[{"data":1,"prerenderedAt":292},["ShallowReactive",2],{"blog-list":3},[4,68,97,137,168,197,219,246,269],{"id":5,"title":6,"author":7,"blogbody":8,"body":9,"category":16,"ctaLabel":17,"ctaUrl":18,"date":19,"description":20,"extension":21,"featured":22,"image":23,"lastReviewed":19,"meta":24,"navigation":25,"outboundlinks":26,"path":27,"reviewStatus":28,"seo":29,"seoTitle":30,"sources":31,"stem":59,"tags":60,"videos":26,"youtubelinks":26,"__hash__":67},"blog\u002Fblog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers.md","SSP, POA&M, SPRS, and CMMC Affirmations: What Small Manufacturers Need Before a Prime Contractor Asks","Nick DiVito","## Executive summary\n\nA lot of small manufacturers are waiting for a prime contractor, contracting officer, or customer portal to make CMMC feel real.\n\nThat is understandable. It is also risky.\n\nBy the time someone asks for your SPRS score, SSP status, POA&M plan, or CMMC affirmation, the real question is usually not \"Do you know what CMMC is?\"\n\nThe real question is: can your business explain the environment, the data, the gaps, the evidence, and the person who is willing to stand behind the answer?\n\nThat is a very different question.\n\nCMMC Phase 1 is active. The Department's public CMMC page says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026 and brings Level 2 certification requirements into more applicable solicitations. The important part is not the date trivia. 
The important part is that CMMC is moving from \"eventually\" into contracting reality.\n\nIf you are a small manufacturer, machine shop, industrial supplier, or DoD-adjacent business, the work now is not to panic.\n\nThe work is to get your scope, SSP, SPRS score, POA&M, evidence, and affirmation process clean enough that you are not inventing the story under pressure.\n\n## The prime contractor question is usually a proxy\n\nA prime contractor may ask a simple question:\n\n\"Do you have a current SPRS score?\"\n\nOr:\n\n\"Are you ready for CMMC?\"\n\nOr:\n\n\"Can you confirm your Level 2 status?\"\n\nThose questions sound simple because the person asking may only need to complete a supplier review, submit a bid package, or satisfy a flowdown requirement. But behind the question sits a whole chain of assumptions.\n\nDo you know whether you handle Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both?\n\nDo you know which systems are in scope?\n\nDoes your System Security Plan describe the actual environment, or does it describe the environment you wish you had?\n\nIs your SPRS score tied to real evidence?\n\nAre your open gaps tracked in a POA&M that leadership understands?\n\nIf someone affirms compliance, do they understand what they are affirming?\n\nThat is where a lot of small businesses get sideways. They treat the prime's question like an administrative request when it is really a readiness test.\n\nNot a formal assessment, necessarily. 
Not always a pass-fail moment.\n\nBut a test of whether the business has enough control over its own security story to answer without guessing.\n\n## The four artifacts that show whether readiness is real\n\nThe language gets messy, so let us simplify it.\n\nFor most small manufacturers preparing for CMMC Level 2 pressure, four artifacts matter early:\n\n- **SSP:** the system story.\n- **SPRS score:** the current score summary.\n- **POA&M:** the gap closure plan.\n- **Affirmation:** the leadership statement that the organization continues to meet the applicable requirements.\n\nThese are not random paperwork objects. They connect to each other.\n\nThe SSP explains the system. The assessment score reflects how well the requirements are implemented in that system. The POA&M tracks what is not done. The affirmation raises the question of whether leadership can responsibly stand behind the status.\n\nIf those four things disagree with each other, the business is fragile.\n\nA common example: the SSP says MFA is implemented. The SPRS score claims the requirement is met. The POA&M says nothing about access control. Then someone discovers that shared shop-floor accounts still exist, cloud admin accounts do not use phishing-resistant MFA, and old contractor access was never removed.\n\nThat is not just a documentation problem. That is an operating problem.\n\nThe paperwork revealed it.\n\n## Start with scope, or everything else gets weird\n\nScope is where the CMMC conversation either becomes useful or turns into theater.\n\nManufacturers rarely have clean environments. 
They have estimating files, drawings, customer portals, ERP systems, shared drives, email threads, old file servers, CNC programming workflows, quality documentation, vendor remote support, and a few laptops that somehow became \"temporary\" seven years ago.\n\nThat is normal.\n\nBut normal does not mean ignorable.\n\nBefore you can write a useful SSP or score NIST SP 800-171 honestly, you need to understand where FCI and CUI live. You also need to understand which systems protect or support those systems. That includes cloud storage, identity providers, endpoint protection, backups, logging, email security, MSP access, and sometimes specialized assets on the shop floor.\n\nThe goal is not to shove the entire business into scope because that feels safer. That usually makes the work more expensive, more confusing, and harder to maintain.\n\nThe goal is also not to play games and pretend CUI never touches anything important.\n\nThe goal is a truthful boundary.\n\nA useful scope answers questions like:\n\n- Which contracts, customers, parts, drawings, specifications, or portals create FCI or CUI pressure?\n- Which users need access to that information?\n- Which systems process, store, or transmit it?\n- Which external service providers affect those systems?\n- Which assets are specialized, isolated, or operationally sensitive?\n- Which systems are business-important but outside the CMMC assessment boundary?\n\nWhen the scope is vague, every control discussion turns into fog. When the scope is clear, the business can make decisions.\n\n## The SSP is not a template trophy\n\nThe System Security Plan is one of the most abused documents in small business compliance.\n\nA lot of companies treat it like a binder. Fill in the blanks, save the file, put it in a folder, and hope nobody asks hard questions.\n\nThat misses the point.\n\nAn SSP should explain how the covered environment works. 
It should describe the boundary, architecture, responsible roles, CAGE codes, implemented requirements, inherited services, external dependencies, and the actual way the business protects the relevant information.\n\nIf a new executive, IT provider, assessor, or prime contractor needed to understand your environment, the SSP should help them get oriented.\n\nIt does not need to be fancy. It does need to be believable.\n\nFor a manufacturer, a believable SSP may need to explain awkward realities:\n\n- How drawings move between email, portals, shared drives, and production systems.\n- Whether ERP data includes CUI or only business records.\n- Which cloud services are used for storage, collaboration, identity, security, and backup.\n- How shop-floor or specialized assets are treated when they cannot follow normal endpoint patterns.\n- How vendors, MSPs, or remote support providers are authorized and monitored.\n- How evidence is produced when a requirement is marked implemented.\n\nThat last part matters.\n\nIf the SSP says something is implemented, somebody should be able to point to evidence. Not a vibes-based explanation. Not \"we think the MSP handles that.\" Something real enough to survive a review.\n\nThe SSP should not be written for a consultant. It should be written for the business.\n\nIf your leadership team cannot use it to understand the environment, the document is probably too decorative.\n\n## SPRS is not just a number\n\nSPRS gets reduced to \"what is your score?\"\n\nThat is understandable. The score is easy to ask for. It fits in a supplier form. It feels objective.\n\nBut the score is not the whole story.\n\nDFARS 252.204-7019 says that, when NIST SP 800-171 applies, an offeror needs a current assessment for each covered contractor information system relevant to the offer. The provision points to SPRS for summary score visibility. 
DFARS 252.204-7020 defines the Basic Assessment as a contractor self-assessment based on a review of the SSP and the DoD Assessment Methodology.\n\nThat means the score is supposed to connect back to the SSP.\n\nIf the SSP is weak, the score is weak.\n\nIf the scope is wrong, the score is probably wrong.\n\nIf the evidence is missing, the score may be hard to defend.\n\nThis is why a small manufacturer should not treat SPRS entry like a one-time administrative chore. The number should be the output of a real review.\n\nA practical SPRS-ready package usually includes:\n\n- The system or systems assessed.\n- The relevant CAGE codes.\n- The date of assessment.\n- The NIST SP 800-171 version used for the assessment.\n- The summary score.\n- The expected date to reach full implementation, if gaps remain.\n- The POA&M items that support that expected date.\n- The evidence or reasoning behind each scored requirement.\n\nThe score should not be inflated because a bid is due.\n\nI get the temptation. Nobody wants to be the supplier with the ugly number.\n\nBut an honest score with a serious remediation plan is much stronger than an optimistic score that collapses the first time someone asks how it was calculated.\n\n## The POA&M is not a junk drawer\n\nA POA&M is supposed to be a plan of action and milestones.\n\nThat name is clunky, but useful. It should show what is not done, who owns it, what will be done, what evidence will prove closure, and when it is expected to be complete.\n\nThe problem is that a POA&M often becomes a junk drawer.\n\nMissing MFA? POA&M.\n\nNo logging review? POA&M.\n\nNo asset inventory? POA&M.\n\nNo vendor review? POA&M.\n\nNobody knows who owns access approvals? POA&M.\n\nThat might be fine for internal planning. It is not fine if the business starts treating the POA&M as a place where hard requirements go to age quietly.\n\nThe current CMMC program allows limited POA&M use for Level 2 and Level 3, but not Level 1. 
