CMMC NUGGETS
CMMC certification will soon be a prerequisite for doing business with the DoD. Organizations should begin or continue their readiness efforts, including any necessary upgrades to cybersecurity practices, documentation, and processes.
To support you and your organization with this task, the DTC C3PAO team has written and complied “CMMC Nuggets,” valuable insights into the CMMC certification process. Those nuggets are archived below. If you have any questions or require assistance in preparing for your CMMC assessment, please reach out to our team.
CMMC Nugget Archive
May 20, 2026 Update: As the CMMC certification rollout advances, we’re refining and expanding these nuggets to better support your compliance journey. Check back over the next 10 weeks as our experts share valuable insights and timely guidance.
Tier 1 – Foundation
#1: Knowing Your CUI: Scoping, the CUI Registry, and Supply Chain Risk
Before your organization can implement a single CMMC control, patch a single system, or engage a C3PAO for
#2: Properly Categorizing Your Assets
Now that you know what CUI is and where it comes from (Nugget #1), the next critical step
#3: Finding the Right Fit: Choosing Your C3PAO
By this point in the series you know what CUI is, where it lives, and how to categorize
Tier 2 – Governance & Documentation
#4: The Compliance Foundation: SSP, POA&M, SPRS & Annual Affirmation
You know what CUI is. You have categorized your assets. You understand the certification ecosystem. Now it is
#5: Common Documentation Failures
In Nugget #4 we established the four foundational compliance documents every organization must maintain: the SSP, POA&M, SPRS
#6: Managing Insider Threats with Personnel Security
Technical controls protect your perimeter. Personnel security controls protect you from the inside. According to most industry data,
#7: Security Awareness Training
Did you know that human error accounts for the majority of cyber incidents across all industries? CMMC recognizes
Tier 3 – Architecture & Access
#8: Common Pitfalls of Securing the Architecture
By Nugget #8 you have established your CUI boundary, categorized your assets, selected a C3PAO, built your compliance
#9: Configuration Management Hiccups: Getting CM Right
Every time a system in your CUI environment changes: a new application installed; a firewall rule modified; a
#10: System Identity & Access Management
In Nugget #9 we established that controlling who can make changes to your systems is a core Configuration
#11: Access Controls in Action
Nugget #10 established the IAM framework and covered the foundational access and authentication controls. This nugget goes deeper
#12: Securing the Network and Monitoring
In Nugget #8 we addressed the architectural foundations of a secure environment. This nugget goes deeper into the
#13: MSP and CSP Shared Responsibility Models
As more Defense Industrial Base (DIB) organizations move workloads to the cloud and outsource IT management to managed
Tier 4 – Protection Domains
#14: Physical Security Requirements
In Nugget #13, we looked at how shared responsibility works when MSPs and CSPs sit inside your environment.
#15: Controlling & Performing Maintenance
In Nugget #14 we covered the physical space housing your systems. This nugget covers what happens when someone,