CMMC: A Practical Guide
Note: This is general information and not legal advice.
Executive Summary
- It can determine contract eligibility.
- It drives operational requirements (access, devices, logging, retention, evidence).
- It impacts vendors and subcontractors, not just primes.
- You handle CUI or work in the Defense Industrial Base (DIB).
- A prime, contracting officer, or customer is asking for 800-171 alignment, evidence, or an SPRS score.
- Scope is defined (where CUI lives, who touches it).
- Controls are implemented in a supportable way (not checkbox theater).
- Evidence is organized and stays current as systems change.
- We build a roadmap and help implement controls aligned to your environment.
- We help connect operations (MSP/MSSP) to compliance evidence needs.
Where to start without overcomplicating it
- Govern: assign an owner and a review cadence (roadmap, exceptions, evidence).
- Scope the data: confirm where CUI exists, how it flows, and who touches it.
- Choose an operating model: enclave vs broader rollout based on how much of the business touches CUI.
- Gap assess: compare current state to NIST 800-171 requirements and prioritize fixes.
- Implement controls + evidence: build proof as you deploy changes (not at the end).
- Run remediation visibly: track open gaps with a POA&M so progress is defensible.
Scope first: CUI boundaries decide the size of the problem
Most CMMC pain comes from unclear scope. If you don’t know where CUI lives, you either over-scope (expensive, disruptive) or under-scope (assessment surprises).
- Data: which documents, systems, and workflows contain CUI?
- People: which roles need access (and which don’t)?
- Systems: what endpoints, file shares, SaaS tools, and integrations are in the access path?
Related: Defense & Aerospace brief.
Enclave vs enterprise rollout: pick deliberately
If only part of the organization touches CUI, an enclave can reduce scope. If CUI is everywhere, forcing an enclave can create operational friction.
- Enclave: smaller compliance footprint, higher operational complexity.
- Broader rollout: simpler workflows, broader control implementation and evidence burden.
Identity and access controls are the fastest leverage
- Start with identity foundations so access is consistent and revocable.
- Enforce MFA on CUI access paths and admin roles.
- Reduce privilege sprawl with RBAC and periodic access reviews.
- Use conditional access and device posture for sensitive apps.
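The access-review and MFA points above are the kind of check that should run on a cadence and produce evidence, not a one-off. The following is an added example for this page (not N2CON's tooling): it evaluates a constructed account inventory for missing MFA on CUI or admin access, overdue or missing review records, and dormant accounts that still hold access, returning findings that can be filed as POA&M items together with a summary for the evidence pack. The record layout, the role names, and the 90-day review and 45-day dormancy thresholds are assumptions.

```python
"""Periodic access review over a constructed account inventory.

Added example (not N2CON's tooling). Checks MFA on CUI/admin access, review
cadence, and dormant accounts; returns findings for POA&M tracking and a
summary for the evidence pack. Record layout and thresholds are assumptions.
"""
from datetime import date

# Constructed sample records, roughly what a normalized IdP/HR export might hold.
ACCOUNTS = [
    {"user": "alice", "roles": ["cui-reader"], "mfa": True, "admin": False,
     "last_review": "2025-01-10", "last_login": "2025-03-01"},
    {"user": "bob", "roles": ["cui-editor"], "mfa": False, "admin": False,
     "last_review": "2025-02-01", "last_login": "2025-03-10"},
    {"user": "carol", "roles": ["marketing"], "mfa": False, "admin": False,
     "last_review": None, "last_login": "2025-03-14"},  # out of scope: no CUI role, not admin
    {"user": "dave", "roles": ["cui-reader"], "mfa": True, "admin": True,
     "last_review": "2024-10-01", "last_login": "2025-03-12"},
    {"user": "erin", "roles": ["cui-reader"], "mfa": True, "admin": False,
     "last_review": None, "last_login": "2025-01-01"},
]

CUI_ROLES = {"cui-reader", "cui-editor", "cui-admin"}  # assumed role names
REVIEW_WINDOW_DAYS = 90   # assumed review cadence for in-scope accounts
INACTIVE_DAYS = 45        # assumed dormancy threshold


def in_scope(account):
    """An account is in scope if it holds a CUI role or is an administrator."""
    return bool(CUI_ROLES & set(account["roles"])) or account["admin"]


def _days_since(iso_day, today_iso):
    """Whole days between an ISO date and the review date."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(iso_day)).days


def review_findings(accounts, today_iso):
    """Return (user, finding) pairs for in-scope accounts; out-of-scope ones are skipped."""
    findings = []
    for a in accounts:
        if not in_scope(a):
            continue
        if not a["mfa"]:
            findings.append((a["user"], "NO_MFA"))
        if a["last_review"] is None:
            findings.append((a["user"], "NO_REVIEW_RECORD"))
        elif _days_since(a["last_review"], today_iso) > REVIEW_WINDOW_DAYS:
            findings.append((a["user"], "REVIEW_OVERDUE"))
        if _days_since(a["last_login"], today_iso) > INACTIVE_DAYS:
            findings.append((a["user"], "INACTIVE_WITH_ACCESS"))
    return findings


def evidence_summary(accounts, today_iso):
    """Counts suitable for an evidence pack: scope size plus findings by type."""
    by_type = {}
    for _, kind in review_findings(accounts, today_iso):
        by_type[kind] = by_type.get(kind, 0) + 1
    return {
        "reviewed_on": today_iso,
        "in_scope": sum(1 for a in accounts if in_scope(a)),
        "findings_by_type": by_type,
    }


if __name__ == "__main__":
    for user, kind in review_findings(ACCOUNTS, "2025-03-15"):
        print(f"{user}: {kind}")
    print(evidence_summary(ACCOUNTS, "2025-03-15"))
```

Running this on the sample data flags bob (no MFA on a CUI role), dave (review overdue for an admin), and erin (no review record and dormant while still holding CUI access); alice passes and carol is skipped as out of scope. Keeping the summary output dated and stored alongside the findings is what turns a recurring script into evidence that the review control is operated, not merely documented.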
Evidence that matters: run the program like operations
Assessment prep is not just policies. It’s being able to show that controls are implemented and operated.
- SSP: keep a System Security Plan that matches reality.
- POA&M: track open gaps and milestones (see the POA&M guide).
- Logging: retain authentication and admin activity evidence, typically in a SIEM.
- Recovery: prove restores through backup and DR testing.
Common pitfalls
- Over-scoping: applying the heaviest controls to the whole company when only a subset touches CUI.
- Under-scoping: missing SaaS tools, personal email, unmanaged devices, or vendor access paths.
- Evidence drift: controls exist, but proof is stale or scattered.
- Vendor blind spots: subcontractors and third parties touch CUI without clear boundaries.
Related: vendor risk management.
Common Questions
What is the difference between CMMC and NIST SP 800-171?
NIST SP 800-171 defines the security requirements for protecting CUI. CMMC is the program and assessment framework that verifies implementation for applicable DoD contracts. In practice, you implement 800-171 controls and use CMMC to structure assessment readiness and evidence.
What is the difference between Level 1 and Level 2?
Level requirements depend on what your contracts require and what data you handle. Level 1 is commonly associated with basic safeguarding for Federal Contract Information (FCI). Level 2 is commonly associated with protecting Controlled Unclassified Information (CUI) and aligns closely to NIST SP 800-171.
Do we need CMMC if we only handle FCI (not CUI)?
If you only handle FCI (not CUI), your requirements may differ from those of organizations handling CUI. The practical starting point is to scope the data you touch and confirm which clauses apply in your contracts.
What is an enclave and when should we use one?
An enclave is a segmented environment where CUI is isolated from general business systems. It can reduce compliance scope when only a subset of your workflows touches CUI. The tradeoff is operational complexity: you must run and support two modes of work.
What evidence do assessors actually ask for?
Evidence typically includes: a current System Security Plan (SSP), policies and procedures that match how you operate, configuration proof (exports/screenshots), logging and retention proof, access review records, and restore testing evidence where recovery controls apply.
What is SPRS and why does the score matter?
SPRS is a DoD system used to capture supplier risk information, including some self-assessment scoring for NIST 800-171. Your score may be visible to contracting stakeholders and can influence confidence and eligibility depending on the procurement.
Can I use cloud services and still meet CMMC expectations?
Often yes, but it requires clear architecture and evidence: how identity is controlled, where CUI lives, how logging/retention is handled, and how shared responsibility is addressed. Treat cloud as an operating model you document, not a shortcut.
What is a POA&M and when is it relevant?
A Plan of Action and Milestones (POA&M) (guide: /resources/poam-guide/) is a structured remediation tracker for known gaps: what you will fix, owners, milestones, and evidence. It’s often part of compliance workflows and should be run like an operational plan, not a paperwork artifact.
How do we handle subcontractors and vendors?
Start by identifying which vendors and subs touch CUI or have privileged access. Treat that as a vendor risk and access boundary problem: scope access, prefer SSO/MFA, review privileges, and keep a small evidence pack you can reuse.
How long does CMMC readiness usually take?
It depends on scope, current controls, and how quickly you can implement changes without disrupting operations. The safest approach is to start with CUI scoping and an enclave strategy (if relevant), then build an evidence cadence while you close gaps.
Where this fits in your program
If you want an organizing layer for governance and evidence, NIST CSF 2.0 can help structure work across Govern/Identify/Protect/Detect/Respond/Recover.
Need a CMMC roadmap?
We can help scope, plan, and implement controls with a focus on practicality and evidence.
Contact N2CON