From cmmc
CMMC v2.0 expert for DoD contractors. Covers NIST 800-171 Rev 2 (14 families, 110 controls), SPRS scoring, POA&M rules, 32 CFR Part 170, DFARS clauses, scoping, ESP/CSP, C3PAO assessment lifecycle, and Rev 2 → Rev 3 transition.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cmmc:cmmc-expertThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Deep, practitioner-grade expertise in the Cybersecurity Maturity Model Certification (CMMC) v2.0 for Department of Defense contractors. Built from the authoritative chain: **NIST SP 800-171 Rev 2** (control text), **NIST SP 800-171A Rev 2** (320 assessment objectives), **32 CFR Part 170** (CMMC program rule), and **48 CFR / DFARS Part 204.75** (acquisition rule).
Deep, practitioner-grade expertise in the Cybersecurity Maturity Model Certification (CMMC) v2.0 for Department of Defense contractors. Built from the authoritative chain: NIST SP 800-171 Rev 2 (control text), NIST SP 800-171A Rev 2 (320 assessment objectives), 32 CFR Part 170 (CMMC program rule), and 48 CFR / DFARS Part 204.75 (acquisition rule).
Purpose: Standardize verification of NIST SP 800-171 cybersecurity controls across the Defense Industrial Base (DIB) protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Authority chain:
Authoritative sources to cite in deliverables:
All dates keyed to November 10, 2025 (DFARS rule effective date).
| Phase | Window | What's in contracts |
|---|---|---|
| Phase 1 | 2025-11-10 → 2026-11-09 | L1 (Self), L2 (Self); L2 (C3PAO) at DoD discretion |
| Phase 2 | 2026-11-10 → 2027-11-09 | + L2 (C3PAO) as routine contractual requirement |
| Phase 3 | 2027-11-10 → 2028-11-09 | + L3 (DIBCAC) for high-sensitivity programs |
| Phase 4 | 2028-11-10 and beyond | All applicable solicitations require appropriate CMMC level |
Triennial re-assessment + annual affirmation throughout the certification cycle.
| Level | Name | Practices | Source | Assessment | POA&M Allowed | Cycle |
|---|---|---|---|---|---|---|
| Level 1 | Foundational | 15 | FAR 52.204-21 | Self only | No — never | Annual self + annual affirmation |
| Level 2 | Advanced | 110 | NIST SP 800-171 Rev 2 | Self or C3PAO | Yes — restricted (see §11) | Triennial + annual affirmation |
| Level 3 | Expert | 134 (110 + 24 selected from 800-172) | NIST SP 800-171 Rev 2 + 800-172 | DCMA DIBCAC | Per DIBCAC methodology | Triennial + annual affirmation |
Acronyms used here (correctly):
Who needs what:
These are the only 14 families in Rev 2. Any reference to Asset Management (AM), Recovery (RE), Risk Management (RM), or Situational Awareness (SA) as 800-171 families is incorrect — those names belong to CMMC v1.0 or to other catalogs.
| # | ID | Family | Controls |
|---|---|---|---|
| 1 | AC | Access Control | 22 |
| 2 | AT | Awareness and Training | 3 |
| 3 | AU | Audit and Accountability | 9 |
| 4 | CM | Configuration Management | 9 |
| 5 | IA | Identification and Authentication | 11 |
| 6 | IR | Incident Response | 3 |
| 7 | MA | Maintenance | 6 |
| 8 | MP | Media Protection | 9 |
| 9 | PS | Personnel Security | 2 |
| 10 | PE | Physical Protection | 6 |
| 11 | RA | Risk Assessment | 3 |
| 12 | CA | Security Assessment | 4 |
| 13 | SC | System and Communications Protection | 16 |
| 14 | SI | System and Information Integrity | 7 |
| TOTAL | 110 |
Numbering scheme: Chapter.Family.Requirement (e.g., 3.1.1 = Chapter 3, AC family, Requirement 1). Each requirement is either Basic (high-level) or Derived (technical implementation specifics) in Rev 2.
