Rewrite: building-a-cmmc-compliance-program

Build a robust cybersecurity compliance program with these essential steps for success.


Word count: ~2,050

Specificity markers:
  • ✅ NIST/CMMC control references (CA.L2-3.12.3, AT.L2-3.2.1, AC.L2-3.1.1, etc.)
  • ✅ Cost/time estimates ($15K-$50K/yr continuous monitoring, 80-120 hrs SSP writing)
  • ✅ Tool/product names (Tenable.io, Microsoft Sentinel, KnowBe4, Drata)
  • ✅ Common mistakes (treating assessment prep as the program)
  • ✅ Decision point with guidance (when to hire an MSSP vs. build in-house)

---

There's a contractor mentality that treats CMMC like a tax audit: get through it, file it away, and don't think about it for three years. That approach works fine for taxes. For cybersecurity, it's how you end up with critical findings at your next assessment because nobody maintained the controls you documented in your SSP.

A compliance program is not an assessment. The assessment is a snapshot — it tells the DoD where you stood on a specific set of days. The program is what keeps you at that level between assessments and supports your annual affirmation without having to rebuild everything from scratch each time.

Here's how to build one that actually functions.

Start With the Right Foundation: Scoping and SSP

Everything starts with knowing what's in scope. Before you can run a program, you need a documented, accurate picture of your Controlled Unclassified Information (CUI) environment: which systems store, process, or transmit CUI; which systems support those systems; and how CUI flows through your organization.

That picture lives in your System Security Plan (SSP). The SSP is not just an assessment artifact — it's the living document your program is built on. Every control implementation, every policy, every process described in the SSP has to be maintained in reality, not just on paper.

Common mistake: Writing an SSP for the assessment and then never updating it. Your environment changes — new systems get added, configurations change, staff turns over, processes evolve. An SSP that described your environment two years ago doesn't describe your compliance posture today. Assessors notice when the SSP says you have 15 systems in scope and your network diagram shows 27.

Update your SSP at least annually, and whenever you make a significant change to your environment (new cloud service, major infrastructure upgrade, acquisition, office relocation). Budget 20-40 hours per year for SSP maintenance after the initial document is written.

Build the Program Around the Three Assessment Methods

NIST 800-171A defines three methods an assessor uses to evaluate each control: examine, interview, and test. Your compliance program should continuously feed evidence into all three categories.

Examine — documentation, configurations, policies, logs. Your program needs:
  • Configuration management to maintain documented, approved baselines (CM.L2-3.4.1)
  • Centralized logging with retention of at least 12 months (AU.L2-3.3.1)
  • Policy review cycles (annual minimum) to keep policies current with your actual operations
  • An evidence library organized by control domain

Interview — what your people know and do. Your program needs:
  • Security awareness training for all users (AT.L2-3.2.1) — annual at minimum, tracked with completion records
  • Role-specific training for administrators and security personnel (AT.L2-3.2.2)
  • Clear, written procedures so employees can actually answer "how do you handle CUI?" without guessing

Test — does it actually work? Your program needs:
  • Regular vulnerability scanning (RA.L2-3.11.2) — quarterly or continuous
  • Security control assessments (CA.L2-3.12.1) — annual internal review
  • Periodic access reviews to verify least-privilege is still in effect (AC.L2-3.1.1, AC.L2-3.1.3)
  • Incident response testing — tabletop exercise at minimum, annually

Most compliance programs are strong on "examine" evidence (policies, configurations) and weak on "interview" readiness and "test" evidence. Your assessor will interview five to ten employees. If those employees can't explain how they handle CUI, what they do in an incident, or who they report security issues to, you have a program gap — even if your documentation is pristine.

The Annual Affirmation Is Not Optional

Under the CMMC rule, every Level 2 contractor must submit an annual affirmation through the Supplier Performance Risk System (SPRS) confirming that their security posture is being maintained. A senior company official signs the affirmation — which means a named individual is on the hook if it's inaccurate.

The affirmation requirement changes the economics of compliance. You can't treat your CMMC score as a three-year asset. You need to be able to stand behind that affirmation every year, which means your controls have to stay in place and your evidence has to stay current.

Build your program calendar around the affirmation:

  • Monthly: Review access control lists, check patch status, confirm logging is functioning
  • Quarterly: Vulnerability scan and remediation, review security metrics, check for configuration drift
  • Annually: Full internal security assessment, SSP review and update, training completion audit, affirmation preparation

Continuous Monitoring: Your Proof That Controls Are Working

CA.L2-3.12.3 requires ongoing monitoring of security controls. This is the requirement that separates a real program from a paper one.

Monitoring means you have visibility into your CUI environment in real time — not just when you run a quarterly scan. At minimum:

  • SIEM or centralized logging: Microsoft Sentinel, Splunk, or a managed equivalent. All authentication events, access to CUI systems, administrative actions, and security alerts feeding into one place. Budget $15,000–$30,000/year for a managed SIEM if you don't have in-house security operations.
  • Vulnerability management: Tenable.io, Qualys, or Rapid7 scanning your CUI environment regularly. Track findings with severity and remediation dates. Keep the reports — your assessor will want to see that you've been scanning consistently and remediating.
  • Configuration drift detection: Tools like Microsoft Endpoint Configuration Manager or CIS-CAT Pro can compare live system configurations against your documented baselines and alert on deviations.
  • User activity monitoring: Review access logs monthly. Look for anomalies — accounts accessing systems they don't normally use, off-hours access, large data transfers.

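The monthly access-log review described in the last bullet, written out as an added example (not code from the article or any product it names). It assumes a simple key=value log format, a constructed prior-month baseline of which hosts each user normally touches, and assumed thresholds for business hours and "large" transfers:

```python
"""Monthly access-log review for a CUI environment (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs, not from any real environment.
# Fields: timestamp, user, host, action, bytes transferred.
BASELINE_LOGS = [  # prior month: establishes the "normal" user -> host pairs
    "2024-02-05T09:12:00Z user=jsmith host=cui-fs01 action=read bytes=120000",
    "2024-02-06T10:03:00Z user=jsmith host=cui-fs01 action=read bytes=98000",
    "2024-02-07T14:20:00Z user=akhan host=cui-erp01 action=read bytes=45000",
]
REVIEW_LOGS = [  # current month, under review
    "2024-03-04T11:00:00Z user=jsmith host=cui-fs01 action=read bytes=110000",
    "2024-03-09T02:14:00Z user=jsmith host=cui-fs01 action=read bytes=90000",      # off-hours
    "2024-03-12T13:40:00Z user=akhan host=cui-fs01 action=read bytes=30000",       # unusual host
    "2024-03-15T15:05:00Z user=akhan host=cui-erp01 action=read bytes=3500000000", # large transfer
]

BUSINESS_HOURS = range(7, 19)          # assumed 07:00-18:59 UTC; adjust to local policy
LARGE_TRANSFER_BYTES = 1_000_000_000   # assumed 1 GB threshold

def parse(line):
    """Turn one log line into a dict with a timezone-aware timestamp and int byte count."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec

def build_baseline(lines):
    """Map each user to the set of hosts they accessed in the baseline period."""
    seen = defaultdict(set)
    for r in map(parse, lines):
        seen[r["user"]].add(r["host"])
    return seen

def review(lines, baseline):
    """Flag the three anomaly types the article calls out; returns (kind, user, host) tuples."""
    findings = []
    for r in map(parse, lines):
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", r["user"], r["host"]))
        if r["host"] not in baseline.get(r["user"], set()):
            findings.append(("unusual-host", r["user"], r["host"]))
        if r["bytes"] >= LARGE_TRANSFER_BYTES:
            findings.append(("large-transfer", r["user"], r["host"]))
    return findings

if __name__ == "__main__":
    for kind, user, host in review(REVIEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{kind}: {user} on {host}")
```

Each finding is a review item for a human, not an automatic verdict; the point is that the review produces a dated record you can hand to an assessor.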
If you don't have an internal security team to watch all of this, a Managed Security Service Provider (MSSP) is the alternative. MSSPs offering CMMC-specific monitoring packages typically run $3,000–$8,000/month for a small-to-mid-size contractor. That's expensive, but it's less expensive than failing your assessment.

The In-House vs. MSSP Decision

This is the decision that determines how your program operates day-to-day.

Build in-house if:
  • You have more than 100 people in your CUI environment
  • You have an existing IT or security team with capacity to add monitoring responsibilities
  • Your CUI workflows are complex or specialized (manufacturing environments, engineering simulation, classified-adjacent work)
  • You want control over the tooling and visibility into raw data

Use an MSSP if:
  • Your CUI environment is small (20 people or fewer, 10 systems or fewer)
  • You don't have dedicated security staff
  • You want a defined cost and don't want to manage tooling
  • You need 24/7 coverage that your team can't provide

Hybrid: Many mid-size contractors do both — internal IT manages day-to-day operations and system administration, while an MSSP provides monitoring, alerting, and incident response coverage. This is often the right answer for organizations with 50-200 employees.

The MSSP you choose needs to be able to document their services in your SSP (they're a service provider touching your CUI environment), provide you with evidence for your assessment, and have appropriate security agreements with your organization. A compliance platform like Drata or Secureframe can sit on top of either model to aggregate evidence for your assessment package.

Plan of Action and Milestones (POA&M): Managing What's Not Yet Done

Every organization has gaps. The question isn't whether you have them — it's whether you're managing them. The Plan of Action and Milestones is the document where you track what's not yet implemented, when you'll implement it, and who's responsible.

The POA&M is not a shame document. It's the proof that you know what you don't have and you have a plan to fix it. Assessors expect to see a POA&M. An organization with no POA&M either has no gaps (unlikely) or isn't tracking them (a finding in itself).

Keep your POA&M current. When you remediate a gap, close it with a date and evidence reference. When a new gap appears — from a vulnerability scan, an internal audit, or a configuration change — add it. Review the POA&M monthly. The DoD doesn't expect perfection; they expect accountability.

What Your Assessor Expects

A C3PAO assessor evaluating a CMMC Level 2 organization expects to see a program that runs between assessments, not one that was reconstructed for the occasion.

Signs they look for:
  • SSP that reflects the current environment — not one written two years ago with systems that no longer exist or missing ones that do
  • Training records that go back at least 12 months — not a training completion dump from the past month
  • Vulnerability scan history — not a single scan run last week; a pattern of quarterly or monthly scans with remediation tracked
  • Incident response capability — a documented plan, trained personnel, and evidence that you've tested it (even a tabletop exercise write-up)
  • Access reviews with dates — showing that someone checks access lists regularly, not just at assessment time

The question assessors often ask: "Walk me through how your security program operates on a normal Tuesday." If the honest answer is "we don't really do anything until the assessment," that's a problem. If the answer is "our SIEM is monitored daily, we scan quarterly, we do access reviews every 90 days, and we reviewed our SSP six months ago" — with documentation to back it up — that's a program.
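One way to answer the "normal Tuesday" question with data: a readiness check over the program's evidence log that applies the cadences from the calendar above and the POA&M hygiene rules from the earlier section. This is an added example, not code from the article; the evidence log, POA&M entries, file references and the "as of" date are constructed:

```python
"""Annual-affirmation readiness check over the program's evidence log (constructed data)."""
from datetime import date, timedelta

# Cadences from the program calendar: maximum days between occurrences.
CADENCE_DAYS = {
    "vuln-scan": 90,        # quarterly (RA.L2-3.11.2)
    "access-review": 90,    # every 90 days (AC.L2-3.1.1)
    "poam-review": 30,      # monthly
    "training": 365,        # annual (AT.L2-3.2.1)
    "ssp-review": 365,      # annual
    "ir-tabletop": 365,     # annual
}

# Constructed evidence log: (activity, date performed, evidence reference). Not real records.
EVIDENCE = [
    ("vuln-scan", date(2024, 1, 15), "scans/2024-Q1.pdf"),
    ("vuln-scan", date(2024, 4, 12), "scans/2024-Q2.pdf"),
    ("vuln-scan", date(2024, 7, 9), "scans/2024-Q3.pdf"),
    ("vuln-scan", date(2024, 10, 3), "scans/2024-Q4.pdf"),
    ("access-review", date(2024, 10, 1), "reviews/ac-2024-10.xlsx"),
    ("poam-review", date(2024, 9, 2), "poam/2024-09.md"),
    ("training", date(2024, 2, 20), "training/2024-completions.csv"),
    ("ssp-review", date(2023, 6, 30), "ssp/v3-review.pdf"),
    ("ir-tabletop", date(2024, 3, 14), "ir/tabletop-2024.docx"),
]

# Constructed POA&M: (gap, owner, due date, closed date or None).
POAM = [
    ("Enable MFA on legacy file server", "jsmith", date(2024, 8, 1), None),
    ("Deploy CIS baseline to build hosts", "akhan", date(2024, 11, 30), None),
    ("Centralize firewall logs", "akhan", date(2024, 5, 1), date(2024, 4, 22)),
]

def stale_activities(evidence, as_of):
    """Activities whose most recent evidence is older than its cadence allows."""
    last = {}
    for activity, when, _ in evidence:
        last[activity] = max(last.get(activity, date.min), when)
    return sorted(a for a, days in CADENCE_DAYS.items()
                  if (as_of - last.get(a, date.min)).days > days)

def scan_history_ok(evidence, as_of, min_scans=4):
    """Assessors want a pattern of scans over the past year, not one recent scan."""
    window = as_of - timedelta(days=365)
    return sum(1 for a, when, _ in evidence if a == "vuln-scan" and when > window) >= min_scans

def overdue_poam(poam, as_of):
    """Open POA&M items whose due date has passed without a closure date and evidence."""
    return [gap for gap, _, due, closed in poam if closed is None and due < as_of]
```

Run it monthly and again before the affirmation; anything it reports is either missing evidence or an item that needs a new milestone date and owner.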

Build the program first. The assessment takes care of itself.

---

CTA: Need a framework for your annual CMMC compliance calendar? Use our free SSP maintenance and program checklist template to structure your 12-month security operations cycle. Once your program is running, a compliance management system keeps everything organized.