Building a Cybersecurity Team for CMMC: What You Actually Need

Discover essential skills for cultivating cybersecurity talent in defense and enhancing security measures.

---

Defense contractors routinely overthink the staffing question for CMMC. They assume CMMC Level 2 requires a dedicated security department. It doesn't. What it requires is that specific functions exist, are assigned to named people, and are performed consistently enough to leave evidence. For a 50-person contractor, that might be one person with security as a primary responsibility and two or three others with defined security roles as part of a broader IT or management function.

Here's what the framework actually requires, what a realistic team looks like, and where to draw the line between internal staff and outside support.

What CMMC Level 2 Actually Requires in Terms of People

The framework doesn't specify an organizational chart. But several controls create implicit staffing requirements:

PS.L2-3.9.1 — Screen individuals prior to authorizing access to organizational systems. Someone is responsible for background screening of personnel who access CUI systems. In practice, this is HR for initial hire screening and IT management for ongoing access governance.

PS.L2-3.9.2 — Ensure CUI is protected during and after personnel actions such as terminations and transfers. Someone owns the offboarding process for CUI access — deprovisioning accounts, recovering hardware, revoking physical access. Usually IT, but it requires coordination with HR.

AT.L2-3.2.1 — Conduct security awareness and training. Someone plans, delivers, and tracks completion of security awareness training for the entire organization. Someone ensures that role-specific training requirements (AT.L2-3.2.2) are identified and met for personnel with security responsibilities.

CA.L2-3.12.1 — Periodically assess the security controls in organizational systems. Someone is responsible for planning and executing security assessments, either internal reviews or coordinating external assessments. Someone owns the POA&M (the companion control, CA.L2-3.12.2) and ensures findings are tracked to remediation.

IR.L2-3.6.1 — Establish an operational incident-handling capability. Someone owns the incident response plan, trains the team, coordinates the response when an incident occurs, and ensures the plan is tested (IR.L2-3.6.3) and updated.

These functional requirements point to two distinct security roles at minimum: a security owner who handles policy, planning, and compliance (often called an Information System Security Officer or ISSO), and someone who handles day-to-day technical security operations (often the IT administrator with a security function, or an MSSP).

The Minimum Viable Security Function

For a small defense contractor (20–100 people, one CUI environment), the minimum viable security function has three components:

1. Information System Security Officer (ISSO)

This is the role that owns CMMC compliance. The ISSO is responsible for:

  • Maintaining the System Security Plan (SSP)
  • Managing the POA&M
  • Planning and tracking security assessments
  • Overseeing the annual security training program
  • Serving as the primary contact for your C3PAO assessors
  • Reviewing access control policies and approving exceptions
  • Incident response coordination

This person doesn't need to be a technical expert (though it helps). They need to understand the CMMC framework, know the organization's environment, have enough authority to make compliance decisions, and have enough time to actually do the work. At a small contractor, this is often a 50% role — a senior IT manager or compliance-focused employee who splits time between security governance and other responsibilities.

Compensation range: $95,000–$130,000 annually for a dedicated ISSO in the defense contractor market. If it's a partial role combined with IT management, the total compensation reflects both functions.

Certification signal: CompTIA Security+ is the entry-level credential that demonstrates baseline security knowledge. ISC2's SSCP or CISSP demonstrates more depth. Neither is required by CMMC, but they signal that the person has invested in the knowledge base. The DoD Cyber Workforce Framework (DCWF) lists role definitions and associated knowledge requirements — useful for hiring or developing this role.

2. Technical Security Function

The ISSO governs the security program. Someone else has to run the technical operations: managing firewall rules, endpoint protection configurations, vulnerability scanning, patch deployment, log review, and user account management.

For small contractors, this is usually the IT administrator with security duties added. The risk, discussed in the segregation of duties article, is that concentrating all technical access and all security monitoring in one person creates oversight gaps. The mitigation: the ISSO provides independent review of technical operations, external scans verify configurations, and logs are forwarded to a destination the IT admin cannot alter or delete from (an MSSP's SIEM, or an archive where the admin has no write or delete rights), with the reviewer checking that the exported copy is intact.
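The compensating control above only works if the person reviewing the logs can tell that the export they are looking at is the one the systems produced. The following Python is an added example, not code from the article or from any logging product: it chains exported records with SHA-256 so that an edit, insertion or reordering is detectable from the file alone, and it has the independent reviewer (ISSO or MSSP) hold the head hash out of band so that truncation of the tail is detectable too. The record format, file layout and sample log lines are constructed for the example.

```python
"""Hash-chained audit log export.

Added example, not code from the article or any vendor product. The record
format and the sample log lines below are constructed assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample audit records (not real logs).
SAMPLE_RECORDS = [
    "2024-03-04T09:12:31Z host=fs01 event=account_created user=jdoe by=itadmin",
    "2024-03-04T09:15:02Z host=fw01 event=rule_change rule=allow-any-out by=itadmin",
    "2024-03-04T09:20:47Z host=fs01 event=group_add user=jdoe group=CUI-Readers by=itadmin",
]


def _entry_hash(seq, prev, record):
    """Hash of one entry; binds the record to its position and its predecessor."""
    payload = json.dumps({"seq": seq, "prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def chain_records(records, prev_hash=GENESIS):
    """Turn raw log lines into chained entries; each hash covers the previous hash."""
    entries = []
    for seq, record in enumerate(records):
        digest = _entry_hash(seq, prev_hash, record)
        entries.append({"seq": seq, "prev": prev_hash, "record": record, "hash": digest})
        prev_hash = digest
    return entries


def head_hash(entries):
    """The value the independent reviewer records out of band after each export."""
    return entries[-1]["hash"] if entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None).

    expected_head is the head hash the reviewer kept out of band. Without it,
    dropping records from the END of the export is not detectable, which is
    why the reviewer, not the admin, must hold that value.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i          # reordered, inserted or removed entry
        if _entry_hash(e["seq"], e["prev"], e["record"]) != e["hash"]:
            return False, i          # record edited after export
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)   # tail truncated or head hash mismatch
    return True, None


if __name__ == "__main__":
    exported = chain_records(SAMPLE_RECORDS)
    head = head_hash(exported)  # reviewer stores this outside the admin's reach
    print("clean export:            ", verify_chain(exported, head))

    edited = [dict(e) for e in exported]
    edited[1]["record"] = edited[1]["record"].replace("allow-any-out", "allow-vpn-out")
    print("edited firewall record:  ", verify_chain(edited, head))

    truncated = exported[:-1]
    print("truncated, no head hash: ", verify_chain(truncated))
    print("truncated, with head hash", verify_chain(truncated, head))
```

The two halves of the control are visible in the last two calls: the chain by itself catches edits and reordering, but a dropped tail verifies cleanly unless the reviewer independently holds the last hash. In practice the chain is computed by the logging pipeline or the MSSP's collector, not on the admin's workstation, and the head hash is recorded by the ISSO at each review.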

For mid-size contractors (100–500 people), this function might be a dedicated security engineer or security analyst, or a small team. Budget $80,000–$110,000 for a security engineer with 2–5 years of experience.

3. External Support

No small or mid-size defense contractor should try to do everything in-house. The functions best handled externally:

CMMC assessment prep and consulting — A Registered Provider Organization (RPO) or independent CMMC consultant knows the assessment process from both sides. Use them for your initial gap assessment, SSP review, and pre-assessment mock evaluation. Engagements run $20,000–$60,000 depending on scope and company size.

C3PAO assessment — You don't hire assessors; you contract with a C3PAO (CMMC Third-Party Assessment Organization) for your triennial assessment. C3PAO assessments for small-to-mid contractors typically run $40,000–$80,000 for Level 2.

Managed SIEM / security monitoring — If you don't have the headcount for 24/7 monitoring, an MSSP that provides log management and alerting fills the gap. $2,000–$8,000/month covers monitoring for most small contractor environments.

Penetration testing — Annual or pre-assessment pen testing by an external firm. $10,000–$30,000 for a combined external/internal network test.

Legal and HR for personnel security — Background check processes, adverse action procedures, and CUI-specific employment agreements often require HR and legal input that goes beyond what an ISSO handles.

The IT Admin / Security Officer Conflict

The most common team-building mistake in small contractors: they designate the IT administrator as the Information System Security Officer without thinking through the implications.

The IT admin has privileged access to all CUI systems. They can create accounts, change firewall rules, modify configurations, and access audit logs. Simultaneously designating them as the ISSO means they're governing and auditing their own technical activities. That's the core SoD problem discussed in the segregation of duties article.

This doesn't mean the IT admin can't have security responsibilities. But the ISSO role specifically needs independence from the day-to-day technical administration of CUI systems. If your IT admin is also your ISSO, the ISSO functions that require independence (reviewing access logs, approving access changes, evaluating technical controls) need compensating controls — external review, management oversight, or tooling that provides independent verification.

The cleaner solution: designate the ISSO role to someone in management, compliance, or a dedicated security function, and have them direct the IT admin's security activities rather than being the IT admin themselves.

Training Requirements for Your Team

AT.L2-3.2.1 requires security awareness training for all personnel who access CUI systems. This covers your entire workforce that interacts with CUI — engineers, program managers, administrative staff, leadership. The control doesn't fix an interval; annual is the conventional minimum, and your SSP should state the interval you commit to. Keep a dated completion record for every user in every cycle. A signed acknowledgment is common practice and good evidence, but the requirement is that the training was delivered and recorded.

Budget $15–$30 per user per year for commercial security awareness platforms (KnowBe4, Proofpoint Security Awareness, SANS Security Awareness). These provide off-the-shelf content with CMMC-relevant modules (CUI handling, phishing recognition, incident reporting), automated reminders, and completion tracking. The tracking is critical — your assessor will ask for completion records for the assessment period.

AT.L2-3.2.2 requires role-based training for users with security responsibilities. Your ISSO, IT security engineers, and system administrators need more than general awareness training. Role-specific training should cover their specific responsibilities under CMMC: how to conduct access reviews, how to manage the POA&M, how to respond to security incidents, how to configure and maintain specific security tools.

This training doesn't need to be formal or expensive. Internal training sessions, vendor-provided certification programs, or platforms like Cybrary (security-specific training content at $99/month for individuals) work. The requirement is that training happened, was role-appropriate, and was documented.
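Before the assessor asks for them, reconcile the records yourself. The following Python is an added example covering both AT.L2-3.2.1 and AT.L2-3.2.2 above; it is not code from the article or from any training platform. Given the list of users with CUI system access and an export of training completions, it reports who lacks current awareness training and which users with security responsibilities lack current role-based training. The data layout, user names and records are constructed for the example, and the 365-day window is an assumed organizational policy, not an interval CMMC mandates.

```python
"""Training-record reconciliation for the assessment period.

Added example, not from the article or any training platform. The users,
records and the 365-day window below are constructed assumptions.
"""
from datetime import date

# Constructed sample data (not real personnel or records).
CUI_USERS = [
    {"user": "jdoe",   "security_role": False},
    {"user": "asmith", "security_role": True},   # ISSO
    {"user": "rlee",   "security_role": True},   # system administrator
    {"user": "mchen",  "security_role": False},
]

TRAINING_RECORDS = [
    {"user": "jdoe",   "course": "awareness",  "completed": "2024-02-10"},
    {"user": "asmith", "course": "awareness",  "completed": "2024-01-15"},
    {"user": "asmith", "course": "role-based", "completed": "2024-03-01"},
    {"user": "rlee",   "course": "awareness",  "completed": "2023-01-20"},  # stale
    {"user": "mchen",  "course": "role-based", "completed": "2024-02-01"},  # wrong course only
]


def latest_completion(records, user, course):
    """Most recent completion date for a user/course pair, or None if never taken."""
    dates = [date.fromisoformat(r["completed"])
             for r in records if r["user"] == user and r["course"] == course]
    return max(dates) if dates else None


def _is_current(last, as_of, max_age_days):
    return last is not None and (as_of - last).days <= max_age_days


def training_gaps(users, records, as_of, max_age_days=365):
    """Return (user, control, reason) for every missing or expired requirement.

    as_of may be a date or an ISO-8601 string (the end of the assessment period).
    Awareness training is checked for everyone with CUI access (AT.L2-3.2.1);
    role-based training only for users flagged with a security role (AT.L2-3.2.2).
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    gaps = []
    for u in users:
        name = u["user"]
        last = latest_completion(records, name, "awareness")
        if last is None:
            gaps.append((name, "AT.L2-3.2.1", "no awareness training on record"))
        elif not _is_current(last, as_of, max_age_days):
            gaps.append((name, "AT.L2-3.2.1", f"awareness training expired (last {last})"))
        if u["security_role"]:
            last_rb = latest_completion(records, name, "role-based")
            if last_rb is None:
                gaps.append((name, "AT.L2-3.2.2", "no role-based training on record"))
            elif not _is_current(last_rb, as_of, max_age_days):
                gaps.append((name, "AT.L2-3.2.2", f"role-based training expired (last {last_rb})"))
    return gaps


def compliance_rate(users, records, as_of, max_age_days=365):
    """Fraction of CUI users with no open gap, for the pre-assessment status report."""
    if not users:
        return 1.0
    flagged = {g[0] for g in training_gaps(users, records, as_of, max_age_days)}
    return 1 - len(flagged) / len(users)


if __name__ == "__main__":
    period_end = "2024-06-01"
    for user, control, reason in training_gaps(CUI_USERS, TRAINING_RECORDS, period_end):
        print(f"{user:8} {control:12} {reason}")
    print(f"users with no gaps: {compliance_rate(CUI_USERS, TRAINING_RECORDS, period_end):.0%}")
```

Run it against the real user list from your directory and the completion export from your awareness platform; the user list, not the training platform's roster, is the authority on who needs training, because people who were onboarded but never enrolled are exactly the ones an assessor finds.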

Building the Team Over Time

Most contractors don't hire a security team from scratch — they develop security functions from existing staff over 12–24 months while implementing controls. A realistic maturation path:

Months 1–6 (CMMC implementation): IT manager takes on ISSO responsibilities as a primary project. Bring in an external CMMC consultant for gap assessment and SSP development. Focus is on implementation, not long-term organizational structure.

Months 6–12 (approaching assessment): Formalize the ISSO role — document it in the SSP, establish the POA&M review cadence, stand up the training program. Engage an MSSP if in-house monitoring isn't feasible.

Post-assessment (ongoing operations): Evaluate whether the current structure is sustainable. If the ISSO role is consuming the IT manager and leaving IT operations under-staffed, it's time to hire a dedicated security person. If the external consultant is costing more than a part-time hire, same conclusion.

The goal isn't a specific org chart — it's a program that functions sustainably without heroics from any single individual.

What Your Assessor Expects

Assessors evaluating your team will look at:

  • Your SSP's description of security roles and responsibilities — who owns what function
  • Evidence that the ISSO role is active — current SSP updates, POA&M revision history, training records
  • Background screening records for personnel with CUI access (PS.L2-3.9.1)
  • Training completion records with dates (AT.L2-3.2.1, AT.L2-3.2.2)
  • Your incident response team composition and contact list (IR.L2-3.6.1)

They'll interview your ISSO directly — expect questions about how you maintain the SSP, how you handle findings, how you respond to incidents, and how you manage access. The ISSO needs to know the environment well enough to answer these without looking everything up. If your ISSO is a nominal designation with no actual ownership of the function, that will be evident in 10 minutes of conversation.

---

Defining your ISSO role? Write the job description before you hire or designate. List the specific CMMC controls the ISSO owns — it makes the responsibilities concrete and clarifies whether one person can realistically handle the workload.