Each 800-171 requirement decomposes into lettered assessment objectives (e.g., 3.1.1[a]–[f]). All objectives within a practice must be satisfied for the practice to be Met in a C3PAO assessment.
| Family | Controls | Assessment Objectives |
|---|---|---|
| 3.1 Access Control | 22 | 70 |
| 3.2 Awareness & Training | 3 | 9 |
| 3.3 Audit & Accountability | 9 | 29 |
| 3.4 Configuration Management | 9 | 44 |
| 3.5 Identification & Authentication | 11 | 25 |
| 3.6 Incident Response | 3 | 14 |
| 3.7 Maintenance | 6 | 10 |
| 3.8 Media Protection | 9 | 15 |
| 3.9 Personnel Security | 2 | 4 |
| 3.10 Physical Protection | 6 | 16 |
| 3.11 Risk Assessment | 3 | 9 |
| 3.12 Security Assessment | 4 | 14 |
| 3.13 System & Comms Protection | 16 | 41 |
| 3.14 System & Info Integrity | 7 | 20 |
| TOTAL | 110 | 320 |
These drive the bulk of assessment effort and evidence burden:
| Control | Objectives | Evidence focus |
|---|---|---|
| 3.4.7 | 15 | Port/protocol/service documentation (most objectives of any control) |
| 3.13.1 | 8 | Network boundary definition + monitoring/control/protection |
| 3.4.5 | 8 | Change control access restrictions (physical AND logical) |
| 3.12.4 | 8 | SSP completeness (boundary, environment, connections, update freq) |
| 3.6.1 | 7 | IRP covering all incident response phases |
| 3.6.2 | 6 | Incident reporting chain (internal + external) |
| 3.1.1 | 6 | User/device/process inventory + access restrictions |
| 3.1.20 | 6 | External system agreements + connection controls |
| 3.3.1 | 6 | Audit log configuration + retention policy |
| 3.3.8 | 6 | Log protection controls |
| 3.4.1 | 6 | Baseline config + asset inventory |
| 3.13.2 | 6 | Secure architecture documentation |
| 3.14.1 | 6 | Flaw ID/report/correct with defined timeframes |
| 3.1.3 | 5 | Data flow diagrams + flow enforcement |
| 3.1.22 | 5 | Public web content review process |
Per NIST SP 800-171A Rev 2, assessors use exactly three methods (not four). The verb "Determine" that opens each assessment objective is not a method — it's the assessor's overall judgment, supported by E/I/T evidence.
| Method | What it is | Depth attributes |
|---|---|---|
| Examine | Reviewing, inspecting, observing, studying, or analyzing assessment objects (specifications, mechanisms, activities) | Basic / Focused / Comprehensive |
| Interview | Discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence | Basic / Focused / Comprehensive |
| Test | Exercising assessment objects under specified conditions to compare actual vs. expected behavior | Basic (black box) / Focused (gray box) / Comprehensive (white box) |
Assessment objects assessors examine or test:
Practitioner rule of thumb: For each AO, the OSC should be able to produce (1) the document/specification, (2) the technical artifact or screenshot showing the mechanism is configured, and (3) at least one person who can speak to operating the control.
cui.archives.gov.Two flavors:
Confidentiality impact value: No less than FIPS 199 moderate.
Boundary scope rule (key to scoping): 800-171 requirements apply only to components that process, store, or transmit CUI, or that provide protection for such components.
Marking expectations:
CUI//SP-PRVCY).Per 32 CFR 170.19 and the CMMC L2 Scoping Guide, each asset falls into one of five categories. Proper categorization can dramatically reduce assessment burden and cost.
| Category | What it is | CMMC treatment |
|---|---|---|
| CUI Assets | Process, store, or transmit CUI | All 110 controls apply |
| Security Protection Assets | Provide security services to CUI Assets (firewalls, IDS/IPS, SIEM, VPN, MDM, patch mgmt, AD/LDAP) — may not touch CUI directly | Applicable security requirements apply |
| Contractor Risk Managed Assets (CRMA) | Can technically reach CUI Assets but aren't required to process CUI (jump hosts, admin workstations) | Contractor-developed risk-based approach, documented |
| Specialized Assets | OT/ICS, IoT, Government Furnished Equipment | Tailored — document applicability and any compensating controls in the SSP |
| Out-of-Scope Assets | Isolated; no connection path to CUI systems | Not subject to CMMC — but isolation must be technically demonstrated, not merely asserted |
The most commonly misunderstood area of CMMC. ESPs and CSPs follow different rules.
A third-party providing cloud services (SaaS / PaaS / IaaS) where CUI is processed, stored, or transmitted.
Common CSP options for CUI:
| Platform | FedRAMP | Notes |
|---|---|---|
| Microsoft 365 GCC High | High | Suitable for most DoD CUI, including ITAR |
| Microsoft Azure Government | High | |
| AWS GovCloud | High | |
| Microsoft 365 GCC | Moderate | Limited CUI types; not suitable for ITAR/EAR |
| Google Workspace Enterprise | Moderate (some configurations) | Validate per use case |
ITAR/EAR caution: A CSP can be FedRAMP-authorized and technically eligible — but still ineligible to process specific CUI categories due to export-control restrictions on foreign-national access. Evaluate CUI category restrictions independently of FedRAMP authorization.
