6 controls. Perform timely maintenance. Control maintenance tools. Supervise maintenance activities.

Media Protection (MP): 9 controls. Protect system media (physical and digital). Sanitize media before disposal. Control media transport.

Personnel Security (PS): 2 controls. Screen individuals before granting access. Protect CUI during personnel actions (termination, transfer).

Physical Protection (PE): 6 controls. Limit physical access to systems. Monitor the physical facility. Manage physical access devices (keys, badges).

Risk Assessment (RA): 3 controls. Periodically assess risk. Scan for vulnerabilities. Remediate vulnerabilities.

Security Assessment (CA): 4 controls. Assess security controls periodically. Develop and implement action plans. Monitor controls on an ongoing basis.

System and Communications Protection (SC): 16 controls. Monitor and control communications at system boundaries. Implement cryptographic mechanisms. Separate user and system functionality.

System and Information Integrity (SI): 7 controls. Identify, report, and correct system flaws. Monitor system security alerts. Update malicious code protection.

You do not need to memorize all 110. You need a System Security Plan (SSP) that documents how you implement each one, and a Plan of Action and Milestones (POA&M) for any controls you have not yet fully implemented.

Use the ClariFAR CMMC Assessment tool at /cmmc to walk through each control and assess your current compliance status.

Lesson 2. CMMC Level 1 vs Level 2: when each applies

The Cybersecurity Maturity Model Certification (CMMC) has three levels. Which level applies to you depends on the type of information you handle on your DoD contracts.

CMMC Level 1: Federal Contract Information (FCI) only. Controls: 17 practices derived from FAR 52.204-21. Assessment: annual self-assessment. You assess yourself and submit results to SPRS (Supplier Performance Risk System). Cost: minimal. These are basic cyber hygiene practices most IT professionals already follow. Examples of FCI: contract schedules, meeting notes, project plans that do not contain technical specifications or CUI markings.

CMMC Level 2: Controlled Unclassified Information (CUI). Controls: all 110 controls from NIST SP 800-171 Rev 2. Assessment: depends on the contract. Some contracts allow self-assessment. Others require a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). Cost: self-assessment is free (your time). Third-party assessment costs $30,000-100,000+ depending on the size and complexity of your environment. Examples of CUI: technical data, engineering drawings, personally identifiable information (PII), export-controlled information, vulnerability assessments.

CMMC Level 3: highest sensitivity CUI. Controls: 110 from NIST 800-171 plus additional controls from NIST SP 800-172. Assessment: government-led assessment by DCMA DIBCAC. Cost: significant. This level is for contractors handling the most sensitive unclassified information. For most small IT contractors: Level 3 is not relevant. Focus on Level 1 or Level 2.

How to determine which level you need:

The solicitation tells you. The contracting officer specifies the required CMMC level in the solicitation per DFARS 252.204-7021. If the solicitation says "CMMC Level 1," you need Level 1. If it says "CMMC Level 2 with self-assessment," you self-assess. If it says "CMMC Level 2 with C3PAO assessment," you need a third-party assessment.

If you are not sure whether a future contract will require Level 1 or Level 2: implement Level 2. The 110 controls subsume the 17 Level 1 controls. If you build to Level 2, you automatically satisfy Level 1.

Timeline for CMMC enforcement:

CMMC requirements are being phased into solicitations gradually. Not every DoD solicitation requires CMMC yet. But the trajectory is clear: by 2027, most DoD contracts involving CUI will require CMMC Level 2 certification. Start preparing now rather than scrambling when a solicitation you want to bid on requires it.

Lesson 3. Self-assessment walkthrough: get your SPRS score

Your SPRS (Supplier Performance Risk System) score is a number between -203 and 110 that reflects how many of the 110 NIST SP 800-171 controls you have implemented, weighted by each control's severity. A perfect score of 110 means you have fully implemented all controls. Each unimplemented control reduces your score by 1, 3, or 5 points depending on its severity weight.

How to calculate your SPRS score:

Step 1: Use the ClariFAR CMMC Assessment tool at /cmmc.

Step 2: For each of the 110 controls, mark your implementation status:

Implemented: you have fully implemented this control. Full points.

Partially implemented: you have started but not completed implementation. 1 point deducted regardless of weight.

Not implemented: you have not implemented this control. Points deducted based on weight: 5 points for high-weight controls, 3 for medium, 1 for low.

Step 3: The tool calculates your SPRS score automatically. It also generates a summary showing which control families are strongest and weakest.
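The scoring rule from Step 2 and the family summary from Step 3, worked through in code. This is an added example written for this page, not the ClariFAR tool's code; the control IDs, weights and statuses are constructed sample data rather than the official DoD Assessment Methodology weights, and controls not listed count as implemented. It also lists the controls that would need a POA&M entry.

```python
from collections import defaultdict

PERFECT_SCORE = 110    # every one of the 110 controls implemented
PARTIAL_DEDUCTION = 1  # page's rule: partial costs 1 point regardless of weight

# Constructed sample assessment as (control id, family, weight 1/3/5, status).
# IDs, weights and statuses are illustration data, NOT the official DoD
# Assessment Methodology weights; controls not listed count as implemented.
SAMPLE_ASSESSMENT = [
    ("AC.1", "AC", 5, "implemented"),
    ("AC.2", "AC", 5, "partial"),
    ("AC.3", "AC", 1, "not_implemented"),
    ("AU.1", "AU", 5, "not_implemented"),
    ("AU.2", "AU", 3, "partial"),
    ("IA.1", "IA", 5, "implemented"),
    ("IR.1", "IR", 5, "not_implemented"),
    ("MP.1", "MP", 3, "not_implemented"),
    ("SC.1", "SC", 5, "implemented"),
    ("SI.1", "SI", 3, "implemented"),
]

def deduction(weight, status):
    """Points lost for one control under the Step 2 rule."""
    if status not in ("implemented", "partial", "not_implemented"):
        raise ValueError(f"unknown status: {status}")
    if status == "implemented":
        return 0
    if status == "partial":
        return PARTIAL_DEDUCTION
    return weight  # not implemented: the full 1/3/5 weight is deducted

def sprs_score(assessment):
    """Start at 110 and subtract every control's deduction (floor is -203)."""
    return PERFECT_SCORE - sum(deduction(w, s) for _, _, w, s in assessment)

def family_summary(assessment):
    """Points lost per family, weakest family first (the Step 3 summary)."""
    lost = defaultdict(int)
    for _, family, weight, status in assessment:
        lost[family] += deduction(weight, status)
    return sorted(lost.items(), key=lambda kv: (-kv[1], kv[0]))

def poam_items(assessment):
    """Controls needing a POA&M entry: anything not fully implemented."""
    return [cid for cid, _, _, status in assessment if status != "implemented"]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))       # 94 for the sample
    print("Points lost by family:", family_summary(SAMPLE_ASSESSMENT))
    print("POA&M needed for:", poam_items(SAMPLE_ASSESSMENT))
```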

What is a good score?

110 is perfect but rare for small companies on their first assessment. Most small IT contractors score between 60 and 90 on their initial assessment. The government does not publish a minimum acceptable score, but contracting officers can see your score in SPRS and may use it as an evaluation factor.

Realistic scores for a 1-person IT shop (first assessment):

If you use MFA, encrypt your laptop, patch regularly, and have antivirus: expect 50-70. You are probably missing formal documentation (SSP, incident response plan), audit logging configuration, and some physical protection controls.

If you have invested in cybersecurity tooling (SIEM, endpoint protection, encrypted email): expect 70-90. You are probably missing some documentation and a few controls around media protection and personnel security.

If you have a dedicated IT security person or have been through an assessment before: expect 85-110.

How to submit your score to SPRS:

Go to sprs.csd.disa.mil. Log in with your CAC or Login.gov credentials. Enter your assessment results. The submission includes your overall score, the date of assessment, and whether you have a Plan of Action and Milestones (POA&M) for unimplemented controls.

For CMMC Level 1 (17 controls): you self-assess annually and affirm compliance. No score submission to SPRS is required for Level 1.

For CMMC Level 2 with self-assessment: you submit your score to SPRS. The score is visible to contracting officers.

For CMMC Level 2 with C3PAO assessment: the C3PAO conducts the assessment and submits the results. You do not self-report.

Lesson 4. Realistic remediation for a small IT shop

You completed your self-assessment and your SPRS score is not 110. Now what? Here is a prioritized remediation plan that focuses on the controls that matter most and cost the least to implement.

Priority 1: Access Control and Authentication (do this week). These controls have the highest weight and are the cheapest to fix.

Enable MFA on everything: email, cloud storage, VPN, SAM.gov, banking. Use an authenticator app, not SMS. Cost: $0 (most services include MFA free).

Enforce strong passwords: minimum 12 characters, no reuse across services. Use a password manager (1Password, Bitwarden). Cost: $0-36/year.

Review who has access to what: for a solo contractor, this is simple. Document that you are the only user with access to CUI systems. Remove any shared accounts. Cost: $0.

Priority 2: System Integrity and Patching (do this week). Enable automatic updates on your operating system, applications, and firmware. Run a vulnerability scan (free tools: Nessus Essentials, OpenVAS). Patch any critical or high vulnerabilities found. Install and enable endpoint protection (Windows Defender is adequate for a small shop). Cost: $0.

Priority 3: Documentation (do this month). This is where most small contractors lose the most points. The controls require documented plans, not just implemented practices.

System Security Plan (SSP): a document describing your information system, its boundaries, how you implement each of the 110 controls, and who is responsible. NIST provides a template. For a 1-person shop, this is a 15-20 page document. Cost: $0 (your time, 8-16 hours to draft).

Plan of Action and Milestones (POA&M): a document listing every control you have not fully implemented, what you plan to do about it, and when. Each entry has a target completion date. POA&Ms must be closed within 180 days of your assessment. Cost: $0.

Incident Response Plan: a 3-5 page document describing what you do when a cyber incident occurs. Include: how you detect incidents, who you notify (72 hours to DoD per DFARS 252.204-7012), how you preserve evidence, and how you recover. Cost: $0.

Priority 4: Technical Controls (do this quarter). These require some investment but are critical for a real CMMC Level 2 assessment.

Encrypted email: Microsoft 365 Business Premium ($22/month) includes email encryption, data loss prevention, and Azure AD with conditional access. This covers a large number of controls across multiple families.

Audit logging: configure your systems to log access events, authentication attempts, and data transfers. Microsoft 365 audit log covers cloud systems. For local systems, enable Windows Event Logging with appropriate retention (90 days minimum).

Encrypted storage: enable BitLocker (Windows) or FileVault (Mac) on all devices that store CUI. Cost: $0 (built into the OS).

Network segmentation: if you have CUI on your network, separate it from personal devices. For a solo contractor, this can be as simple as a dedicated VLAN on your router or using a separate laptop exclusively for government work.

Total cost for a 1-person IT shop to reach SPRS 85+:

Microsoft 365 Business Premium: $22/month

Password manager: $0-3/month

Your time for documentation: 20-40 hours

Everything else: $0 (using built-in OS features and free tools)

That is roughly $25/month plus your time. CMMC compliance is not expensive for small contractors. It is time-consuming because of the documentation requirements, but the actual technical controls are mostly free or already included in tools you use.

Hands-on exercise

This module includes exercises using ClariFAR tools.
