CMMC Basics: What You Need to Know

Overview

CMMC is the Cybersecurity Maturity Model Certification, a U.S. Department of Defense program for protecting sensitive government information. If your company does work for the DoD or its contractors, CMMC may apply to you. This article explains what it means for your everyday work.

Before You Begin

  • Confirm with your manager whether your role touches government contracts.
  • Ask which type of controlled information you may handle: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
  • Locate your company's CMMC handbook or policy if one exists.

Steps

  1. Learn the two main data categories. FCI is information provided by the government that is not for public release. CUI is more sensitive and carries stricter handling rules. Both require care.
  2. Recognize CUI markings. Documents and emails will often carry a banner that reads CUI at the top, the bottom, or both. Treat anything with that marking as restricted.
  3. Store CUI only in approved systems. Your company's CMMC-aligned environment is the right place. Personal email, consumer cloud storage, and unmanaged USB drives are not.
  4. Use multi-factor authentication on every account that touches FCI or CUI. This is required, not optional.
  5. Encrypt before you send. When you email CUI to an outside party, use the encryption option your administrator showed you. If you do not see one, ask.
  6. Lock your workstation any time you walk away. CMMC auditors check for unlocked screens during site visits.
  7. Report incidents fast. A lost laptop, a misdirected email, or a suspicious login attempt all need to go to your security team the same day.
  8. Complete your annual CMMC awareness training when prompted. Skipping it can put a contract at risk.

Troubleshooting

  • If you are not sure whether a file is CUI: check for markings. If none are visible but the content feels sensitive, ask the file's owner before you forward or save it elsewhere.
  • If a contract suddenly requires CMMC: loop in your security team early. CMMC controls take weeks to roll out, not hours.
  • If a coworker emails CUI to a personal address: report it. Even an accidental leak counts.
  • If you travel internationally with a device that holds CUI: stop and check with your security team. Some countries trigger export-control issues.

Need More Help?

Submit a ticket at support.bostonmit.com or email support@bostonmit.com.