Improving Your Security Posture: What to Do First

Enhance your security risk posture with key strategies for effective cybersecurity management.


When defense contractors start working toward CMMC Level 2, the 110-control requirement list is paralyzing. Everything seems equally important. Nothing gets done.

Here's the practical answer: not everything is equally important. Some controls have high SPRS point values and are quick to implement. Others require months of infrastructure work. Prioritizing by a combination of risk, point value, and implementation speed gets you moving — and gets you to a defensible SPRS score faster than trying to work through the domains in alphabetical order.

This is the prioritization framework that works for most small-to-mid-size defense contractors starting from a typical baseline.

Start With the Assessment

Before you prioritize remediation, you need to know where you actually stand. Run a structured gap assessment against the 110 NIST 800-171 Rev 2 practices using the NIST 800-171A methodology. Don't estimate — look at your actual configurations, policies, and practices.

The assessment doesn't have to be formal. A knowledgeable internal resource (your IT manager, security lead, or an outside consultant) can work through the 110 controls and document what's in place, what's missing, and what's partially implemented. Keep the evidence you examine — configuration screenshots, policy documents, interview notes. This becomes your SSP supporting documentation and your self-assessment evidence.

Without the assessment, remediation is guesswork. You might spend three months hardening configuration management while leaving a critical access control gap open. Spend two to four weeks on the assessment first. It sets your baseline SPRS score and tells you where the biggest gaps are.

The Priority Order

Tier 1: Quick Wins With High SPRS Impact

These are controls that most organizations can implement in one to four weeks with existing tools, and that have significant SPRS scoring weight.

Multi-Factor Authentication (IA.L2-3.5.3)

Require MFA for all remote access and all privileged accounts. If you're using Microsoft 365, MFA is included in your existing licensing. Conditional Access in Azure AD (now Microsoft Entra ID) lets you enforce MFA for all users accessing CUI systems within a day or two of configuration. This single control closes one of the most commonly exploited attack paths. Deployment timeline: one to two weeks for a typical Microsoft 365 environment, including testing and user communication.

If you're not on Microsoft 365, Duo Security is the most common standalone MFA solution for small contractors, starting around $6/user/month. Okta and similar identity providers work at the enterprise level.

Unique Account Identification (AC.L2-3.1.1, IA.L2-3.5.1)

Every user who accesses CUI systems must have a unique account. No shared logins, no generic admin accounts used by multiple people. If you're running Active Directory or Azure AD, audit your accounts now: find shared accounts, service accounts with interactive login rights, and accounts for former employees. Disabling departed employee accounts and eliminating shared accounts costs nothing and closes real risk.
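The account audit described above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory RSAT module on a domain-joined workstation with read access to the domain; the 90-day inactivity window, the naming pattern used to flag generic or shared accounts, the privileged group list, and the output folder are assumptions to adjust for your environment. The CSV files it writes are the kind of evidence the assessment step above tells you to keep.

```powershell
# Added example (not from the article): Active Directory account audit for AC.L2-3.1.1 / IA.L2-3.5.1.
# Produces four CSV reports for the SSP evidence folder. Read-only: nothing is disabled here;
# review the lists, then disable or remove accounts through your normal change process.
Import-Module ActiveDirectory

$InactiveDays   = 90                                          # assumption: no logon in 90 days = departed/unused
$GenericPattern = '^(admin|shared|temp|test|svc|service|guest|scanner)'   # assumption: names that suggest shared logins
$PrivGroups     = 'Domain Admins', 'Enterprise Admins', 'Administrators' # assumption: groups to treat as privileged
$OutDir         = Join-Path $env:USERPROFILE 'cmmc-evidence'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enabled accounts with no logon in $InactiveDays days: candidates for "former employee" cleanup.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 2. Enabled accounts whose name suggests a shared or generic login.
#    Each one must be mapped to a single named owner or replaced with individual accounts.
$generic = Get-ADUser -Filter "Enabled -eq 'True'" -Properties Description, LastLogonDate |
    Where-Object { $_.SamAccountName -match $GenericPattern } |
    Select-Object SamAccountName, Description, LastLogonDate

# 3. Service-style accounts (SPN registered or password never expires).
#    AD stores no "interactive logon allowed" flag; that right is controlled by the
#    "Deny log on locally" / "Deny log on through Remote Desktop Services" user rights in Group Policy.
#    This list is the set of accounts to confirm against that GPO.
$service = Get-ADUser -Filter "Enabled -eq 'True'" -Properties ServicePrincipalNames, PasswordNeverExpires, LastLogonDate |
    Where-Object { $_.ServicePrincipalNames.Count -gt 0 -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordNeverExpires,
                  @{ n = 'SPNCount'; e = { $_.ServicePrincipalNames.Count } }, LastLogonDate

# 4. Privileged group membership: every member should be a named individual's admin account.
$priv = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
}

$inactive | Export-Csv (Join-Path $OutDir 'inactive-accounts.csv')   -NoTypeInformation
$generic  | Export-Csv (Join-Path $OutDir 'generic-accounts.csv')    -NoTypeInformation
$service  | Export-Csv (Join-Path $OutDir 'service-accounts.csv')    -NoTypeInformation
$priv     | Export-Csv (Join-Path $OutDir 'privileged-members.csv')  -NoTypeInformation

# Summary for the gap-assessment notes.
[pscustomobject]@{
    InactiveEnabled  = @($inactive).Count
    GenericNamed     = @($generic).Count
    ServiceStyle     = @($service).Count
    PrivilegedUsers  = @($priv).Count
    EvidenceFolder   = $OutDir
} | Format-List
```

Run it once for the baseline assessment and again after cleanup; the two sets of CSVs show the assessor the before and after state. For Azure AD / Entra ID tenants the same four questions apply, but the queries would go through the Microsoft Graph PowerShell module instead.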

Session Lock and Timeout (AC.L2-3.1.10)

Configure automatic screen lock after 15 minutes of inactivity on all CUI systems. In Windows Group Policy, this is a single setting. In Microsoft Intune, it's a compliance policy. Takes 30 minutes to configure and deploy.

Automatic Session Termination (AC.L2-3.1.11)

Define conditions for session termination (extended inactivity, end-of-work periods) and configure them. Usually done in the same Group Policy or MDM configuration as screen lock.

Minimum Password Requirements (IA.L2-3.5.7)

Enforce password complexity, minimum length (at least 12 characters), and account lockout after failed attempts. Standard Group Policy enforcement. Takes one hour to configure.

Malware Protection (SI.L2-3.14.2)

Deploy endpoint protection on every CUI system with automatic updates and real-time scanning enabled. If you don't have EDR, CrowdStrike Falcon Go or Microsoft Defender for Endpoint (included in Microsoft 365 Business Premium) covers this. Ensure protection is actually active on every system — pull an inventory report from your endpoint management platform to verify. Deployment timeline: one to two weeks for full rollout across a typical small environment.

Encryption at Rest (SC.L2-3.13.8)

Enable BitLocker on all Windows endpoints and servers storing CUI. In Group Policy or Intune, enforce BitLocker with FIPS mode enabled. Verify the implementation uses FIPS-validated cryptography (not just any AES-256 implementation). Timeline: one to two weeks for policy deployment; may require TPM provisioning on older hardware.
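The Tier 1 items above all say to configure a setting and then verify it is really in effect. The following added example, not from the article, reads the effective state of the session lock, password, malware protection, and encryption-at-rest controls on a single CUI workstation and writes a pass/fail record to the evidence folder. It assumes Windows 10/11 with Microsoft Defender and BitLocker, the ActiveDirectory module for the domain password policy, and an elevated session; the 7-day signature-age threshold and the output path are assumptions.

```powershell
# Added example (not from the article): per-device verification of Tier 1 controls.
# Each check records the control ID, what was tested, pass/fail, and the raw value seen,
# so the CSV doubles as SSP evidence. Run elevated on a domain-joined CUI workstation.

$Results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Evidence)
    $Results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Evidence = $Evidence })
}

# AC.L2-3.1.10 / AC.L2-3.1.11: policy-enforced screen saver, password on resume, timeout <= 15 minutes.
# These REG_SZ values are written by the user-side "Screen saver timeout" / "Password protect the
# screen saver" / "Enable screen saver" Group Policy settings (Intune writes the same keys).
$ss      = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]($ss.ScreenSaveTimeOut)
Add-Check 'AC.L2-3.1.10' 'Screen saver enforced by policy' ($ss.ScreenSaveActive -eq '1')    "ScreenSaveActive=$($ss.ScreenSaveActive)"
Add-Check 'AC.L2-3.1.10' 'Password required on resume'     ($ss.ScreenSaverIsSecure -eq '1') "ScreenSaverIsSecure=$($ss.ScreenSaverIsSecure)"
Add-Check 'AC.L2-3.1.10' 'Timeout <= 15 minutes'           ($timeout -gt 0 -and $timeout -le 900) "ScreenSaveTimeOut=$timeout seconds"

# IA.L2-3.5.7: domain default password policy (length >= 12, complexity on, lockout threshold set).
try {
    $pp = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    Add-Check 'IA.L2-3.5.7' 'Minimum length >= 12'  ($pp.MinPasswordLength -ge 12) "MinPasswordLength=$($pp.MinPasswordLength)"
    Add-Check 'IA.L2-3.5.7' 'Complexity enabled'    $pp.ComplexityEnabled          "ComplexityEnabled=$($pp.ComplexityEnabled)"
    Add-Check 'IA.L2-3.5.7' 'Lockout threshold set' ($pp.LockoutThreshold -gt 0)   "LockoutThreshold=$($pp.LockoutThreshold)"
} catch {
    Add-Check 'IA.L2-3.5.7' 'Domain password policy readable' $false $_.Exception.Message
}

# SI.L2-3.14.2: Defender real-time protection on and signatures current (7-day threshold is an assumption).
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
Add-Check 'SI.L2-3.14.2' 'Real-time protection enabled'     $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'SI.L2-3.14.2' 'Signatures updated within 7 days' ($sigAge.TotalDays -le 7)   "AntivirusSignatureLastUpdated=$($mp.AntivirusSignatureLastUpdated)"

# SC.L2-3.13.8: OS volume fully encrypted, protection on, and the system-wide FIPS policy enabled
# (BitLocker honours the LSA FipsAlgorithmPolicy setting, which is what "FIPS mode" turns on).
$bl   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
Add-Check 'SC.L2-3.13.8' 'OS volume fully encrypted'     ($bl.VolumeStatus -eq 'FullyEncrypted') "VolumeStatus=$($bl.VolumeStatus)"
Add-Check 'SC.L2-3.13.8' 'BitLocker protection on'       ($bl.ProtectionStatus -eq 'On')         "ProtectionStatus=$($bl.ProtectionStatus); Method=$($bl.EncryptionMethod)"
Add-Check 'SC.L2-3.13.8' 'FIPS algorithm policy enabled' ($fips.Enabled -eq 1)                   "FipsAlgorithmPolicy\Enabled=$($fips.Enabled)"

$Results | Format-Table -AutoSize
$Results | Export-Csv -Path (Join-Path $env:USERPROFILE "tier1-check-$env:COMPUTERNAME.csv") -NoTypeInformation

# Non-zero exit lets an Intune/RMM detection script mark the device non-compliant.
if ($Results | Where-Object { -not $_.Pass }) { exit 1 }
```

Deploy it as a detection script from your endpoint management platform and the per-device results become the inventory report the malware-protection item tells you to pull; a device that fails any check is one the SSP cannot yet claim as compliant.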

Tier 2: Structural Changes (Two to Eight Weeks)

These require more planning and configuration work but are necessary for any meaningful security improvement.

Centralized Logging and Audit (AU.L2-3.3.1 through 3.3.9)

Stand up centralized log collection. If you're on Microsoft 365, Microsoft Sentinel provides log aggregation with built-in CMMC content packs. Splunk and Elastic work for on-premises environments. At minimum, collect authentication logs, file access logs for CUI file servers, and security event logs from all CUI systems. Configure retention: 90 days immediately available, 12 months archived.

Without centralized logging, you can't demonstrate monitoring capability and you can't reconstruct an incident timeline. This is foundational for AU, CA, and IR domains.

Vulnerability Scanning (RA.L2-3.11.2)

Stand up a vulnerability scanner if you don't have one. Tenable Nessus Professional ($3,000–$4,000/year) covers most small environments from a single scanner. Qualys and Rapid7 are cloud-based alternatives that scale better. Configure quarterly scans at minimum; run your first scan and document all findings. Build a remediation tracking process: critical findings get patched within 30 days, high within 60, medium within 90.
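The remediation tracking process above is easy to describe and easy to let lapse. This added example, not from the article, turns the stated SLAs (critical 30 days, high 60, medium 90) into a due-date and overdue report from scanner findings. The sample findings and the report date are constructed; in practice you would replace the here-string with Import-Csv of your scanner's CSV export and use the current date.

```powershell
# Added example (not from the article): remediation SLA tracking for RA.L2-3.11.2.
# Computes a due date for every open finding from the severity SLA and flags overdue ones.
$Sla = @{ Critical = 30; High = 60; Medium = 90 }   # days to remediate, as stated in the text

# Constructed sample findings. Column names mirror a typical scanner CSV export; hostnames are fictitious.
$findings = @'
Host,PluginName,Severity,FirstSeen,Status
fs01.corp.example,Unsupported Windows Server version,Critical,2024-01-05,Open
ws-042.corp.example,Missing cumulative update,High,2024-02-10,Open
ws-017.corp.example,SMB signing not required,Medium,2024-02-01,Open
fs01.corp.example,TLS 1.0 enabled,Medium,2024-01-20,Fixed
ws-003.corp.example,Informational banner disclosure,Info,2024-02-20,Open
'@ | ConvertFrom-Csv

$AsOf = Get-Date '2024-03-15'   # assumption: fixed report date so the sample is reproducible; use (Get-Date) in practice

$report = foreach ($f in $findings) {
    if ($f.Status -ne 'Open') { continue }          # only open findings carry an SLA clock
    $days = $Sla[$f.Severity]
    if (-not $days) { continue }                    # Low/Info have no SLA in the text; track them separately
    $due     = (Get-Date $f.FirstSeen).AddDays($days)
    $overdue = [math]::Max(0, [int]($AsOf - $due).TotalDays)
    $state   = if ($AsOf -gt $due) { 'OVERDUE' } else { 'Within SLA' }
    [pscustomobject]@{
        Host        = $f.Host
        Finding     = $f.PluginName
        Severity    = $f.Severity
        FirstSeen   = $f.FirstSeen
        DueDate     = $due.ToString('yyyy-MM-dd')
        DaysOverdue = $overdue
        State       = $state
    }
}

$report | Sort-Object DaysOverdue -Descending | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'vuln-sla-report.csv') -NoTypeInformation

# Roll-up for the POA&M: overdue count per severity.
$report | Where-Object State -eq 'OVERDUE' | Group-Object Severity |
    Select-Object @{ n = 'Severity'; e = { $_.Name } }, @{ n = 'Overdue'; e = { $_.Count } }
```

With the constructed data the critical finding on fs01 comes out 40 days overdue (due 2024-02-04) while the high and medium findings are still within SLA. Running this after every quarterly scan and keeping the CSVs gives you a dated record that the process exists and is followed, which is what the assessor will ask for.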

Configuration Baselines (CM.L2-3.4.1)

Document your approved configuration baselines for each system type: Windows workstations, Windows servers, network devices, cloud services. CIS Benchmarks provide pre-built baselines for every major platform — use them as your starting point and customize where operationally necessary. Use Microsoft Intune, SCCM, or Group Policy to enforce baseline configurations.

Boundary Protection (SC.L2-3.13.1, SC.L2-3.13.5)

Define your CUI environment boundaries. Configure firewalls to restrict traffic between the CUI environment and everything outside it. Log all traffic crossing the boundary. If you're using an enclave approach, this is the most important structural control — without it, the enclave concept doesn't hold.

Tier 3: Policy and Documentation (Ongoing)

Documentation doesn't need to come first. In fact, writing policies before you have technical controls in place creates the problem of policies that describe things you haven't implemented yet. Technical controls first; documentation second.

That said, by the time you're through Tier 2, you need:

System Security Plan (SSP): Documents how each of the 110 controls is implemented. This is the primary artifact your C3PAO assessor reviews. The SSP should be accurate — it describes what you actually have, not what you wish you had.

Policies and procedures: Security policy, access control policy, incident response plan, configuration management policy, media protection policy. These don't have to be lengthy, but they need to exist, be approved by management, be communicated to personnel, and be consistent with your actual practices.

Training records: Document security awareness training completion for all personnel with CUI access. This satisfies AT.L2-3.2.1 and AT.L2-3.2.2. Commercial platforms like KnowBe4 or Proofpoint Security Awareness provide training content and completion tracking starting around $15–$25/user/year.

The Big Decision: Enclave vs. Enterprise

The most consequential prioritization decision for small contractors is scoping.

If only a small team (under 20 people) handles CUI, building an enclave — a dedicated, hardened segment just for CUI — minimizes the number of systems you need to bring to CMMC standard. Everything outside the enclave is a Contractor Risk Managed Asset (CRMA). You bring the enclave up to standard; the rest of your environment stays on your existing security baseline.

Enclave build cost: $50,000–$150,000 for a small contractor, depending on whether you're building physical infrastructure or a cloud-based enclave in Microsoft GCC High or Azure Government. Ongoing maintenance runs $2,000–$5,000/month.

If most of your employees handle CUI, an enclave creates more friction than it solves. Enterprise-wide improvement — bringing your whole environment up to standard — makes more sense operationally. Higher upfront cost, simpler ongoing management.

This decision shapes everything else on your remediation roadmap. Make it early.

Common Mistake: Writing Policies First

The most common remediation sequencing error is spending months writing policies, procedures, and an SSP before implementing any technical controls. The logic is understandable — documentation feels productive and doesn't require budget approval. But it creates a painful problem: you write an SSP that says "we use BitLocker for encryption" before BitLocker is deployed. Then you get to your assessment and your SSP claims don't match your actual configurations.

Write just enough documentation to describe your intent, then implement the controls, then update the documentation to reflect what you actually built. Your SSP should describe reality, not aspiration.

What Your Assessor Expects

Assessors don't expect a perfect environment. They expect an honest SSP, a current POA&M showing you're actively working on gaps, evidence that your implemented controls are actually functioning, and personnel who can credibly describe how the controls work.

The organizations that struggle in assessments aren't the ones with gaps — gaps are expected and manageable through a POA&M. The organizations that struggle are the ones whose SSP claims don't match their configurations, whose personnel can't describe the controls they supposedly own, and whose POA&M hasn't been updated since it was created.

Before your assessment: implement your Tier 1 controls, document them accurately in your SSP, update your POA&M with an honest status on everything else, and make sure your people have been briefed on what to expect during personnel interviews. That's the posture that produces a successful assessment.

---

Run your baseline gap assessment before you spend a dollar on remediation. Knowing your actual SPRS score and gap distribution tells you where to focus and prevents wasted effort on low-impact controls.