Simplifying CMMC Compliance and Breaking Down Its Controls

Those seeking contracts with government agencies must meet many requirements and guidelines regarding cybersecurity. Each entity has its own, including the Department of Defense (DoD). Introduced in 2024 and being implemented in phases, Cybersecurity Maturity Model Certification 2.0 (CMMC) sets new rules around protecting controlled unclassified information (CUI) and federal contract information (FCI). CMMC compliance has lots of complexities; let’s talk about how to simplify and streamline it.
Key CMMC Compliance Timeline and Requirements
Organizations that want to bid on DoD contracts are subject to CMMC. The government put forth a phased implementation. The next deadline is Phase 2 with an effective date of November 10, 2026. Phase 1 has been in place since November 2025.
Phase 2 applies to contractors handling CUI. They will need to undergo a third-party evaluation by a certified assessor organization, and certification is a condition of contract award.
Contractors must have specific protections in place for CUI and FCI. Security must be in place for data at rest, in use, and in transit, and the way it is implemented must align with NIST 800-171, NIST 800-172, and FIPS. What’s critical to understand is that encryption at rest alone is insufficient, and most platforms fall short here.
CMMC Controls in Practical Terms
CMMC documents 14 control domains derived from NIST SP 800-171. The domains are comprehensive, but what do they mean in practice?
1. Access Control (AC)
Contractors must have Identity and Access Management (IAM) with data-level access enforcement, which requires a data protection component.
2. Awareness & Training (AT)
Employees of contractors must complete security training and have records to verify this.
3. Audit & Accountability (AU)
You must be able to provide audit logs and evidence of data protection. Platforms that generate audit logs and documentation reduce the time and effort that manual evidence collection requires.
4. Configuration Management (CM)
To meet this control, you’ll need policy baselines within a data protection system along with Security Information and Event Management (SIEM).
5. Identification & Authentication (IA)
Companies should have standard protocols for identification and authentication, such as MFA and password policies.
6. Incident Response (IR)
Organizations must develop and document an IR plan, including containment and testing.
7. Maintenance (MA)
Systems should receive regular maintenance. If the people performing it lack authorization, they must be supervised. Remote maintenance sessions require MFA.
8. Media Protection (MP)
To protect media, you should have CUI data discovery capabilities as well as classification of this information, layered with access controls.
9. Personnel Security (PS)
You must screen individuals prior to providing them with CUI access.
10. Physical Protection (PP)
Complying with this involves limiting physical access to only those who need it and maintaining a log of physical access.
11. Risk Assessment (RA)
Meeting this control involves ongoing risk evaluation, vulnerability scanning, third-party assessments, and penetration testing.
12. Security Assessment (SA)
In this control, the emphasis is on assessing and monitoring security controls and having an operational plan of action. Performing penetration testing is an example.
13. System and Communications Protection (SC)
Data encryption must be in place for data at rest and in transit, and the cryptography must be FIPS-validated.
14. System and Information Integrity (SII)
This category involves endpoint security, software patching, antivirus protection, and real-time security alerts.
These controls touch on every area of security, and many of them depend on encryption practices.
CMMC Compliance: Transitioning to Modern Encryption
Where are your current gaps in data encryption, both for compliance and for security in general?
Here are a few areas that should be on your checklist.
Beyond Disk-Centric Encryption
Many contractors rely on disk-centric encryption mechanisms. These satisfy the at-rest part of the rule. However, once that data is read from the disk and moves elsewhere, the protection no longer applies. That leaves organizations exposed to heightened risk and to noncompliance.
Modern encryption expands protections by being data-centric. It remains with the sensitive information throughout its lifecycle. It stays with the data even in file sharing.
This type of encryption operates at the file and field level. Protection travels with CUI across endpoints, file shares, the cloud, email, and partner environments.
FIPS Validated vs. Compliant
AES-256 encryption on its own is insufficient for compliance or best practice. What you need is FIPS-validated encryption: “FIPS-compliant” is a vendor’s own assertion, whereas “FIPS-validated” means the cryptographic module has been tested and certified under NIST’s validation program. Not all encryption products can demonstrate this, so you’ll need to evaluate your gaps.
Key Management Simplified
CMMC also requires proper procedures for managing encryption keys. This can get complicated and has considerable costs. Our Smartkeys make this much easier. They combine encryption keys with a corresponding access control list. You don’t need a separate key infrastructure.
Contingency keys are always available as well. You can’t be locked out of your data even if you lose the original key or passphrase.
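As an added illustration of the two ideas above, a key bound to an access control list with a contingency entry, and protection that travels with the file rather than the disk, here is my own Go sketch (not Smartkeys or any vendor’s implementation). The envelope format, the principal names, and the per-principal key-encryption keys (KEKs) are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte // AES-256 key; a fixed length means aes.NewCipher cannot fail
// Envelope: AES-GCM ciphertext plus the data key wrapped once per ACL principal, so policy travels with the CUI.
type Envelope struct {
	Ciphertext []byte
	ACL        map[string][]byte // principal -> nonce||wrapped data key (assumed format)
}
// seal returns nonce||ciphertext with aad bound into the authentication tag.
func seal(key Key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	a, _ := cipher.NewGCM(block)
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return a.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails closed on tampering, a wrong key or a wrong aad.
func open(key Key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	a, _ := cipher.NewGCM(block)
	if len(blob) < a.NonceSize() {
		return nil, errors.New("missing or truncated blob")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}
// Protect encrypts CUI under a fresh data key and wraps it for every KEK on the ACL; a contingency (recovery) KEK is just one more entry.
func Protect(plaintext []byte, keks map[string]Key) *Envelope {
	var dek Key
	rand.Read(dek[:])
	env := &Envelope{Ciphertext: seal(dek, plaintext, nil), ACL: map[string][]byte{}}
	for principal, kek := range keks { // aad binds each wrapped key to its principal name
		env.ACL[principal] = seal(kek, dek[:], []byte(principal))
	}
	return env
}
// Open yields plaintext only for a principal on the ACL who holds the matching KEK.
func Open(env *Envelope, principal string, kek Key) ([]byte, error) {
	dek, err := open(kek, env.ACL[principal], []byte(principal)) // nil blob if absent
	if err != nil {
		return nil, errors.New("principal not on ACL or wrong key")
	}
	return open(Key(dek), env.Ciphertext, nil) // the tag check guarantees 32 bytes
}
```

Because the wrapped keys and the ciphertext live in the same envelope, copying the file to a share, an inbox or a partner system carries the policy with it, and the recovery entry is what prevents a lost user key from locking you out.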
Encryption That’s Not Disruptive
Certificate-free encryption maintains authorized user access without disrupting workflows or applications. Applications and workflows can access the sensitive information they require to function.
This is done through software development kit (SDK) and application programming interface (API) integrations. The mechanism enables in-stream encryption and decryption within an application, so data is never written to disk in an unencrypted state. With this approach, you achieve CMMC compliance and ensure these activities are handled consistently across your enterprise.
Quantum-Safe Encryption
The age of quantum computing is nearing, which means today’s encryption could become easier to break. CMMC follows NIST standards, so organizations will need to adopt NIST’s post-quantum cryptography requirements as they are released.
Ideally, you want to be on an encryption platform that’s already planning for this. It’s a vital consideration, and you should evaluate any solution’s crypto agility.
What’s Next in the CMMC Compliance Journey?
Phase 2 compliance will be effective and enforceable soon. Preparing now offers the best course to ensure your organization doesn’t lose contracts. Have more questions about the technical requirements? We’ve got that covered in our article, Understanding Cybersecurity Maturity Model Certification.
