Public Sector Blog

CMMC Spotlight: Real-World Certification and Inheritance Insights for the Defense Industrial Base

LisaHaywood, Microsoft
Mar 25, 2025

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to enhance the cybersecurity posture of the Defense Industrial Base (DIB) and verify implementation of existing DFARS regulations. Its primary goal is to protect sensitive data—such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)—from cyber threats.

The CMMC framework is made up of three maturity levels, each with defined cybersecurity practices and processes. For organizations supporting DoD contracts, achieving Level 2 or 3 certification is essential for compliance and plays a critical role in safeguarding national security.

In this spotlight, we feature a conversation with Derek Kernus, CEO of Aethon Security Consulting, who shares how his team supports customers on their CMMC journey—and how they’ve become a certified provider themselves.


This Q&A is based on a real information-sharing session, with all sensitive or proprietary information removed.

Q&A with Derek Kernus, CEO, Aethon Security Consulting

Q: Can you tell me a little bit about your company and what you do?
A: Derek Kernus: Aethon Security Consulting is a Managed Security Service Provider (MSSP) that works almost exclusively in the CMMC space. We also handle some HIPAA requirements, but our main focus for the past five years has been on CMMC requirements.

Q: What category do you put yourselves in, and why is that different from other categories?
A: Derek Kernus: We categorize ourselves as an External Service Provider. We provide a tailored program for Organizations Seeking Certification (OSC), primarily focusing on CMMC Level 2 requirements. We help design and build environments that make sense for their business operations, provide continuous security monitoring services, and generate the required documentation on behalf of the OSC.

Q: I heard you recently became certified for CMMC yourselves. Can you tell me about that?
A: Derek Kernus: Yes, we did. We became certified at CMMC Level 2 to lower the level of effort in our clients' assessments and to show the market that we know what it takes to earn the certification. We built an environment that demonstrates our security protection assets and processes, which can now be inherited by our clients. The inheritance will ultimately lower the cost as well as the time and effort needed by the OSC in the assessment.

Q: What are some key areas where customers can inherit controls from you?
A: Derek Kernus: Customers can inherit controls based on our Shared Responsibility Matrix. For example, we can conduct risk assessments and security monitoring on their behalf. However, some controls, like background screenings, must be handled by the clients themselves.

Q: How do you help customers think about protecting data beyond just CMMC requirements?
A: Derek Kernus: We focus on zero-trust principles and least privilege access. We advise clients on proper data segregation within document sharing sites and ensure administrative controls are in place to limit access to only what is necessary.

Q: Can you give an example of a control that defense customers might overlook?
A: Derek Kernus: One example is SC.L2-3.13.11, the FIPS requirement. We had a client concerned about FIPS on their firewall, but since CUI wasn't traversing the firewall, it wasn't necessary. Understanding the nuances of such requirements is crucial.

Q: What are some important elements for providing a defensible position in CMMC assessments?
A: Derek Kernus: It's essential to understand the terms used in NIST 800-171 and to have a clear data flow diagram. Flexibility in meeting control requirements is allowed, but it should not compromise good security practices, and it should adhere to the intent of the CMMC practices and assessment objectives.

Q: What documents should defense contractors read to protect CUI properly?
A: Derek Kernus: Contractors should refer to all the documents on the DoD CIO's website under "CMMC Resources & Documentation". They should also develop a familiarity with multiple supporting documents including NIST 800-171A, NIST 800-63B, NIST 800-88, and the DoD procurement toolbox. These documents provide guidance on meeting CMMC requirements and protecting CUI. Last but not least, contractors subject to CMMC should maintain an awareness of the memos coming out from DoD that impact CUI security, including the December 21, 2023, memo commonly referred to as the FedRAMP equivalency memo.

Q: What Microsoft tools do you find underrated for achieving CMMC controls?
A: Derek Kernus: Microsoft Purview is a fantastic tool with excellent searching capabilities and data loss prevention policies. Sensitivity labels within Purview help protect data at the file level and strongly support a zero-trust architecture.

Q: How do you use Microsoft Entra in your environment?
A: Derek Kernus: We use conditional access policies to tailor security policies for different users and devices. Entra ID is a core component in the design of a zero-trust architecture that meets CMMC requirements.

Q: Any parting thoughts or tips for defense contractors?
A: Derek Kernus: Conducting a gap analysis with a Certified CMMC Assessor before the assessment is a good insurance policy. Proper, thorough documentation is critical for a smooth assessment process.

Q: Thank you for your time.
A: Derek Kernus: Thanks, Lisa.

Share Your CMMC Journey with the Community

The path to CMMC certification is complex—and your experience can help others navigate it more effectively. We're looking to feature stories from organizations who are actively working through, or have completed, their CMMC journey.

If you have insights, lessons learned, or practical tips, we’d love to highlight your perspective. Your story could offer meaningful guidance to peers across the broader Microsoft Public Sector Tech Community.

To share your experience, please contact Lisa Haywood at lisahaywood@microsoft.com.

Resources

For additional guidance and tools to support your CMMC readiness, explore these Microsoft resources:
