More CMMC programs stall between the decision and the announcement than at any other point. The controls have consultants, the SSP has templates, but nobody hands the CEO the words for standing in front of the workforce and making the program real. This installment walks through that step, with working samples you can adapt: the announcement memo, the department head memo, the employee FAQ, and the kickoff agenda.
Here is a pattern I see repeatedly in real engagements. Leadership makes the CMMC decision. A budget number gets penciled in. Someone is told to look into consultants. And then months pass, because the next step is not a purchase or a policy. It is an organizational act: telling your own people that the company is taking on a program that will change how some of them work, naming who owns which pieces, and putting your own name on it. There is no template for that in any control framework, and it is the step executives most often ask me to help draft. So here it is, walked through in order, with the drafts.
This step is not corporate ceremony. It has direct assessment consequences. CMMC Level 2 includes an entire Awareness and Training family, and a C3PAO assessment includes interviews with the people who actually handle CUI: machinists, engineers, quality inspectors, front office staff. If those interviews reveal a workforce that has never heard of the program, does not know what CUI is, or cannot say who to ask, the paperwork upstairs stops mattering. Assessors are specifically trained to detect the gap between what the documents claim and what the organization actually does, and the fastest way to expose that gap is to ask a line employee a simple question.
The announcement also does something the org chart cannot: it converts the program from an IT initiative into a company commitment. Employees calibrate to what leadership visibly cares about. A program introduced by the IT manager in a routine email reads as an IT problem. The same program introduced by the CEO, with names attached and a reason grounded in the business, reads as the company's direction. That difference shows up eighteen months later in whether people follow the new procedures when nobody is watching, which is, in the end, what the entire framework is trying to produce.
Do not announce a program that has no owners. A memo that says "we are pursuing CMMC" without saying who is responsible for what is a press release, and your organization will treat it like one. Before anything goes to the full company, leadership should settle three assignments.
The executive sponsor. The senior leader who owns the program's success, controls its budget, and clears roadblocks. In a small or midsize contractor this is usually the CEO, the president, or the owner. Under CMMC this role has real teeth: a senior official personally affirms the company's compliance, so the sponsor is not a figurehead.
The program lead. The person who runs the work day to day: tracks the plan, chases the evidence, coordinates the consultant if you engage one, and reports progress to the sponsor. Often the IT lead, but not necessarily. The best program leads are organized and respected across departments, because most of the work is getting other people to do things.
The department owners. CMMC requirements land on departments that do not think of themselves as having security duties. HR owns pieces of personnel screening and training records. Facilities owns physical access. Quality owns document control habits. Contracts owns flowdowns. Engineering and the shop floor own how CUI moves through production. Mapping each requirement family to a named owner is its own piece of work, and it is worth doing formally as a responsibility matrix before launch, because it is the difference between a program and a wish. This is work I regularly do with clients at the start of an engagement, and it is the single best predictor I have of whether a program will move.
Sent from the CEO, company wide. Plain language, business reasons, names, and a place to bring questions. Highlighted fields are placeholders to replace. This draft assumes the company has engaged outside help; if you have not, remove that paragraph, though as the memo shows, naming the consultant openly answers the "who is this person walking around our shop" question before it gets asked.
Team,
I want to tell you about a company commitment that will involve all of us over the coming months.
As many of you know, much of our work supports the Department of Defense, directly or through our customers. The government now requires companies like ours to prove that we protect the sensitive technical information we handle, through a program called the Cybersecurity Maturity Model Certification, or CMMC. This is not optional and it is not paperwork for its own sake. Meeting this requirement is what keeps us eligible for the defense work that supports our jobs, and falling short would put that work at risk. I have decided we will meet it properly.
Starting [month], we will be implementing our CMMC Level 2 program, assisted by David Koran & Associates. David is a CyberAB Registered Practitioner Advanced who works onsite with defense contractors like us, and you will see him in the building working with our team. When you do, he is here at my request, helping us get this right.
Here is what this means in practice:
Two things I want to be direct about. First, no one is in trouble. If you see something in your area that does not match how we say we do things, tell [program lead name] or your supervisor. Finding those gaps now is exactly what this phase is for, and I would far rather hear about a problem from you than from an assessor. Second, this is a long program measured in months, not weeks, and I will keep you updated as we hit milestones.
This certification protects the work we have and positions us for work we want. Thank you in advance for taking it seriously.
Goes to managers and supervisors one or two days before the all-employee announcement, so the people who will field questions are never learning about the program at the same moment as their teams.
On [date], I am announcing our CMMC Level 2 program to the full company. You are getting this first because your teams will bring their questions to you, and I want you ahead of them, not beside them.
The attached announcement is what everyone will receive. Beyond it, here is what I need from each of you:
Questions about the program go to [program lead name]. Concerns about feasibility, resourcing, or timing in your department come straight to me.
Posted on the shop floor bulletin board, the intranet, or attached to the announcement. Its job is to answer the questions people will not raise in a meeting, in words that do not require a compliance background.
The Cybersecurity Maturity Model Certification. It is the Department of Defense's way of verifying that companies in its supply chain protect sensitive technical information. To keep doing defense work, we have to earn and keep this certification.
What is CUI?Controlled Unclassified Information. It is not classified, but the government requires it to be protected. For us, it typically means [customer drawings, specifications, technical data, and the files our own team creates from them, such as programs, process sheets, and inspection records]. If you work with that material, this program involves you.
Does this change my job?For most people, it changes some habits, not the job. Certain files will move through approved systems instead of personal email or thumb drives, some areas and systems will have tighter access, and everyone will get short training on recognizing and handling CUI.
Who is the outside consultant I keep seeing?David Koran of David Koran & Associates is helping us build the program. He works for us, at [CEO name]'s request. If he asks how something in your area really works, answer plainly. He is here to help us find and fix the gaps before the formal assessment.
What if I notice something that seems wrong?Tell [program lead name] or your supervisor. Nobody gets in trouble for surfacing a problem during this program. Finding problems now is the entire point of this phase.
What happens if we do not do this?Companies without the required certification become ineligible for the defense contracts that require it. This program is how we protect that work.
Who do I ask about anything else?[Program lead name], [contact details].
The meeting that comes before everything above. Ninety minutes, the full leadership team, no delegates. If you are working with a consultant, this is a natural session for them to co-lead, since the questions that surface here are the ones an experienced practitioner has answered a hundred times.
Drafting the memo is the visible part. Underneath it sits the work the memo depends on: mapping where CUI actually moves through your operation, building the responsibility matrix your department heads will accept, and sequencing the program so the announcement is followed by visible progress instead of silence. That is the work I do onsite, at the start of a readiness engagement, and it is why the launch step stops being hard once the underlying picture is clear.