CMMC Compliance: Understanding the Delta20

Are you a government contractor that handles CUI (Controlled Unclassified Information)? If so, you’re likely making the steps toward NIST 171 compliance, or you’ve already achieved compliance under NIST-171.

Does the idea of implementing new controls under the Delta20 seem incredibly daunting?

We’ve got a secret for you: Not only is the Delta20 easier to obtain than you might think, but you’re likely already following some of the controls if you’ve achieved compliance under NIST-171.

Ten Delta20 Practices You’re Likely Already Doing because of NIST-171:                                               

  • Policy/Procedure
    • AM.3.036 – Define procedures for the handling of CUI data
    • SC.3.193 – Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g. forums, LinkedIn, Facebook, Twitter)
  • Process
    • AU.2.044 – Review Audit Logs
    • IR.2.093 – Detect and report events
    • IR.2.094 – Analyze & triage events to support event resolution/incident declaration
    • IR.2.096 – Develop & implement responses to declared incidents according to predefined procedures
    • IR.2.097 – Perform root cause analysis on incidents to determine underlying causes
    • RM.3.144 – Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, sources, and measurement criteria
    • RM.3.146 – Develop & implement risk mitigation plans
    • SA.3.169 – Receive & respond to cyber threat intelligence from information sharing forums and sources; communicate to stakeholders

Five Delta20 Practices You May Already Be Doing Based on Best Practices:

  • AU.3.048 – Collect audit information (e.g., logs) into one or more central repositories
  • RE.2.137 – Regularly perform and test data backups
  • RE.3.139 – Regularly perform complete, comprehensive, and resilient data backups as organizationally defined
  • SC.2.179 – Use encrypted sessions for the management of network devices
  • SI.3.218 – Employ Spam protection mechanisms at information system access entry and exit points

Five Delta20 Practices You May NOT Be Doing:

  • RM.3.147 – Manage non-vendor supported products (e.g., end of life) separately and restrict as necessary to reduce risk
  • CA.3.162 – Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk
  • SC.3.192 – Implement Domain Name System (DNS) filtering services
  • SI.3.219 – Implement email forgery protections
  • SI.3.220 – Utilize sandboxing to detect or block potentially malicious email

At Sentar, have years of experience helping Federal contractors throughout all industries obtain their compliance with the cybersecurity controls, such as those specified in the Cybersecurity Model Maturity Certification (CMMC) standard. As a DoD contractor, we have the experience to prepare your organization for the accreditation (audit), perform the accreditation, or advise on how to reduce the impact of the requirements.

We hope this list makes you feel more confident on tackling the Delta20. If you have any questions on how to implement the Delta20 or achieving CMMC compliance, we encourage you to reach out to Chandler Hall today at to schedule a complementary phone call.

Read more about Sentar’s CMMC compliance solutions here.

Share This Post

Stay up to date with the latest news.