The part of CMMC that lands on HR

The Cybersecurity Maturity Model Certification (CMMC) program is how the Department of Defense is phasing in verified cybersecurity requirements across its contractor base — tying the long-standing NIST SP 800-171 controls to an actual assessment before certain contracts can be awarded. Most of the conversation is about IT: encryption, network boundaries, logging, multifactor authentication. But a meaningful slice of those controls is fundamentally about people — who is allowed near controlled information, whether they were screened and trained, and whether you can produce the records to prove it.

That's the part that quietly falls on HR and recruiting, and the part small contractors are least prepared for. This article is about getting the workforce side ready. To be clear up front: CMMC certification is something the contractor's information systems earn through an assessment; this is a guide to preparing your people and personnel records so they don't become the weak link. It is not legal or assessment advice — confirm your specific level, scope, and assessment path with your assessor and contracting officer. (If you're new to the broader compliance regime, the DCAA-compliant timekeeping and OFCCP self-identification pieces cover adjacent GovCon obligations.)

Personnel security: who is allowed to touch CFCI/CUI

A core idea behind the underlying controls is least privilege — people should have access only to the information their role requires. On the HR side, that translates into a few concrete obligations:

  • Screen people before granting access. The personnel-security family expects that individuals are screened before being authorized to handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). For many roles this looks like a documented background check (run cleanly under the FCRA adverse-action process); for export-controlled work it intersects with US-person status and ITAR/EAR eligibility.
  • Tie access to role, not to tenure or convenience. When someone changes roles, their access should change with them. "They've been here forever so they can see everything" is exactly the posture an assessor probes.
  • Have a defined onboarding and offboarding access flow. Access granted on day one must be revoked on the last day. A clean, dated offboarding process — accounts disabled, badges and devices recovered, access logs updated — is not just good hygiene; it's evidence for a personnel-and-access control.

Awareness and training: it's not real unless it's recorded

The controls include security awareness and role-based training — and crucially, the expectation that you can show it happened. An assessor doesn't take "we tell everyone to be careful" as satisfying a control. They look for:

  • Initial security-awareness training at onboarding, with a completion record per person.
  • Recurring (typically at least annual) refresher training, again recorded.
  • Role-based training for people with specific responsibilities (privileged users, those handling CUI).
  • Records that survive turnover — a completion log that doesn't evaporate when the person who tracked it in a spreadsheet leaves.

This is the single most common workforce gap: organizations do the training but can't prove it on demand. Treating training as dated, assignable tasks inside your onboarding workflow, with completion timestamped and retained, turns "we think everyone did it" into a record you can hand an assessor.

The evidence problem: documentation, not good intentions

A CMMC-style assessment is fundamentally an exercise in producing evidence. For the people-related controls that means being able to pull, quickly:

  • Who currently has access to FCI/CUI, mapped to their role and a current need.
  • The screening record that authorized each of those individuals.
  • The training-completion history for everyone in scope, current and recurring.
  • The offboarding record showing access was revoked when people left.
  • Records retained for as long as your contract and the applicable retention rules require — coordinate this with your broader recruiting and personnel records retention schedule rather than inventing a separate one.

If those records live in scattered spreadsheets and email threads, an assessment becomes a fire drill. If they live in a system that tracks the task, the owner, and the completion date, the same request is a report you run.

A practical pre-assessment checklist for the people side

You don't need to solve CMMC from HR — but you can make the workforce controls a non-issue:

  • Map access to roles. Know, on paper, which roles touch FCI/CUI and what each needs. Kill standing access nobody uses.
  • Make screening a gate, not an afterthought. No access to controlled information until the documented screening clears, applied identically to everyone in scope.
  • Make training assignable and recorded. Initial plus recurring, role-based where required, with per-person completion you can export.
  • Make offboarding revoke access on schedule. Same-day deprovisioning, logged.
  • Keep the records together and retained. One place an assessor can be shown screening, training, access, and offboarding evidence — not a treasure hunt.

The bottom line

CMMC is an IT-led program, but the workforce controls — personnel screening, least-privilege access, recurring recorded training, and disciplined offboarding — are where small contractors quietly lose points, almost always on evidence rather than intent. None of it requires heroics; it requires that the right people be screened before they get access, that training actually gets recorded, and that access ends when employment does. Run those as tracked, dated steps in the same hiring and onboarding workflow you already use, keep the records together and retained, and the people side of the assessment stops being the thing that holds up your award.