Common Challenges and Pitfalls to Becoming CMMC Compliant.

Pitfalls and challenges

Any organization that works with the DoD or is part of a DoD prime contractor supply chain must be compliant with CMMC 2.0. While there is some question as to the actual timeline of when full compliance will be required, many subcontractors are discovering that their primes are not waiting and they need to be compliant NOW. While a number of contractors already have some safeguards in place to protect DoD information, many businesses have discovered that they still have a lot of work to do. The following includes BSC Systems’ experience with the types of pitfalls that organizations have run into when trying to meet these requirements.

Required Documentation

We have found that many organizations have not bothered with documentation. There are key documents that must be in place to be CMMC compliant. In addition, you need valid documentation that reflects what you actually do. Please don’t try to use someone else’s documentation and cut and paste in your company name. We often see this and it will not pass a CMMC assessment. You need documentation that is current and reflects your organization, along with objective evidence that the policies and procedures have been implemented for months if not years. Key documents required include a complete System Security Plan, Policies and Procedures, and an Incident Response Plan. BSC has templates for all of the required documents and can help tailor them for your organization.

System Security Plan

A NIST 800-171 compliant System Security Plan (SSP) is a document that outlines an organization's approach to meeting the requirements set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This publication provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations, including contractors and subcontractors that work with the DoD and potentially other agencies in the future.

The plan should detail how the organization meets each of the 110 security requirements specified in NIST SP 800-171, including the implementation of access controls, incident response procedures, and continuous monitoring processes. The SSP should be updated periodically to reflect changes in the organization's security posture and to address any new risks that may emerge, and at a minimum once a year. Make sure that your plan is current and complete and that there is evidence of periodic review and update, as this is one of the biggest artifacts required.

Policies and Procedures

While the implementation of your technical controls may be sound, without the policies and procedures to support it, you’ll have a hard time maintaining consistency and PROVING you have a seasoned security program in place. Furthermore, while CMMC does not clearly specify that policies and procedures are required for each of the 14 control families, many prime contractors are refusing to even assess their subcontractors until they have policies and procedures in place for each of the control families. For example, you should provide clear documentation about the way event logs are collected, stored, and analyzed, and have detailed documentation about the access controls you have in place. This documentation will also prove invaluable during any assessments and will help the reviewer get you through the process. Lastly, documented procedures will need to be both implemented and mature, with the ability to show a history of artifacts that support the documentation.

Incident Response Plan (IRP)

The IRP is a documented and structured approach to addressing and managing cybersecurity incidents or data breaches. It provides a clear set of guidelines and procedures to follow in the event of an incident, with the goal of minimizing damage, containing the incident, and restoring normal operations as quickly as possible. The incident response plan outlines a series of actions to take when an incident is identified or suspected, including: (1) detection of the incident, (2) containment and isolation of affected systems, (3) investigation and analysis of the incident, (4) notification of relevant stakeholders and authorities, (5) remediation and recovery of systems and data, and (6) post-incident review and reporting. Having a well-defined incident response plan in place can help organizations respond more quickly and effectively to cyber threats, minimize the impact of incidents, and maintain business continuity. It is an essential component of a comprehensive cybersecurity strategy. As with all documents, the plan must be reality-based and reflect your organization and your IR approach. This will be the basis for how your IR strategy is assessed. You also need to test the plan annually and ensure your staff are knowledgeable about its content and their responsibilities.

Continuous Monitoring

Compliance is not a one-time process, but an ongoing process that requires constant monitoring and improvement. Many of the controls have an annual requirement, such as IR testing and Security Awareness Training. A continuous monitoring schedule can assist with this to ensure that the staff can plan for these activities and keep them current. Also, many of the controls are ongoing, such as vulnerability scanning, which is part of your continuous security regimen. Bottom line: none of this is “one and done”, and in order to be successful, you must continue to perform these activities before, during and after any assessment activities. Additionally, these activities and tools must be updated to support the evolving threat landscape. BSC has a detailed Excel modeling spreadsheet that can be customized to your organization to assist with continuous monitoring.
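The continuous monitoring schedule described above can be kept as a small tracker rather than a mental note: each recurring activity records when it was last performed, how often it must recur, and where the objective evidence lives, and the tracker reports what is overdue or coming due. The following is an added example written for this page; it is not BSC's spreadsheet or any product's code. The control names are drawn from the text (SSP review, IR plan test, awareness training, vulnerability scanning), while the dates, evidence paths and the 30-day scan cadence are constructed assumptions for illustration, not CMMC-mandated values.

```python
"""Recurring-control tracker for a continuous monitoring schedule.

Added example, not code from the page or from BSC. All dates, evidence
paths and the scan cadence below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RecurringControl:
    name: str              # activity as it appears in the SSP / P&P
    period_days: int       # how often the activity must recur
    last_completed: date   # date of the most recent evidence artifact
    artifact: str          # where the objective evidence is filed (assumed path)

    def next_due(self) -> date:
        """Next date by which fresh evidence must exist."""
        return self.last_completed + timedelta(days=self.period_days)


def classify(control: RecurringControl, today: date, warn_days: int = 30) -> str:
    """Return OVERDUE, DUE_SOON (within warn_days) or OK for one control."""
    due = control.next_due()
    if today > due:
        return "OVERDUE"
    if (due - today).days <= warn_days:
        return "DUE_SOON"
    return "OK"


def schedule_report(controls, today: date, warn_days: int = 30) -> dict:
    """Map each control name to (status, next_due_date_iso)."""
    return {
        c.name: (classify(c, today, warn_days), c.next_due().isoformat())
        for c in controls
    }


def overdue_names(controls, today: date) -> list:
    """Sorted names of controls whose evidence has lapsed as of `today`."""
    return sorted(c.name for c in controls if classify(c, today) == "OVERDUE")


# Constructed sample schedule. The annual items reflect the text; the
# 30-day vulnerability scan cadence is an assumption for this example.
SAMPLE_CONTROLS = [
    RecurringControl("SSP annual review", 365, date(2023, 5, 1),
                     "evidence/ssp-review-2023.pdf"),
    RecurringControl("IR plan tabletop test", 365, date(2024, 2, 15),
                     "evidence/ir-test-2024.pdf"),
    RecurringControl("Security awareness training", 365, date(2023, 7, 10),
                     "evidence/training-2023.csv"),
    RecurringControl("Vulnerability scan", 30, date(2024, 2, 20),
                     "evidence/scan-2024-02.csv"),
]

if __name__ == "__main__":
    as_of = date(2024, 4, 1)  # constructed assessment-prep date
    for name, (status, due) in schedule_report(SAMPLE_CONTROLS, as_of).items():
        print(f"{status:9} {name:30} next due {due}")
```

Run as-is it evaluates the sample schedule as of the constructed date 2024-04-01, flagging the lapsed vulnerability scan as overdue and the SSP review as due within 30 days. Pointing each entry at its evidence artifact is deliberate: an assessor asks for the history of artifacts, not just the plan, so the tracker and the evidence folder should stay in step.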

Failing to Define a System Boundary

Contractors are required to handle Controlled Unclassified Information (CUI), which is not classified information, but still must be protected by law. A common problem is that companies often fail to locate or partition the CUI they store. The result is that the controls they use to protect CUI are too broad, which leads to unnecessary costs and extra work. If you can identify and segregate where your CUI is stored, you can limit the need to implement all of the controls enterprise-wide. The key is to identify and monitor where all of your CUI is located so a system boundary can be put in place. Let us know if BSC can help define your partition and ensure your CUI is securely managed.

How can BSC Help?

BSC has a proven track record with current CMMC references of helping businesses of all sizes meet the CMMC requirements. As a Cyber-AB Registered Practitioner Organization, we have tools, templates and the expertise to tailor them for your organization and help lay the foundation for a compliant and more secure environment. Give us a call or send us an email for a free one-hour consultation to discuss your needs. Call Philip Norton at 703-405-7131 or email me at Also visit our web site at