A foundational module for everyone at AdVran Inc. CMMC decides whether companies like ours can keep doing defense work, and a lot of that comes down to how each of us handles information every day. This walks you through what it is, what we protect, and the part you play.
If AdVran ever touches a Department of Defense contract, directly or as a subcontractor a few links down the chain, CMMC is the bar we have to clear. It's the DoD's way of checking that the companies handling its information are actually protecting it, instead of just promising they are.
The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense program that verifies a contractor has put required cybersecurity protections in place before it can be awarded a contract, or keep working on one.
For years, contractors simply self-attested to their security under DFARS 252.204-7012 and were largely taken at their word. Sensitive defense information kept getting stolen off contractor networks anyway. CMMC adds the missing piece: verification. For the more sensitive work, an outside or government assessor confirms the controls genuinely exist. They don't take it on faith.
CMMC scales with risk. The more sensitive the information a contract involves, the higher the level, and the harder the proof required. You don't get to pick your level; the DoD sets it based on the data in play.
Everything in CMMC traces back to one question: what kind of information are you holding? Get the answer wrong and you either over-spend protecting low-risk data, or, far worse, under-protect data the law says you must guard. These are the two categories worth knowing cold.
Federal Contract Information (FCI) is information that isn't meant for public release, provided by or generated for the government under a contract to deliver a product or service. It excludes anything the government already makes public, and basic transactional data like payment processing.
Controlled Unclassified Information (CUI) is information the government creates or owns that a law, regulation, or government-wide policy says must be safeguarded. It's the more sensitive subset, and it usually arrives carrying a CUI marking that tells you to handle it carefully.
Level 2's 110 controls aren't a random pile of rules. NIST SP 800-171 sorts them into 14 families, each covering one slice of security. You don't need every control memorized, but knowing the map helps you see where your own habits fit.
Certification isn't a participation trophy. It's a measured score, a signed affirmation, and, depending on the level, an outside set of eyes. Here's how the proof gets generated and kept honest.
You assess your own controls each year and post the result. Faster, but the affirmation that follows is legally binding.
An accredited third-party assessor verifies your controls and certifies you, on a three-year cycle.
The government's own assessment center evaluates you directly, for the highest-priority programs.
For Level 2 you post a score in the DoD's SPRS system. You start at a perfect 110 and subtract the weight of every control you haven't fully met — each is worth 5, 3, or 1 points by impact, with no partial credit. Skip enough of the heavy ones and the math goes negative; the floor is −203.
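A small scorer for the rule just described, added here as an illustration rather than anything from the module or the DoD; the five controls and their weights are a constructed sample, so its floor is 91 rather than the −203 of the full 110-control table.

```python
"""Worked SPRS scoring example for the Level 2 rule: start at 110, deduct the
full weight of every control not fully met, no partial credit."""

# Constructed sample weight table: control id -> point value (5, 3 or 1).
# The real table for all 110 NIST SP 800-171 controls is in the DoD
# Assessment Methodology; these five entries are illustrative only.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,   # limit system access to authorized users
    "3.1.2": 5,   # limit access to permitted transactions and functions
    "3.5.3": 5,   # multi-factor authentication (a 5-point control)
    "3.3.1": 3,   # audit logging
    "3.8.3": 1,   # sanitize media before disposal
}

PERFECT_SCORE = 110  # starting point: every control fully met


def sprs_score(results, weights=SAMPLE_WEIGHTS):
    """Return (score, unmet_ids) for one assessment.

    results maps control id -> "met", "partial" or "not_met".
    Anything other than "met" deducts the control's full weight, because
    the methodology gives no partial credit. A control absent from
    results counts as not met rather than silently passing.
    """
    unknown = set(results) - set(weights)
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    unmet = [cid for cid in weights if results.get(cid, "not_met") != "met"]
    score = PERFECT_SCORE - sum(weights[cid] for cid in unmet)
    return score, unmet


def score_floor(weights=SAMPLE_WEIGHTS):
    """Lowest possible score: 110 minus the sum of every weight."""
    return PERFECT_SCORE - sum(weights.values())


if __name__ == "__main__":
    # Three heavy controls only "partially" done still cost 15 points.
    partial = {cid: "met" for cid in SAMPLE_WEIGHTS}
    partial.update({"3.1.1": "partial", "3.1.2": "partial", "3.5.3": "partial"})
    print(sprs_score(partial))   # (95, ['3.1.1', '3.1.2', '3.5.3'])
    print(score_floor())         # 91 for this sample table
```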
Most of CMMC lives in tooling and policy that IT owns. But a real share of it is just how you work, and assessors look at exactly that. These are the habits that keep us certified.
Recognize FCI and CUI. When you can't tell, treat it as protected and ask — don't guess.
Company-approved, in-scope tools only. Never personal email, personal cloud, or texting apps.
Apply and preserve CUI markings on documents and emails so the next person knows to protect it.
Multi-factor on anything that touches FCI or CUI. It's one of the non-negotiable 5-point controls.
Only reach for the access your job needs. Flag access you no longer use instead of sitting on it.
Report a suspected incident or lost device immediately — the DoD's clock can be as tight as 72 hours.
Lock your screen, secure laptops and media, escort visitors, and shred or sanitize before disposal.
Keep systems patched, skip the shadow IT, and keep your training up to date. Certification is continuous.
A project manager is racing a deadline. A client engineering drawing — marked CUI — needs to reach a teammate working from home, and the approved file share feels slow. Forwarding it to a personal Gmail would take ten seconds. She does it.
Nothing visibly breaks. But CUI just left every protection the company is certified on: no approved storage, no encryption in scope, no audit trail. If that ever surfaces in an assessment, or a breach, it's a finding against AdVran, not a time-saver.
A team is asked for its SPRS number before a bid. A few of the heavier controls aren't really finished, but rounding up feels harmless. Everyone's busy, and they'll "get to it." The higher score gets posted, and a senior official affirms it.
That affirmation is a legal statement. The DOJ's Civil Cyber-Fraud Initiative has already settled cases against contractors for inflated SPRS scores: Georgia Tech ($875K), MORSE ($4.6M), Penn State ($1.25M), and Aerojet ($9M). Several of those were started by the contractors' own employees as whistleblowers.