Deretti Cyber Labs CMMC Desk · Desk

CMMC.

A calm explainer for the CMMC program.

This resource explains what CMMC (Cybersecurity Maturity Model Certification) actually requires, what the words mean, and how the machinery works — cited to primary sources throughout.

01What this is

Is

A plain-language reference and learning desk for the CMMC program — what it requires, what the words mean, how the machinery works, what to expect, in reading order or as look-up. Broad, source-traceable, no jargon.

Is for

Defense-subcontractor owners/GMs who sign affirmations; IT leads at subs; MSPs/ESPs serving DIB clients; prime-contractor supply-chain readers who need to understand what they are asking of subs.

Is not

Certification preparation, assessment consulting, legal advice, a framework, a checklist product, or a substitute for the primary sources it cites.

02Where the rollout stands

Rollout status

The program is in Phase 1 — self-assessments in new solicitations. Phase 2, C3PAO certification where applicable, begins 2026-11-10. The System covers all four phases and what changes at each. 32 CFR 170.3(e)

03Start by role

Start Here opens with the signals that tell you whether any of this applies before you pick a route. Four routes live there — here’s the question each one answers.

04The desk map

The reference pages in the CMMC desk and what each one covers
PageWhat it covers
The SystemWho runs CMMC, which rule answers which question, and how the four-phase rollout works.
The LevelsWhat Level 1, 2, and 3 actually require, and who assesses each one.
The DataFCI and CUI, defined precisely, and where each tends to hide in ordinary business systems.
Scope & BoundaryThe five asset categories, enclave trade-offs, and what an MSP or cloud provider is actually responsible for.
Evidence, SSP & POA&MWhat proof looks like, the System Security Plan, POA&M mechanics in full, and how an assessor examines, interviews, and tests.
The AssessmentWhat actually happens during an assessment, Conditional vs. Final status, and what Level 3 adds.
Myths vs RulesEight common misconceptions, checked against what the rule actually says.
FAQTwelve questions, answered in the order a reader actually asks them.
GlossaryTwenty-four terms defined the way they’re actually used — not an acronym dump.
Source LibraryA bibliography and reading guide: which document to open for which question.

See also Domains — the 14 security-requirement families, one page each.

Practical guides

Six task-shaped pages that compress the reference body into working order — for when you have the specific job in hand rather than a reading afternoon.

The CMMC desk practical guides and what each one covers
GuideWhat it covers
Level 1, in practiceThe 15 requirements, the annual self-assessment, SPRS entries, and the affirmation — the FCI level end to end.
The contract clausesProvisions vs clauses, how 7012 / 7019 / 7020 / 7021 / 7025 relate, the 2026 renumbering, and a plain decision path.
SPRS, explainedWho posts what through which path, CMMC UIDs, and what a contracting officer actually sees.
Gap analysisChecking yourself against the NIST SP 800-171A objectives before anyone official does.
The implementation pathThe order the work tends to happen in, with a plain reader checklist.
By roleCompact summaries for executives, technical leads, and compliance owners.

05Independence note

This desk is independent educational material. It is not affiliated with, endorsed by, or representing the U.S. Department of Defense, the Cyber AB, or any C3PAO. CMMC is a DoD program — act on the primary sources this desk cites, and on your own advisors.