Frequent Findings from the Most Recent Joint Surveillance Voluntary Assessments (BETA)


As a Registered Practitioner Organization, BSC is directly involved with the CMMC Cyber-AB organization and attends multiple meetings and town halls to stay current on the CMMC landscape. While no official CMMC assessments will be performed until rulemaking is completed, here are some of the common issues that arose during the voluntary beta assessments.

Organizations are having a hard time with FIPS validated encryption.

FIPS 140-2 is a standard that handles cryptographic modules and the ones that organizations use to encrypt  data at rest or transmitted. FIPS 140-2 has 4 levels of security, with level 1 being the least secure and level 4 being the most secure. Most tools are compliant with this requirement but you have to understand the tool, as many, such as BitLocker require an additional setting that many organizations are not using.

Many organizations don’t use Multi Factor Authentication

Multi Factor Authentication (MFA) and Two Factor Authentication are electronic authentication methods in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. Many organizations just use a user id and password, and MFA is new to them. There are many ways implement MFA and it comes in many different price ranges. We can help you find a cost-effective option.

Risk Assessments are too informal

A risk assessment is the process of identifying what security vulnerabilities exist, or may appear in the workplace, how they may cause harm and taking steps to minimize harm. Many organizations track risks but do not use a formal process. A risk assessment is an ongoing task that should be reviewed regularly.

Inconsistent or no Vulnerability Scanning

Vulnerability Scanning is the process of identifying security weaknesses and flaws in systems and software running on them. This is an integral component of a vulnerability management program, which has one overarching goal – to protect the organization from breaches and the exposure of sensitive data. This, along with phishing tests, may be one of your most important tools to secure your organization. There are many tools available at different price ranges, but they all use the same database of vulnerabilities. The key is to find the most cost-effective solution for your organization.

Audit Logs are not reviewed

SIEM tools collect, aggregate, and analyze volumes of data from an organization's applications, devices, servers, and users in real-time so security teams can detect and block attacks. SIEM tools use predetermined rules to help security teams define threats and generate alerts. A SIEM tool is expensive, and depending on the size of your organization, buying a SIEM tool may not be cost-effective. You need to assess the requirement against your security posture and look at other options such as managed services or in some cases a much simpler tool.

Incident Response Tests are rarely performed

Incident response testing is critical to bolstering an organization's cyber-defenses against potential threats. By implementing incident response plan testing, you can be better prepared to handle various types of threats, secure sensitive data, and minimize disruptions to business continuity. BSC can facilitate your initial test that you can then perform on your own in the future. The key is to also have a robust test report as objective evidence so the activity can be assessed.

How can BSC Help?

BSC has a proven track record with current CMMC references of helping businesses of all sizes meet the CMMC requirements. As a Cyber-AB Registered Practitioner Organization, we have tools, templates and the expertise to tailor them for your organization and help lay the foundation for a compliant and more secure environment. Give us a call or send us an email for a free one-hour consultation to discuss your needs. Call Philip Norton at 703-405-7131 or email me at Also visit our web site at