For conditional Level 2 and Level 3 status, public CMMC materials point to a 180-day closeout expectation. The final rule also distinguishes assessment-related POA&Ms from normal operational plans of action that a company may use to manage changes, patches, or newly discovered issues after achieving status.\n\nPlain language: not every gap can safely sit in the same bucket.\n\nA useful POA&M should separate:\n\n- Gaps that affect the current assessment score.\n- Operational improvement items that reduce risk but are not part of a conditional CMMC status.\n- Tooling tasks.\n- Policy and procedure updates.\n- Evidence cleanup.\n- Leadership decisions that require money, ownership, or a process change.\n\nThat last category matters more than people want to admit.\n\nSome gaps are not technical. They are business decisions nobody has made yet.\n\nWho approves new users? Who reviews privileged access? Who owns the asset list? Who decides whether a cloud service is allowed? Who can accept risk when a machine cannot be patched the normal way?\n\nIf those answers are missing, the POA&M should not pretend the problem is only a ticket for IT.\n\n## Affirmations raise the leadership stakes\n\nThe word \"affirmation\" sounds harmless until you slow down and think about it.\n\nUnder the CMMC program, affirmations are part of maintaining status. The Department's CMMC page is currently reminding companies to submit affirmations with CMMC assessments in SPRS. The CMMC rule describes an affirming official attesting to continuing compliance after assessments and annually thereafter.\n\nThat is not the same as a consultant saying, \"Looks good.\"\n\nSomeone in the organization is putting their name behind the status.\n\nThis is where I think many SMBs need to mature quickly. Not because executives need to become security engineers. 
They do not.\n\nBut leadership does need a business-level understanding of the security posture.\n\nAn executive should be able to answer:\n\n- What environment are we affirming?\n- What level are we affirming against?\n- What assessment produced the status?\n- What gaps remain?\n- What POA&M commitments exist?\n- What changed since the last assessment?\n- Who is responsible for keeping the program current?\n\nIf those questions cannot be answered in normal business language, the affirmation process is too thin.\n\nThat does not mean leadership should micromanage firewall rules. It means the organization needs a bridge between technical work, compliance status, and executive accountability.\n\nThat bridge is usually missing in small businesses. It is also one of the highest-value things to build.\n\n## Revision 3 is real, but CMMC is still in a transition space\n\nNIST published SP 800-171 Revision 3 in May 2024. It supersedes Revision 2 as the current NIST publication, and NIST also published assessment-related companion material.\n\nAt the same time, current public CMMC Level 2 materials still describe the Level 2 requirement set as aligned to NIST SP 800-171 Revision 2. The Department has also published resources related to Revision 3 organization-defined parameters and transition planning.\n\nThat creates an awkward but manageable reality.\n\nIf you are preparing for a current CMMC Level 2 assessment path, you need to understand the Rev. 2-based CMMC expectations. If you are building a security program that needs to last, you should also understand where Rev. 3 is moving the baseline.\n\nDo not use the transition as an excuse to freeze.\n\nA good program should survive a revision change better than a pile of template documents will.\n\nAccess control, asset inventory, logging, incident response, risk assessment, configuration management, vendor oversight, and evidence discipline are not going out of style.\n\nThe labels may shift. 
The operating backbone still matters.\n\n## What small manufacturers should collect before a prime asks\n\nIf you want to be ready for the supplier conversation, start collecting the boring things.\n\nBoring is good here.\n\nBoring means you are not scrambling.\n\nA useful readiness file might include:\n\n- Current contracts or flowdowns that mention FCI, CUI, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, CMMC, or NIST SP 800-171.\n- A short CUI and FCI handling summary.\n- A system boundary diagram or written scope summary.\n- Current SSP.\n- Current NIST SP 800-171 assessment worksheet or score basis.\n- Current SPRS summary information.\n- POA&M with owners, dates, and closure evidence.\n- Policies and procedures that match the actual environment.\n- Evidence samples for high-friction controls.\n- Cloud service and external service provider list.\n- User access and privileged access review records.\n- Incident reporting and escalation process.\n- Executive summary for leadership.\n\nDo not overcomplicate the first version. The point is to make the business legible.\n\nA prime contractor may not ask for all of this. A C3PAO assessment may require much more. An internal readiness review may find the first version is incomplete.\n\nThat is fine.\n\nThe goal is not to build the perfect archive overnight. The goal is to stop being dependent on memory, assumptions, and whoever happens to know where the spreadsheet is.\n\n## What not to do\n\nThere are a few traps I would avoid.\n\n**Do not buy tools before you understand scope.** Tools can help, but they do not decide what CUI is, where it lives, or who owns the program.\n\n**Do not copy a giant SSP and call it done.** A big document that nobody can explain is not better than a short document that tells the truth.\n\n**Do not inflate your SPRS score because the real number is uncomfortable.** The discomfort is useful. 
It tells leadership where the business needs to invest.\n\n**Do not treat the POA&M as permanent storage.** If something matters enough to list, it needs an owner and a path to closure.\n\n**Do not let the affirming official be surprised.** If leadership is going to affirm, leadership needs the plain-language version before the button gets clicked.\n\n**Do not make CMMC an IT-only project.** IT can implement a lot of controls. The business still owns scope, contracts, risk, vendors, budgets, and operating decisions.\n\nThat last one is usually the big one.\n\nCMMC sits in the uncomfortable space between security, contracts, operations, and leadership. If you pretend it only belongs to one department, the program gets brittle.\n\n## A practical 30-day path\n\nIf you are starting from scattered documents and a vague sense that \"we need CMMC,\" here is a practical first month.\n\n**Week 1: Find the pressure.**\n\nPull contracts, prime flowdowns, supplier questionnaires, portal requirements, and any customer language that mentions CMMC, CUI, FCI, DFARS, or NIST SP 800-171. Do not interpret everything yet. Just collect the pressure.\n\n**Week 2: Map the information.**\n\nIdentify where FCI and CUI may enter, move, rest, and leave the business. Include email, portals, shared drives, CAD\u002FCAM workflows, ERP, backups, mobile devices, MSP access, and cloud services. This does not need to be beautiful. It needs to be honest.\n\n**Week 3: Reconcile the SSP and score.**\n\nReview the SSP against the actual environment. If you have a current SPRS score, ask whether the scope, evidence, and POA&M still support it. 
If you do not have one, build the score from the SSP and assessment methodology rather than guessing.\n\n**Week 4: Brief leadership.**\n\nTurn the findings into a plain-language summary: what applies, what is in scope, current score posture, major gaps, likely contract risk, top remediation decisions, and what leadership would be affirming if asked.\n\nThat is not a complete CMMC program.\n\nIt is a serious start.\n\nMore importantly, it gives the business a way to have an adult conversation before a bid deadline or customer request turns everything into a fire drill.\n\n## The real value is operational clarity\n\nCMMC gets talked about like a compliance hurdle. It is one.\n\nBut for small manufacturers, the better way to think about this is operational clarity.\n\nDo we know what sensitive information we handle?\n\nDo we know where it lives?\n\nDo we know who can access it?\n\nDo we know which systems protect it?\n\nDo we know what gaps remain?\n\nDo we know who owns the fixes?\n\nDo we know what leadership is affirming?\n\nIf the answer to those questions is mostly yes, you are in a much better position. Not magically compliant. Not guaranteed anything. Just more controlled, more credible, and less dependent on hope.\n\nThat is the point.\n\nA small manufacturer does not need enterprise theater. 
