CMMC (Cybersecurity Maturity Model Certification) Program Update Action Kit

Event Classification: CRITICAL

Domain: CMMC Compliance

Date Posted: February 14, 2024

---

Immediate Actions (This Week)

• [ ] Watch the DoD (Department of Defense) CMMC overview video posted February 14, 2024, and assign key personnel (contracts manager, cybersecurity lead, compliance officer) to review and document takeaways
• [ ] Conduct a rapid gap analysis against your current cybersecurity posture using the proposed CMMC rule requirements published December 26, 2023
• [ ] Identify all active contracts and proposals that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI (Controlled Unclassified Information)) and flag them for CMMC impact assessment
• [ ] Review your subcontractor roster to determine which partners will require CMMC certification and at what level based on CUI flow-down requirements
• [ ] Assign an internal CMMC program owner responsible for coordinating certification readiness across IT, security, contracts, and operations teams
• [ ] Document your current System Security Plan (SSP) status and identify gaps against NIST SP 800-171 (NIST Special Publication 800-171) Rev 2 baseline requirements

Short-Term Actions (30 Days)

• [ ] Develop a CMMC certification roadmap with target dates for Level 1 (annual self-assessment) and Level 2/3 (third-party assessment) based on your contract portfolio
• [ ] Conduct a CUI data mapping exercise to identify where CUI is created, stored, processed, and transmitted across your IT environment and supply chain
• [ ] Establish a Plan of Action and Milestones (POA&M) for any NIST SP 800-171 controls not yet implemented, with remediation timelines and resource requirements
• [ ] Engage with your Contracting Officers on active DoD contracts to understand their timeline expectations for CMMC compliance and any interim requirements
• [ ] Update your bid/no-bid criteria to factor in CMMC certification costs, timeline, and competitive positioning for opportunities requiring Level 2 or Level 3 certification
• [ ] Review and update teaming agreements to include CMMC certification requirements and flow-down language for subcontractors handling CUI
• [ ] Assess your IT infrastructure for boundary definition, network segmentation, and enclave architecture to support a defensible CMMC assessment scope
• [ ] Begin vendor due diligence on C3PAO (CMMC Third-Party Assessment Organizations) and Registered Practitioner Organizations (RPOs) if pursuing Level 2/3 certification

Long-Term Actions (90+ Days)

• [ ] Implement technical controls required for your target CMMC level, including multi-factor authentication, encryption, audit logging, incident response capabilities, and security awareness training
• [ ] Conduct internal readiness assessments (mock audits) using CMMC Assessment Guides to identify deficiencies before engaging a C3PAO
• [ ] Establish continuous monitoring processes for security controls, including vulnerability scanning, configuration management, and security event correlation
• [ ] Develop a CMMC-compliant proposal response library with pre-written compliance narratives, security architecture diagrams, and past performance examples demonstrating cybersecurity maturity
• [ ] Schedule your official CMMC assessment with a certified C3PAO, allowing 6-12 months lead time for Level 2 assessments and longer for Level 3
• [ ] Integrate CMMC requirements into your capture process so every opportunity is evaluated for certification requirements, timeline feasibility, and competitive advantage
• [ ] Build CMMC certification costs into your indirect rate structure and pricing models to ensure proposals reflect the true cost of compliance
• [ ] Establish a supplier certification tracking system to monitor subcontractor CMMC status and ensure flow-down compliance across your supply chain

Compliance Checklist

This proposed rule establishes specific requirements contractors must meet. Use this checklist to track your readiness:

CMMC Level Requirements

• [ ] Determine your required CMMC level based on contract CUI requirements (Level 1 for FCI only, Level 2 for CUI, Level 3 for priority programs)
• [ ] Understand assessment frequency: Level 1 requires annual self-assessment; Level 2 requires triennial third-party assessment; Level 3 requires triennial government-led assessment

NIST SP 800-171 Rev 2 Controls (110 Controls for Level 2)

• [ ] Access Control (AC): 22 controls including account management, least privilege, remote access, and session controls
• [ ] Awareness and Training (AT): 3 controls for security awareness and role-based training
• [ ] Audit and Accountability (AU): 9 controls for event logging, monitoring, and audit record protection
• [ ] Configuration Management (CM): 9 controls for baseline configurations, change control, and security settings
• [ ] Identification and Authentication (IA): 11 controls for user identification, authenticator management, and MFA
• [ ] Incident Response (IR): 6 controls for incident handling, monitoring, and reporting
• [ ] Maintenance (MA): 6 controls for system maintenance and maintenance tools
• [ ] Media Protection (MP): 8 controls for media access, marking, storage, transport, and sanitization
• [ ] Personnel Security (PS): 2 controls for personnel screening and termination procedures
• [ ] Physical Protection (PE): 6 controls for facility access, monitoring, and visitor control
• [ ] Risk Assessment (RA): 3 controls for risk assessment, vulnerability scanning, and threat information sharing
• [ ] Security Assessment (CA): 7 controls for security assessments, POA&Ms, and continuous monitoring
• [ ] System and Communications Protection (SC): 20 controls for boundary protection, encryption, network segmentation, and secure communications
• [ ] System and Information Integrity (SI): 8 controls for flaw remediation, malicious code protection, and security alerts

Level 3 Enhanced Controls (24 Additional Controls)

• [ ] Advanced persistent threat (APT) protection for priority DoD programs
• [ ] Enhanced detection and response capabilities
• [ ] Asset management and supply chain risk management

