CMMC Is a Program, Not a Project
This episode breaks down why CMMC success depends on lifecycle planning, from scoping contracts and data flows to building evidence, remediation, and formal assessment readiness. The hosts also dig into real-world scope traps, crosswalking existing controls, and why steady-state monitoring matters after certification.
Chapter 1
CMMC is a program, not a project
Eric Marquette
Welcome to the show! I’m Eric Marquette with Paul Netopski and Roz the Rulemaker, and Paul, I keep seeing companies treat CMMC like it’s a $40,000 tool purchase or a 90-day checklist. We read the whitepaper that you created some time ago, and it has some great details on funding and scoping for CMMC. Can you talk to us about it?
Paul Netopski
And that is exactly how programs fail. The whitepaper breaks this into phases for a reason: scope, gap assessment, crosswalk, remediation, and formal assessment. I’d add a steady-state operating phase after that, because certification readiness is not the end of the mission.
Roz the Rulemaker
That word phase matters. In rulemaking and compliance work, the expensive mistakes usually happen when an organization answers the wrong question first. They ask, “What should we buy?” before they ask, “What are we actually obligated to protect, under which contract, and in which part of the business?”
Eric Marquette
So the lifecycle here is learn, scope, implement, assess, monitor, improve. Not glamorous... but sane.
Paul Netopski
And contracts drive it. Figure 4 in the whitepaper lays that out with specific clauses: FAR 52.204-21, DFARS 252.204-7012, 7019, 7020, 7021, even 252.239-2010. Different contracts carry different obligations. Those obligations determine scope, and scope drives cost, complexity, and risk.
Roz the Rulemaker
Wait -- 252.204-7021 is the one I’d want listeners to hold onto. Because once you’re talking about assessment obligations, you are no longer in the realm of “good cybersecurity hygiene.” You are in the realm of auditable obligation. That changes governance, budgeting, and executive attention very quickly.
Eric Marquette
And it changes the conversation internally, right? Because if I’m a defense contractor leader, I’m not just asking IT for a shopping list. I’m asking legal, contracts, operations, HR, quality... who touches what and why.
Paul Netopski
Correct. Phase 1 starts with understanding before building. Educate staff and leadership on federal requirements, what counts as CUI, and the business risk of getting this wrong. The paper is blunt on risk: cyber incidents can bankrupt small businesses, insurance premiums were up around 32% in the past year discussed, and insurers increasingly want framework-based evidence.
Eric Marquette
That 32% is the number that sticks for me. Not because insurance is the whole issue -- it’s not -- but because it turns “maybe later” into “this is hitting the balance sheet now.”
Roz the Rulemaker
And Phase 1 also means building a requirements inventory. Pull every contract. Identify applicable clauses. Determine what information is FCI, what is CUI, what must be marked or specially handled. If you skip that inventory, your later policy set and your later budget will both be fiction.
Paul Netopski
Then you choose a strategy based on maturity, not wishful thinking. In-house, outside consultant, MSP, MSSP, or a hybrid. The whitepaper explicitly warns against “buying compliance.” If your process maturity is weak, a managed service may help with operations, but it will not magically create accurate procedures, evidence, or executive accountability.
Eric Marquette
So if I’m hearing both of you right, the three build phases are: understand and scope, then remediate and implement, then assess and remediate findings. And after that comes the real test -- operating it every day without drifting.
Paul Netopski
Exactly. CMMC is a program, not a project. Projects end. Programs recur.
Chapter 2
Scope, evidence, remediation, and the steady-state cycle
Eric Marquette
Let’s get practical. The whitepaper’s “Peter” example is great because it sounds ordinary. Peter downloads bid documents with FCI and CUI, stores them on a laptop, posts to a file share, the bid team uses a requirements tool, costing goes into ERP, proposals go out by email, backups land in a cloud tool, and Peter reads email on a company cell phone. That’s not one system. That’s... a spiderweb.
Paul Netopski
And the spiderweb is the point. You map user workflows first: who touches the data, who shares it, what applications they use. Then map data workflows: where CUI enters, where it is stored, processed, transmitted, backed up, and where it exits the organization. If you miss the cell phone, the backup platform, or the email system, you have missed real scope.
Roz the Rulemaker
Peter’s cell phone is the memorable token for me, because it captures how scope expands through convenience. A leader thinks, “We only handle proposals on a few laptops.” Then one mobile email sync later, you’ve implicated another asset class and another set of controls.
Eric Marquette
And this is where bad estimates are born. If you scope the fairy-tale environment instead of the real one, your cost model is nonsense.
Paul Netopski
Right. The paper even suggests narrowing scope by changing the data flow itself. For example, instead of receiving CUI by email, a contractor might review CUI inside a prime or government system over the internet so the contractor reduces its own exposure. That is a business design decision, not just a security setting.
Roz the Rulemaker
Though I’ll add one caution: narrowing scope is legitimate only if operations actually change. Saying “that system is out of scope” while people still use it for CUI is not clever scoping. It is poor documentation wrapped around a future finding.
Paul Netopski
Then translate the requirements into evidence. Crosswalk existing programs -- ISO 9001, AS9100, ISO 27001, NIST CSF, internal handbooks, whatever you have -- against CMMC’s NIST SP 800-171 basis. The paper notes Level 2 maps to the 110 NIST 800-171 practices, and it discusses reviewing 320 assessment objectives. Reuse what is valid, but update policies and procedures so they align with both 800-171 and 800-171A-style assessment expectations.
Eric Marquette
So not just “we patch systems,” but “here is the policy, here is the procedure, here is the record, and yes, the organization does what the document says.”
Roz the Rulemaker
Exactly. Then conduct the self-assessment, update the SSP, update the SPRS score, build or refresh the POA&M, and stand up a CONMON program. That package is what turns abstract intent into operational proof.
Paul Netopski
Phase 2 is action. Review the POA&M and confirm the remediation path still fits the business. Maybe you shifted from subcontractor to prime, acquired a company, or moved to cloud. Procure the missing technology, implement it, then update the policies, procedures, plans, and process artifacts so the control implementation is traceable and defensible.
Eric Marquette
And then you test scope AGAIN, because implementation changes behavior. New cloud storage, new MFA flow, new managed service -- suddenly data moves differently than people predicted.
Paul Netopski
Yes. Re-test workflows, reclassify assets if needed, reassess, refresh the POA&M, and update SPRS based on the new posture. That loop is normal.
Roz the Rulemaker
Phase 3 is operate, assess, remediate. Run CONMON. If certification is required, schedule the C3PAO assessment. High level, the formal assessment depends heavily on accurate scope and objective evidence. The paper warns that once scope, cost, and timeframe are agreed, changing scope can force the process to start over. And if findings remain, remediation and possible reassessment follow.
Paul Netopski
Then Phase 4 -- the sustainable state. Continue operating to policy. Conduct annual self-assessments and update SPRS. Prepare for the triannual C3PAO assessment. The paper is explicit: these are recurring costs, like maintaining a vehicle over time, not a one-time purchase.
Eric Marquette
Which brings us back to the whitepaper’s big takeaway: scope drives cost. If you understand contracts, clauses, data flows, systems, and people FIRST, then scoping, gap assessment, crosswalk, remediation, and formal assessment become fundable decisions instead of painful surprises. Narrow scope and reuse controls where you honestly can. Expand only where the business truly needs it. Do that well, and funding gets clearer fast. Thanks for joining us on CMMC Unlocked.
