April 16, 2021

Last Updated on January 15, 2024

The Cybersecurity Maturity Model Certification (CMMC) standard from the US Department of Defense (DoD) will impact hundreds of thousands of organizations over the next few years—and not just within the defense industrial base (DIB). Other federal juggernauts, including the General Services Administration (GSA) and the Department of Homeland Security (DHS), are already putting CMMC compliance language in upcoming contracts.

Impacted businesses will need to pass a third-party certification audit against one of five CMMC maturity levels. Of those hundreds of thousands of businesses, most will be required to meet CMMC Level 1. Known as “Basic Cyber Hygiene,” this is the minimum set of cybersecurity “practices” (17 controls in all) necessary to safeguard Federal Contract Information (FCI).

If yours is among the countless businesses that need to demonstrate CMMC Level 1 compliance, what do you really need to do?

John Verry, Pivot Point Security’s CISO and Managing Partner, talks straight to business owners about that critical question on a recent special edition of The Virtual CISO Podcast. John has the unique and valuable perspective of being both a highly experienced cybersecurity assessor and the founder and owner of Pivot Point Security.

“CMMC Level 1 is a really interesting beast to me,” shares John. “Because what the CMMC framework says you need to do and what I think is the best way to do that… differ.”

“Take CMMC Level 3, for example,” John continues. “CMMC Level 3 has a great deal more formality than CMMC Level 1. You need to have policies that document your practices. And you need to have something called a System Security Plan (SSP).”

An SSP defines the information—FCI and/or CUI—and that’s in scope for your CMMC environment. Your SSP also defines how that information flows to you, how it’s generated within your organization, who you’re sharing it with, and what systems, people and processes interact with that information. Further, your SSP describes how each of the controls your CMMC level requires you to implement actually protects the data that’s in scope.

“For CMMC Level 1, you don’t need an SSP and you don’t need the associated policies,” John clarifies. “But here’s where it gets interesting…”

CMMC Level 1 certification requires you to engage with a third-party assessor. That person’s job is to find at least two forms of objective evidence of “persistent and habitual” execution of each of the 17 CMMC Level 1 controls.

No evidence equals no CMMC Level 1 certification. No certification equals no business with the DoD going forward.

As John states: “That assessor walks in your door and says, ‘How do you do this?’ If you haven’t taken the time to document that, how do you tell him how you do that? And if you haven’t taken the time to document that, how do you know that you have the evidence to support that?”

“So this is a huge business risk,” emphasizes John. “Screw the technical risk—the business risk is the really big risk here, right?  A lot of business owners listening to this are now saying, ‘Oh crap, if I don’t get this certification, I’m going to lose my contracts!”

That’s why John advocates putting in some extra effort to mitigate that massive risk: “I would argue that the best way to achieve CMMC Level 1 is to develop an SSP, and within that SSP to document those policies, how you actually achieve those 17 practices, and how you evidence that.”

“The beautiful thing about that becomes, as the biz owner, I’ve got one document that I can grab hold of, and say to anyone whose throat I need to choke, ‘Guys, do we have this crap?’ You need to be in a position where you have all this stuff when the assessor walks in the door,” John argues.

In other words, you want to lead your assessor by the nose. That way you have more control over the audit process, especially the end result.

“What you don’t want is for the assessor to walk in there and say, ‘What do you have?’ and you say, ‘What are you looking for?’” Then you’re just opening up your kimono,” John jokes. “What you really want to do is say to the assessor, ‘Here’s everything I think you’re going to need for your audit.’”

“Many times, I’m chatting with people now on the phone and they’re saying, ‘I looked at the standard and it says I don’t need that.’ And I’m, like, ‘Yeah, I know. But…’” reasons John. “As a business owner, this is Risk Management 101. If I can put a little more effort in, and be assured of success, I’m going to take it every time.”

What’s Next?

Need to make sure your company gets a CMMC Level 1 certification?

Don’t miss our special episode of The Virtual CISO Podcast on CMMC Level 1, available here. If you prefer not to use Apple Podcasts, click here.

For more information: