September 23, 2025
CMMC Compliance is a Team Sport
For years I've been telling people that cyber security is not "just an IT problem" -- with limited success -- and now I'm running into a real issue with contractors that have turned over their NIST SP 800-171/CMMC compliance program to IT (or MSP or other third parties), only to learn later that their actual compliance posture is far below what they believed.
Why does this happen? And how can we fix it?
Let's tackle the "why" first:
Hammer-Nail Syndrome
You've heard the old saying, "When you have a hammer in your hand, everything looks like a nail." I find that many IT people have this mindset, that every problem can be solved with technology.
The truth is, only about 30% of the assessment objectives (AOs) in 800-171 can be met strictly with technology. About 30% are strictly administrative functions (policy, process, documentation) and the rest can typically be satisfied either with technology or a process, depending on your organization's unique circumstances.
Too often, IT will read a control and immediately look for a tool (product or service) that meets it, without reading the AOs or the supplemental sections of 171a and the CMMC Assessment Guide (Discussion, Further Discussion, Example, and Potential Assessment Considerations) to see what is actually required. Quite often, IT's assumption is wrong. For example, let's look at the very first AO for the very first control in 800-171a:
3.1.1[a] authorized users are identified.
By far the most common response to this I see in clients' SSPs is some variation of "Authorized users are listed in Active Directory." Nope. For this AO, assessors expect to see a written procedure for identifying users that are authorized to access the CUI environment. The decision to authorize may be made by operations, or maybe HR as a function of the job description. Assessors also expect to see a list of authorized users that is updated when authorized users are onboarded, released or change roles in the organization. None of these activities are under the purview of IT.
IT and Active Directory come into play here:
3.1.1[d] system access is limited to authorized users.
There should be a written procedure for notifying IT to create, update and delete user accounts as users come and go. Assessors expect to see that periodically (at least annually in CMMC) someone compares the list of authorized users to the list of active user accounts to be certain that they match. This should be someone who does not maintain either list, which falls under this requirement:
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
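The periodic comparison described above (authorized-user list versus active accounts) is easy to make repeatable. The following is an added example, not code from the original post or from The Net Effect. It assumes two CSV exports: the authorized-user list that operations or HR maintain for 3.1.1[a], and an account export that IT pulls from the CUI enclave's directory for 3.1.1[d]. Both inputs below are constructed sample data; the column names and the "svc_" naming convention for service accounts are assumptions. Consistent with 3.1.4, the person running this check should be someone who maintains neither list.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample input (not real data): the authorized-user list that
# operations/HR maintain for 3.1.1[a]. Column names are assumptions.
AUTHORIZED_USERS_CSV = """\
username,full_name,role,authorized_by
jdoe,Jane Doe,Program Manager,operations
rlee,Robert Lee,Engineer,operations
mkhan,Maria Khan,Quality Inspector,hr
"""

# Constructed sample input (not real data): an account export from the CUI
# enclave's directory, as IT might pull from Active Directory for 3.1.1[d].
# Column names are assumptions.
ACTIVE_ACCOUNTS_CSV = """\
sAMAccountName,enabled
jdoe,True
RLee,True
tsmith,True
mkhan,False
svc_backup,True
"""

# Assumption: service accounts follow a naming convention and are reviewed
# separately from people, so they are reported rather than flagged.
SERVICE_ACCOUNT_PREFIXES = ("svc_",)


@dataclass
class ReconciliationResult:
    matched: list[str]                             # authorized and enabled
    unauthorized_active: list[str]                 # enabled, but no authorization record
    authorized_without_enabled_account: list[str]  # authorized, but account missing or disabled
    service_accounts: list[str]                    # enabled non-person accounts, reviewed separately

    def is_clean(self) -> bool:
        """True only when the two lists an assessor compares actually match."""
        return not self.unauthorized_active and not self.authorized_without_enabled_account


def parse_authorized_users(text: str) -> set[str]:
    """Usernames from the authorized-user list, lower-cased for comparison."""
    return {row["username"].strip().lower() for row in csv.DictReader(io.StringIO(text))}


def parse_account_export(text: str) -> dict[str, bool]:
    """Map of account name -> enabled flag from the directory export."""
    accounts: dict[str, bool] = {}
    for row in csv.DictReader(io.StringIO(text)):
        # sAMAccountName is case-insensitive in AD, so normalise before comparing.
        name = row["sAMAccountName"].strip().lower()
        accounts[name] = row["enabled"].strip().lower() == "true"
    return accounts


def reconcile(authorized_csv: str, accounts_csv: str) -> ReconciliationResult:
    """Compare the authorized-user list against enabled directory accounts."""
    authorized = parse_authorized_users(authorized_csv)
    accounts = parse_account_export(accounts_csv)
    enabled = {name for name, on in accounts.items() if on}

    # Disabled accounts are not access, so only enabled accounts count here.
    service = {n for n in enabled if n.startswith(SERVICE_ACCOUNT_PREFIXES)}
    people_enabled = enabled - service

    return ReconciliationResult(
        matched=sorted(authorized & people_enabled),
        unauthorized_active=sorted(people_enabled - authorized),
        authorized_without_enabled_account=sorted(authorized - people_enabled),
        service_accounts=sorted(service),
    )


def main() -> None:
    result = reconcile(AUTHORIZED_USERS_CSV, ACTIVE_ACCOUNTS_CSV)
    print("Matched (authorized and enabled):", result.matched)
    print("Enabled accounts with no authorization record:", result.unauthorized_active)
    print("Authorized users without an enabled account:", result.authorized_without_enabled_account)
    print("Service accounts (review separately):", result.service_accounts)
    print("Lists match:", result.is_clean())


if __name__ == "__main__":
    main()
```

On the sample data the check flags "tsmith" (an enabled account nobody authorized) and "mkhan" (authorized, but the account is disabled), which are exactly the two kinds of discrepancy the review is meant to surface. Keeping the dated output of each run alongside the two source lists gives the assessor the evidence that the comparison is actually performed.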
Now that we understand the "why", let's tackle the "how": how can we solve this problem? You need a Compliance Team. IT is on the team for sure, but so are physical security, operations, HR, and maybe finance, legal and compliance -- the exact composition of the team will be determined by your organizational structure and compliance obligations. But you need to understand that IT absolutely cannot do this on their own. You will not be able to pass a CMMC L2 assessment if you are relying entirely on IT to build and maintain your compliance program.
And don't forget senior leadership! The Compliance Team needs to report to a senior level official who can make organizational decisions about risk management, someone who has budget authority, and who will support the team and promote integration and coordination of member activities.
With this new insight, I hope you all will pull out that SSP and read it carefully to see if there are too many IT assumptions in there. Many of you will be very surprised at what you read.
Do you need help developing your Compliance Team? Policies & procedures are my superpower!
Upcoming Virtual Workshops
| Date | Workshop |
| --- | --- |
| Oct 7 | CMMC 101: Getting Started |
| Oct 14 | Self-Assessing CMMC Level One |
Use code "CMMCUpdate" to get 20% off!
Hope to "see" you there!
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107