Cybersecurity Governance for Defense Contractors: What Actually Matters
Discover essential cybersecurity governance best practices for defense contractors to enhance compliance.
---
Executive Summary
Key takeaways:
- Governance is the organizational structure that makes your CMMC controls real and sustainable. Controls without governance are technical configurations waiting to drift.
- Your assessor evaluates governance through the Security Assessment (CA) domain and the Personnel Security (PS) domain, but governance gaps show up everywhere.
- The most common governance failure: security decisions made informally, without documentation, and without executive awareness. If your CISO (or whoever plays that role) can't point to documented decisions, those decisions don't exist in CMMC terms.
- ISO 27001:2022 Clause 5 (Leadership) and NIST CSF 2.0's Govern function set the same expectations as CMMC's CA domain. If you're running a mature program under either framework, translate that work directly.
- Governance setup takes 3–6 months when done properly. It's the slowest part of CMMC preparation because it requires organizational behavior change, not just technical deployment.
---
What Governance Actually Means for CMMC
"Cybersecurity governance" gets thrown around a lot. In the CMMC context, it means something specific: the documented organizational structure that ensures security controls are assigned, implemented, monitored, and accountable to leadership.
Your technical controls protect CUI. Governance ensures someone is responsible for those controls, that leadership knows what's being protected and accepted as risk, that the program is monitored continuously, and that when something breaks, there's a documented process to fix it.
Without governance, your CMMC controls are a collection of technical configurations that nobody is formally accountable for maintaining. They drift. Patches get skipped. Access reviews don't happen. And when your assessor asks "who is responsible for ensuring MFA is enforced on all privileged accounts?" the answer is a shrug.
The C3PAO assessor will evaluate governance primarily through the CA (Security Assessment) domain, but governance failures surface across every other domain too. The PS (Personnel Security) domain is where formal role assignments live. The AT (Awareness and Training) domain reflects whether governance extends to everyone in the organization. The IR (Incident Response) domain shows whether leadership has approved and tested the response plan.
---
The CA Domain: Your Governance Backbone
The Security Assessment domain has four practices at Level 2:
CA.L2-3.12.1 — Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
This requires an ongoing program of control assessment — not just the initial implementation, but periodic verification that controls are still working. Security controls drift. Configurations change. People leave. Vendors update software. Your governance program must include a schedule for regularly checking that controls are implemented as documented in your SSP.
In practice, this means annual control assessments at minimum, using the NIST SP 800-171A assessment objectives as your checklist. For each practice, verify that the control is implemented, review the evidence, and confirm the SSP still describes what is actually deployed. Document the results, including who performed the assessment and when, so the next assessment has a baseline to compare against.
CA.L2-3.12.2 — Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
This is your POA&M requirement. When assessments (internal or external) identify gaps, those gaps must become documented, tracked, managed items. The POA&M is the governance document that keeps deficiencies from being forgotten. It shows the assessor that leadership is aware of unmet controls and has committed to a remediation timeline.
A POA&M without management review is just a list. A POA&M that gets reviewed monthly by your ISSO and quarterly by leadership is a governance document.
CA.L2-3.12.3 — Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Continuous monitoring. Not "we ran a scan last year." Ongoing, systematic verification that your controls are working. Automated where possible (SIEM alerts, configuration management tools, vulnerability scan alerts), manual where automation isn't feasible.
Governance means that someone is assigned to review monitoring results and act on anomalies — and that the assignment is documented.
CA.L2-3.12.4 — Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
The SSP is a governance document, not an IT document. It describes how your entire organization manages CUI protection. Senior leadership should know it exists, review it at least annually, and sign off on it. An SSP written by IT and never touched by management is a common finding — it usually means the SSP describes what IT does, not what the organization has decided to do.
---
Organizational Structure: Who Owns What
Effective governance requires clear role assignments. CMMC doesn't mandate specific job titles, but the functions must exist and be documented.
Minimum Required Roles
System Owner (SO): The individual responsible for the overall procurement, development, integration, modification, operation, and maintenance of a CUI system. Typically a senior manager or VP in the business unit that uses CUI. Not an IT role — a business accountability role. The System Owner approves the SSP.
ISSO (Information System Security Officer): The day-to-day security operations lead. Responsible for maintaining the SSP, tracking the POA&M, managing the continuous monitoring program, overseeing access reviews, and coordinating incident response. This role can be in-house or contracted (virtual ISSO).
CISO or equivalent: Executive accountability for the overall security program. Sets security policy, makes risk acceptance decisions, reports to the board or senior leadership, and has budget authority for security investments. Small contractors may combine CISO and ISSO functions.
System Administrators: Implement and maintain technical controls. Not a governance role, but the primary source of technical evidence for the assessor.
The In-House vs. Virtual ISSO Decision
This is the first major decision most defense contractors face when building governance. The choice depends on size, budget, and contract pipeline:
Hire an in-house ISSO if:
- You have more than 100 employees in your CMMC scope
- CUI handling is central to your primary business (not occasional subcontract work)
- You have multiple active DoD contracts and a growing pipeline
- You need someone on-site regularly and you're concerned about continuity
Salary range for an experienced ISSO with CMMC/NIST 800-171 background: $90,000–$130,000/year depending on experience level and location. Add benefits, overhead, and recruiting cost.
Hire a virtual ISSO or virtual CISO if:
- You have fewer than 100 people in scope
- CUI handling is intermittent (one or two contracts, not the whole business)
- You need expert help but can't justify a full-time hire yet
- You want experienced guidance through your first CMMC assessment, then may build internal capability afterward
Virtual ISSO/vCISO engagements run $8,000–$20,000/month depending on engagement scope and hours. A 12-month engagement through your first assessment typically costs $80,000–$180,000 total. At the low end of that range the cost is comparable to or below a fully loaded in-house hire once benefits, overhead, and recruiting are added; at the high end it is not, so the case for a vCISO rests on getting experienced guidance immediately without a hiring cycle, not on saving money.
The hybrid option many small contractors use: a part-time internal security coordinator (an existing IT manager with additional responsibilities) supported by a vCISO who provides strategic direction, assessment readiness guidance, and documentation review. This works when the internal person can handle day-to-day operations and the external expert handles the hard calls.
---
The Policy Framework
Governance requires documented policies that describe how your organization manages security. These aren't optional — they're the written evidence that governance exists. Your assessor will examine policies in every domain review.
At minimum, your policy framework needs to cover:
Information Security Policy — the top-level document establishing the organization's commitment to protecting CUI, assigning authority, and defining scope. Typically 3–5 pages. Must be signed by senior leadership (CEO or equivalent) and reviewed annually.
Access Control Policy — how you grant, review, and revoke access to CUI systems. Reference specific practices: AC.L2-3.1.1 through 3.1.22.
Configuration Management Policy — how you establish, document, and maintain system baselines. References CM domain practices.
Incident Response Policy — how you detect, respond to, and recover from security incidents. Must include the DFARS 252.204-7012 72-hour reporting requirement.
Risk Management Policy — how you assess and manage risk, including your POA&M process. References CA and RA domain practices.
Media Protection Policy — how you handle, mark, transport, and destroy CUI media.
Personnel Security Policy — how you screen employees with CUI access and what happens when they leave.
Security Awareness Training Policy — who gets trained, on what, and how often. References AT.L2-3.2.1 and AT.L2-3.2.2.
Each policy should: state its purpose and scope, assign accountability (who owns it), describe the required behavior or control, reference the relevant CMMC practices or regulatory requirement, specify the review cycle (at least annually), and be signed and dated.
Policies that exist but haven't been reviewed in three years aren't governance — they're wallpaper. Build the review cycle into your governance calendar.
---
Personnel Security: The Governance Domain People Forget
The Personnel Security (PS) domain has two practices, both required at Level 2:
PS.L2-3.9.1 — Screen individuals prior to authorizing access to organizational systems containing CUI.
PS.L2-3.9.2 — Ensure that CUI and the systems that process, store, or transmit CUI are protected during and after personnel actions such as terminations and transfers.
PS.L2-3.9.1 doesn't mandate specific background check levels — that's determined by your contracts (many DoD programs require specific investigation levels through the Defense Counterintelligence and Security Agency). At minimum, your organization needs a documented process for screening employees before granting CUI access. What the screening consists of depends on your risk posture and contractual requirements; the requirement is that some screening occurs and is documented.
PS.L2-3.9.2 is the termination and transfer process. When an employee leaves or moves to a role without CUI access: their accounts are disabled, their group memberships and system access are revoked, their physical access is removed, and CUI they controlled is accounted for. Every assessor has seen the same failure here — former employees whose accounts were never disabled, whose access to cloud systems persisted for months after departure, and whose badge access never got revoked. Make account termination a checklist item that HR and IT both sign off on, with a documented date and time, and periodically reconcile the HR roster against the identity provider so that a missed checklist item is caught rather than discovered by the assessor.
Personnel security governance is an HR/IT/security joint responsibility. None of those three functions alone is sufficient. It needs a documented process that crosses organizational lines.
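As an added example (not code from the original article), here is a Python reconciliation script that cross-checks an identity-provider user export against an HR roster as of a given date. It answers the PS.L2-3.9.2 question above (terminated or transferred people who still hold enabled accounts or CUI group membership) and, from the same data, the question raised in the CA section of who can show that MFA is enforced on every privileged account. The column names, the people, and the dates are constructed for the example; real HRIS and IdP exports use different field names and must be mapped first. The output of a monthly run, kept with the POA&M, is the evidence that the continuous monitoring check actually happened.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample exports (hypothetical people, dates, and column names).
# In practice HR_EXPORT comes from the HRIS and IDP_EXPORT from the identity provider.
HR_EXPORT = """employee_id,email,status,separation_date
1001,alice@example.com,active,
1002,bob@example.com,terminated,2024-03-15
1003,carol@example.com,transferred_no_cui,2024-04-02
1004,dave@example.com,active,
"""

IDP_EXPORT = """email,enabled,privileged,mfa_enrolled,last_login,cui_group
alice@example.com,true,true,true,2024-05-01,true
bob@example.com,true,false,false,2024-04-20,true
carol@example.com,true,false,true,2024-05-03,true
dave@example.com,true,true,false,2024-05-02,true
erin@example.com,true,false,true,2024-05-01,true
"""


@dataclass
class Finding:
    email: str
    category: str
    detail: str


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _flag(value):
    return value.strip().lower() == "true"


def _day(value):
    return date.fromisoformat(value) if value else None


def reconcile(hr_csv, idp_csv, as_of):
    """Compare every IdP account against its HR record as of `as_of`; return findings."""
    hr = {r["email"].lower(): r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(idp_csv):
        email = acct["email"].lower()
        enabled = _flag(acct["enabled"])
        last_login = _day(acct["last_login"])
        person = hr.get(email)

        if person is None:
            # An enabled account HR does not know about is an owner-less account:
            # contractor, shared mailbox, or someone HR never recorded.
            if enabled:
                findings.append(Finding(email, "no_hr_record",
                    "enabled account with no HR record (contractor, shared, or orphaned)"))
            continue

        status = person["status"]
        separated = _day(person["separation_date"])

        if status == "terminated" and separated:
            if enabled:
                days = (as_of - separated).days
                findings.append(Finding(email, "enabled_after_termination",
                    f"still enabled {days} days after separation on {separated}"))
            # A login after the separation date is stronger than a stale account:
            # someone used the credential after the person was gone.
            if last_login and last_login > separated:
                findings.append(Finding(email, "login_after_termination",
                    f"last login {last_login} is after separation on {separated}"))

        if status == "transferred_no_cui" and _flag(acct["cui_group"]):
            findings.append(Finding(email, "cui_access_after_transfer",
                "still in the CUI access group after transfer to a non-CUI role"))

        if enabled and _flag(acct["privileged"]) and not _flag(acct["mfa_enrolled"]):
            findings.append(Finding(email, "privileged_without_mfa",
                "privileged account with no MFA enrollment"))
    return findings


def summarize(findings):
    """Counts per category: the shape a monthly ISSO review or quarterly brief needs."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def run_sample(as_of_iso="2024-05-06"):
    """Run the check over the constructed exports as of the given date."""
    return reconcile(HR_EXPORT, IDP_EXPORT, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.category:28} {f.email:20} {f.detail}")
    print(summarize(results))
```

The five findings the sample produces map to the checklist items in the paragraph above: a terminated user still enabled and still logging in, a transferred user still in the CUI group, a privileged account without MFA, and an account with no HR owner at all. Each one is a POA&M item with a named owner, not a note in someone's inbox.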
---
Common Governance Failures
The SSP as an IT document. The SSP describes how the organization protects CUI. "The organization" includes the business, not just IT. SSPs written entirely by IT staff, reviewed only by IT staff, and signed by nobody are common assessment findings. The SSP describes management decisions — who has access and why, what risks are accepted and why, what the organization does when an incident occurs. Those decisions belong to the business, not just to IT.
Undocumented risk acceptance. When a control can't be fully implemented — maybe a legacy system can't support MFA, or a specialized engineering tool can't run inside the CUI enclave as configured — someone in leadership has to formally accept that risk and document the decision. "We know it's a problem but it's too expensive to fix" is not risk acceptance. A signed risk acceptance memo describing the control gap, why it exists, what compensating controls are in place, when it will be resolved, and who accepted it is risk acceptance, and the same gap should appear as a POA&M item so the acceptance gets revisited rather than forgotten.
The one-person security program. A defense contractor where one IT manager handles all 14 CMMC domains, maintains the SSP, manages the POA&M, runs scans, responds to incidents, trains staff, and also keeps the email server running is a governance risk. Not a technical risk — a business continuity risk. If that person leaves or is unavailable, the program collapses. Governance requires documented processes that can survive personnel turnover.
No executive security review. Many small contractors implement reasonable technical controls but have no mechanism for executive leadership to stay informed about their security posture, open risks, and POA&M status. NIST SP 800-171 and CMMC expect leadership to be engaged, not just informed after the fact. A quarterly security briefing — 30 minutes, covering POA&M status, incident summary, and open risks — is the minimum for demonstrating executive governance.
---
Cross-Framework Alignment
ISO 27001:2022 — Clause 5 (Leadership) requires executive commitment, policy establishment, and role assignment that maps directly to CMMC's governance requirements. If you're pursuing ISO 27001 certification alongside CMMC, the governance work is largely shared. ISO 27001's Statement of Applicability (SoA) and CMMC's SSP serve similar functions — document them consistently and you avoid maintaining two divergent views of your program.
NIST CSF 2.0 — The new Govern function (GV) is explicitly about governance: organizational context, risk strategy, roles and responsibilities, policy, and oversight. CSF 2.0 GV.RR (Roles, Responsibilities, and Authorities) maps directly to the personnel role assignments described above. GV.PO (Policy) maps to your policy framework. If you're already using CSF 2.0, your GV work translates directly to CMMC governance requirements.
FedRAMP — FedRAMP's governance requirements include System Owner authorization, continuous monitoring reporting to the AO (Authorizing Official), and an ongoing Authorization To Operate (ATO). This is significantly more formal than CMMC, but organizations supporting FedRAMP-authorized systems will find their governance structures already exceed CMMC expectations.
---
GRC Tools: What Helps, What Doesn't
Governance, Risk, and Compliance (GRC) platforms can support your governance program but don't replace the organizational decisions and human accountability that governance requires.
Where GRC tools genuinely help:
- Centralizing policies with version control and review reminders
- Tracking POA&M items with status, due dates, and assignment
- Generating evidence packages for assessments
- Alerting when review cycles are due
Tools in the CMMC market: ServiceNow GRC (enterprise, expensive — $50K+/year but full-featured), Drata and Vanta (mid-market, $15K–$40K/year, CMMC modules improving), Archer (IRM platform, established enterprise option), Tugboat Logic (policy management focused, now part of OneTrust). For small contractors, a well-maintained SharePoint site with version-controlled policy documents and a tracked spreadsheet POA&M is a legitimate starting point — you don't need a $30,000 platform to have good governance. What you do need, whatever the tool, is a record of who changed what and when, because that change history is the evidence that reviews actually occurred.
What GRC tools can't do: assign accountability, make risk decisions, ensure leadership engagement, or pass your assessment. They're organizational infrastructure, not compliance.
---
What Your Assessor Expects
The governance assessment is largely an interview and document review exercise, not a technical test. Your assessor will:
Examine: Your SSP (is it current, complete, signed by leadership?), your security policies (do they exist, are they current, are they signed?), your POA&M (does it reflect known gaps, is it actively maintained?), role assignment documentation (who is the ISSO, who is the System Owner?), personnel security records (screening evidence, termination records), and your continuous monitoring program documentation.
Interview: "Who is responsible for your security program?" "When was your SSP last updated?" "How does leadership stay informed about your security posture?" "What happens when an employee leaves who had CUI access?" "How do you track remediation of security findings?" "What is your process for reviewing and updating your policies?"
The interviews will expose governance failures that documents can hide. If your ISSO is solid but your System Owner has never read the SSP, the assessor will find that in 10 minutes of conversation with each of them.
The governance readiness self-test: Before your assessment, hold a 30-minute governance review with your ISSO, System Owner, and a senior IT lead. Work through these questions:
- Can each person state their security role and responsibilities without looking at a document?
- Is the POA&M current and does everyone know the top three open items?
- When was the SSP last reviewed and does it still accurately reflect the environment?
- Can you produce the signed information security policy on demand?
- What do you do when an employee is terminated today — what's the process and who owns it?
If any of those questions produce hesitation or inconsistency, you have governance work to do before the assessment.
---
Want a second opinion on your governance program before your C3PAO assessment? Schedule a governance review.
Related reading: How to Write Your SSP | Building Your POA&M | CMMC Level 2 Assessment: What to Expect