CMMC Fitness – 12 Months To Get Your OSC In Shape author avatar


The blog post been guest written by our colleagues over at Edwards Performance Solutions. As CMMC Training Program Manager, Joy Beland oversees the curriculum development and live instructor training for CMMC-AB approved certification courses at Edwards. Her contact information is below the post.

CMMC - What is it?

The Department of Defense (DoD) estimates that at least 350,000 U.S. businesses in the Defense Industrial Base (DIB) who contract with the DoD must undergo a cybersecurity assessment and certification to participate in upcoming contracts. This program, referred to as the Cybersecurity Maturity Model Certification or CMMC, is being rolled out in phases from 2021-2025, and already showing up as a requirement for award in some “pilot” contracts. Each year, more contracts will begin to include CMMC requirements. Organizations Seeking Certification (or OSCs), as well as their subcontractors and 3rd party service providers, may be required to achieve an assessment certification at either CMMC Level 1 or CMMC Level 3, depending on the type of information they handle as part of servicing DoD contracts to continue working with the DoD.


CMMC 12 Month OSC Timeline

This is not new information, but it is the first time OSCs will be required to prove their cybersecurity maturity level before being awarded a contract. Many small businesses who hold long-standing DoD contracts are concerned about the resources (both staff and funding) needed to meet these requirements. After all, cybersecurity is all we hear about these days, and most small businesses who receive proposals to get their cyber controls in order are overwhelmed and under-funded. It’s difficult to break the problem into digestible pieces and make progress. So, below is my breakdown for CMMC fitness – monthly goals to aim for CMMC preparedness in a year.


  Understand the type of information (FCI or CUI) you maintain and how it flows throughout your company.

This is demonstrated best in a data flow diagram, which is different from an infrastructure diagram. A data flow diagram will include information systems, business units, connections, and permissions.  Ask yourself – where does FCI or CUI enter our business? Trace it through each application, user, device, business unit, and storage.

  From your data flow diagram, create the infrastructure diagram and complete an inventory of all systems, users, devices, and services.


  Clearly identify the systems, users, devices, and services that interact with the FCI or CUI data. This is the initial scope. 

Can that be reduced as a footprint? Is there remote access capability to store the data on the prime contractor site without storing it on your network? Is there a way to limit access to fewer people? How about having only one location handle the data instead of multiple sites? And, do you have the ability to set up an “enclave” that only certain people have access to, both digitally and physically?

  Identify risks and vulnerabilities on the network with a full security assessment.


  Conduct an 800-171 assessment along with the CMMC Delta20 assessment, and generate a Plan of Action and Milestones (POA&M).


  Take the POA&M and determine how to best clear priority items (items that have the most impact by checking off multiple boxes) and assign resources (funding and staff) over a five month period.

You are at the six month mark – use this time to align resources, secure leadership support, and plan for success using project management skills.

  Tackle the biggest POA&M items over months seven through ten.

Be sure to schedule weekly meetings to monitor progress and keep your goals in the forefront.

  Review the Information Security policies to see how they match up with the CMMC domains.

If you want to achieve Maturity Level 3 certification or higher, each domain and practice must align with a policy.

  Work with the team to create procedures for each practice as it is confirmed or implemented according to the POA&M.

Make sure the procedures map back to at least one policy.

  Work with the business unit leader responsible for each policy (or even at the procedure level) to understand future resourcing needs.

Develop a resourcing plan to prove commitment to each practice. The plans can be one-to-many for the practices, as it makes sense.

  Send at least one team-member to a Certified CMMC Professional (CCP) course for training.

The target audience for this course is internal IT, IT consultants, and assessors themselves. This foundational level course covers the CMMC assessment process end to end, so your team will know exactly what to expect in the formal assessment (and is well worth the one-time cost). That individual (or multiple team members) might also consider participating in a formal assessment with a C3PAO as a 1099 contractor, to gain experience in an actual assessment. Network with C3PAOs to determine if this makes sense for your business.

  Bring in an RPO or C3PAO to confirm your readiness for the CMMC assessment.

Your on-staff CCP will help reduce the work involved in this, saving you money.


Depending on the size of your business and the level of certification you seek, this 12-month plan might be unrealistic. However, the general flow and steps remain the same for most OSCs, whether the timeframe is shorter or longer. Some OSCs bring in an RPO or C3PAO to help with the 800-171 and CMMC Delta 20 assessment early on; but if your internal team is robust, you may not need this. There will be caveats for every business as no two businesses are the same, especially when it comes to cybersecurity. Nevertheless, having a roadmap to follow and setting goals for each milestone will help immensely.


Edwards Performance Solutions

Be sure to communicate with the stakeholders in every step. And, if you need assistance, reach out – at Edwards Performance Solutions, we are here to shepherd this process, because we’re all in this together.

Joy Beland, CISM | SSAP | CMMC-AB RP, PA & PI

CMMC Program Training Manager


Change in Government Fiscal Year author avatar

Government Fiscal Year

For clients that operate on a government fiscal year basis, please remember to address the following items in accordance with the year change on October 1st!


