CMMC Compliance

Note: CMMC policy framework requires Enterprise Edition.

The Cybersecurity Maturity Model Certification (CMMC) policy framework helps 350,000+ Defense Industrial Base (DIB) contractors achieve CMMC compliance for DoD contract eligibility.

Overview

CMMC 2.0 establishes cybersecurity requirements for organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) under defense contracts. Aquilon DLP’s CMMC policy supports the data-protection obligations in:

  • FAR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204-7012 - Safeguarding Covered Defense Information
  • DFARS 252.204-7019 - Notice of NIST SP 800-171 Assessment
  • DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment

CMMC Levels

| Level   | Data types            | Requirements                                          | Assessment                                   |
|---------|-----------------------|-------------------------------------------------------|----------------------------------------------|
| Level 1 | FCI only              | 15 (from FAR 52.204-21; earlier CMMC drafts counted 17 practices) | Annual self-assessment                       |
| Level 2 | FCI + CUI             | 110 (NIST SP 800-171)                                 | Self-assessment or C3PAO assessment, every three years |
| Level 3 | FCI + CUI + enhanced  | 110 plus 24 selected from NIST SP 800-172             | Government-led (DCMA DIBCAC), every three years |

Detection Methods

Government-Specific Scanners

| Scanner        | Detects                                                          | CMMC level | Severity |
|----------------|------------------------------------------------------------------|------------|----------|
| cui_marking    | CUI banners and portion markings                                 | 2+         | Critical |
| export_control | ITAR, EAR and ECCN markings                                      | 2+         | Critical |
| gov_identifier | DoD EDI-PI (Electronic Data Interchange Personal Identifier) numbers | All     | High     |

PII Relevant to Defense Contracts

| Scanner      | Relevance                     | Severity |
|--------------|-------------------------------|----------|
| ssn          | Employee/subcontractor PII    | Critical |
| email        | Government communications     | Medium   |
| api_key      | System credentials            | Critical |
| crypto       | Encryption keys               | Critical |
| bank_account | Contract payment data         | High     |

Configuration

Basic Configuration (Level 2)

[policies]
enabled_policies = ["cmmc"]

Level-Specific Configuration

[policies.policy_configs.cmmc]
settings = { level = "2", confidence_threshold = "0.7" }

Configuration Options

| Option                | Description                                   | Default |
|-----------------------|-----------------------------------------------|---------|
| level                 | CMMC level (1, 2, or 3)                       | 2       |
| detect_cui_markings   | Detect CUI banners/markings                   | true    |
| detect_export_control | Detect ITAR/EAR markings                      | true    |
| detect_pii            | Detect PII in defense context                 | true    |
| detect_credentials    | Detect API keys, database connection strings  | true    |
| confidence_threshold  | Minimum scanner confidence (0.0-1.0)          | 0.7     |

Context Detection

Defense Industrial Base Context

  • Contract terms: prime contractor, subcontractor, DIB, defense contract, teaming agreement
  • DoD terms: DoD, Department of Defense, Pentagon, armed forces, military branch names
  • Program terms: CAGE code, DUNS (legacy; replaced by the UEI in SAM in April 2022), SAM registration, UEI, contract number (DoD PIIDs, e.g. W or N prefixes for Army and Navy)
  • Roles: contracting officer, COR, COTR, program manager, DCMA

Technical Context

  • Technical data: engineering drawings, specifications, schematics, BOMs, ICDs
  • Export control: ITAR, EAR, ECCN, defense article, USML category
  • System terms: CDS, cross-domain, classified system, enclave, authorization boundary
  • Development: source code, firmware, software, algorithm, design document

Contract Vehicle Context

Different contract types affect CMMC applicability:

  • Prime contracts: Direct DoD contracts requiring flow-down
  • Subcontracts: DFARS flow-down requirements apply
  • SBIR/STTR: Small business innovation research with CUI potential
  • GSA Schedule: May include DoD task orders
  • OTA: Other Transaction Agreements with DoD

Supply Chain Context

Multi-tier supply chain indicators:

  • Tier references: Tier 1, Tier 2, subcontractor, supplier
  • Flow-down terms: DFARS flow-down, 252.204-7012, prime requirements
  • Assessment references: SPRS, NIST assessment, POA&M, SSP

Example Context Flow

Finding: Database connection string with credentials
Context: "DFARS contract W52P1J-21-C-0045 subcontractor portal"
Result: Critical violation (CMMC Level 2 - credentials in defense contract context)

Finding: Technical drawing (.dwg file)
Context: File metadata contains "CAGE: 1ABC2" and "ECCN: 9A515"
Result: Critical violation (export-controlled technical data)

Violation Metadata

Each CMMC violation includes:

{
  "policy": "CMMC",
  "severity": "critical",
  "cmmc_level": 2,
  "data_type": "cui",
  "dfars_clause": "DFARS 252.204-7012",
  "sprs_relevant": true
}
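As an added illustration, not code from Aquilon DLP, the following Python models the context-escalation logic that the Context Detection sections and the Example Context Flow describe, and emits metadata shaped like the violation record above. It pulls DoD contract numbers, CAGE codes, ECCNs and CUI banners out of the text around a finding, decides whether the finding sits in a defense context, applies the level gate for the "2+" scanners and the confidence threshold, and runs the page's two context-flow examples plus a no-context control. The term lists, identifier regexes, `Finding` structure and `evaluate` function are assumptions made for this example, not the product's scanner definitions.

```python
import re
from dataclasses import dataclass, field

# Context vocabulary modelled on the page's Context Detection lists. The term sets and
# identifier patterns are this example's assumptions, not Aquilon's scanner definitions.
DIB_TERMS = {
    "prime contractor", "subcontractor", "dib", "defense contract", "teaming agreement",
    "dod", "department of defense", "pentagon", "dfars", "dcma", "contracting officer",
    "flow-down", "252.204-7012", "sprs", "poa&m", "ssp",
}
EXPORT_TERMS = {"itar", "ear", "eccn", "defense article", "usml"}

# DoD procurement instrument identifier, e.g. W52P1J-21-C-0045:
# 6-character DoDAAC, 2-digit fiscal year, 1-letter instrument type, 4-character serial.
CONTRACT_RE = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-[A-Z0-9]{4}\b")
CAGE_RE = re.compile(r"\bCAGE:?\s*([A-Z0-9]{5})\b")                # 5-character CAGE code
ECCN_RE = re.compile(r"\bECCN:?\s*(\d[A-Z]\d{3})\b")               # e.g. 9A515
CUI_BANNER_RE = re.compile(r"\b(?:CUI|CONTROLLED)//[A-Z0-9/\-]+")  # e.g. CUI//SP-EXPT

# Base severities and level gates taken from the page's scanner tables.
BASE_SEVERITY = {
    "cui_marking": "critical", "export_control": "critical", "gov_identifier": "high",
    "ssn": "critical", "api_key": "critical", "crypto": "critical",
    "bank_account": "high", "email": "medium",
}
MIN_LEVEL = {"cui_marking": 2, "export_control": 2}   # the "2+" scanners
DATA_TYPE = {
    "cui_marking": "cui", "export_control": "cui", "gov_identifier": "pii", "ssn": "pii",
    "email": "pii", "bank_account": "financial", "api_key": "credential", "crypto": "credential",
}


@dataclass
class Finding:
    scanner: str            # scanner that fired, e.g. "api_key"
    path: str               # where the match was found
    context: str            # surrounding text or file metadata handed to the policy
    confidence: float = 1.0


@dataclass
class Context:
    dib: bool = False
    export_control: bool = False
    contracts: list = field(default_factory=list)
    cage_codes: list = field(default_factory=list)
    eccns: list = field(default_factory=list)
    cui_banners: list = field(default_factory=list)


def _has_term(text: str, terms) -> bool:
    # Whole-word match so that "ear" does not fire on "clear" or "year".
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def analyze_context(text: str) -> Context:
    """Extract the defense-context signals the CMMC policy escalates on."""
    low = text.lower()
    ctx = Context(
        contracts=CONTRACT_RE.findall(text),
        cage_codes=CAGE_RE.findall(text),
        eccns=ECCN_RE.findall(text),
        cui_banners=CUI_BANNER_RE.findall(text),
    )
    ctx.dib = bool(ctx.contracts or ctx.cage_codes) or _has_term(low, DIB_TERMS)
    ctx.export_control = bool(ctx.eccns) or _has_term(low, EXPORT_TERMS)
    return ctx


def evaluate(finding: Finding, level: int = 2, confidence_threshold: float = 0.7):
    """Return violation metadata shaped like the page's example, or None when the
    finding is below threshold, out of scope for the level, or has no defense context."""
    if finding.confidence < confidence_threshold:
        return None
    if level < MIN_LEVEL.get(finding.scanner, 1):
        return None                      # CUI/export scanners only apply at Level 2+
    ctx = analyze_context(finding.context)
    is_cui = (finding.scanner in ("cui_marking", "export_control")
              or bool(ctx.cui_banners) or ctx.export_control)
    if not (ctx.dib or is_cui):
        return None                      # ordinary finding; the general policies handle it
    severity = "critical" if is_cui else BASE_SEVERITY[finding.scanner]
    return {
        "policy": "CMMC",
        "severity": severity,
        "cmmc_level": level,
        "data_type": "cui" if is_cui else DATA_TYPE[finding.scanner],
        "dfars_clause": "DFARS 252.204-7012" if level >= 2 else "FAR 52.204-21",
        "sprs_relevant": level >= 2,
        "path": finding.path,
        "evidence": {"contracts": ctx.contracts, "cage_codes": ctx.cage_codes,
                     "eccns": ctx.eccns, "cui_banners": ctx.cui_banners},
    }


# Constructed sample findings following the page's two context-flow examples, plus a control.
SAMPLES = [
    Finding("api_key", "portal/config/database.yml",
            "DFARS contract W52P1J-21-C-0045 subcontractor portal"),
    Finding("export_control", "shares/eng/bracket.dwg",
            'File metadata contains "CAGE: 1ABC2" and "ECCN: 9A515"'),
    Finding("api_key", "app/.env", "postgres://svc:pw@db.internal/app"),  # no defense context
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.path, "->", evaluate(f))
```

The third sample is the important negative case: the same credential scanner fires, but with no contract, CAGE, ECCN or DIB vocabulary around it the CMMC policy stays silent and leaves the finding to the general credential policy. Running the first sample with `level=1` shows the other edge: the violation is still raised, but tagged to FAR 52.204-21 and marked not SPRS-relevant, because Level 1 has no NIST SP 800-171 assessment to affect.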

Compliance Reporting

SPRS Score Support

Query findings that may affect your Supplier Performance Risk System (SPRS) score:

-- All CMMC findings by severity
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'CMMC'
GROUP BY severity
ORDER BY count DESC;

Pre-Assessment Audit

Before a CMMC assessment:

-- Critical CUI exposures requiring remediation
SELECT path, scanner, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'CMMC'
  AND severity = 'critical'
ORDER BY timestamp DESC;

Best Practices

By CMMC Level

Level 1 (FCI only):

  • Focus on basic PII protection
  • Monitor for accidental data spillage
  • Annual self-assessment, with an annual affirmation recorded in SPRS

Level 2 (CUI):

  • Enable all CUI detection settings
  • Implement continuous monitoring
  • Document findings for POA&M
  • Prepare for the triennial assessment (C3PAO for most CUI contracts; self-assessment where the contract allows it)

Level 3 (Enhanced):

  • Strict alerting on any detection
  • Integration with SIEM
  • Real-time incident response
  • Prepare for the government-led assessment conducted by DCMA DIBCAC

SPRS Score Impact Assessment

Aquilon DLP findings can identify gaps affecting your SPRS score:

Score-Impacting Findings (point values from the DoD NIST SP 800-171 Assessment Methodology; a DLP finding is evidence that the requirement is not met, and the deduction is taken once per unmet requirement, not once per finding):

  • Unencrypted CUI at rest → SC.L2-3.13.16 (1 point); unencrypted CUI on mobile devices or mobile computing platforms → AC.L2-3.1.19 (3 points)
  • Passwords or credentials stored or transmitted in plaintext → IA.L2-3.5.10 (5 points)
  • Missing access controls on CUI systems → AC.L2-3.1.1 (5 points)

Using DLP for SPRS Improvement:

  1. Query critical findings to identify control gaps
  2. Map findings to NIST SP 800-171 controls
  3. Document remediation in POA&M
  4. Re-scan to verify remediation
  5. Update SPRS score with improved controls
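The following Python is an added example, not part of this page or of Aquilon DLP, that carries steps 1 to 3 above through on the score-impacting findings listed earlier: it takes finding rows of the kind the CMMC query returns, maps each to a NIST SP 800-171 requirement, deducts that requirement's DoD Assessment Methodology value once rather than once per finding, and then applies two of the 32 CFR 170.21 tests that decide whether the remaining gaps may sit on a POA&M under a conditional Level 2 status. The `FINDING_TO_REQUIREMENT` mapping and the sample rows are constructed for the example; the requirement weights are the methodology's published values for those four requirements.

```python
from collections import defaultdict

# Point values from the DoD NIST SP 800-171 Assessment Methodology (v1.2.1) for the
# requirements this example maps findings to; extend the table from the methodology itself.
WEIGHTS = {"3.1.1": 5, "3.1.19": 3, "3.5.10": 5, "3.13.16": 1}
MAX_SCORE = 110          # all 110 requirements implemented
CONDITIONAL_MIN = 88     # 80% of 110: floor for a conditional Level 2 status with a POA&M

# Hypothetical mapping from DLP finding type to the requirement the finding most directly
# evidences. An assumption for this example; the real mapping is an SSP/assessor decision.
FINDING_TO_REQUIREMENT = {
    "credential_plaintext": "3.5.10",        # passwords not cryptographically protected
    "cui_unencrypted_at_rest": "3.13.16",    # confidentiality of CUI at rest
    "cui_on_mobile_unencrypted": "3.1.19",   # CUI on mobile devices/platforms
    "cui_world_readable": "3.1.1",           # access not limited to authorized users
}


def sprs_gap_report(findings):
    """findings: iterable of (finding_type, path) rows.

    Deducts once per unmet requirement, not once per finding, which is how the
    assessment methodology scores; finding types with no mapping are returned
    separately so a human can map them before they count against the score."""
    by_req = defaultdict(set)
    unmapped = []
    for ftype, path in findings:
        req = FINDING_TO_REQUIREMENT.get(ftype)
        if req is None:
            unmapped.append((ftype, path))
            continue
        by_req[req].add(path)
    deduction = sum(WEIGHTS[r] for r in by_req)
    return {
        "score": MAX_SCORE - deduction,
        "deduction": deduction,
        "gaps": {r: {"weight": WEIGHTS[r], "findings": sorted(paths)}
                 for r, paths in sorted(by_req.items())},
        "unmapped": unmapped,
    }


def poam_eligibility(report):
    """Two of the 32 CFR 170.21 tests for a conditional Level 2 status: score at or
    above 88, and no open requirement worth more than 1 point. The 3.13.11 exception
    and the rule's other conditions are not modelled here. Open POA&M items must be
    closed within 180 days of the conditional status."""
    blocking = [r for r, g in report["gaps"].items() if g["weight"] > 1]
    eligible = [r for r, g in report["gaps"].items() if g["weight"] == 1]
    return {
        "conditional_status_possible": report["score"] >= CONDITIONAL_MIN and not blocking,
        "must_close_before_assessment": blocking,
        "poam_eligible": eligible,
    }


# Constructed sample rows, the kind a CMMC-policy query of aquilon_dlp_alerts might return.
SAMPLE_FINDINGS = [
    ("credential_plaintext", "portal/config/database.yml"),
    ("credential_plaintext", "build/deploy.sh"),
    ("cui_unencrypted_at_rest", "shares/eng/drawings/bracket.dwg"),
    ("cui_world_readable", "shares/eng/drawings/bracket.dwg"),
    ("gov_identifier", "hr/roster.csv"),   # no direct requirement mapping in this example
]

if __name__ == "__main__":
    report = sprs_gap_report(SAMPLE_FINDINGS)
    print(report)
    print(poam_eligibility(report))
```

On the sample rows the two plaintext-credential findings cost 5 points once, not twice, and the score lands at 99, above the 88 floor; the conditional status is still unavailable because 3.5.10 and 3.1.1 are 5-point requirements, which cannot be carried on a POA&M. In practice that means "document findings for POA&M" in the Level 2 guidance applies only to 1-point gaps; credential and access-control exposures have to be remediated and re-scanned before the assessment, which is exactly what step 4 above is for.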

Level-Based Remediation Priorities

Level 1 Remediation Focus:

  1. Remove FCI from unauthorized locations
  2. Ensure basic access controls on FCI systems
  3. Document FCI boundaries

Level 2 Remediation Focus:

  1. Eliminate CUI spillage outside enclave
  2. Implement encryption for CUI at rest and in transit
  3. Remove hardcoded credentials from CUI systems
  4. Document in System Security Plan (SSP)

Level 3 Remediation Focus:

  1. Zero tolerance for any critical findings
  2. Implement advanced threat detection
  3. Enhanced logging and monitoring
  4. Prepare for government assessment evidence

Assessment Preparation

  1. Inventory: Use Aquilon to discover where CUI resides
  2. Categorize: Map findings to CMMC practice requirements
  3. Scope: Define assessment boundary using DLP data
  4. Remediate: Address critical exposures before assessment
  5. Document: Export findings for POA&M evidence
  6. Evidence: Generate compliance reports for assessors
  7. Monitor: Maintain continuous compliance post-assessment