I have had the pleasure of working with Leighton Johnson, Vincent Scott, and Lauren Tucker on our curriculum. Together, we are covering every single practice, process, and assessment objective of Cybersecurity Maturity Model Certification (CMMC) domains. There are 17 domains, 130 practices, and 705 objectives necessary for Level 3 Certification.

Like owls scanning the fields, we need to be able to see the big picture, but it is equally as important to focus on key targets of understanding.

Despite this, we have all agreed that CMMC domains are the wrong place to focus first.

Many people blame CMMC for all of their problems and technical debt, when in fact CMMC did not create the CUI policy; NARA did. This was in response to the Secretary of Commerce, who in turn was responding to an Executive Order from the President. CMMC did not decide CUI needs FIPS validated modules for encryption, nor did CMMC decide CUI needed moderate protection; the Office of Management and Budget did.

Almost all of the costs associated with CMMC existed long before the program began. In fact, a deep understanding of the Defense Federal Acquisition Regulation Supplemental clauses 7012-7021 is necessary to grasp how CMMC evolved.

Below is a sample activity we will use in our CMMC classes designed for CyberDI, an LPP and LTP working in partnership with higher education institutions across the country.

If you would like to join our prep classes (not for ceritifcation) to grow your SSP and shrink your POA&M, we have another beginning July 20th at Southern Connecticut Stae University

Defense Federal Acquisition Regulation Supplemental 7012-7021


Directions: Utilize the assigned readings and experts in our network to answer the following questions. You will be provided a scenario to guide your instruction.


Acme Inc is a small manufacturing company who is subcontracted from Roadrunner Corporation to produce high pressure air compressors for US Navy Submarines. Acme Inc also produces a variety of air compressors for other commercial needs. Roadrunner Corporation represents 40% of Acme Inc’s business.  


 Acme Inc has retained Mr. Wile E. Coyote as a 1099 consultant on the implementation of needed cybersecurity compliance requirements, which Roadrunner Corporation has informed them will soon be enforced.   


What qualifications might Acme Inc have considered in hiring Mr. Coyote? 











Mr.  Coyote conducts a series of interviews and reviews Acme Inc’s contract with Road Runner Corporation. He determines that Acme Inc is unaware of what Controlled Unclassified Information (CUI) is, but the CFO tells him that no matter what it is, Acme Inc does not have it. 


 In conversation with the Contract Assistant to the CFO who also serves as the Contracting Officer for Acme, Mr. Coyote learns that their contract with Roadrunner includes the DFARS 7012 clause, and that recently it was modified at the direction of the Navy to include the DFARS 7019, 7020, and 7021 clause. 


What are the implications of the DFARS 7012 clause?  What does it require? 













What are the implications of the DFARS 7019 and 7020 clause?  What request might Acme Inc expect now, or at any point going forward, based on the inclusion of these clauses? 














Currently, whose permission is needed to add the 7021 clause to a contract? 







What information should have been provided by the government and the prime when adding the 7021 clause to any contract?