A third-party that is not cloud-based but whose services implement 800-171 controls or that processes/stores/transmits CUI on the OSA's behalf.
Common ESPs: MSSPs (SOC, SIEM), MSPs (patching, endpoint management), outsourced IT/AD admins, physical security monitoring vendors.
Rules (32 CFR 170.19 / 170.16):
Decision tree:
Is the third-party service cloud-based?
├── YES → CSP → FedRAMP Moderate (or higher) authorization required
└── NO → ESP → Include in scope OR get ESP CMMC-certified
Per the regulation (unless DoD specifies otherwise), the prime contractor determines the CMMC level required for each subcontractor based on the data the sub will handle.
| Prime's requirement | Sub handling FCI only | Sub handling CUI |
|---|---|---|
| L2 (Self) | L1 minimum | L2 (Self) minimum |
| L2 (C3PAO) | L1 minimum | L2 (C3PAO) minimum |
| L3 (DIBCAC) | L1 minimum | L2 (C3PAO) minimum (unless DoD specifies higher) |
Prime obligations:
Practical advisory: Primes should build supplier cybersecurity verification into procurement processes now. Waiting until Phase 2/4 to verify subs will create supply chain disruptions.
| Concept | What it is | Where it lives |
|---|---|---|
| SPRS Score | Numerical (e.g., 98/110) from DoD Assessment Methodology self-assessment | SPRS (contractor-submitted) |
| CMMC Status | Categorical (Conditional L2 / Final L2 / etc.) from a CMMC assessment under 32 CFR 170 | SPRS (self) or eMASS (C3PAO) |
During Phase 1, a current SPRS score from a valid self-assessment is the CMMC L2 (Self) status.
Under DFARS 252.204-7019/7020:
| Tier | Conducted by | Rigor | SPRS effect |
|---|---|---|---|
| Basic | Contractor self | Low (honor system) | Contractor submits score |
| Medium | DoD records/interview review | Medium | DoD adjusts score if gaps found |
| High | DIBCAC on-site | High | DIBCAC score supersedes contractor's |
SPRS = 110 − Σ (deductions for not-implemented or partially-implemented controls)
A single Not-Implemented finding on any of these costs 5 points and — for most of them — is not POA&M-eligible. Verify against the current CMMC Scoring Methodology before client-facing work.
A Plan of Action & Milestones is a time-bound documented plan to remediate identified deficiencies. Under CMMC, POA&Ms are not a general remediation tool — they are tightly restricted.
Rule 1 — Level 1 = NO POA&Ms ever. Per 32 CFR 170.21(a)(1). All 15 FAR 52.204-21 practices must be fully implemented at time of self-assessment submission. No exceptions.
Rule 2 — Level 2 POA&Ms require a passing score of ≥ 80%. Per 32 CFR 170.21(a)(2)(i). Assessment score ÷ 110 must be ≥ 0.8 → ≥ 88 of 110 practices must be MET before any POA&M is allowed.
Rule 3 — Only 1-point practices on POA&M, with one exception. Per 32 CFR 170.21(a)(2)(ii). No practice on a POA&M may have a point value greater than 1. The single exception: SC.L2-3.13.11 (FIPS-validated cryptography) may be on a POA&M at its 3-point value only if encryption is in use but not yet FIPS-validated. If encryption is not employed at all, 3.13.11 carries its full 5-point weight and is not POA&M-eligible.
| Scenario | Encryption posture | Deduction | POA&M eligible? |
|---|---|---|---|
| A | None | 5 pts | No — assessment fails |
| B | In use, not FIPS-validated | 3 pts | Yes |
| C | FIPS-validated in use | 0 pts | n/a — fully Met |
Practitioner play: Before assessment, get clients to implement encryption (even if not yet FIPS-validated) — converts a disqualifying 5-point hit into a POA&M-eligible 3-point hit.
Per 32 CFR 170.21(a)(2)(iii), the following are explicitly ineligible regardless of point value:
Operational POA&Ms (continuous improvement tracking under normal NIST practice) are separate from CMMC assessment POA&Ms (formal regulatory constructs with 180-day clocks). Don't conflate them.
