The compliance clause hiding in your contract

A lot of small companies discover CMMC the same way they discover a hidden fee: a prime contractor forwards a flow-down clause, and suddenly a requirement they have never heard of stands between them and renewing the work that pays the bills. The Cybersecurity Maturity Model Certification is the Department of Defense's way of verifying — rather than trusting — that the contractors and subcontractors touching its data actually protect it. For years the government accepted a self-attestation that you met the security requirements; CMMC exists because too many of those attestations turned out to be aspirational, and a single soft subcontractor is enough to leak a weapons program.

The honest starting point for most small shops is that this is not a brand-new universe of work. CMMC is built on top of security fundamentals you have read about here — access control, identity hardening, log monitoring, incident response, encryption, and security policies that match reality. The acronym is intimidating; the underlying controls are the same disciplines a serious security program runs anyway. What CMMC adds is a formal, assessed bar and a sharp dividing line on which data you handle.

First, figure out which data you actually touch

The single most important — and most commonly skipped — step is determining what kind of government data flows through your systems, because that decides which CMMC level applies to you. This is, at heart, a data classification and data-discovery problem pointed at one specific question: where does federal information live in your environment?

  • Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release — fairly common, and the bar for handling it is the lighter end of the model.
  • Controlled Unclassified Information (CUI) is the sensitive-but-unclassified category — technical drawings, specifications, and program data the government marks as controlled. Handling CUI is what pulls you into the demanding tier.
  • Neither is also a real answer. Some subcontractors genuinely never receive FCI or CUI, in which case the obligation is far lighter than a panicked first read suggests. Knowing this with confidence — rather than assuming the worst — is itself a deliverable.

If you cannot draw the boundary of where this data lives, you cannot scope an assessment, and you will end up trying to certify your entire company when only one project enclave actually needs it. Narrowing that boundary is the highest-leverage move in the whole effort.

What the levels broadly ask for

CMMC is structured in tiers of increasing rigor, and you do not need to memorize the control catalog to understand the shape of the climb:

  • The foundational level covers basic safeguarding of FCI — a set of fundamental practices like controlling who has access, using MFA, keeping systems patched, and limiting physical access. For a team that already runs the endpoint and patch hygiene we have described, much of this is recognition rather than new construction.
  • The advanced level maps to the well-known NIST SP 800-171 requirements for protecting CUI — a far broader set spanning access control, audit and accountability, configuration management, incident response, and more. This is where a third-party assessment enters the picture for many contracts, and where the gap between "we mostly do this" and "we can prove every control" gets expensive if you wait.
  • The expert level layers on the most stringent requirements for the highest-priority programs and is out of scope for the typical small subcontractor.

The practical implication: most small businesses are aiming at one of the lower two tiers, and the difference between them is overwhelmingly about whether you handle CUI. Get the scoping right and you may be targeting a much lighter bar than your first reading of the flow-down clause implied.

Two artifacts the assessment lives and dies on

Across the CUI-handling requirements, two documents do disproportionate work, and both are things a lean team can start today:

  • The System Security Plan (SSP) describes your environment and how you meet each requirement. It is the map an assessor reads first, and it is fundamentally a policy-and-evidence exercise: for every control, what do you do, and where is the proof? A vague SSP fails the same way an aspirational security policy fails an auditor — the gap between the page and the practice is what gets flagged.
  • The Plan of Action and Milestones (POA&M) is the honest list of what you have not finished yet, with owners and dates. This is exactly the remediation tracking discipline reframed for a government assessor: an open gap with a named owner and a committed fix-by date is a managed risk; the same gap undocumented is a finding. Treating each requirement you do not yet meet as a tracked finding with a due date is precisely the workflow a POA&M wants.

If you have been running a real findings-management workflow and collecting evidence continuously, you are closer to both artifacts than you think — they are reorganizations of work you already do, not net-new bureaucracy.

How to prepare without a compliance department

You do not need to boil the ocean. The path that works for small contractors is incremental and looks a lot like maturing any security program:

  • Scope ruthlessly first. Build a small enclave for the federal work rather than dragging your whole company into the assessment boundary. The smaller the scope, the cheaper and faster everything downstream becomes.
  • Inventory and classify. You cannot protect — or attest to protecting — data you cannot find, so the asset inventory and data classification come first.
  • Map controls you already run to the requirements before buying anything. MFA, encryption, access reviews, logging, and an incident response plan you have actually rehearsed cover a meaningful slice already.
  • Track every gap as a finding with an owner and a date. That is your POA&M in motion, and it converts a scary checklist into a queue you work down.
  • Keep evidence current, not crammed. Continuous evidence collection beats a pre-assessment scramble every time.

One honest and important caveat: nothing in this article, and no platform, makes you CMMC certified or compliant. A platform can help you track which control areas your monitors actually cover, surface unmet requirements as findings with owners and due dates that feed a POA&M, and keep your supporting evidence current and exportable for an assessor — it organizes and proves the work. It does not perform the assessment, grant or guarantee any CMMC level, or determine which requirements legally apply to your contract. The certification is issued only through the official assessment process, the controls are operational steps your team owns, and whether and how CMMC applies to your specific contracts is a question for your contracting officer and qualified counsel — not software.

CMMC feels like a new universe, but for most small subcontractors it is the security fundamentals you should run anyway, plus a formally assessed bar and a hard line drawn around government data. Figure out whether you touch FCI or CUI, scope a small enclave, map the controls you already have, and turn every gap into a tracked finding feeding a POA&M. The acronym is the scary part; the work is the same disciplined posture management, pointed at a contract clause.