Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
CMMC Executive Series · Part 3 of 6

You signed off on CMMC. Now you have to tell the company.

More CMMC programs stall between the decision and the announcement than at any other point. The controls have consultants, the SSP has templates, but nobody hands the CEO the words for standing in front of the workforce and making the program real. This installment walks through that step, with working samples you can adapt: the announcement memo, the department head memo, the employee FAQ, and the kickoff agenda.

Home CMMC Executive Series Launching the Program

Here is a pattern I see repeatedly in real engagements. Leadership makes the CMMC decision. A budget number gets penciled in. Someone is told to look into consultants. And then months pass, because the next step is not a purchase or a policy. It is an organizational act: telling your own people that the company is taking on a program that will change how some of them work, naming who owns which pieces, and putting your own name on it. There is no template for that in any control framework, and it is the step executives most often ask me to help draft. So here it is, walked through in order, with the drafts.

Why It Matters

An unannounced program is indistinguishable from no program

This step is not corporate ceremony. It has direct assessment consequences. CMMC Level 2 includes an entire Awareness and Training family, and a C3PAO assessment includes interviews with the people who actually handle CUI: machinists, engineers, quality inspectors, front office staff. If those interviews reveal a workforce that has never heard of the program, does not know what CUI is, or cannot say who to ask, the paperwork upstairs stops mattering. Assessors are specifically trained to detect the gap between what the documents claim and what the organization actually does, and the fastest way to expose that gap is to ask a line employee a simple question.

The announcement also does something the org chart cannot: it converts the program from an IT initiative into a company commitment. Employees calibrate to what leadership visibly cares about. A program introduced by the IT manager in a routine email reads as an IT problem. The same program introduced by the CEO, with names attached and a reason grounded in the business, reads as the company's direction. That difference shows up eighteen months later in whether people follow the new procedures when nobody is watching, which is, in the end, what the entire framework is trying to produce.

The assessor will not ask whether you sent a memo. The assessor will ask your employees questions the memo should have answered.
Before the Memo

First, put names on the program

Do not announce a program that has no owners. A memo that says "we are pursuing CMMC" without saying who is responsible for what is a press release, and your organization will treat it like one. Before anything goes to the full company, leadership should settle three assignments.

The executive sponsor. The senior leader who owns the program's success, controls its budget, and clears roadblocks. In a small or midsize contractor this is usually the CEO, the president, or the owner. Under CMMC this role has real teeth: a senior official personally affirms the company's compliance, so the sponsor is not a figurehead.

The program lead. The person who runs the work day to day: tracks the plan, chases the evidence, coordinates the consultant if you engage one, and reports progress to the sponsor. Often the IT lead, but not necessarily. The best program leads are organized and respected across departments, because most of the work is getting other people to do things.

The department owners. CMMC requirements land on departments that do not think of themselves as having security duties. HR owns pieces of personnel screening and training records. Facilities owns physical access. Quality owns document control habits. Contracts owns flowdowns. Engineering and the shop floor own how CUI moves through production. Mapping each requirement family to a named owner is its own piece of work, and it is worth doing formally as a responsibility matrix before launch, because it is the difference between a program and a wish. This is work I regularly do with clients at the start of an engagement, and it is the single best predictor I have of whether a program will move.

The Sequence

Launch in this order

  1. Brief the leadership team first. A working session, not an email. The leadership team hears why the company is doing this, what it costs, what the timeline looks like, and what each of their departments owns. Objections and turf questions get resolved in this room, before the workforce is watching. The sample kickoff agenda below is built for this meeting.
  2. Brief the department heads and supervisors. The people your employees will actually ask. Give them the same story leadership heard, plus the department level specifics, and give them the announcement memo a day or two before it goes out so they are never surprised in front of their own teams.
  3. Send the all-employee announcement. From the CEO, in plain language. What the program is, why it matters to the business, who is running it, what will change, and who to ask. The first sample below is that memo.
  4. Follow through in the first thirty days. The announcement earns you attention once. Spend it: the employee FAQ goes out or gets posted, the first awareness training gets scheduled, and the program lead becomes visible. A launch with no follow-through within a month teaches the workforce the program was talk.
Sample One

The all-employee announcement memo

Sent from the CEO, company wide. Plain language, business reasons, names, and a place to bring questions. Highlighted fields are placeholders to replace. This draft assumes the company has engaged outside help; if you have not, remove that paragraph, though as the memo shows, naming the consultant openly answers the "who is this person walking around our shop" question before it gets asked.

