6 Ways Businesses Fail Their CMMC Assessment: And How You Can Avoid Them


Passing your CMMC assessment is not simply about having the right tools in place, but about maturity, implementation, and demonstrable discipline. Too often, businesses can fail to attain their certification because of preventable mistakes.
Below are the six most common ways we see businesses fail their CMMC Assessment, in no particular order.
1. Unclear Scoping:
Many organizations fail to clearly define the system boundary for the assessment.
Why this matters: Without a properly scoped environment, assessors cannot validate compliance, and staff will have a difficult time understanding how to work responsibly to secure CUI. A poorly scoped environment can also cost you money: limiting the boundary to the systems and people that actually handle CUI reduces the number of assets you must secure, document, and have assessed.
Start here: Determine how CUI flows through your environment. Here are some initial questions you could ask: What type of CUI do you work with? Who transmits it and how? Where and how is CUI stored or printed? Who or which divisions in the organization need to work with CUI?
2. Lack of Evidence of Artifacts:
Controls are implemented, yet the organization is unable to produce tangible evidence.
Why this matters: Your company may be doing all the right technical and operational things, but without documentation that points to those actions, and the ability to prove that they are happening and that they satisfy the control, you will not meet the CMMC requirements.
Start here: Assessors review whether the policies your organization has in place and the defined processes you follow are adequate to secure the CUI entrusted to you. They may ask to see screenshots, logs, or configuration information. Sometimes they will ask an employee to demonstrate a configuration or walk through a process. Make sure you have a good understanding of the CMMC requirements, then invite your team to review your organization's current policies and processes. Work with your technical resources to get a picture of their ability to safeguard CUI and determine whether your current information system meets the requirements of the program.
3. Outdated or Incomplete System Security Plan (SSP):
The SSP does not reflect the assessment environment.
Why this matters: An SSP serves as the "roadmap" of the organization's security posture and must be accurate and comprehensive. If the SSP is outdated or missing details, it can undermine the entire assessment process! In fact, the SSP is the first document the C3PAO's assessor reviews during Phase 1. An inadequate SSP will cause a hard stop to your assessment and risk a delay in your certification!
Start here: Review each objective (listed as a, b, c, etc.) beneath each security control. Ensure that your SSP refers to your policies and processes. Include the file names of the documents and describe how those policies and processes fully satisfy each control at the objective level. Stretch your fingers: the SSP will be a large document! If your finished document comprises only 25 pages, it is probable that your SSP is inadequate.
4. Plans of Action & Milestones (POA&M):
Open POA&Ms with stale dates.
Why this matters: A CMMC Level 2 Assessment requires that within no more than 180 days from the close of your assessment, all objectives are "met."
Start here: Before your assessment, complete a self-assessment and log a score. Organizations should have a strong or perfect self-assessment score going into Phase 1 of your assessment: each security requirement has an assigned point value of 1, 3, or 5, for a maximum possible score of 110. If you have open POA&Ms, check whether any of them represent 3- or 5-point requirements: if they do, you cannot pass your CMMC Level 2 assessment. A minimum score of 88 is required for a "Conditional" CMMC Level 2 status, and only one-point requirements may remain open. Organizations can use POA&Ms to address those deficiencies over a 180-day timeframe, and the C3PAO will reassess those controls toward a Final Certification.
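To make the scoring rules above concrete, here is a small added example (our own illustration, not an official DoD or C3PAO tool) that computes a self-assessment score from a list of open POA&M items, checks whether a Conditional status is reachable (score of at least 88 with only one-point requirements open), and flags items whose target date falls outside the 180-day window; the requirement IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # full credit when every requirement is met
CONDITIONAL_MIN = 88     # floor for a "Conditional" CMMC Level 2 status
POAM_WINDOW_DAYS = 180   # open items must be met within 180 days of assessment close


@dataclass
class OpenItem:
    requirement: str   # requirement identifier (placeholder values below are constructed)
    points: int        # 1, 3 or 5: the deduction assigned to that requirement
    target_date: date  # planned remediation date recorded on the POA&M


def self_assessment_score(open_items):
    """Subtract each open requirement's point value from the 110-point maximum."""
    for item in open_items:
        if item.points not in (1, 3, 5):
            raise ValueError(f"{item.requirement}: point value must be 1, 3 or 5")
    return MAX_SCORE - sum(item.points for item in open_items)


def poam_review(open_items, assessment_close):
    """Score the POA&M and report what would block a Conditional status."""
    score = self_assessment_score(open_items)
    # Any open 3- or 5-point requirement rules out a Conditional status outright.
    high_value_open = [i.requirement for i in open_items if i.points > 1]
    # Target dates beyond the 180-day window are the "stale dates" an assessor will flag.
    deadline = assessment_close + timedelta(days=POAM_WINDOW_DAYS)
    past_window = [i.requirement for i in open_items if i.target_date > deadline]
    return {
        "score": score,
        "conditional_eligible": score >= CONDITIONAL_MIN and not high_value_open,
        "high_value_open": high_value_open,
        "past_180_day_window": past_window,
    }


# Constructed sample POA&M for an assessment closing on 2024-06-01 (deadline 2024-11-28).
SAMPLE_CLOSE = date(2024, 6, 1)
SAMPLE_ITEMS = [
    OpenItem("REQ-A", 1, date(2024, 8, 15)),   # one-point item, inside the window
    OpenItem("REQ-B", 1, date(2025, 1, 10)),   # one-point item, target date is stale
    OpenItem("REQ-C", 5, date(2024, 9, 1)),    # five-point item, blocks Conditional
]

if __name__ == "__main__":
    print(poam_review(SAMPLE_ITEMS, SAMPLE_CLOSE))
```

Closing REQ-C before Phase 1 would make the sample eligible for a Conditional status, but REQ-B would still need a realistic target date inside the window.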
5. Incomplete Implementation of Controls:
Only a portion of the required controls is operational.
Why this matters: Some organizations implement only a portion of the security and operational controls; CMMC Level 2 requires full implementation.
Start here: Take stock of your organization and environment. Are you clear on what the controls require or are asking you to demonstrate? Do you have the staff to initiate and maintain the efforts required to meet the controls?
6. Lack of Muscle Memory:
An assessor asks for a demonstration, and the staff member is unable to perform it.
Why this matters: If it is obvious that staff are not trained in, or familiar with, applying security procedures in the course of their work, the organization risks failing the assessment and compromising both its own security and our national security.
Start here: Make sure the policies and processes are thoughtfully created, strategically deployed, understood, and enforced across your organization. Train staff, take time to practice the areas under their purview, and make sure they understand their part in securing sensitive data and in contributing to the security and strength of the organization. In the weeks before your CMMC Level 2 assessment, schedule time to practice!
Avoid the Guesswork
You can avoid these common stumbling blocks: at MNS Group, we've helped guide defense and federal contractors through their CMMC Assessments with confidence and clarity.
Reach out to our team today to make sure you are in good shape for your assessment.
