Nine CMMC Gotchas

Apr 19, 2024 | CMMC, Blog, CMMC 2.0, Compliance, Cybersecurity

For the defense industrial base (DIB), the dark clouds of CMMC are on the horizon. More companies are starting to ponder what it will take to meet CMMC requirements. At Duffy Compliance, we have seen an increase in companies asking for help to prepare.

Meeting those requirements is a daunting task and one that will take some time and effort. While each control has its own challenges, there have been a few “gotcha” issues we have noticed that, if unaddressed, will cause headaches on your journey. With that, here are 9 things to consider that may not be obvious to the casual observer.

1) Failure to identify CUI assets and how they will be handled

Most organizations seeking certification (OSCs) come to us saying they haven’t seen CUI, so they don’t know what kind of CUI they will encounter. However, a quick review of their DIB-related contracts will give them a pretty good idea of what kind of CUI they will be processing once rulemaking is complete. Knowing what kind of CUI to expect is integral to your business processes and workflows, which leads to the second consideration.

2) Not knowing your data flow

If you are unsure what kind of CUI to expect, then you probably also can’t really trace how that CUI will enter, traverse, and exit your system, which exacerbates the next couple of problems listed below. Think about what kind of CUI you will most likely receive and draw a picture of how it progresses through your business. This will help you scope your CMMC assessment boundary, which is next on our list.

3) Failure to scope properly

The CMMC Level 2 Assessment Scope document does a great job of helping OSCs identify what is in (or out) of scope. The problem is, many OSCs either aren’t aware of that document or haven’t really read it. Scoping is a critical first step, and it is very important to get it right. In this step you need to think about your own internal workflows, but also external service providers, software/cloud service providers, security tools, etc.

4) Not identifying assets based on CMMC scoping guidance

If an OSC hasn’t heeded the CMMC scoping document, then they are also unaware of the requirements for identifying and classifying assets into the five asset categories specified in the CMMC program. All your assets (people, technology, equipment, software, service providers) should be reviewed with the intent of placing each one into one of those five categories as dictated by the CMMC scoping guidance document.

5) Not using NIST SP 800-171A to perform self-assessments

This is a big one and will cause you to fail 100% of the time. It is not enough to just look at the 110 practices of CMMC. You must meet all 320 accompanying assessment objectives. For any given control, you must meet (or prove not applicable) every assessment objective; if you meet 6 out of 7, you get no credit for the control. For the most part, it’s all or nothing.

6) Not including internal security policies/procedures/plans to meet AT.L2-3.2.1

To meet the general awareness control, most OSCs sign up with a third-party provider that delivers awareness training and phishing simulations and call it a day. A closer look at assessment objective [d] says: “managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.” Basically, you have a lot of documentation that pertains to the security of your system. Training on those documents is a must.

7) Not addressing all in-scope systems/components

Another big gotcha is when OSCs only focus on the big, obvious system components. For example, the system security plan might say, “We control system access using Active Directory.” And that may be the perfect answer for 75% of your in-scope assets, but you still have to explain how you handle the other 25%. Some examples could be software or networking equipment that can’t be controlled through AD. Go back and look at all your in-scope assets. Those all need to be addressed.

8) Having a set-it-and-forget-it attitude

This one is a culture shift. You cannot be of the mindset that you write a bunch of pretty policies and procedures that you pull out once every 3 years to show the assessor. This is a sure path to failure. Say what you do and do what you say. Keep good records, as you will need to prove it!

9) Lack of commitment

This goes hand in hand with the previous point. The whole OSC staff needs to see that the executive team lives by the same rules they do. Security is everyone’s problem, not just the IT department’s. You must live, breathe, and build it into all aspects of your business.