Sample Memo · All Employees
To: All Employees
From: [CEO name], [Title]
Date: [Date]
Subject: Our CMMC Level 2 Program

Team,

I want to tell you about a company commitment that will involve all of us over the coming months.

As many of you know, much of our work supports the Department of Defense, directly or through our customers. The government now requires companies like ours to prove that we protect the sensitive technical information we handle, through a program called the Cybersecurity Maturity Model Certification, or CMMC. This is not optional and it is not paperwork for its own sake. Meeting this requirement is what keeps us eligible for the defense work that supports our jobs, and falling short would put that work at risk. I have decided we will meet it properly.

Starting [month], we will be implementing our CMMC Level 2 program, assisted by David Koran & Associates. David is a CyberAB Registered Practitioner Advanced who works onsite with defense contractors like us, and you will see him in the building working with our team. When you do, he is here at my request, helping us get this right.

Here is what this means in practice:

  • [Program lead name] is leading this program day to day and reports directly to me on it. Questions go to [him/her] first.
  • Each department head owns the parts of the program that touch their area, and they will brief their teams on the specifics.
  • Everyone will receive short training on recognizing and handling controlled unclassified information, the sensitive technical data at the center of all this. It applies to more of our everyday work than most of us realize.
  • Some procedures will change: how we share certain files, who can access certain systems and areas, and how we handle certain drawings and documents. Where a new procedure seems slower than the old way, that is usually the point.

Two things I want to be direct about. First, no one is in trouble. If you see something in your area that does not match how we say we do things, tell [program lead name] or your supervisor. Finding those gaps now is exactly what this phase is for, and I would far rather hear about a problem from you than from an assessor. Second, this is a long program measured in months, not weeks, and I will keep you updated as we hit milestones.

This certification protects the work we have and positions us for work we want. Thank you in advance for taking it seriously.

[CEO name]
[Title]
A note on the drafts: these are starting points, not scripts. The details that make an announcement land, the specific contracts at stake, the department names, the company's voice, are exactly what gets tailored during an engagement. Every client memo I help draft ends up meaningfully different from this one.
Sample Two

The department head memo

Goes to managers and supervisors one or two days before the all-employee announcement, so the people who will field questions are never learning about the program at the same moment as their teams.

Sample Memo · Department Heads
To: Department Heads and Supervisors
From: [CEO name]
Date: [Date]
Subject: CMMC Program: What Your Department Owns

On [date], I am announcing our CMMC Level 2 program to the full company. You are getting this first because your teams will bring their questions to you, and I want you ahead of them, not beside them.

The attached announcement is what everyone will receive. Beyond it, here is what I need from each of you:

  • Own your assignments. The responsibility matrix [program lead name] is distributing maps specific requirements to your department: [e.g., HR owns training records and screening steps; Facilities owns physical access and visitor control; Quality owns document handling; Engineering owns technical data flow]. Review yours before the announcement goes out and raise conflicts now, not in month four.
  • Make time for the working sessions. Over the coming weeks, [program lead name] and our consultant will sit with each department to map how controlled information actually moves through your area. The honest version is the useful version. If the real process differs from the written procedure, that is precisely what we need to see.
  • Set the tone. If your team hears you treat this as an annoyance, they will treat it as one. What I need them to hear from you is simpler: this keeps our defense work, and we are doing it right.

Questions about the program go to [program lead name]. Concerns about feasibility, resourcing, or timing in your department come straight to me.

