Support Centre

USA: CMMC - what lies beneath

In the first article in the series, USA: CMMC as competitive advantage and five things you can do today, Alex Sharpe, Principal at Sharpe Management Consulting LLC discussed why one shouldn't wait and the low-cost things you can do today to make your lives easier. In this article, Alex discusses what is not readily apparent until you start moving through your assessment. Think of it as an iceberg without the luxury liner. In the next article of the series, Alex will address what the Cybersecurity Maturity Model Certification ('CMMC') does not cover that may be critical to keeping your business, your customers and your partners secure. As always, your mileage may vary.

Quardia / Essentials collection / istockphoto.com

You probably know the CMMC is designed to take the cybersecurity posture of Defense Industrial Base ('DIB') organisations up a notch in a way that is readily identifiable by an objective third party. Let’s not gloss over that point. The CMMC is not a bureaucratic exercise. It is being done to improve the security posture of your business, the nation and our allies. Making it a certification and a maturity model makes it easy for a third party to have a readily identifiable sense of your security posture.

Public service announcement

Never forget, being compliant does not mean you are secure. The news is full of stories about breaches where this fundamental mistake was made. Do what you need to be compliant with the CMMC and whatever else you may be subject to, but never forget to ask the question:

"Is this sufficient to protect my business, my customers and my business partners?"


Business models, threats, actors and countermeasures evolve. Just like every other part of your business.

A look at the CMMC structure

The CMMC currently defines 17 domains of technical capability. Each of these domains has a series of Practices for each of the five Levels. Basically, as you move through the levels the specific requirements get more sophisticated.  All but three of the domains come from two source documents - NIST SP 800-1711 and FIPS Pub 2002. The three additional domains are Asset Management, Recovery, and Situational Awareness.

What is not seen until you get into it is that the CMMC actually references other criteria. It also requires items specific to the audit process and non-technical controls. Let's talk through the most notable and what seems to cause the most headaches. For the sake of illustration, we will presume most readers will be Level 3. That way we can cast the widest, most relevant net.

What are these things called Practices?

In their essence, NIST SP 800-171 and FIPS Pub 200 are list of controls. Other publications are standards, or configurations or regulations. The CMMC organised the model differently so that like items are collected together instead of parallel threads. The CMMC is organised into Practices. Each Practice is a collection of controls, documentation and processes. The CMMC documentation is not only your internal documentation like policies, procedures, training material and the like but it is also the evidence the auditor needs to demonstrate compliance to an objective third party. Think of these Practices as atomic units. Being collected this way helps you ensure the different dimension for each area is being addressed. At the same time, it allows the auditor to get a 360 degree view of an area all at once.

Be mindful of the Clarifications and Examples

Within the Practices, you will see much more than just a list of items. You will also see Clarifications and Examples. The Clarifications and Examples are drawn from the controls that support that particular Practice. You need to pay attention to these. They are there to help you. This is a very common practice in many industries but not usually seen in U.S. Government documents. Instead of just pushing out a requirement, this supporting text helps you understand the spirit of what is required and provides context. The attorneys reading this could think of it as analogous to legislative intent. But be careful. As my colleague, the CEO at CMMC Solutions, Bob Ashcraft noted, "Within these clarifications and examples, you will find 'additional' references to other documents list NIST SP 800-37, 53, 57, 70, 88 and 128 to name a few."

You will also notice as you move through the Levels the items within the Practices build upon each other. You would be well served to view the Level above to see if the additional requirements make sense for your business. Remember this is about making sure your business, your customers and your partners are secure. It is not about simply checking some boxes.

You will also be well served by looking at the Level below. Looking at the delta below is often useful in understanding the intent.

Configuration Management ('CM'), requires you to harden your servers, laptops, devices, OS and applications

What is not readily apparent is that when it comes to hardening and configurations there are three places to go:

  • Defense Information Systems Agency Security Technical Implementation Guides3;
  • Center for Internet Security Benchmarks4; and
  • NIST 800-535.

Just an aside: a fair number of studies shows 85% of breaches would have been prevented if the organisation conformed to any one of these.

CM requires the ability to identify ALL devices on a network

In principal it makes absolute sense. There are a couple of areas where it gets iffy. What does this mean with the rapid growth of the Internet of Things or in a military manufacturing environment or a medical business with devices? Do not get me wrong, given our breach history and our need to protect our critical infrastructures ('CI'), we need to do this. This is very straightforward when dealing with equipment designed to be networked. It is not as straightforward when dealing with devices that do not have an IP addresses.

"The manufacturing and warehouse floors are full of devices that assist in assembly and packaging processes, but are not as sophisticated as a laptop or even a cell phone!"

Bob Ashcraft, CEO of CMMC Solutions


Do not forget, the CMMC does not replace or supersede good cyber or privacy practices to protect CI.

Closing remarks

The CMMC is being done for all of the right reasons. In the end, it will make your business stronger and the world a safer place. Having a better handle on the way it is organised, how it can be used and where to look will make your life easier. After all, you want to apply your energy to securing you enterprise and running your business.

Alex Sharpe Principal
[email protected]
Sharpe Management Consulting LLC


1. Available at: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
2. Available at: https://csrc.nist.gov/publications/detail/fips/200/final
3. Available at: https://public.cyber.mil/stigs/
4. Available at: https://www.cisecurity.org/cis-benchmarks/
5. Available at: https://nvd.nist.gov/800-53