Administrative Requirements

• [ ] System Security Plan (SSP) documented and maintained
• [ ] Plan of Action and Milestones (POA&M) for any unimplemented controls
• [ ] CMMC certification uploaded to Supplier Performance Risk System (SPRS) or successor system
• [ ] Flow-down clauses included in all subcontracts involving CUI
• [ ] Certification validity tracking to ensure renewal before expiration

CUI Handling Requirements

• [ ] CUI Registry compliance for marking, safeguarding, dissemination, and destruction
• [ ] CUI enclave or boundary clearly defined and documented
• [ ] Non-CUI systems segregated to minimize assessment scope
• [ ] Contractor attributional/proprietary information protected per DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012

---

Resources

Official DoD Guidance

• CMMC Proposed Rule (Federal Register, December 26, 2023) (https://www.federalregister.gov/documents/2023/12/26/2023-28239/cybersecurity-maturity-model-certification-cmmc-program)
• DoD CMMC Overview Video (Posted February 14, 2024) (https://www.acq.osd.mil/cmmc/)
• NIST SP 800-171 Rev 2: Protecting Controlled Unclassified Information (https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
• CMMC Model v2.0 (Level 1, 2, 3 Requirements) (https://dodcio.defense.gov/CMMC/)

Cabrillo Club Resources

• **CMMC Compliance Guide** (/insights/cmmc-compliance-guide) — Comprehensive implementation roadmap for defense contractors
• **CUI-Safe CRM Guide** (/insights/cui-safe-crm-guide) — How to handle CUI in business development and proposal systems
• **Compliant AI Proposal Guide** (/insights/compliant-ai-proposal-guide) — Using AI tools while maintaining CMMC and CUI compliance

Assessment Resources

• CMMC Assessment Guides (CAGs) (https://dodcio.defense.gov/CMMC/assessmentguides/) — Detailed assessment procedures for each CMMC level
• CMMC Marketplace (https://marketplace.cmmcab.org/) — Directory of certified C3PAOs and Registered Practitioners
• NIST 800-171 (NIST Special Publication 800-171) Assessment Methodology (https://csrc.nist.gov/publications/detail/sp/800-171a/rev-2/final) — Assessment procedures for each security requirement

---

How Cabrillo Club Automates This

Cabrillo Signals War Room has already detected this CMMC program update and delivered this briefing to your dashboard within minutes of the DoD posting. The War Room continuously monitors Federal Register publications, DoD CIO announcements, and CMMC program updates so you're always first to know when certification requirements, assessment procedures, or compliance timelines change. You don't need to manually track dozens of government websites — every CMMC-related development is automatically captured, analyzed for impact, and routed to your team with severity scoring.

Cabrillo Signals Match Engine is now automatically rescoring your entire opportunity pipeline based on this CMMC update. Any opportunity tagged with DoD agencies, CUI requirements, or CMMC-related NAICS codes (541512, 541330, 541519, 541715) receives updated match scores reflecting the new competitive landscape. If you've already achieved CMMC Level 2 certification, your competitive positioning score increases for relevant opportunities. If you're still working toward certification, the Match Engine flags high-value opportunities where CMMC readiness is a discriminator, helping you prioritize which contracts justify accelerated certification investment.

Cabrillo Signals Intelligence Hub tracks all agencies, contract vehicles, and program offices affected by CMMC requirements. Use the saved search feature to create alerts for DoD solicitations that include DFARS 252.204-7012 (Safeguarding Covered Defense Information) or DFARS 252.204-7021 (CMMC requirement clause). The Intelligence Hub automatically tags opportunities by required CMMC level and CUI handling requirements, so you can filter your pipeline by certification readiness and avoid pursuing opportunities where you're not yet compliant. When follow-on solicitations appear on SAM.gov (System for Award Management) matching this event's profile, you'll receive instant notifications.

Proposal Studio (Proposal OS) maintains a CMMC-specific compliance library that automatically generates Section L responses for cybersecurity requirements. When a solicitation includes CMMC certification requirements, Proposal OS pulls your current certification status, SSP documentation, and POA&M summaries into the compliance matrix. The AI-powered proposal engine uses your past performance data to generate technical approach narratives demonstrating your cybersecurity maturity, incident response capabilities, and CUI handling procedures. The bid/no-bid decision engine now factors in CMMC certification status, timeline to certification, and estimated compliance costs when calculating probability of win (Pwin) scores. For more guidance on using AI tools while maintaining CUI compliance, see our Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide).

Proposal Studio Workflow Tracker automatically triggers a CMMC compliance review gate whenever your team advances an opportunity involving DoD contracts or CUI. The 9-gate capture workflow routes certification status verification to your cybersecurity lead, ensures subcontractor CMMC requirements flow down through teaming agreements, and generates audit-ready documentation packages showing when and how CMMC compliance was validated. If you're pursuing an opportunity that requires Level 2 certification and your current status is Level 1, the Workflow Tracker flags the gap, calculates the timeline to certification, and alerts your capture manager to adjust the pursuit strategy or schedule accordingly.

Ready to streamline your CMMC compliance tracking? Explore the CMMC Compliance Guide (/insights/cmmc-compliance-guide) for implementation best practices, and review the CUI-Safe CRM Guide (/insights/cui-safe-crm-guide) to ensure your business development systems meet DoD requirements. Your Cabrillo Club platform is already monitoring for the next CMMC program update — make sure your team is leveraging these automated workflows to stay ahead of the competition.

---