It needs a security program that can be explained, operated, evidenced, and improved.\n\nThe SSP, SPRS score, POA&M, and affirmation process are not the whole program.\n\nThey are the places where the program has to show itself.\n\n## How Trawvid Sec can help\n\nTrawvid Sec helps small manufacturers and regulated businesses turn CMMC pressure into a practical operating plan.\n\nThat can mean scoping the environment, cleaning up the SSP, reviewing SPRS score logic, building a realistic POA&M, preparing leadership for affirmation decisions, or turning scattered security activity into evidence-ready documentation.\n\nThe goal is not to bury the business in paperwork.\n\nThe goal is to make the security story true enough, clear enough, and useful enough that the company can actually operate from it.",{"type":10,"value":11,"toc":12},"minimark",[],{"title":13,"searchDepth":14,"depth":14,"links":15},"",2,[],"CMMC Readiness","Schedule a CMMC readiness consultation","https:\u002F\u002Fcalendar.app.google\u002F8S8X6G7MnzmMvAfF6","2026-06-19","Small manufacturers preparing for CMMC need more than a control checklist. 
They need a defensible scope, usable SSP, honest SPRS score, disciplined POA&M, and leadership-ready affirmation story.","md",false,"\u002Fimg\u002Fcmmc-logo-300x255-1.jpg",{},true,null,"\u002Fblog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers","Current",{"title":6,"description":20},"SSP, POA&M, SPRS, and CMMC Affirmations for Manufacturers",[32,35,38,41,44,47,50,53,56],{"label":33,"url":34},"DoD CIO CMMC","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002F",{"label":36,"url":37},"DoD CIO About CMMC","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002FAbout\u002F",{"label":39,"url":40},"DoD CIO CMMC Resources and Documentation","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002FResources-Documentation\u002F",{"label":42,"url":43},"Federal Register CMMC Program Final Rule","https:\u002F\u002Fwww.federalregister.gov\u002Fdocuments\u002F2024\u002F10\u002F15\u002F2024-22905\u002Fcybersecurity-maturity-model-certification-cmmc-program",{"label":45,"url":46},"Federal Register DFARS CMMC Acquisition Rule","https:\u002F\u002Fwww.federalregister.gov\u002Fdocuments\u002F2025\u002F09\u002F10\u002F2025-17359\u002Fdefense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of",{"label":48,"url":49},"DFARS 252.204-7019","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7019-notice-nistsp-800-171-dod-assessment-requirements.",{"label":51,"url":52},"DFARS 252.204-7020","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7020-nist-sp-800-171dod-assessment-requirements.",{"label":54,"url":55},"Supplier Performance Risk System","https:\u002F\u002Fwww.sprs.csd.disa.mil\u002F",{"label":57,"url":58},"NIST SP 800-171 Revision 3","https:\u002F\u002Fcsrc.nist.gov\u002Fpubs\u002Fsp\u002F800\u002F171\u002Fr3\u002Ffinal","blog\u002Fssp-poam-sprs-cmmc-affirmations-small-manufacturers",[61,62,63,64,65,66],"CMMC","SPRS","SSP","POA&M","NIST 
800-171","Manufacturers","tJoobB7XGV3KbqNwp7Mx1xy--ZmJhnSl7_Gx4y1nV64",{"id":69,"title":70,"author":7,"blogbody":71,"body":72,"category":16,"ctaLabel":76,"ctaUrl":77,"date":78,"description":79,"extension":21,"featured":25,"image":23,"lastReviewed":78,"meta":80,"navigation":25,"outboundlinks":26,"path":81,"reviewStatus":28,"seo":82,"seoTitle":83,"sources":84,"stem":92,"tags":93,"videos":26,"youtubelinks":26,"__hash__":96},"blog\u002Fblog\u002Fcmmc-compliance-federally-mandated-cybersecurity.md","CMMC Readiness: Federally Required Cybersecurity for Defense Work","## Cyber compliance? Says who?\n\nIf you work in the defense industrial base, cybersecurity is no longer just a good idea or a best-effort IT project. It is becoming part of how the Department evaluates whether a contractor is ready to handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).\n\nThe Cybersecurity Maturity Model Certification (CMMC) program is the current mechanism for that verification. The CMMC program rule became effective on December 16, 2024, and the Department's public CMMC guidance says phased implementation began on November 10, 2025.\n\nThat does not mean every small contractor needs the same assessment tomorrow. It does mean the old strategy of waiting until a prime contractor asks for evidence is getting harder to defend.\n\n## What changed?\n\nThe biggest change is that CMMC is no longer just a future concept. It is an active program with levels, assessment paths, affirmations, and a phased rollout.\n\nLevel 1 is tied to the 15 safeguarding requirements in FAR 52.204-21 and focuses on FCI. Level 2 is tied to the 110 requirements in NIST SP 800-171 Revision 2 and focuses on CUI. Depending on the contract and information involved, Level 2 can require either a self-assessment or a third-party assessment by an authorized C3PAO.\n\nThere is one important wrinkle: NIST published SP 800-171 Revision 3 in May 2024, and that is the current NIST publication. 
Current CMMC Level 2 guidance, however, still points to NIST SP 800-171 Revision 2. That means organizations should pay attention to both: Rev. 2 for current CMMC Level 2 expectations, and Rev. 3 for where the broader CUI security baseline is moving.\n\n## Am I affected?\n\nThe practical answer starts with the information you touch.\n\nIf your contract work only involves FCI, CMMC Level 1 may be the relevant level. If your systems process, store, or transmit CUI, then CMMC Level 2 and NIST SP 800-171 become the center of gravity.\n\nThis is where a lot of businesses get stuck. They do not know whether they have CUI, which systems are in scope, which subcontractors are involved, or what evidence they would produce if asked. That is not a technology problem first. It is a scoping and governance problem.\n\n## What should a business do first?\n\nDo not start by buying tools. Start by understanding the work.\n\nIdentify the contracts, data types, systems, users, vendors, and workflows that matter. Build or update the system security plan. Run a sober gap assessment against the applicable requirements. Decide what can be fixed quickly and what needs a plan of action. Document decisions as you go.\n\nThat documentation matters. CMMC is not just about whether a control exists somewhere in the environment. It is about whether the organization can explain, prove, and maintain how it protects the information in scope.\n\n## What will this cost?\n\nThere is no honest single answer. Cost depends on scope, data flow, current maturity, cloud architecture, endpoint management, identity practices, logging, policies, and the assessment path required by the contract.\n\nA focused environment with a clear boundary is usually easier to prepare than a sprawling one where CUI shows up everywhere. That is why scoping matters. 