[CEO name]
If you have not yet built the responsibility matrix this memo references, build it first. Announcing assignments that do not exist yet is worse than delaying the announcement a week.
Sample Three

The employee FAQ

Posted on the shop floor bulletin board, the intranet, or attached to the announcement. Its job is to answer the questions people will not raise in a meeting, in words that do not require a compliance background.

Sample · Employee FAQ One-Pager
What is CMMC?

The Cybersecurity Maturity Model Certification. It is the Department of Defense's way of verifying that companies in its supply chain protect sensitive technical information. To keep doing defense work, we have to earn and keep this certification.

What is CUI?

Controlled Unclassified Information. It is not classified, but the government requires it to be protected. For us, it typically means [customer drawings, specifications, technical data, and the files our own team creates from them, such as programs, process sheets, and inspection records]. If you work with that material, this program involves you.

Does this change my job?

For most people, it changes some habits, not the job. Certain files will move through approved systems instead of personal email or thumb drives, some areas and systems will have tighter access, and everyone will get short training on recognizing and handling CUI.

Who is the outside consultant I keep seeing?

David Koran of David Koran & Associates is helping us build the program. He works for us, at [CEO name]'s request. If he asks how something in your area really works, answer plainly. He is here to help us find and fix the gaps before the formal assessment.

What if I notice something that seems wrong?

Tell [program lead name] or your supervisor. Nobody gets in trouble for surfacing a problem during this program. Finding problems now is the entire point of this phase.

What happens if we do not do this?

Companies without the required certification become ineligible for the defense contracts that require it. This program is how we protect that work.

Who do I ask about anything else?

[Program lead name], [contact details].

Keep this to one page even if it hurts. The FAQ that gets read is the one that fits on the bulletin board.
Sample Four

The leadership kickoff agenda

The meeting that comes before everything above. Ninety minutes, the full leadership team, no delegates. If you are working with a consultant, this is a natural session for them to co-lead, since the questions that surface here are the ones an experienced practitioner has answered a hundred times.

Sample · Kickoff Meeting Agenda
Meeting: CMMC Program Kickoff, Leadership Team
Length: 90 minutes
Owner: [CEO name]
  • Why we are doing this (CEO, 10 min). The contracts at stake, the customer and prime requirements already arriving, and the decision: we are pursuing Level 2 and we are doing it properly.
  • What the program requires (program lead or consultant, 20 min). Plain language walkthrough: what CUI is and where it lives in our operation, the 110 requirements at a summary level, what an assessment examines, and the realistic timeline.
  • Who owns what (program lead, 25 min). The responsibility matrix, department by department. Each leader confirms or contests their assignments in this room. The output is a matrix with every row owned by a name.
  • What it costs and how long it takes (CEO or CFO, 15 min). The budget envelope, the target assessment window, and the resourcing commitments each department is making.
  • The launch plan (CEO, 10 min). The announcement date, the department head briefing, the FAQ, and the first training. Everyone leaves knowing the calendar.
  • Open issues (10 min). Objections, conflicts, and risks, recorded with owners and dates. The rule for this meeting: concerns are raised here, not in the hallway afterward.
The single most important output of this meeting is not enthusiasm. It is a responsibility matrix where every assignment was accepted out loud by the person who owns it.
Where This Fits

The launch is a few weeks. Getting it right is the engagement.

Drafting the memo is the visible part. Underneath it sits the work the memo depends on: mapping where CUI actually moves through your operation, building the responsibility matrix your department heads will accept, and sequencing the program so the announcement is followed by visible progress instead of silence. That is the work I do onsite, at the start of a readiness engagement, and it is why the launch step stops being hard once the underlying picture is clear.

← Previous · Part 2 Determine Which Level Applies to Your Company
About the Author

David W. Koran is a CyberAB Registered Practitioner Advanced and the author of The CMMC Decision, now in its second edition. He works onsite with defense contractors and their counsel, from the first leadership briefing through the pre-assessment review. Reach him at 802-335-2662 or dkoran@davidkoran.com.