CMMC-COA

CMMC Center of Awesomeness (CMMC COA)

What happens when a group of cybersecurity practitioners has a dark sense of humor and too much time on their hands? Well... this is it! This is not affiliated with the DoD or CyberAB. This is an independent project to help those dealing with NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance issues. We completely understand that CMMC is a dumpster fire and we support any effort to fix CMMC and transform it into a viable, scalable Supply Chain Risk Management (SCRM) solution for the US Defense Industrial Base (DIB).

On a serious note, we've seen a "money grab" as CMMC has become its own cottage industry and we wanted to do something to help those in the DIB by providing a starting point to understand what possible technology options exist. There are free tools, references and a list of consultants so there are a lot of options at your disposal.

This information is "use at your own risk" so you are fully-expected to do your own due diligence and due care when selecting any product or service, otherwise you are an idiot and you seriously should not be supporting the DIB in the first place! Seriously.

The CMMC Center of Awesomeness (CMMC-COA) project is a volunteer effort. We received a lot of input and recommendations from cybersecurity practitioners who are very experienced in NIST SP 800-171 and CMMC. These valuable insights are what made this project useful, since what might work for PCI DSS, HIPAA, SOC 2, etc. does not necessarily mean it will work for CMMC, based on the data-centric nature of protecting regulated data, which is Federal Contract Information (FCI) for CMMC Level 1 and Controlled Unclassified Information (CUI) & FCI for CMMC Levels 2-3.

The CMMC-COA is an attempt to help the DIB attain CMMC awesomeness! This is a free resource to help those in the DIB get pointed in the right direction. The idea behind the way information is presented is that the size of an Organization Seeking Assessment (OSA) / Organization Seeking Certification (OSC) best determines the budget/staffing/complexity more than any other single aspect. That is why the technology solutions are proposed according to the following organization size guidelines:

- Micro-small (<20 employees/staff)

- Small (20-100)

- Medium (101-200)

- Large (201-2,000)

- Enterprise (2,000+ - think Fortune 500 expectations)

Cybersecurity Maturity Model Certification (CMMC)

It is going to be a waiting game to see how the DoD and CMMC-AB roll out "CMMC 3.0" with the release of NIST 800-171 R3, given the significant difference in the volume of controls that exist between R2 and R3 of NIST 800-171. Regardless of it being a waiting game, it is imperative that you take this time to educate yourself on the basics. First, start with the DoD's website about CMMC. The following graphics are meant to help break down some of the basic concepts about the remaining 3 levels of CMMC 2.0 that will exist, which essentially are made up of pre-existing standards:

- Level 1 has 17 controls that are sourced directly from the 15 basic cybersecurity controls in FAR 52.204-21.

- Level 2 has 110 controls that are sourced directly from NIST SP 800-171. However, do not forget the 61 Non-Federal Organization (NFO) controls in Appendix E of NIST SP 800-171.

- Level 3 has all the tantalizing goodness of Level 2, but adds controls from NIST SP 800-172. This will end up being a subset of the 35 controls found in NIST SP 800-172.

CMMC Awesomeness Spreadsheet

At the heart of what we've done is create the "CMMC Awesomeness Spreadsheet" that you can download as an Excel file.

There is no endorsement of any kind for products or services listed on this website. It should not be needed, but we have to call out that it is entirely your responsibility to conduct appropriate due diligence and due care in selecting and engaging a product or service for implementation against CMMC practices and processes within your organization. Your responsibility, not ours! Yours!

To wrap your head around CMMC, it is worth your time to watch the video below. This is "A Banquet of Consequences: The Story of CUI, DFARS & CMMC" by Jacob Horne. This is an excellent, in-depth look into the origins of CMMC that proves the point that CMMC was not "sprung upon the DIB" without warning... a nearly two decades-long glacier that "suddenly appeared" out of nowhere.

"Good Security" Follows The CIAS Quadrant Model

Just to make it painfully clear, we feel it is important to point out that NIST SP 800-171 and CMMC only focus on the CONFIDENTIALITY and INTEGRITY of regulated data (specifically CUI and FCI). This does not equate to "good security" for the overall organization, just minimal requirements for an OSC to contractually fulfill its obligation to protect its client's data (e.g., DoD's FCI and CUI data).

