CMMC Compliance Guide.

/ 01What CMMC is

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors have adequate cybersecurity to protect government information. Version 2.0 was finalized in 2024 and implementation through DFARS rule 252.204-7021 began phasing into contracts that same year.

The framework exists because DoD has been requiring contractors to comply with NIST SP 800-171 for years (since 2017 via DFARS 252.204-7012), but compliance has been largely self-attested and inconsistently enforced. CMMC adds third-party verification.

Three things matter to know up front:

• It's not optional for contractors who want continued or new DoD work. Solicitations are starting to specify required CMMC levels at award.
• It's tiered. Not everyone needs the highest level. Most contractors land at Level 1 or Level 2.
• It's a process, not a product. You can't buy "CMMC compliance" off a shelf. You implement controls, document them in a System Security Plan, and either self-assess or get assessed by a C3PAO.

/ 02Who needs CMMC

Two questions answer who needs what:

1. Do you have a DoD contract or subcontract? If yes, the next question matters. If no, you don't need CMMC.
2. What information does the contract require you to handle?
   • FCI only → Level 1
   • CUI of any kind → Level 2
   • Critical national security CUI → Level 3 (rare, prime-level engineering work mostly)

In Tennessee specifically, common CMMC-affected categories include:

• AEDC (Arnold Engineering Development Complex) suppliers and subcontractors
• Oak Ridge / Y-12 supply chain (some elements DoD, some DOE — different frameworks but overlapping)
• Aerospace component manufacturers
• Defense electronics suppliers
• Software and engineering services for DoD primes
• Test equipment and instrumentation suppliers
• Some specialty machining, metal fabrication, and composites work
• Logistics and transportation contractors with DoD work

/ 03The three levels

Level 1: Basic Safeguarding

17 controls drawn from FAR 52.204-21. Common-sense basics: limit access to authorized users, use IDs and passwords, control physical access, use boundary protections (firewalls), patch systems, control external connections. Self-assessment annually. No formal SSP required (though documenting your controls is still a good practice).

Level 2: Advanced

The 110 NIST SP 800-171 controls. Documented System Security Plan required. Third-party assessment by an authorized C3PAO (Certified Third Party Assessor Organization). Most Tennessee contractors who handle any CUI land here. The bulk of this guide focuses on Level 2 because that's the lift.

Level 3: Expert

110 NIST 800-171 controls plus a subset of NIST SP 800-172 enhanced controls. Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Reserved for critical programs. Most small and mid-size defense contractors never reach this level.

/ 04NIST SP 800-171 walkthrough

The 110 controls in NIST SP 800-171 are organized into 14 control families. Here's the practical lay of the land:

Some controls are easy ("provide security awareness training") — others are heavy lifts ("monitor and control communications at the external boundary of the system and at key internal boundaries").

/ 05Scoping your environment

Scope is everything. CMMC compliance applies to systems that process, store, or transmit CUI. Reducing the scope of what touches CUI dramatically reduces the cost of compliance.

Three scoping options

Option A: Whole company in scope. Every system, every user, every device is compliant. Simplest to explain. Most expensive to maintain. Works for small organizations under 25 people where nearly everyone touches CUI anyway.

Option B: CUI enclave. Build a separate enclave (often a dedicated Microsoft 365 GCC High tenant or an Azure Virtual Desktop environment) where all CUI work happens. Users access CUI from the enclave; their general business systems remain commercial. The enclave is in scope; the rest of the company is not. Best balance for most contractors with 25-200 employees.

Option C: Dedicated facility. Physical separation. CUI-cleared employees work in a dedicated space with dedicated systems on a separate network. Required only for the highest-classification work. Overkill for typical Level 2.