Every system you leave in scope becomes something you may need to secure, document, and produce evidence for.\n\n## Summary\n\nCMMC readiness is not a magic badge and it is not a one-week paperwork push. It is the work of building a security program that can stand up to reasonable questions.\n\nFor small and mid-sized businesses, the smart move is to get clear before getting fancy. Know what information you handle. Know which requirements apply. Build practical controls. Keep evidence. Review the program regularly.\n\nTrawvid Sec helps organizations work through that kind of readiness without turning it into bloated enterprise theater.",{"type":10,"value":73,"toc":74},[],{"title":13,"searchDepth":14,"depth":14,"links":75},[],"Schedule a consultation","\u002Fcontact","2026-06-15","CMMC readiness is now a practical contract-readiness issue for defense contractors and subcontractors that handle FCI or CUI.",{},"\u002Fblog\u002Fcmmc-compliance-federally-mandated-cybersecurity",{"title":70,"description":79},"CMMC Readiness for Defense Contractors",[85,87,89],{"label":86,"url":37},"DoD CMMC overview",{"label":88,"url":43},"CMMC program final rule",{"label":90,"url":91},"NIST SP 800-171 Revision 3 publication notice","https:\u002F\u002Fwww.nist.gov\u002Fnews-events\u002Fnews\u002F2024\u002F05\u002Fnist-issues-updated-security-requirements-and-assessment-procedures","blog\u002Fcmmc-compliance-federally-mandated-cybersecurity",[61,94,95],"Compliance","Defense Industrial Base","wDmpN1Ak6uxJ_7vhTFWAFE2UqMmo_LH6ZLPKd5bleww",{"id":98,"title":99,"author":7,"blogbody":100,"body":101,"category":16,"ctaLabel":17,"ctaUrl":18,"date":78,"description":105,"extension":21,"featured":25,"image":23,"lastReviewed":78,"meta":106,"navigation":25,"outboundlinks":26,"path":107,"reviewStatus":28,"seo":108,"seoTitle":109,"sources":110,"stem":133,"tags":134,"videos":26,"youtubelinks":26,"__hash__":136},"blog\u002Fblog\u002Fcmmc-phase-1-manufacturers-what-to-do-now.md","CMMC Phase 1 Is Here: What 
Manufacturers Should Do Now","## Executive summary\n\nCMMC is not just policy noise anymore. The CMMC Program rule is final, the DFARS acquisition rule is final, and the Department's public CMMC page says Phase 1 implementation began on November 10, 2025.\n\nThe practical message for small defense suppliers is simple: if your business touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need to understand your required CMMC level, know what systems are in scope, keep your SPRS and affirmation story current, and build evidence that matches what your people actually do.\n\nDo not panic-buy tools. Do not assume a generic template package gets you ready. Do not wait for a prime contractor to explain your environment back to you.\n\nStart with scope, SSP, score, POA&M, evidence, cloud services, and ownership. That is the work that turns CMMC from a rumor into an operating plan.\n\n## What changed\n\nThe important shift is that the contractual machinery is now moving.\n\nThe CMMC Program rule at 32 CFR Part 170 became effective on December 16, 2024. That rule established the CMMC program structure, levels, assessment types, scoping, affirmations, POA&M rules, scoring methodology, and subcontractor application.\n\nThe DFARS final rule for CMMC was published on September 10, 2025 and became effective on November 10, 2025. That rule is the contract-side piece. It amends DFARS parts 204, 212, 217, and 252 to bring CMMC requirements into solicitations and contracts.\n\nThe Department's current CMMC page says Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on CMMC Level 1 and Level 2 self-assessments. That does not mean every contractor needs a C3PAO assessment today. 
It does mean the \"we will deal with this later\" posture is getting thinner by the month.\n\n## What matters right now\n\nFor most small manufacturers and industrial suppliers, the first question is not \"Which tool should we buy?\"\n\nThe first question is: what information do we handle, and where does it live?\n\nIf the business only handles FCI, the CMMC conversation may center on Level 1. If the business processes, stores, or transmits CUI, the conversation usually moves toward Level 2 and NIST SP 800-171. If a solicitation or contract specifies a CMMC level, that requirement drives the path.\n\nThe latest Department FAQ is also very clear on a point that gets missed: CMMC assessments are tied to the Department's phased implementation in applicable procurements, and the required level will be specified in the solicitation and resulting contract once CMMC is implemented contractually.\n\nThat means small suppliers need a way to read the contract pressure without overreacting to every headline.\n\n## What this means for manufacturers and machine shops\n\nManufacturers and machine shops tend to get stuck because their security scope does not look like a clean software company diagram.\n\nThere may be estimating files in email, drawings in shared drives, customer portals, ERP data, CNC programming workflows, quality records, old local admin habits, shared shop-floor systems, remote support vendors, and a mix of company-owned and vendor-managed infrastructure.\n\nThat mess does not make CMMC impossible. 
It does mean guessing is expensive.\n\nFor a small supplier, the useful first move is to separate the environment into practical categories:\n\n- Systems that clearly process, store, or transmit CUI.\n- Systems that support or protect those CUI systems.\n- External service providers, cloud services, and MSP relationships that affect the environment.\n- Specialized or shop-floor assets that need careful treatment.\n- Business systems that may be important, but do not belong in the CMMC assessment scope if they do not touch or protect FCI or CUI.\n\nThe goal is not to make the smallest possible scope at any cost. The goal is to define a truthful scope that the business can operate, defend, and explain.\n\n## SPRS, SSPs, POA&Ms, affirmations, and eMASS in plain English\n\nA lot of CMMC language sounds bigger than it is. Here is the practical version.\n\n**SPRS** is where summary assessment information and CMMC status become visible to the acquisition side. Existing DFARS 252.204-7019 and 252.204-7020 requirements already tied NIST SP 800-171 assessment scores to SPRS. The current SPRS site also has CMMC tutorials for Level 1 entry, Level 2 self-assessment, and affirming officials.\n\n**An SSP** is your System Security Plan. It should explain the system boundary, CAGE codes, architecture, implemented requirements, responsible parties, and how the environment protects the relevant information. If the SSP is fiction, the rest of the readiness work gets fragile fast.\n\n**A POA&M** is a Plan of Action and Milestones. CMMC allows limited POA&M use for Level 2 and Level 3, but not for Level 1. Conditional statuses have closeout expectations, and the public CMMC material repeatedly points to a 180-day closeout window for conditional Level 2 and Level 3 status. The useful takeaway is that a POA&M is not a parking lot for hard problems.\n\n**An affirmation** is a senior official saying the organization continues to meet the applicable CMMC requirements. 
The DFARS final rule and CMMC material make annual affirmation part of the operating rhythm. That raises the stakes for leadership understanding. Somebody should know what they are affirming.\n\n**eMASS** shows up in CMMC certification assessment reporting. For Level 2 C3PAO assessments, the C3PAO submits results into the CMMC instantiation of eMASS, which then transmits to SPRS. If you are not in a C3PAO assessment path yet, do not let eMASS become a distraction. Get your scope, SSP, evidence, and SPRS story clean first.\n\n## CMMC readiness is not the same as assessment readiness\n\nReadiness means the organization has a real program moving in the right direction.\n\nAssessment readiness means the organization can show the right scope, implementation, evidence, and ownership to the right assessment path.\n\nThose overlap, but they are not identical.\n\nA company can have decent security habits and still be a mess for assessment because evidence is scattered, the SSP is stale, cloud responsibilities are unclear, and nobody knows which CAGE codes or systems the score represents.\n\nA company can also have beautiful documents and still be weak operationally because the process is not happening. That is worse. It creates confidence on paper and confusion in reality.\n\nFor most small suppliers, the right sequence is:\n\n- Confirm contract and data pressure.\n- Define scope.\n- Build or clean up the SSP.\n- Score honestly.\n- Tie gaps to a real POA&M where allowed.\n- Organize evidence by requirement and owner.\n- Review cloud and external service provider dependencies.\n- Prepare leadership for affirmation.\n\nThat sequence is less exciting than a tool demo. It is also the work that keeps you from wasting money.\n\n## NIST SP 800-171 Rev. 3: watch it, but do not overreact\n\nNIST published SP 800-171 Revision 3 in May 2024, and NIST lists Revision 2 as superseded. 
That creates understandable confusion because current CMMC assessment material still centers on Revision 2.\n\nThe Department's latest FAQ addresses this directly. It says the Department will incorporate Revision 3 through future rulemaking. In the interim, the Department issued a class deviation to keep Revision 2 as the standard against which defense industrial base companies are assessed until Revision 3 is incorporated into the CMMC Program rule.\n\nThe same FAQ says companies can implement Revision 3, but should use the Department's organization-defined parameters and make sure gaps between Revision 2 and Revision 3 are addressed.\n\nPlain English: do not ignore Revision 3, but do not rebuild your CMMC plan around rumor. If you are preparing for current CMMC assessment expectations, understand the Revision 2-based path. If you are building a durable program, watch Revision 3 and the Department's ODPs so the program does not become obsolete the moment the next rulemaking lands.\n\n## Cloud services and MSPs need adult supervision\n\nCloud and service-provider questions are where a lot of small businesses get surprised.\n\nDFARS 252.204-7012 already includes requirements for external cloud service providers that store, process, or transmit covered defense information. The CMMC FAQ reinforces that cloud service providers storing encrypted CUI still need to meet requirements equivalent to the FedRAMP Moderate baseline. It also says encrypted CUI is still CUI until properly decontrolled.\n\nMSP and MSSP relationships are also not magic escape hatches. 
