Excuses that won’t work for your CMMC assessment

Public Safety Announcement for #CMMC and DIBCAC assessments of 800-171 compliance.

“My _________ is scheduled to occur in January and we haven’t reached January yet.”

– said too many Organizations Seeking Certification

Do not try to use this excuse to explain why you lack evidence for performing an 800-171 requirement! Your assessor will not be sympathetic.

What is __________?
👊 Full self-assessment
👊 Ongoing monitoring of controls
👊 Incident Response Testing
👊 Risk Assessment
👊 Vulnerability scanning
👊 Capture baselines
👊 Update log settings
👊 Search for FCI/CUI on public assets
👊 Manage organizational cryptographic keys
👊 Sanitize FCI/CUI from assets before reuse or disposal
👊 Change Management
👊 Monitoring activity

Network was built last week? No excuse.

Your third-party assessor will expect to see a MINIMUM of one example of you performing each requirement, even if you just stood up your network yesterday.

If you are assessed and fail a requirement because you had not yet performed it, plan to perform that requirement TWICE before you are re-assessed, to show that you are capable of performing it over time. (This is what was taught to provisional assessors and may change as the CMMC Assessment Process is revised.)

Success in CMMC is about mindset

CMMC compliance works best if you buy in wholeheartedly, no matter how stupid and wasteful it seems.

When you were a teen, were you ever sarcastic to your parents with the assumption that they were too dumb to figure it out? 😈 (I was)
Turns out, assessors, like parents, can tell when you are angry and trying to weasel out of work. Assessors tend to dig harder when they get that impression.

CMMC Level 2 is incompatible with taking shortcuts.

Some other CMMC excuses that won’t work

Here are some other common excuses that don’t work either:
1) “I don’t have any CUI, therefore my network doesn’t need to be secure.”
2) “I won’t accept CUI onto my network, therefore my network doesn’t need to be secure.”
3) “My single laptop is disconnected from the network and stored in a locked safe, therefore all requirements are met.”
4) “We use a FedRAMP authorized cloud, therefore every requirement is met.”
5) “We will delete the CUI after we work on it, so my network doesn’t need to be secure.”
6) “That is a Contractor Risk Managed Asset, so I don’t need to do any security for it at all.”

Did I miss a common excuse? Have you heard of anyone successfully using these excuses?

