What happens when a group of cybersecurity practitioners has a dark sense of humor and too much time on their hands? Well... this is it! This is not affiliated with the DoD, CMMC-AB or CMMC-COE. This is an independent project to help those dealing with Cybersecurity Maturity Model Certification (CMMC) compliance issues. We support any effort to fix CMMC and transform it into a viable, scalable Supply Chain Risk Management (SCRM) solution for the US Defense Industrial Base (DIB).

On a serious note, we've seen a "money grab" as CMMC has become its own cottage industry and we wanted to do something to help those in the DIB by providing a starting point to understand what possible technology options exist.

This information is "use at your own risk" so you are fully-expected to do your own due diligence and due care when selecting any product or service, otherwise you are an idiot and you seriously should not be supporting the DIB in the first place! Seriously.

CMMC Center of Awesomeness (CMMC-COA)

The CMMC Center of Awesomeness (CMMC-COA) project is a volunteer effort. We received a lot of input and recommendations from cybersecurity practitioners who are very experienced in NIST SP 800-171 and CMMC. These valuable insights are what made this project useful, since what might work for PCI DSS, HIPAA, SOC 2, etc. does not necessarily mean it will work for CMMC, based on the data-centric nature of protecting regulated data, which is Federal Contract Information (FCI) for CMMC Levels 1-2 and Controlled Unclassified Information (CUI) & FCI for CMMC Levels 3-5.

The CMMC-COA is an attempt to help the DIB attain CMMC awesomeness! This is a free resource to help those in the DIB get pointed in the right direction. The idea behind the way information is presented is that the size of an Organization Seeking Certification (OSC) best determines the budget/staffing/complexity more than any other single aspect. That is why the technology solutions are proposed according to the following organization size guidelines:

  • Micro-small (<20 employees/staff)

  • Small (20-100)

  • Medium (101-200)

  • Large (201-2,000)

  • Enterprise (2,000+ - think Fortune 500 expectations)

Neutral Explanation of What CMMC Is

If you are new to​ CMMC and want to get a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, you can click on the image to the left to read the "Defense Acquisitions: DOD’s Cybersecurity Maturity Model Certification Framework" from the Congressional Research Services (CRS). This document is meant to help educate members of Congress on CMMC, so it is about as neutral as anyone could expect an overview to be.

It is full of references that you can go read on your own to gain mastery of this subject. The better educated you are, the better the DIB is in general. We want you to educate yourself, so that when you start looking at solutions to become compliant or speak with consultants, you are fully educated on the subject and will not be taken advantage by some douchebag claiming to solve all your CMMC issues with their magical solution or services. They are out there, so education is your best defense!

"Good Security" Follows The CIAS Quadrant Model

Just to make it painfully clear, we feel it is important to point out that NIST SP 800-171 and CMMC only focus on the CONFIDENTIALITY and INTEGRITY of regulated data (specifically CUI and FCI). This does not equate to "good security" for the overall organization, just minimal requirements for an OSC to contractually fulfill its obligation to protect its client's data (e.g., DoD's FCI and CUI data).

The four pillars of a modern cybersecurity program are Confidentiality, Integrity, Availability and Safety and that should be the guiding concept that you use when evaluating and selecting any technology solutions for your organization:


Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.


Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.


Availability addresses ensuring timely and reliable access to and use of information.


Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.

CMMC Focuses On "Good IT Hygiene" Practices

NIST SP 800-171 and CMMC are more focused on good IT practices more than hardcore cybersecurity practices. This is quite evident when you breakdown the various processes and practices to People, Processes & Technology (PPT) :

  • Tasks Assigned To Application/Asset/Process Owner

  • Tasks Assigned To Cybersecurity Personnel

  • Tasks Assigned To IT Personnel

  • Configuration or Software or Hardware or Outsourced Solution

  • Configuration or Software Solution

  • Hardware Solution

  • Software or Hardware Solution

  • Software Solution

  • Technical  Configurations (e.g., security settings)

© 2021. CMMC Center of Awesomeness (CMMC-COA)

The operator of this website disclaims any liability whatsoever for the use of this delightfully entertaining and educational website. Use the CMMC-COA at your own risk. The CMMC-COA is not meant to be politically correct, so it is your profound mistake if you think it is meant to be.


If you have compliance questions, you really, really, really need to consult a competent cybersecurity professional to discuss your specific needs. This website is for educational purposes only and does not render professional services - it is not a substitute for dedicated professional services from a competent cybersecurity professional. There is no endorsement of any kind for products or services listed on this website - It is entirely your responsibility to conduct appropriate due diligence and due care in selecting and engaging with a product or service in your implementation of the CMMC practices and processes.

We do not warrant or guarantee that the information will not be offensive to any person. You are hereby put on notice that by accessing and using the website, you assume the risk that the information and documentation contained in the web site may be offensive and/or may not meet your needs and requirements. The entire risk as to the use of this website, or its contents, is assumed by you. If you don't like these terms, then tough shit - don't use the website or any of the content it provides... go do your own research and work, since it will be good for you.


​We reserve the right to refuse service in accordance with applicable statutory and regulatory parameters.

  • White LinkedIn Icon
  • White Facebook Icon
  • White Twitter Icon
  • White Google+ Icon