The four pillars of a modern cybersecurity program are Confidentiality, Integrity, Availability and Safety and that should be the guiding concept that you use when evaluating and selecting any technology solutions for your organization:

CMMC is a shit sandwich & we all have to take a bite!

You can minimize CMMC, but can't ignore it

CMMC is punishment for the DIB blowing off the DoD's requirements to comply with NIST 800-171 requirements to protect Controlled Unclassified Information (CUI). The DoD went from self-certification to a pathological focus on perfection.

Ignore CMMC At Your Peril

CMMC is not going away any time soon. Realistically, the US Government will only expand compliance efforts for NIST SP 800-171.

CMMC Assesses Your Compliance With NIST 800-171

The DoD learned that self-certification does not work. CMMC is the DoD's solution to check your compliance status.

False Claims Act (FCA) Territory

Falsifying compliance status is a very big no-no. Companies have been taken to court for falsifying their NIST 800-171 compliance status.

NIST 800-171 has been a requirement since January 1, 2018

It is all about CUI

NIST 800-171 has been around since 2016 (almost a decade now) and went into effect in 2018. Since the DIB failed to take it seriously, CMMC was spawned and has only made things worse for contractors. This is a case of "the path to hell is paved with good intentions."

Scoping Matters

We know it sucks to have to document things, but you have to wear your big boy pants and document your IT environment since NIST 800-171/CMMC compliance starts with scoping.

Not All Solutions Will Work

A tough lesson for many with NIST 800-171/CMMC is that not all technology solutions work, since some will greatly expand your scope.

Dependencies Matter When Protecting CUI

Fundamental to scoping is understanding how your CUI is protected, since those tools/technologies/services will be in scope.

Beware of Shitty Consultants & Service Providers

CMMC Dumpster Fire

Wow...where to begin on this one? There are just so many examples of "bad eggs" in this ecosystem, where consultants and service providers do more harm than good. This is where you absolutely need to perform your due diligence before signing up for any product or service to comply with NIST 800-171 and CMMC.

RP & RPO Badges

The Cyber AB only made the dumpster fire that is CMMC worse by selling badges (e.g., Registered Provider (RP), Registered Provider Organization (RPO), etc.) that individuals and organizations have hid behind as a false sense of legitimacy. If the first thing you hear is "We are a RPO" or "We have x number of RPs on staff" just tell them to fuck off and find a different provider to work with.

MSPs & MSSPs

There are some good Managed Service Providers (MSP) and Managed Security Services Providers (MSSP) for NIST 800-171/CMMC compliance efforts, but they are rare. Often times, your MSP/MSSP is more of a liability to you than an asset since they need to earn a CMMC certification for you to earn your CMMC certification. If they fail to meet NIST 800-171/CMMC compliance requirements, then you don't pass.

Consultants

There are a lot of consultants who see CMMC as a "greener pasture" and have migrated from HIPAA, PCI DSS, SOX, etc. What many of them fail to realize is that their previous experience is often of little value when it comes to CMMC compliance efforts. This is again a scenario of buyer beware, since you have to understand how long they've been in the NIST 800-171/CMMC game. This is not a place for amateurs.

Our Customers Love Us

What People Have To Say About The CMMC-COA...

Sheesh, thank you everyone for making this site. This is fuckin awesome.

Random Dude
I just want to say that this site is AWESOME, and I LOVE YOU! ❤️ Seriously ...

CMMC COA Fan Girl
I just wanted to say great job putting this together and thank you for the laughs.

Another Random Dude
You have created a masterpiece Excel document for CMMC. I just wanted to say thank you.

CMMC COA Fan Boy

Read All Reviews

Latest news and Articles

Check what's happening inside

Apr 29th 2024

Goldilocks & The Three C3PAOs

Feb 15th 2024

Attacking The Low Hanging Fruit

Jan 29th 2024

Top 10 Small Business Manufacturing Stresses

read all articles

CMMC is a shit sandwich & we all have to take a bite!