In our CCP-Essentials class being offered at Southern Connecticut State University our first module covered the basics of “What is CMMC?”

As a performance assessment students had to create a “Create a one-page flyer explaining the CMMC program for a manufacturing defense contractor and a flyer for a Manage Service Provider “

For my mentor text I chose to do a Storyboard. All module long we stressed do not worry about arguing over VDI, split tunneling, FIPS, if you can’t tell me what policies you do and not have in place.

So in terms of building up a policy library I thought I would create a remixable storyboard that students could use to make training videos for their staff and employees. To meet the Awareness and Training domain people need to Conduct security awareness activities and training.

This storyboard can serve as a quick primer on CMMC and can be remixed to fit the style guide of your company.

Topic: Introduction

Total words:

Estimated Time:


Visual Assets

Audio Assets

In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self reporting of cyber hygiene that used to govern the DIB. The CMMC puts an end to self-assessment and requires a third party assessor to verify the cybersecurity maturit level.


All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplemental (DFARS). These regulations require companies to meet specific security standards from the National Institutes Standard of Technology. If a company connects to the Government network they must meet the NIST 800-53 standards. Companies not connected to a network were required to self certify that they met the 110 controls, actions to increase cyber hygiene as laid out in NIST 800-171.

Label: Federal Acquisition Regulation (FAR) and the Label: Defense Acquisition Regulation Supplemental (DFARS)

Label: National Institutes Standard of Technology.


Third party assessors, who must complete coursework and obtain a certification will then measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the process and the utilization of the practices. Furthermore the maturation model is cumulative, meaning a contractor must demonstrate they have met the practices and processes of lower levels as well.


The goal is to protect two types of sensitive data, federal contract information and federal


Topic: FCI

Total words:

Estimated Time:


Visual Assets

Audio Assets

Authorized holders, who have a Department of Defense Contract with a 7012 clause must protect two types of sensitive data: Federal Contract Information and Controlled Unclassified Information



FCI, or Federal Contract information is any information included in or created for a government contract not meant for public release.

Label: What is FCI?

FCI<![if !supportAnnotations]>[MG1]<![endif]>, or Federal Contract information is any information included in or created for a government contr<![if !supportAnnotations]>[MG2]<![endif]>


You or the government can create FCI. The You must do the work on behalf of a contract that generates or uses information not for public release.

Label: Who makes FCI?


You do not need to label FCI. No classification exists. Instead you apply basic safeguards to information not meant for public release

Label: How do I label FCI?


All of this got established by FAR Clause 52.204-21 which lays out basic protections for sensitive data. A company should not assume meeting the requirements of FAR will be easy or cheap. Yet they often reflect better business practices and provide a good starting pointon your CMMC journey.

Make a screen of the basic safeguards


Contractors who only touch or create FCI will need to pass a level one maturity assessment

By 2025 all contractors will be assessed using the CMMC Level 1 methodology


Topic: FCI

Total words:

Estimated Time:


Visual Assets

Audio Assets

Controlled Unclassified Information requires greater protections than FCI. The government defines CUI as Information that requires safeguarding or dissemination controls required by law, regulation, or Govt-Wide Policy but not classified and nuclear data or material. These require greater protections CUI.

Put definition in a call out

“All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI.”

32 CFR 2002.14.


The CUI program got created by President Obama’s Executive Order 13556 after 9/11 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA), of the National Archives and Records Administration

is responsible for oversight of the CUI Program, monitoring its implementation by executive branch agencies.

Executive Order 13556


Contractors who touch, create, receive, transmit or destroy CUI will need to pass a level three maturation assessment

By 2025(ish) all contractors will be assessed using the CMMC Level 3 methodology


Topic: History

Total words:

Estimated Time:


Visual Assets

Audio Assets

The Department of Defense launched the Cybersecurity Maturity Model Certification Program in 2019.