The FAQ explains scenarios where external service providers do not need their own CMMC certification but are still assessed as part of the organization's assessment scope against applicable requirements.\n\nFor a manufacturer, that means the MSP conversation should be very concrete:\n\n- What systems does the provider administer?\n- Does the provider process, store, or transmit CUI?\n- Does the provider handle security protection data?\n- What provider evidence, service descriptions, shared responsibilities, and configuration records will support the SSP?\n- Is the cloud tenant yours, the provider's, or modified by the provider in a way that changes responsibility?\n\nIf nobody can answer those questions, you have a readiness gap.\n\n## Where companies get stuck\n\nThe usual failure points are boring. That is why they matter.\n\nCompanies get stuck when they:\n\n- Do not know whether they handle FCI, CUI, or both.\n- Treat every system as in scope because nobody wants to draw a boundary.\n- Treat almost nothing as in scope because the boundary was drawn for convenience instead of truth.\n- Have an SSP that does not match current systems, vendors, or workflows.\n- Submit or discuss an SPRS score without understanding which system and CAGE codes it represents.\n- Use a POA&M as a wish list instead of an executable remediation plan.\n- Assume the MSP, cloud provider, or prime contractor owns the problem.\n- Collect screenshots only after somebody asks for evidence.\n- Let executives affirm compliance without a plain-language briefing on what changed, what is still open, and what risk remains.\n\nNone of these are exotic cybersecurity problems. 
They are ownership problems.\n\n## What to do this week\n\nIf you are a small supplier trying to get out of the fog, start here:\n\n- Pull the contracts, solicitations, flowdowns, and customer requests that mention DFARS, CMMC, NIST SP 800-171, SPRS, FCI, or CUI.\n- Identify which products, programs, customers, and files may involve FCI or CUI.\n- Build a quick system map: email, file storage, ERP, CAD\u002FCAM, customer portals, cloud services, endpoints, servers, remote access, backups, and MSP tools.\n- Decide which CAGE codes and systems your current or future assessment story needs to cover.\n- Find the SSP. If it does not exist or does not match reality, fix that before polishing policy language.\n- Review your current SPRS status and who has access to manage it.\n- Identify the affirming official and brief them in plain English.\n- List all cloud providers and external service providers that touch CUI, security protection data, administration, backups, logging, or remote access.\n- Build a gap list and separate implementation gaps from evidence gaps.\n- Turn the gap list into a prioritized remediation plan instead of a giant spreadsheet nobody owns.\n\nIf that sounds like a lot, that is because it is the real work. But it is also manageable when you put it in the right order.\n\n## What is still uncertain\n\nSome things are now clear: the program rule is final, the DFARS rule is final, Phase 1 has begun, and the official materials describe assessment, affirmation, POA&M, SPRS, eMASS, and cloud expectations.\n\nOther things still need to be monitored contract by contract.\n\nThe required CMMC level comes from the solicitation and resulting contract. Primes may communicate flowdown expectations before the small supplier sees clean language. Some requirements may be delayed to option periods. The Department may update guidance, FAQs, training, and Rev. 3 transition material. 
The ecosystem will also keep learning what good assessment evidence looks like in the field.\n\nSo the right posture is not panic. It is readiness with a monitoring habit.\n\nWatch the official CMMC page, the CMMC Resources and Documentation page, the CMMC FAQ, relevant DFARS clauses, SPRS updates, and NIST publications. Treat vendor commentary as commentary, not authority.\n\n## The practical next step\n\nCMMC is now operational enough that small suppliers need a working plan.\n\nYou do not need to boil the ocean this week. You do need to know your scope, your current score story, your SSP quality, your POA&M reality, your cloud and MSP dependencies, your evidence habits, and who is comfortable making an affirmation.\n\nTrawvid Sec helps manufacturers, machine shops, industrial suppliers, and defense subcontractors turn that mess into a practical next-step plan. We can help you talk through your SSP, SPRS score, POA&M, cloud services, evidence, and assessment path before you spend heavily on tools or assessment prep.\n\nIf you want help organizing the work, start with the [CMMC readiness service](\u002Fservices\u002Fcmmc-readiness), review the broader [cybersecurity advisory services](\u002Fservices), or [contact Trawvid Sec](\u002Fcontact). If you are ready to talk now, schedule a CMMC readiness consultation and bring the requirement, customer request, or messy scope question that is slowing the program down.",{"type":10,"value":102,"toc":103},[],{"title":13,"searchDepth":14,"depth":14,"links":104},[],"CMMC Phase 1 is active. 
Here is what small manufacturers, machine shops, and DoD suppliers should do with SPRS, SSPs, POA&Ms, affirmations, cloud services, and evidence.",{},"\u002Fblog\u002Fcmmc-phase-1-manufacturers-what-to-do-now",{"title":99,"description":105},"CMMC Phase 1 for Manufacturers and DoD Suppliers",[111,113,114,117,119,121,124,126,128,129,130],{"label":112,"url":37},"DoD CIO CMMC About",{"label":39,"url":40},{"label":115,"url":116},"CMMC Program FAQ Revision 2.3","https:\u002F\u002Fdodcio.defense.gov\u002FCMMC\u002FFAQs\u002F",{"label":118,"url":43},"Federal Register - CMMC Program Rule, 32 CFR Part 170",{"label":120,"url":46},"Federal Register - DFARS CMMC Final Rule, 48 CFR Parts 204, 212, 217, and 252",{"label":122,"url":123},"Acquisition.gov - DFARS 252.204-7012","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.",{"label":125,"url":49},"Acquisition.gov - DFARS 252.204-7019",{"label":127,"url":52},"Acquisition.gov - DFARS 252.204-7020",{"label":54,"url":55},{"label":57,"url":58},{"label":131,"url":132},"DoD Organization-Defined Parameters for NIST SP 800-171 Revision 3","https:\u002F\u002Fdodcio.defense.gov\u002FPortals\u002F0\u002FDocuments\u002FCMMC\u002FOrgDefinedParmsNISTSP800-171.pdf","blog\u002Fcmmc-phase-1-manufacturers-what-to-do-now",[61,135,65,62,66],"DFARS","xWqjOwdavpXbGUWzSv0TJ24DBDIoIs-tkA_Nfa7Wlho",{"id":138,"title":139,"author":7,"blogbody":140,"body":141,"category":145,"ctaLabel":146,"ctaUrl":77,"date":147,"description":148,"extension":21,"featured":22,"image":149,"lastReviewed":150,"meta":151,"navigation":25,"outboundlinks":26,"path":152,"reviewStatus":28,"seo":153,"seoTitle":154,"sources":155,"stem":162,"tags":163,"videos":26,"youtubelinks":26,"__hash__":167},"blog\u002Fblog\u002Fwhat-are-nfo-controls-nist-sp-800-171.md","NFO Controls in NIST SP 800-171: The Security Program Behind the Checklist","## NIST SP 800-171 and NFO controls\n\nIn the older NIST SP 800-171 
Revision 2 world, there was a strange little category that caused more confusion than it should have: NFO controls.\n\nNFO stood for nonfederal organization. It was one of the tailoring criteria in the Revision 2 appendices: it marked NIST SP 800-53 moderate-baseline controls that NIST expected nonfederal organizations to satisfy routinely as part of a normal security program, so they were not restated as 800-171 requirements and were not part of the scored requirement set.\n\nThat is a mouthful. In plain language, NIST was saying: some parts of a real security program are so foundational that the government should not have to write them into every CUI requirement to make them matter.\n\nThat idea was useful. It was also easy to misunderstand.\n\n## What changed in Revision 3?\n\nNIST published SP 800-171 Revision 3 in May 2024. In the Rev. 3 FAQ, NIST explains that the NFO tailoring criterion was eliminated. Some foundational items that organizations often ignored or treated as \"not required\" now appear as requirements in their own right, which is part of why Revision 3 adds families such as Planning, System and Services Acquisition, and Supply Chain Risk Management.\n\nSo if you are reading current NIST SP 800-171 Rev. 3 material, do not go hunting for the old NFO table like it still works the same way. The category changed.\n\nBut the security lesson did not go away.\n\n## The checklist is not the whole program\n\nThis is where a lot of organizations get sideways. They look at a requirement list and think the job is to answer each line item in isolation.\n\nThat is how you end up with MFA turned on but no access review process. Logging exists, but nobody owns review. Policies exist, but they do not match how the business actually works. 