At the assessment objective level, each AO produces one of:
At the practice level, the rollup is:
Findings language convention in deliverables:
3.1.1[a]).After initial CMMC Status, a senior company official must affirm in SPRS/eMASS each year that:
Frequency: within one year of initial CMMC Status Date, then annually for the 3-year cycle. Material changes may trigger re-assessment.
CMMC creates real FCA exposure — context every client conversation should include:
What creates exposure:
Safe-harbor posture: an honest, low SPRS score plus a credible POA&M is defensible. An inflated score is not. Accurate reporting + credible remediation = manageable risk; inflated reporting = potential criminal exposure.
CMMC is currently based on 800-171 Rev 2 only. Rev 3 (May 2024) is the forward horizon — not operative for CMMC until DoD adopts it (no announced date).
| Metric | Rev 2 | Rev 3 |
|---|---|---|
| Control families | 14 | 17 (adds PL, SA, SR) |
| Total requirements | 110 | ~97 (net — many consolidations) |
| Numbering | 3.X.Y | 03.X.Y (leading zeros) |
| Basic/Derived distinction | Yes | Eliminated |
| ODPs | None | Introduced |
| Family renames | — | CA → "Security Assessment and Monitoring" |
Introduced in Rev 3. Select requirements contain [Assignment: organization-defined X] values that must be defined by either the contracting federal agency or the contractor. Once defined, they become assessable scope.
ODP categories:
ODP planning for clients pre-adoption:
Some clients have implemented Rev 3-style controls and believe they're covered. Rev 2 has specific requirements that Rev 3 softened with ODPs — for current CMMC assessments, the Rev 2 language governs:
Replaces the loose gap list with practitioner-confirmed patterns mapped to specific assessment objectives.
| Gap | Practices / AOs | Why it fails |
|---|---|---|
| MFA partial — admins only, not all network users | IA.L2-3.5.3 (all AOs); related 3.1.12 | Rev 2 requires MFA for network access to non-privileged accounts; "admins only" does not satisfy |
| SMS or push-only MFA | IA.L2-3.5.3 | Phishing-resistant MFA expected; SMS increasingly called out |
| Account review records missing | AC.L2-3.1.1[d–f]; 3.1.5[a–d] | Policy exists but no documented periodic review evidence |
| Asset inventory incomplete / no network diagram | CM.L2-3.4.1[a–f]; CA.L2-3.12.4 | Baseline configuration cannot be asserted without inventory |
| Audit log retention without review | AU.L2-3.3.1[e–f]; 3.3.5 | Logs generated but never analyzed — fails Examine + Interview |
| IR plan untested or no 72-hour reporting process | IR.L2-3.6.1[a–g]; 3.6.3; DFARS 7012 | Plan exists but exercises absent; DIBNet reporting workflow undocumented |
| No baseline configurations / informal change control | CM.L2-3.4.1; 3.4.3; 3.4.5[a–h] | Required artifacts (baselines, change records) cannot be produced |
| Allow/deny software policy missing | CM.L2-3.4.8 | Policy-only without enforcement evidence; technical control required |
| FIPS-validated crypto unconfirmed | SC.L2-3.13.11; 3.13.8; 3.13.16 | Encryption in use but not via CMVP-validated module — 3-pt POA&M if encryption present, 5-pt fail if not |
| No documented deny-by-default boundary rule | SC.L2-3.13.6 | Implicit allow rules undermine flow control |
| CUI at rest not encrypted | SC.L2-3.13.16 | Common on endpoints; full-disk encryption alone may not satisfy if CUI is in cloud sync folders |
| SSP not current | CA.L2-3.12.4[a–h] | SSP exists but stale; assessor wants current state |
| Patch SLAs without evidence | SI.L2-3.14.1; RA.L2-3.11.3 | Policy says "30 days" but no records demonstrate it |
| AV not auto-updating | SI.L2-3.14.4; 3.14.5 | Signatures stale; tool report shows last update |
| Vulnerability scanning gap | RA.L2-3.11.2; 3.11.3 | Authenticated scans not configured; remediation cadence undocumented |
| External system connections unmanaged | AC.L2-3.1.20; 3.1.21 | No agreements with external systems; portable storage uncontrolled |
| Public-facing system content control | AC.L2-3.1.22 | No review process for what posts publicly |
These require technical implementation evidence, not just a policy document:
cui.archives.govAuthoritative locations: dodcio.defense.gov/CMMC/, cyber.mil, cyberab.org, sprs.csd.disa.mil, dibnet.dod.mil (incident reporting).
This skill supports:
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.
3plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin cmmc