The Software Engineering Institute built the initial versions of the CMMC in collaboration with the Johns Hopkins University Applied Physics Laboratory

Get a CMM logo


Yet the effort to secure the Defense Industrial Base goes back as far as 2017 when the Department of Defense required all contractors who receive a 7012 clause to self-assess their cyber hygiene using set of controls called the Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations publish by the National Institute of Standards and Technology, commonly reffered to as NIST SP-800-171, or simply 171.

Screenshot of the manual page


NIST get empowered to set the standards for cybersecurity by the Secretary of Commerce under the Federal Information Security Modernization Act

Passed all the way back in 2002.

Federal Information Security Modernization Act-get a headline or something


So CMMC, while beginning in 2019 has roots almost twenty years old.


The Department of Defense accelerated cybersecurity through the CMMC program after the F-35 got stolen by the Chine military.

The plans did not fall into Chinese hands by hacking a single computer or company. No, instead thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between emails and servers.

These efforts did not stop with the F-35. In fact according to a Government Accountability Office:

“The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”

Something had to be done<![if !supportAnnotations]>[MG3]<![endif]>

Get some b roll of the f-35 and j-20

“faces tens of millions of attempted malicious cyber intrusions per year”

Dramatic world ending military beats with a bit of old school drum and bass House feel

The Department of Defense took the extraordinary approach of releasing an Interim Rule to speed up implementation of CMMC. The Interim rule introduced three new clauses, 7019,7020, and 7021.

The 7019 and 7020 clauses rely on the same approach to 171 as the past but now only the Under Secretary of Defense for Acquisition and Sustainment can assign the 7021 which has the CMMC requirements.

The Interim rule is set to be finalized in May of 2021 which then lays out a path for all Defense contracts to have the 7021 clause by 2025-2026.

It makes sense for Defense Contractors and the Managed Support Providers, the IT companies that work with small manufacturers, start to understand and implement the CMMC model

Make a graphic comparing the three interim clauses


Topic: Model

Total words:

Estimated Time:


Visual Assets

Audio Assets

Since December 13, 2017 companies could lose DoD contracts due to lax cybersecurity. But the DoD took an extradionary step of releasing in interim rule to DFARS.

Yet until recently DFARS requires organizations to self assess. Companies had to to provide documentation on meeting the 110 controls of NISt 800-171 by collecting artifacts into a Body of Evidence.

A Body of Evidence contained three major items. The first a Systems Security Plan describes a company’s infrastructure such as the hardware and software utilized. The Plan of Action and Milestones (POAM) documented any shortcomings and described a remediation plan. A company would also submit their procedures and policies as part of the Body of Evidence.

DFARS required a contractors POAM to get shared with the DoD. A major change in the CMMC is the removal of POAM and having third party rather than self assessments.

Make a graphic comparing no 171a vs CMMC


The CMMC builds off of NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third party assessors. The CMMC defines 17 domains of cyber hygiene that are comprised of 43 capabilities. These capabilities get institutionalized through 171 practices across five levels of maturation.


The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as, “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturation.

“set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.


The CMMC model has five levels

<![if !supportLists]>· <![endif]>Level 1: Safeguard Federal Contract Information (FCI)

<![if !supportLists]>· <![endif]>Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI

<![if !supportLists]>· <![endif]>Level 3: Protect Controlled Unclassified Information (CUI)

<![if !supportLists]>· <![endif]>Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Graphic of the Level


The Cybersecurity Maturity Model Certification program has 17 total Domains across these five levels.

Almost all of the domains come from NIST 800-171 and Federal Information and Processing Standards 200

To these 14 domains, the CMMC model adds Asset Management (AM), Recovery (RE), and Situational Awareness (SA) from other Interational and Risk Management Frameworks.

Across these Domains the model has 171 practices.

Yet to meet compliance on each practice you must demonstrate compliance with every single objective taken from the 171a methodology,

For level three the practices in each of the Domains of CMMC require someone to meet compliance on 362 objectives.

Access Control (AC) – Establish system access requirements. Control internal system access. Control remote system access. Limit data access to authorized users and processes.

Asset Management (AM) – Identify and document assets. Manage asset inventory.

Audit and Accountability (AU) – Define audit requirements. Perform auditing. Identify and protect audit information. Review and manage audit logs.