Asset inventory is a spreadsheet somebody updates when they remember it exists.\n\nYou can have a pile of controls and still not have a program.\n\nThe old NFO conversation was valuable because it forced the bigger question: what security management functions should already exist underneath the CUI requirements?\n\n## What should exist underneath the controls?\n\nAt a minimum, most organizations handling sensitive contract information should be able to explain:\n\n- Who owns security decisions.\n- What systems and data are in scope.\n- How access is requested, approved, reviewed, and removed.\n- How assets are tracked.\n- How logging is collected and reviewed.\n- How policies are approved and updated.\n- How vendors and cloud services are selected.\n- How incidents are reported and handled.\n- How exceptions are documented.\n- How evidence is retained.\n\nNone of that is exotic. It is the boring backbone. And in security, the boring backbone is usually what keeps the wheels from falling off.\n\n## What about CMMC?\n\nCurrent CMMC Level 2 guidance still points to NIST SP 800-171 Revision 2. NIST's current publication is Revision 3. That creates an awkward transition space.\n\nThe practical answer is not to pick one document and ignore the other. If you are preparing for CMMC Level 2, understand the Rev. 2-based assessment expectations. If you are building a security program that needs to last, understand where Rev. 3 is moving the baseline.\n\nA useful program should be able to survive more than one version of a standard.\n\n## How do you make this useful?\n\nStart with policy and ownership, but do not write policy as decoration. A useful policy tells people how the business wants security decisions made. A useful procedure tells them how to carry those decisions out. Useful evidence shows the work actually happened.\n\nThat is the heart of this whole conversation.\n\nNFO controls may not exist in Rev. 3 the way they did in Rev. 
2, but the message is still relevant: compliance work sits on top of a security program. If the program is weak, the checklist gets fragile fast.",{"type":10,"value":142,"toc":143},[],{"title":13,"searchDepth":14,"depth":14,"links":144},[],"Policy and Governance","Talk through your security program","2022-05-16","NFO controls were removed from NIST SP 800-171 Rev. 3, but the lesson remains: a checklist does not replace a working security program.","\u002Fimg\u002Fcmmc.gif","2026-06-06",{},"\u002Fblog\u002Fwhat-are-nfo-controls-nist-sp-800-171",{"title":139,"description":148},"NFO Controls in NIST SP 800-171",[156,158,161],{"label":57,"url":157},"https:\u002F\u002Fnvlpubs.nist.gov\u002Fnistpubs\u002FSpecialPublications\u002F800-171r3\u002FNIST.SP.800-171r3.html",{"label":159,"url":160},"NIST SP 800-171 Rev. 3 FAQ","https:\u002F\u002Fcsrc.nist.gov\u002Fcsrc\u002Fmedia\u002FProjects\u002Fprotecting-controlled-unclassified-information\u002Fdocuments\u002FFAQ\u002FFAQ-SP800-171R3-171AR3.pdf",{"label":86,"url":37},"blog\u002Fwhat-are-nfo-controls-nist-sp-800-171",[65,164,165,166],"NFO Controls","Policy","Governance","3YUP7xSVYXnABxcybRHBAl4PBiz0iu7cgAzdL-kkYD0",{"id":169,"title":170,"author":7,"blogbody":171,"body":172,"category":176,"ctaLabel":177,"ctaUrl":77,"date":178,"description":179,"extension":21,"featured":22,"image":180,"lastReviewed":150,"meta":181,"navigation":25,"outboundlinks":26,"path":182,"reviewStatus":28,"seo":183,"seoTitle":184,"sources":185,"stem":192,"tags":193,"videos":26,"youtubelinks":26,"__hash__":196},"blog\u002Fblog\u002Fsecurity-control-categories-administrative-preventative-detective-and-compensating.md","Security Control Categories: Administrative, Preventive, Detective, Corrective, and Compensating","Security controls are how an organization turns security intent into real behavior.\n\nA policy by itself does not stop much. A tool by itself does not explain why it exists. 
A dashboard by itself does not reduce risk if nobody knows what to do with the alert. Useful security comes from controls working together.\n\nThere are several ways to categorize controls. For a practical security program, these five categories are a good starting point: administrative, preventive, detective, corrective, and compensating.\n\n## Administrative controls\n\nAdministrative controls are the governance layer. They tell people what the organization expects and how decisions should be made.\n\nExamples include policies, standards, procedures, training, risk acceptance processes, vendor review processes, and access approval workflows.\n\nThese controls can feel less exciting than technical tools, but they matter. If nobody owns access reviews, an identity tool will not magically create accountability. If there is no incident procedure, a logging platform will not know who to wake up.\n\n## Preventive controls\n\nPreventive controls try to stop a problem before it happens.\n\nExamples include multi-factor authentication, least privilege access, patching, secure configuration, network segmentation, endpoint protection, and blocking known-bad traffic.\n\nPreventive controls are important, but they are not magic. They reduce the odds of a bad event. They do not remove the need to monitor, respond, and improve.\n\n## Detective controls\n\nDetective controls help the organization notice when something has gone wrong or when behavior is drifting from what was expected.\n\nExamples include logging, alerting, endpoint detection, file integrity monitoring, vulnerability scanning, audit review, and suspicious login detection.\n\nThe trap here is collecting logs nobody reads. A detective control should have an owner, a review rhythm, and a response path. 
Otherwise it is just expensive noise.\n\n## Corrective controls\n\nCorrective controls help the organization recover after something fails.\n\nExamples include backup restoration, password resets, account disablement, malware removal, patch deployment, system rebuilds, and incident response procedures.\n\nCorrective controls are where planning meets reality. If the backup has never been restored, it is not much of a recovery control yet. If nobody knows who can disable an account after hours, the procedure is still theoretical.\n\n## Compensating controls\n\nCompensating controls are alternative safeguards used when the preferred control is not feasible.\n\nThey should not be a loophole or a hand wave. A compensating control needs a reason, an owner, and enough strength to reduce the risk in a credible way.\n\nFor example, if a legacy system cannot support modern MFA, the organization might isolate it, restrict access, increase logging, review access more frequently, and document the exception. That does not make the legacy system ideal. It makes the risk visible and managed.\n\n## Choosing controls without making a mess\n\nBefore adding a control, ask practical questions:\n\n- What risk is this control supposed to reduce?\n- Who owns it?\n- How will it be implemented?\n- How will we know it is working?\n- What breaks if it fails?\n- Does it conflict with another process?\n- What evidence would show it is operating?\n\nSecurity programs get brittle when controls are added without purpose. A good control should support the business, reduce risk, and produce enough evidence to be trusted.\n\n## Summary\n\nNo single category does the whole job. Administrative controls guide the program. Preventive controls reduce the chance of trouble. Detective controls show when something is wrong. Corrective controls help recover. Compensating controls manage exceptions honestly.\n\nThe goal is not to collect controls. 
The goal is to build a security program that behaves well under pressure.",{"type":10,"value":173,"toc":174},[],{"title":13,"searchDepth":14,"depth":14,"links":175},[],"Security Program","Review your control strategy","2021-06-08","Administrative, preventive, detective, corrective, and compensating controls work together to reduce risk without turning security into theater.","\u002Fimg\u002Frisk.png",{},"\u002Fblog\u002Fsecurity-control-categories-administrative-preventative-detective-and-compensating",{"title":170,"description":179},"Security Control Categories Explained",[186,189],{"label":187,"url":188},"NIST SP 800-53 Revision 5","https:\u002F\u002Fcsrc.nist.gov\u002FPubs\u002Fsp\u002F800\u002F53\u002Fr5\u002Fupd1\u002FFinal",{"label":190,"url":191},"NIST Cybersecurity Framework 2.0","https:\u002F\u002Fcsrc.nist.gov\u002Fpubs\u002Fcswp\u002F29\u002Fthe-nist-cybersecurity-framework-csf-20\u002Ffinal","blog\u002Fsecurity-control-categories-administrative-preventative-detective-and-compensating",[194,166,195],"Security Controls","Risk Management","1RQCwPoZnqqFz6MFXMl_h6fziyeieE2L99Lw4C5f0Hs",{"id":198,"title":199,"author":7,"blogbody":200,"body":201,"category":195,"ctaLabel":205,"ctaUrl":77,"date":178,"description":206,"extension":21,"featured":22,"image":180,"lastReviewed":150,"meta":207,"navigation":25,"outboundlinks":26,"path":208,"reviewStatus":28,"seo":209,"seoTitle":210,"sources":211,"stem":216,"tags":217,"videos":26,"youtubelinks":26,"__hash__":218},"blog\u002Fblog\u002Fsteps-for-developing-a-risk-management-program.md","Steps for Developing a Risk Management Program","Risk management is how an organization decides what matters, what can go wrong, what to do about it, and who owns the decision.\n\nThat sounds obvious until cybersecurity gets involved. Technical risk can hide behind acronyms, dashboards, vulnerability scores, and tool alerts. 
