April 2, 2021

Last Updated on January 13, 2024

Government staffing agencies face unique and complex challenges around compliance with the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) framework. Many are discovering that upcoming contracts may require them to comply with CMMC Level 3, a stringent cybersecurity posture needed to handle Controlled Unclassified Information (CUI).

Why are prime defense contractors and other government organizations suddenly mandating CMMC Level 3 requirements for SMBs that typically haven’t handled sensitive government information on their own systems? Do you really need to comply? Can you push back on your customers? Or might CMMC Level 3 compliance actually be a competitive benefit for your business?

To answer all the top questions that government staffing agencies are asking about CMMC Level 3 compliance, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special episode of The Virtual CISO Podcast.

Like many cybersecurity conversations, this discussion starts with defining scope.

“Generally speaking, scope could be considered to be equal to the flow of data that is subject to the CMMC regulation,” explains John. “There are two forms of data that are governed by CMMC: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).”

“If you’re a staffing agency, you’re putting bodies on bases or bodies at agencies,” John continues. “And often these bodies are working on GFE—Government Furnished Equipment. You logically think, ‘Hey, CMMC Level 1 would apply, because I have a federal contract. But I don’t think CMMC Level 3 should apply because I don’t have any CUI in my environment.”

But how do you scope your environment in relation to CMMC requirements? How can you demonstrate to regulators or auditors that you don’t deal with CUI?

“The basis of scoping is to understand what data you have that is FCI, what data you have that is CUI, and then ‘follow the data,’” John clarifies. “How does that data come to you? How is that data processed within your organization, used within your organization, perhaps even created within your organization? Who is that data shared with? Maybe some downstream vendors? … Then how does that data get back to the agency or a prime that you’re working with? That’s what we call the data flow.”

“If you’re familiar with the Payment Card Industry Data Security Standard (PCI:DSS), you might have heard the terms ‘store, process, transit,’” adds John. “Another way to look at this is, does this system, application or individual store, process or transit FCI or CUI? Any system that does is considered in scope [for CMMC].”

What’s Next?

Understanding what data you have within your CMMC scope is a key initial step to addressing your CMMC questions and challenges—because CMMC is all about protecting FCI and CUI.

If you’re involved in government staffing and have concerns about cybersecurity regulations, put this special podcast with John Verry at the top of your must-watch list.

To listen to the show end-to-end, click here. If you don’t use Apple Podcasts, you’ll find all of our podcast episodes here.


New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.