Awareness and Training (AT) – Conduct security awareness activities. Conduct training.

Configuration Management (CM) – Establish configuration baselines. Perform configuration and change management.

Identification and Authentication (IA) – Grant access to authenticated entities.

Incident Response (IR) – Plan incident response. Detect and report events. Develop and implement a response to a declared incident. Perform post incident reviews. Test incident response.

Maintenance (MA) – Manage maintenance.

 Media Protection (MP) – Identify and mark media. Protect and control media. Sanitize media. Protect media during transport.

Personal Security (PS) – Screen personnel. Protect CUI during personnel actions.

Physical Protection (PE) – Limit physical access.

Recovery (RE) – Manage backups. Manage information security continuity.

Risk Management (RM) – Identify and evaluate risk. Manage risk. Manage supply chain risk.

Security Assessment (CA) – Develop and manage a system security plan. Define and manage controls. Perform code reviews.

 Situational Awareness (SA) – Implement threat monitoring.

Systems and Communications Protection (SC) – Define security requirements for systems and communications.

 System and Information Integrity (SI) – Identify and manage information systems flaws. Identify malicious content. Perform network and system monitoring. Implement advanced email protections.


The CMMC model also requires an assessor to establish process maturity.

Maturity Level one allows you to demonstrate processes in an ad hoc manner and will not require poilcy in place for compliance. Hoever every company will find secuiryt impossoble to meet without good policy. So while you do not have to show policy for level one complinace it will be hard to reach without it.

Level two requires an organization to establish and document practices within a domain. This does not mean you write a process documentation for each Domain. Many of the objectives used to measure process maturity will exist across your portfolio,

Level three matutiry is required to handle CUI . An organization must establish, maintain, and resource a plan for managing cybersecurity. C activities as defined in the plan.

Level four requires an organization to review and measure practices for effectiveness. They must look for vulnerabilities and address them when found.

Level Five requires a company to standardize and optimize process implementation throughout the organization. Most level five organziations will be better prepared through experience handling Classified or Nuclear information.

Get a picture of the table from the model


The CMMC Model includes a lot of assumptions on the cost to implement CyberSecurity.

As Jacon Horne of DefCert notes, the Interim Rules assume Defense contractors have implemented the controls of 171.

Few have.

In fact NIST-800-171 itself assumes that many of the controls required in FAR-21 just happen as part of the way we do business in the modern world.

The Department of Defense knows the web has existed for 30 years or longer.

They used to call it ARPANet.

Can you blame the Department of Defense for not wanting to use contractors who have done nothing to address cybersecurity in 30 years?

They will not take excuses for a lack of cybersecurity, and have published some pricing guidance.

Jacob warns us to understand that these prices also include the assumptions built into the CMMC model.

Still even if these number represent the floor and not the ceiling, it will still cost a pretty penny for a sheen of cyber hygiene

The cost CMMC certification consists of 3 things:

1. The cost of the assessment itself;

2. First year, non-recurring engineering costs;

3. Recurring engineering costs split over five years.

Level 1 Certification: $2,999.56

 Assessment: $2,999.56

Nonreccuring Engineering: N/A

Recurring Engineering: N/A

Level 2 Certification: $50,755.88

Assessment: $22,466.88

Nonreccuring Engineering: $8,135.00

Recurring Engineering: $100,770.00 ($20,154.00 per year x 5 years)

Level 3 Certification: $118,975.60

Assessment: $51,095.00

Nonreccuring Engineering: $26,214.00

Recurring Engineering: $208,330.00 ($41,666.00 per year x 5 years


Always define the word on the screen when using a key concept for the first time. This is supported by Richard Mayers Multimedia Learning Theory and by more recent work in Universal Design for Learning 


Notice how I have a subtle transition at the end of each concept that connects the reader to the next topic being introduced.

This is designing for cogntive bias (activating proir knowledge, reducing inferences) without using bad meta language writing, "In this section I will tell you about CUI. First the history....." better than nothing but still bad writing

In GovCon you can not dileneate from the tempalte of the RFP but you can still weave your own story around the numbers