Leadership may see the cost of stolen money immediately, but the business impact of weak access control, missing backups, or unmanaged vendors can feel abstract until something breaks.\n\nA risk management program makes those risks visible enough to manage.\n\n## 1. Establish the context\n\nStart with the business, not the tools.\n\nWhat does the organization do? What information does it rely on? What contracts, regulations, customers, systems, and vendors matter most? What would actually hurt if it failed, leaked, or became unavailable?\n\nThis is also where leadership support matters. A risk program without leadership support turns into a suggestion box. The organization needs to know who can accept risk, who can require treatment, and when risk needs to be escalated.\n\n## 2. Define scope\n\nScope keeps the program from becoming fog.\n\nDecide what parts of the organization, systems, data, and processes are included. A first risk program does not have to solve every possible problem at once. It does need clear boundaries.\n\nFor a contractor, scope may center on systems that handle CUI or FCI. For another business, it may center on payment systems, customer data, manufacturing operations, or cloud administration.\n\n## 3. Identify assets and owners\n\nYou cannot manage risk to assets nobody has identified.\n\nBuild an inventory of important systems, applications, data stores, vendors, accounts, devices, and business processes. Then identify owners. Ownership does not mean one person fixes everything. It means someone is accountable for decisions and coordination.\n\nAsset inventory does not have to be perfect to be useful. It does have to be maintained.\n\n## 4. Set risk criteria\n\nBefore assessing risk, decide how risk will be judged.\n\nWhat counts as high impact? What likelihood scale will you use? What kinds of risk can leadership accept? Which risks require treatment? 
Which risks are tied to contracts or legal obligations and cannot simply be waved away?\n\nWithout criteria, risk discussions turn into opinions. With criteria, the organization can make decisions more consistently.\n\n## 5. Assess risk\n\nA risk assessment looks at threats, vulnerabilities, likelihood, impact, and existing controls.\n\nNIST SP 800-30 remains a useful reference for this work. You do not need to make the process painfully academic. You do need to be consistent enough that leadership can understand why one risk is urgent and another can wait.\n\nGood assessments also consider the current control environment. A missing control is not automatically a disaster. A missing control on a critical system with sensitive data and no detective visibility might be.\n\n## 6. Choose a treatment path\n\nMost risks fall into one of a few paths:\n\n- Reduce the risk with controls.\n- Transfer part of the risk through contracts or insurance.\n- Avoid the activity that creates the risk.\n- Accept the risk with a documented decision.\n\nRisk acceptance should not be a shrug. It should be a conscious business decision made by the right person with enough context to understand the tradeoff.\n\n## 7. Document and monitor\n\nA risk register is useful when it drives action. It is not useful when it becomes a spreadsheet museum.\n\nTrack the risk, owner, treatment plan, due date, status, evidence, and review cadence. Revisit risks when systems change, vendors change, contracts change, incidents happen, or new requirements arrive.\n\nRisk management is not a one-time workshop. It is a management rhythm.\n\n## Summary\n\nA risk management program does not need to be huge to be useful. It needs context, scope, ownership, criteria, assessment, treatment, and review.\n\nFor small and mid-sized businesses, the best first version is usually practical and visible. Know what matters. Decide who owns it. Make risk decisions on purpose. Keep evidence. 
Improve over time.",{"type":10,"value":202,"toc":203},[],{"title":13,"searchDepth":14,"depth":14,"links":204},[],"Build a practical risk program","A practical risk management program helps leadership understand cybersecurity risk, assign ownership, choose controls, and revisit decisions over time.",{},"\u002Fblog\u002Fsteps-for-developing-a-risk-management-program",{"title":199,"description":206},"Developing a Cybersecurity Risk Management Program",[212,215],{"label":213,"url":214},"NIST SP 800-30 Revision 1","https:\u002F\u002Fcsrc.nist.gov\u002Fpublications\u002Fdetail\u002Fsp\u002F800-30\u002Frev-1\u002Ffinal",{"label":190,"url":191},"blog\u002Fsteps-for-developing-a-risk-management-program",[195,176,166],"eVzHpaSz4WK3GXHUGASvICEgj0Fge5qbCY8XfDZYa6s",{"id":220,"title":221,"author":7,"blogbody":222,"body":223,"category":16,"ctaLabel":227,"ctaUrl":77,"date":228,"description":229,"extension":21,"featured":22,"image":149,"lastReviewed":150,"meta":230,"navigation":25,"outboundlinks":26,"path":231,"reviewStatus":28,"seo":232,"seoTitle":233,"sources":234,"stem":243,"tags":244,"videos":26,"youtubelinks":26,"__hash__":245},"blog\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-3.md","Bringing FAR, DFARS, NIST SP 800-171, and CMMC Together","## Bringing it all together\n\nAt this point, we have talked about FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and CMMC as separate pieces. Now we need to put them back together.\n\nThe simplest way to think about it is this:\n\n- FAR 52.204-21 is basic safeguarding for FCI.\n- DFARS 252.204-7012 brings defense CUI protection and cyber incident reporting obligations.\n- DFARS 252.204-7019 and 252.204-7020 deal with NIST SP 800-171 assessment requirements and SPRS.\n- NIST SP 800-171 is the CUI security requirement set.\n- CMMC is the DoD verification program layered onto this ecosystem.\n\nThat still sounds like alphabet soup, because it is. 
But once you know what each piece does, the path gets less mysterious.\n\n## Start with the data\n\nDo not start with the acronym. Start with the information.\n\nAre you handling FCI? Are you handling CUI? Where does it live? Who touches it? Which systems store, process, or transmit it? Which vendors are part of the workflow?\n\nThat one exercise can prevent a lot of pain. If the whole company is accidentally in scope, the project gets expensive and frustrating. If the scope is realistic and defensible, the work becomes much more manageable.\n\n## Then read the contract\n\nContract clauses matter. FAR 52.204-21 does not create the same obligations as DFARS 252.204-7012. A CMMC Level 1 requirement is not the same thing as a CMMC Level 2 requirement. A self-assessment path is not the same as a third-party assessment path.\n\nIf you do not understand the contract language, slow down before you promise anything. This is not an area where vague confidence helps.\n\n## Build the package\n\nA useful readiness package usually includes:\n\n- A clear scope.\n- A system security plan.\n- A control gap assessment.\n- Plans of action where allowed and appropriate.\n- Policies and procedures that match the real environment.\n- Evidence showing that controls are implemented.\n- An owner for maintaining the program.\n\nThe point is not paperwork for its own sake. The point is to make the security program explainable and repeatable.\n\n## What this means for a smaller business\n\nSmall and mid-sized businesses usually do not have extra people sitting around waiting to become compliance staff. That is why the program has to be practical.\n\nGood CMMC readiness work should reduce confusion, not add ceremony. It should help the business understand what it has, protect what matters, make better decisions, and produce evidence when a customer or assessor asks for it.\n\n## Summary\n\nThese requirements overlap, but they are not interchangeable. FAR gives the basic FCI floor. 