  • Establish new task numbers to increment the option year on cost type contracts that continue beyond the end of the current fiscal year
  • Complete the billing setup for the new task numbers
  • Establish new work authorizations
  • Establish new expense authorizations

May Be Required*

  • Enter the new accounting year
  • Enter the accounting periods for the new accounting year
  • Establish timesheet periods for October 2019 – September 2020
  • Establish new task numbers for tracking PTO by fiscal year

*If you operate on a calendar basis but have contracts that operate on a government fiscal year basis, not all of the above items will apply to your company. If that is the case, we recommend focusing on the first 4 items.


Additional Help

If you need help with any of the listed items, please contact your consultant. Depending on which version of the software you are on, some of the items may not be relevant to your company.

Our consulting team can be reached at

Five Potential Changes for HUBZone Certified Contractors – SBA Recap author avatar

HUBZone Map

As announced two weeks ago, we had the opportunity to sponsor the National HUBZone 2019 Conference in Chantilly, VA. There were many great presentations and industry updates, all of which could have a direct impact on HUBZone business in the near future.

Of these presentations, the U.S. Small Business Administration’s agency and regulatory update had potentially the greatest impact on HUBZone contractors. Led by Associate General Counsel, John Klein, the SBA’s team commented on many major changes to legislation that they feel will be made into law by 12/31/21.

Below are our 5 main takeaways from this update, which all focus on proposed changes to HUBZone requirements. It’s important to note that this information is all speculative at this point in time, but these were heavily emphasized throughout the 90-minute presentation:


1) HUBZone status is no longer required at all phases of attaining contract.

Prior requirement – Contractor must be HUBZone certified from the time of offer through time of award.

Proposed change – Contractor only has to be HUBZone certified at either the time of offer or time of award. No longer required for both steps.

Interpretation – Contractors in danger of losing HUBZone certification can still bid on work before losing status, which helps continue cash flow while management readdresses company status. New companies can also bid on work while attempting to become HUBZone certified rather than having to wait for the process to complete. This change should smooth out the work opportunities of companies on both ends of the spectrum. 


2) HUBZone status to drop the minimum requirement from 35% to 20% HUBZone designated employees.

Prior requirement – Contractor must have at least 35% of its employees live in a HUBZone designated area.

Proposed change – Contractor only has to have at least 20% of its employees live in a HUBZone designated area.

Interpretation – The 35% rule is being loosened for HUBZone certification. This could allow for more companies to attempt to become HUBZone certified, as well as HUBZone work to become more competitive. The drop in percentage allows for current certified contractors to have some leeway in employee status.


3) Employees must live in HUBZone designated area for at least 180 days to be considered towards the new 20% requirement. Registering for a voter ID can no longer expedite process.

Prior requirement – Employees could either live in HUBZone designated area for 180 days or register for voter identification to be considered towards the 35% requirement.  

Proposed change – Employees must live in HUBZone designated area for 180 days to meet the new 20% requirement.

Interpretation – While the 35% rule is being loosened, employee status is being tightened. This is mostly done to cut down on any loopholes being exploited in filing for voter registration. Contractors that depend on employee hirings to impact their percentage immediately will have to build in a 180-day buffer. 


4) Employees do not lose HUBZone certification after 180 days, even if they move. However, status is lost once they leave the company.

Prior requirement – In order to count towards the 35% requirement, employees must live in a HUBZone area.

Proposed change – Employees can now move out of HUBZone area as long as they achieved HUBZone status after 180 days. This status is continuous only for that specific employer, and once employment ends, the status is lost.   

Interpretation – SBA mentioned that one of the goals of HUBZone work is economic advancement for employees. They do not want to penalize companies for having employees advance in their careers and afford to move out of economically challenged areas. As long as the company still resides in the economically challenged area, and the employee stays with that company, they feel it is a beneficial to all parties to allow advancement and career growth.


5) The areas determined to be HUBZone designated will be unfrozen after the 2020 Census.

Current Status – The HUBZone map that defines the lines for which areas are economically challenged is currently frozen. SBA is waiting for 2020 Census information before unfreezing the maps.

Once Unfrozen – The estimated timeframe to be unfrozen is 12/31/21. HUBZone certification will continue as it was before the HUBZone map was frozen on 12/07/17. For example, if your company was in an area set for redesignation 3 months after being frozen on 12/07/17, you can expect the redesignation to occur 3 months after 12/31/21 on 03/31/21.


Follow Up Information

If any of the above points interest you or your company, we highly recommend attending this event next year. These are just 5 of the many important updates covered by the Council that effect HUBZone businesses in the near future. For more information, be sure to check in with the HUBZone Council here.

For frequently asked questions about current HUBZone rules and regulations, SBA’s HUBZone information can be found here.

For more information related to these potential changes, SBA has a blog they update regularly with more interpretations and concepts related to updates.