Shelby Scott

COOEY Kittens!



The CMMC ecosystem has experienced a major increase in activity in 2024. At DCG, we have seen big primes beginning to ask subs about their compliance efforts, contracting officers looking at SPRS scores for the first time, and the roughly-one-year deadline for companies to achieve an 88 generally looming large. 


This ramp-up has influenced the advice we provide as CMMC consultants. Notably, I’ve seen us lean on a number of new metaphors when describing the most unique attributes of 800-171 implementation. These “CMMC analogies” don’t just help us communicate the model’s distinctive requirements in a memorable way. They support OSCs as they envision the processes that will underpin their company’s compliance efforts. 


Read below to learn more about the analogies we find ourselves using most often with clients, and their CMMC takeaways.


1. CUI KITTENS

CMMC Takeaway: CUI Flow and Control is a crucial process for any successful CMMC program. 


I haven’t completed a work day in weeks that didn’t include hearing my CEO say, “You have to get the kittens in the box.” 


The fable itself is simple: a litter of kittens waddles around a cardboard box as mom prepares to take them to the vet. She turns her back for one second, only to find the cats have scattered across her living room. She scoops them up, one at a time, but soon learns that the time she spends chasing one kitten opens a window of opportunity for those in the box to escape. Again. 


The kittens are your CUI. The box is your enclave (or enterprise, depending on your CMMC approach). 


You can’t catch two kittens at once. This seems intuitive, but in a modern cybersecurity context, working toward several goals at the same time has become ubiquitous. Attempting to track every possible complication or cascading effect, at all times, does not lend itself to progress. Focused, iterative reviews do. 


Your kittens will always exit the box. There is no solution that permanently confines them to the box that does not also permanently separate you from the kittens. 


Therefore, OSCs must construct their CMMC programs with continuous, focused kitten chasing built in.  Resist the urge to envision an escapeless box, or a multi-kitten chase mechanism. Security working groups, dedicated staff, and formal self-assessments are just some of the recommendations we make along this line of reasoning. 


“You have to get your kittens in the box” is a memorable adage that helps to frame client understanding of the need for a structured CUI Flow and Control process in addition to, and in conjunction with, straightforward compliance efforts. How does CUI enter, move through, and exit your system ideally? How does it flow through your system today? And finally, how do we structure ongoing efforts to align (and realign) actual vs. idealized CUI Flow?


2. TENT POLES 

CMMC Takeaway: CMMC compliance is a program, not a project. 


Your dad stands under an unpitched tent. Both hands above his head, he lifts the canvas away from his face one step at a time.  Maybe, just maybe, your mom’s suggestion to practice setting it up before taking the family to the lake for a long weekend fell on deaf ears. You stand back, watching as one corner, then another, is elevated over his hands only to collapse a moment later. 


He forgot to pack the tent poles. 


This may be the most common approach to compliance in the DIB today. Many models work well this way. Set up a stack of documents, button up some architectural changes, and blow the dust off when an assessor knocks on the door. No tent poles needed—we can just hold it in the air while they’re looking. 


Sometimes we find a company setting up their CMMC tent without the structural supports that will make them successful. As discussed above, CMMC is a model that demands both near-perfect compliance and continuous action. These iterative activities require more than capable team members (or ambitious dads!). They call for tent poles: a program, not a project. Unlike one-and-done projects, programs entail organized efforts without an end date. They come not only with an understanding of ongoing activity, but with long-term goals, executive buy-in, and organized, strategic directives.


3. THE CRASH AT THE INTERSECTION 

CMMC Takeaway: Uncertainty. 


This isn’t the first time we’ve discussed ‘the crash’ on this blog. 


“The incoming CMMC final draft has often been described to me as a runaway big mac truck, moments from sliding into a busy intersection against the red light. It will create a crash, but no one quite knows where all of the pieces will end up.”

Small businesses living below the ‘cybersecurity poverty line’ (e.g. their gross income cannot cover the annual cost of compliance) are likely to exit the DIB or be subsumed. Meanwhile, big primes “too big to fail” will submit formal requests for exception (and will either receive them, or cease to exist, depending on the needs of the DoD). Fewer than 300 Certified CMMC Assessors (CCAs) will need to field more than 80,000 companies seeking assessment—and that's without considering the potential impacts of the upcoming presidential election. 


We use this image not to frighten clients, but to demonstrate transparency. No one knows for certain when the Final Rule will drop, how its content might differ from earlier drafts, or when the rollout will be introduced to industry. We shouldn’t pretend to. Communicating this uncertainty is crucial to both relationship building and positioning clients for success, regardless of how ‘the crash’ shakes out.  


Given what the community knows today, we recommend achieving a self-assessed SPRS score of 88 by April 2025. However, this is a recommendation. It is not written as a requirement anywhere. When a client asks why this is, ‘the crash’ metaphor helps us to communicate the uncertainty of the CMMC community at large, alongside many of the complicating factors and stakeholders involved in the potential outcomes. 


CMMC analogies, like all analogies, help to distill complicated concepts down to their most important parts. In our experience, they make the dynamic CMMC regulatory story more accessible to those who must come to know it—or lose their CUI kittens. 