DFARS adds defense CUI obligations. NIST SP 800-171 defines the CUI safeguards. CMMC verifies implementation for defense contracts.\n\nThe work becomes easier when you stop treating the acronyms like separate monsters and start treating them like parts of one security program.",{"type":10,"value":224,"toc":225},[],{"title":13,"searchDepth":14,"depth":14,"links":226},[],"Get help scoping the work","2021-04-26","FAR, DFARS, NIST SP 800-171, and CMMC overlap, but each plays a different role in contract cybersecurity readiness.",{},"\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-3",{"title":221,"description":229},"FAR DFARS NIST 800-171 and CMMC Explained",[235,238,241,242],{"label":236,"url":237},"FAR 52.204-21","https:\u002F\u002Fwww.acquisition.gov\u002Ffar\u002F52.204-21",{"label":239,"url":240},"DFARS 252.204-7012","https:\u002F\u002Fwww.acquisition.gov\u002Fdfars\u002F252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.?searchTerms=252.204-7012",{"label":51,"url":52},{"label":86,"url":37},"blog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-3",[61,65,135,62],"1IJf53h5cbKcd4lheCX5NwBMyjCAbNIue8h0gJcEIuQ",{"id":247,"title":248,"author":7,"blogbody":249,"body":250,"category":16,"ctaLabel":254,"ctaUrl":77,"date":255,"description":256,"extension":21,"featured":22,"image":149,"lastReviewed":150,"meta":257,"navigation":25,"outboundlinks":26,"path":258,"reviewStatus":28,"seo":259,"seoTitle":260,"sources":261,"stem":265,"tags":266,"videos":26,"youtubelinks":26,"__hash__":268},"blog\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-1.md","NIST SP 800-171 and CMMC: Related, But Not the Same","In the first article, we separated FAR 52.204-21 from DFARS 252.204-7012. This time, we need to separate another pair that gets blended together all the time: NIST SP 800-171 and CMMC.\n\nThey are closely related. 
They are not the same thing.\n\n## What NIST SP 800-171 does\n\nNIST SP 800-171 is a publication for protecting Controlled Unclassified Information in nonfederal systems and organizations. In plain language, it tells contractors what security requirements are expected when CUI lives outside the government's own systems.\n\nNIST published Revision 3 in May 2024. That is the current NIST version, and it reorganizes and updates the CUI security requirements.\n\nFor many defense contractors, though, current CMMC Level 2 expectations still point to NIST SP 800-171 Revision 2. That creates a practical split: build for today's assessment expectations, but do not ignore the direction Rev. 3 is taking the baseline.\n\n## What CMMC does\n\nCMMC is the Department of Defense program for verifying that contractors and subcontractors are meeting cybersecurity requirements tied to FCI and CUI.\n\nCurrent CMMC has three levels:\n\n- Level 1 focuses on basic safeguarding for FCI, using the 15 requirements from FAR 52.204-21, and is an annual self-assessment.\n- Level 2 focuses on protecting CUI using the 110 requirements of NIST SP 800-171 Revision 2. Depending on the contract, it is either a self-assessment or a certification assessment performed by a C3PAO.\n- Level 3 adds a selected subset of NIST SP 800-172 requirements on top of Level 2 and is assessed by the Department rather than a C3PAO.\n\nThe assessment path matters, but it should not distract from the real work: building a security program that is scoped, implemented, documented, and maintained.\n\n## Why the difference matters\n\nNIST SP 800-171 is the requirement set. CMMC is the verification program.\n\nA company can read 800-171 and still have no useful evidence. A company can talk about CMMC and still not know which systems are in scope. Neither one works without practical implementation.\n\nThis is why the system security plan matters. This is why asset inventory matters. This is why access control, logging, incident response, vendor review, and policy ownership matter. The assessment is not supposed to be a scavenger hunt. 
It should be a review of a program that already exists.\n\n## Scoring and evidence\n\nThe DoD assessment methodology for NIST SP 800-171 created the familiar score conversation many contractors know through SPRS. CMMC adds a separate certification or self-assessment pathway depending on the level and contract requirement.\n\nDo not assume one score, one upload, or one document automatically satisfies everything. Contract language still matters. Data type still matters. Assessment path still matters.\n\n## Summary\n\nNIST SP 800-171 tells you what CUI safeguards are expected. CMMC is how the Department verifies implementation for defense work.\n\nIf you are preparing for CMMC, do not start with logos, badges, or panic. Start with scope. Then build the system security plan, identify gaps, assign owners, collect evidence, and work the program like something the business actually depends on.",{"type":10,"value":251,"toc":252},[],{"title":13,"searchDepth":14,"depth":14,"links":253},[],"Map your CMMC readiness path","2021-04-21","NIST SP 800-171 tells contractors what CUI safeguards are expected. 
CMMC is the DoD program for verifying those safeguards.",{},"\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-1",{"title":248,"description":256},"NIST SP 800-171 vs CMMC",[262,263,264],{"label":86,"url":37},{"label":57,"url":58},{"label":88,"url":43},"blog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-part-1",[61,65,267,94],"CUI","3IkGkxCU4VgCdfpyLOZS71QQYaLWPzk_6u0L1YrikuU",{"id":270,"title":271,"author":7,"blogbody":272,"body":273,"category":16,"ctaLabel":277,"ctaUrl":77,"date":278,"description":279,"extension":21,"featured":22,"image":149,"lastReviewed":150,"meta":280,"navigation":25,"outboundlinks":26,"path":281,"reviewStatus":28,"seo":282,"seoTitle":283,"sources":284,"stem":289,"tags":290,"videos":26,"youtubelinks":26,"__hash__":291},"blog\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-1.md","Differences Between FAR 52.204-21 and DFARS 252.204-7012","The names are ugly, but the distinction matters.\n\nFAR 52.204-21 and DFARS 252.204-7012 are both contract clauses about protecting government-related information. They are not the same thing, and treating them like they are can lead to bad scoping decisions.\n\n## FAR 52.204-21\n\nFAR 52.204-21 is the basic safeguarding clause for Federal Contract Information (FCI). It contains 15 basic safeguarding requirements for covered contractor information systems.\n\nFCI is not meant for public release, but it is not necessarily CUI. Think of this as the baseline level of hygiene for federal contract information.\n\nIf this clause applies, the job is not to build a massive compliance program overnight. The job is to make sure basic safeguards are actually in place and not just assumed.\n\n## DFARS 252.204-7012\n\nDFARS 252.204-7012 is a defense clause. 
It is focused on Covered Defense Information and cyber incident reporting, and it points contractors toward NIST SP 800-171 for covered contractor information systems.\n\nIt also brings reporting and flowdown obligations that FAR 52.204-21 does not carry in the same way. If you use a cloud provider to store, process, or transmit covered defense information for the contract, that choice can matter too.\n\nIn plain language: FAR 52.204-21 is basic safeguarding. DFARS 252.204-7012 is a much heavier defense-contract obligation tied to CUI protection and incident reporting.\n\n## Where do DFARS 7019 and 7020 fit?\n\nDFARS 252.204-7019 and DFARS 252.204-7020 added assessment mechanics around NIST SP 800-171. They are the reason many contractors deal with Basic Assessments, scores, and SPRS.\n\nThis is where organizations often realize that \"we have a policy\" is not the same as \"we can show how this requirement is implemented in the system security plan.\"\n\n## What about CMMC?\n\nCMMC builds on these existing requirements. Current CMMC Level 1 aligns to the 15 requirements in FAR 52.204-21. Current CMMC Level 2 aligns to the 110 requirements in NIST SP 800-171 Revision 2 for systems handling CUI.\n\nCMMC does not erase the clauses. It gives the Department a way to assess and affirm that contractors and subcontractors are doing the work.\n\n## Summary\n\nIf you only have FAR 52.204-21, start with basic safeguarding and FCI. If DFARS 252.204-7012 appears, slow down and understand whether CUI is involved, which systems are in scope, what assessment requirements apply, and what evidence you need.\n\nThe wrong scope can make a reasonable project feel impossible. 
The right scope makes the work manageable.",{"type":10,"value":274,"toc":275},[],{"title":13,"searchDepth":14,"depth":14,"links":276},[],"Review your contract requirements","2021-04-17","FAR 52.204-21 and DFARS 252.204-7012 both deal with safeguarding information, but they apply to different data and different obligations.",{},"\u002Fblog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-1",{"title":271,"description":279},"FAR 52.204-21 vs DFARS 252.204-7012",[285,286,287,288],{"label":236,"url":237},{"label":239,"url":240},{"label":51,"url":52},{"label":86,"url":37},"blog\u002Fdifferences-between-nist-800-171-cmmc-dfars-252-204-7012-and-far-52-204-21-1",[236,135,65,61],"SCA9GuzV34IBdMRdtVddsQo92TwnpcUuucVtWlFSbfY",1781885365458]