The enclave model in practice

The most common SMB Level 2 architecture:

• Commercial Microsoft 365 for general business email, files, collaboration
• Separate Microsoft 365 GCC High tenant for any work involving CUI
• Cleared users have accounts in both tenants
• CUI never touches commercial M365 — strict policy and technical controls
• GCC High tenant has the full security baseline applied: Conditional Access, Intune, DLP, monitoring
• Workstations used to access CUI are either dedicated GCC High devices or commercial devices with strict Conditional Access requiring compliant state to access GCC High

This enclave approach typically reduces CMMC scope by 70-90% compared to whole-company-in-scope, with corresponding cost savings.

/ 06The SSP and POA&M

System Security Plan (SSP)

The SSP is your authoritative document describing how your environment implements each of the 110 NIST SP 800-171 controls. It typically includes:

• System description and boundary (with diagrams)
• Inventory of in-scope assets
• For each control: implementation description, responsible role, status (implemented / partially / not implemented)
• Risk-based decisions and accepted residual risk
• Connections to external systems
• Roles and responsibilities

For a typical SMB at Level 2, the SSP runs 80-300 pages. Yes, really.

Plan of Action & Milestones (POA&M)

The POA&M lists controls that are not yet fully implemented, with target remediation dates. CMMC 2.0 allows you to have a POA&M for some controls at assessment time (you're not required to have 100% implementation to pass) — but:

• Certain critical controls cannot be on the POA&M; they must be fully implemented
• POA&M items must be closed within 180 days of assessment
• Failure to close POA&M items can result in loss of certification
• Your overall score still has to meet the minimum threshold

SPRS score

Each control is scored: fully implemented = the points the control is worth; not implemented = 0; partially = sometimes partial credit. The aggregate is your Supplier Performance Risk System (SPRS) score — up to 110 maximum. Your prime can pull your SPRS score. Many primes will not subcontract to suppliers below certain thresholds.

/ 07What an assessment looks like

Level 2 third-party assessments are conducted by C3PAOs (Certified Third Party Assessor Organizations) accredited by the Cyber AB. The assessment typically takes 2-6 weeks of elapsed time and includes:

Pre-assessment

• Scope confirmation and contract
• SSP and POA&M review
• Document request: policies, procedures, evidence of operation
• Pre-assessment readiness review (sometimes)

On-site (or remote) assessment

• Interviews with key personnel: security officer, IT lead, executives
• Walk-through of physical and technical controls
• Sampling of evidence for each control
• Testing of specific controls (e.g., MFA actually required, encryption actually enforced)
• Network architecture review
• Review of incident response, training, monitoring evidence

Findings and report

The assessor delivers findings — typically a mix of fully met, partially met, and not met. Your score is calculated. If you meet the threshold and have an acceptable POA&M for the partial items, you receive certification. Certifications are good for 3 years with annual affirmations in between.

/ 08Realistic budget and timeline

For a typical 50-person Tennessee defense contractor going from no formal compliance to Level 2 certified:

Plus ongoing costs:

• Microsoft 365 GCC High licensing: $33-$55 per user per month (depending on plan)
• SIEM and security monitoring: $5K-$25K per year
• Continuous monitoring and management: typically wraps into managed services contract
• Annual self-attestation; triennial reassessment fees (~$15K-$60K)
• Training program maintenance

The investment is significant but the alternative — losing access to DoD contracts entirely — is worse. For small contractors who are heavily DoD-dependent, CMMC is existential. For diversified contractors with limited DoD work, it's a business decision: is the DoD revenue stream worth the compliance investment?

Where to start

1. Inventory your DoD contracts and identify which involve CUI vs FCI-only.
2. Talk to your primes about their flow-down expectations and timelines.
3. Get a gap analysis from a qualified consultant (RPO — Registered Provider Organization — is a credential to look for). Don't try to assess yourself before you understand the framework.
4. Develop a roadmap with realistic timelines and budget approval.
5. Choose your scope strategy (whole-company, enclave, or facility) early — it drives every other decision.
6. Build in the right order: foundation (M365 GCC High or equivalent), then identity controls, then logging/monitoring, then everything else.