Winding Down: CMMC Setbacks, MCSP Experience, and the Future

This post results from the project “AMSec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on CMMC topics in the context of Additive Manufacturing

If you’ve been keeping up with this blog series you’ll know that throughout the summer I’ve been working diligently on prepping a ComCode client for the Cybersecurity Maturity Model Certification, a new requirement from the Department of Defense in order to be awarded federal contracts. This model was designed to provide increased assurance that these clients can adequately protect sensitive unclassified information. With this increased assurance comes increased restrictions on certain practices within an organization, which can certainly lead to some bumps in the road to certification.

Preparing for any sort of audit can be challenging work, especially if it requires pulling personnel off certain day-to-day activities and having them dedicate themselves solely to this audit, but it becomes even more difficult when that audit is in response to an entirely new framework that your organization, along with thousands of others, are seeing for the first time. While it’s true that the CMMC is based closely on the ISO 2700 controls framework, there are plenty of other strict requirements that may not have been met prior by any particular organization. While I set off to prepare for this certification at the beginning of the summer, I was met with the unfortunate but realistic roadblock that many distributed corporate environments deal with, being able to attribute budget and personnel to a new project that falls outside the typical daily scope of operations.

While this CMMC project was re-scheduled, I was tasked with two other high-level tasks that would greatly benefit the client as well as my own professional experience outside governance and assurance. Although I can’t go into too much detail, these tasks fell into two major categories, application testing, and CIRT/DFIR. When it comes to Application Testing, it’s important to know that securing software goes far beyond using best coding practices, this is why it’s key to test software in a live environment and let someone such as myself take a stab at exploiting either it’s live code as it is executed, or make use of any traffic it may generate for either exploitation or intelligence gathering of the host software user. DFIR (Digital Forensics and Incident Response)/CIRT (Computer Incident Response Team), is a whole other topic that would require countless other blog posts to truly go into, but I highly recommend checking out these blog posts from Kaya Overholtzer and Ian Eubanks, two other MCSP Students, in relation DFIR and Big Data.

While I wasn’t able to stick with CMMC preparation for the entire period of this internship, it still took up the majority and I’m certainly grateful for that. Being hands-on with a new certification model that is quickly developing and actually required for any federal contractors is something that will prepare me for the future when it will most certainly present itself again. I feel familiar with the controls presented, the control domains outlined, and the major documentation requirements for such a large-scale project. Whether or not I continue on into governance and assurance with my career is yet to be determined, but I know I’ll be prepared when the CMMC shows itself again.

Follow us for more updates on this project!  For further questions about Munich Cyber Security Program, or this project please feel free to contact

Written By: Austin Grupposo ’23 // Digital Forensics & Cybersecurity

More Partners
The End: DFIR
CMMC A to Z: Personnel, Physical Protection, and Recovery
Classifying and Securing Devices