Simplifying CMMC Compliance and Breaking Down Its Controls

Beth Osborne
Blog
April 20, 2026

Those seeking contracts with government agencies must meet many requirements and guidelines regarding cybersecurity, including the Cybersecurity Maturity Model Certification 2.0 (CMMC). Introduced in 2024 by the Department of Defense (DoD), CMMC sets new rules around protecting controlled unclassified information (CUI) and federal contract information (FCI). CMMC compliance is complex. Let’s talk about how to simplify and streamline it.

Key CMMC Compliance Timeline and Requirements

Organizations that want to bid on DoD contracts are subject to CMMC. The government put forth a phased implementation. The next deadline is Phase 2 with an effective date of November 10, 2026. Phase 1 has been in place since November 2025.

Phase 2 involves contractors handling CUI. They will need to undergo a third-party evaluation by a certified assessor organization.

Contractors must also have specific protections in place for CUI and FCI. Encryption must be in place for data at rest, in use, and in transit. The protocols for executing this must align with NIST 800-171, NIST 800-172, and FIPS. What’s critical to understand is that encryption at rest is insufficient, and most platforms fall short here.

CMMC Controls in Practical Terms

CMMC documents 14 control domains derived from NIST SP 800-171. Together they are comprehensive, but what do they really represent in practice?

1. Access Control (AC)

Contractors must have Identity and Access Management (IAM) with data-level access enforcement, which requires a data protection component.

2. Awareness & Training (AT)

Employees of contractors must complete security training and have records to verify this.

3. Audit & Accountability (AU)

You must be able to provide audit logs and evidence of data protection. Platforms that generate audit logs and documentation reduce the time and effort required by manual activities.

4. Configuration Management (CM)

To meet this control, you’ll need policy baselines within a data protection system along with Security Information and Event Management (SIEM).

5. Identification & Authentication (IA)

Companies should have standard protocols for identification and authentication, such as MFA and password policies.

6. Incident Response (IR)

Organizations must develop and document an IR plan, including containment and testing.

7. Maintenance (MA)

Systems should receive regular maintenance. Maintenance personnel who lack the required authorization must be supervised, and remote maintenance must be protected with MFA.

8. Media Protection (MP)

To protect media, you should have CUI data discovery capabilities as well as classification of this information, layered with access controls.

9. Personnel Security (PS)

You must screen individuals prior to providing them with CUI access.

10. Physical Protection (PP)

Complying with this involves limiting physical access to only those who need it and maintaining a log of physical access.

11. Risk Assessment (RA)

Meeting these policies includes ongoing evaluations for risk, vulnerability scanning, third-party assessments, and penetration testing.

12. Security Assessment (SA)

In this component, the emphasis is on assessing and monitoring security controls and having an operational plan of action. Performing penetration testing is an example.

13. System and Communications Protection (SC)

Data encryption must be in place for data at rest and in transit, and the cryptography must be FIPS-validated.

14. System and Information Integrity (SII)

This category involves endpoint security, software patching, antivirus protection, and real-time security alerts.

These controls touch on every area of security. Many of these have a connection to encryption practices.

CMMC Compliance: Transitioning to Modern Encryption

Data-Centric Security to Eliminate Exposure

Identifying your encryption gaps is the first step toward both Level 2 CMMC compliance and a stronger security posture.

Here are a few areas worth evaluating.

Going Beyond Disk-Centric Encryption

Many contractors rely on disk-level encryption. This approach satisfies the at-rest part of the rule. However, once that data moves, the protection is no longer present. It leaves organizations in a position of heightened risk exposure and noncompliance.

Modern encryption expands protection by being data-centric: it remains with the sensitive information throughout its lifecycle, including when files are shared.

This type of encryption is at the file and field level. Protection travels with CUI across endpoints, file shares, the cloud, email, or partner environments.

Key Management Simplified

CMMC also requires proper procedures for managing encryption keys. This can get complicated and carries considerable cost and overhead. PKWARE’s Smartkey technology makes this much easier. It combines encryption keys with a corresponding access control list, so you don’t need a separate key infrastructure.

Contingency keys are always available, as well. You can’t be locked out of your data even if you lose the original key or passphrase.
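The two ideas above, protection that travels with the file and a key bound to its access list with a contingency key, as an added illustration in Ruby (this is not PKWARE’s code and not a description of how Smartkey is implemented, which the post does not give): the ACL is AES-GCM associated data for both the wrapped data key and the file body, a wrapped copy of the data key exists only for principals on the list, and the contingency holder can always recover. Principal names, the 32-byte wrapping keys and the sample plaintext are constructed.

```ruby
require 'openssl'
require 'json'
CONTINGENCY = 'contingency' # recovery principal, always able to unwrap
class AccessDenied < StandardError; end

# AES-256-GCM: returns nonce || ciphertext || 16-byte tag; aad is covered by
# the tag but not encrypted, so it stays readable next to the ciphertext.
def seal(key, msg, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = aad
  nonce + c.update(msg) + c.final + c.auth_tag
end

# Reverse of seal; CipherError if key, nonce, ciphertext or aad were altered.
def open_sealed(key, blob, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[-16..]
  c.auth_data = aad
  c.update(blob[12...-16]) + c.final
end

# Protection that travels with the file: encrypt under a fresh data key (DEK),
# then wrap the DEK once per ACL principal plus the contingency key. The JSON
# ACL is the aad of both layers, so any edit to the ACL breaks every tag.
def protect(plaintext, acl, keys) # keys: principal => 32-byte wrapping key (constructed)
  dek = OpenSSL::Cipher.new('aes-256-gcm').random_key
  aad = JSON.generate(acl)
  wrapped = ([CONTINGENCY] + acl).to_h do |p|
    raise KeyError, "no wrapping key for #{p}" unless keys[p]
    [p, seal(keys[p], dek, aad)]
  end
  { acl: acl, wrapped: wrapped, body: seal(dek, plaintext, aad) }
end

# Decrypt as principal p with p's own key; off the ACL, a wrong key or an edited ACL all fail.
def access(env, p, kek)
  aad = JSON.generate(env[:acl])
  blob = env[:wrapped][p] || raise(AccessDenied, "#{p} is not on the ACL")
  begin
    dek = open_sealed(kek, blob, aad)
  rescue OpenSSL::Cipher::CipherError
    raise AccessDenied, "#{p}: wrong key or tampered ACL"
  end
  open_sealed(dek, env[:body], aad)
end
```

Because the ACL is authenticated rather than encrypted, it stays readable for audit while any attempt to add a principal after the fact invalidates every wrapped key, including the legitimate ones.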

Encryption That’s Not Disruptive

Certificate-free encryption maintains authorized user access without disrupting workflows or applications. Applications and workflows can access the sensitive information they require to function.

This is possible through software development kit (SDK) and application programming interface (API) connections. This mechanism enables in-stream encryption and decryption within an application, so data is never written to disk in an unencrypted state. With this approach, you achieve CMMC compliance and ensure consistent, frictionless encryption across your enterprise.

Quantum-Safe Encryption

The age of quantum computing is nearing, which means encryption could become easier to break. CMMC follows NIST standards, so organizations will need to adopt the updated quantum-safe encryption requirements once they are released.

Ideally, you want to be on an encryption platform that’s already planning for this. It’s a vital consideration, and you should evaluate any solution’s crypto agility.

What’s Next in the CMMC Compliance Journey?

Phase 2 compliance will be effective and enforceable soon. Preparing now offers the best course to ensure your organization doesn’t lose contracts.

Have more questions about the technical requirements? We’ve got that covered in our article, Understanding Cybersecurity Maturity Model Certification.
