**This is the 2021 UPDATE...we have clarified even more about ongoing CMMC development and have added a hard copy version, if needed**Changes include: 1) The latest FAQs and expectations for 2020 and beyond CMMC implementation efforts, 2) alignment of security controls with the most recent CMMC version 1.0 release, and 3) addition of sample control write-ups for inclusion in company Systems Security Plans and Cybersecurity policies. This manual is created to help the small and big business owner in meeting the newest in cybersecurity contracting requirements to conduct business with the Department of Defense (DOD). The CMMC is a wide-ranging certification process with security controls most aligned with federal National Institute of Standards and Technology (NIST) cybersecurity guidance. The gravest weakness of these security controls is that they tell you what to do, but not how to do them. That is the purpose of this book. It provides the how-to best approach and answer the security control or at least where to proceed for how to fully implement the stated cybersecurity measure. The requirement to protect information and data is not just limited to the financial services, insurance, and health care sectors. It is difficult to identify a federal or industrial sector that escapes some responsibility to protect its electronic data. Indeed, some areas deal with more sensitive information, so it is not a surprise that the DOD recently took steps to have its contractors provide "adequate security" for "Controlled Unclassified Information (CUI). CMMC is in its early throes of its roll out. This is a first edition where the author's over 20 years in cybersecurity controls and security engineering is intended to help. Don't expect DOD to be ready for a while. This book will help you and your IT staff start the challenge of CMMC.This manual is created to help the small and big business owner in meeting the newest in cybersecurity contracting requirements to conduct business with the Department of Defense (DOD). The CMMC is a wide-ranging certification process with security controls most aligned with federal NIST standards. The gravest weakness of these security controls is that the tell you what to do, but not how to do them. That is the purpose of this book. It provides the how-to best approach and answer the security control or at least where to proceed for how to fully implement the stated cybersecurity measure.The requirement to protect information and data is not just limited to the financial services, insurance, and health care sectors. It is hard to identify a federal or industrial sector that escapes some responsibility to protect its electronic data. Indeed, some areas deal with more sensitive information, so it is not a surprise that the DOD recently took steps to have its contractors provide "adequate security" for "covered defense information (CDI)," which includes Controlled Unclassified Information (CUI).