October 21, 2025
Security vs. Compliance: Same? Or Different?
I know many people who say Different! And I agree with them, but maybe not for the same reason. There are many security professionals who disdain compliance standards because they don't create "real security."
My reason is different: a truly secure network can still be very far from compliant with a given standard. We see this fairly often with clients that have used "industry standard best practices" for PCI compliance, for example, and think they can just "explain" to the CMMC assessor how it's basically the same level of security. That won't work. CMMC Level 2 requires implementing all 110 security requirements of NIST SP 800-171r2 for information systems that process, store or transmit Controlled Unclassified Information ("CUI"). If you have a truly secure network reflecting "industry standard best practices," will you automatically meet the requirements of 800-171r2? Not necessarily.
One thing I've learned in working with DFARS 7012 over the past 9 years is that DoD/DoW doesn't really care about "industry standard best practices." They want you to do what you're told. Blindly and without question.
The biggest disconnect I find when folks with a non-government background enter the world of DoD/DoW compliance is with the concept of "Compensating Controls" and with what the PCI Data Security Standard (since PCI DSS v4.0) calls the "Customized Approach."
"Unlike compensating controls, which are used when organizations have a constraint and are unable to meet the requirement as stated, the customized approach is for entities that choose to meet the requirement differently than is stated."
While compensating controls may be used in very limited situations in CMMC (specifically Specialized Assets), the customized approach really isn't a viable option (short of a waiver from DoD/DoW, and those don't get handed out often). There is certainly a fair amount of flexibility in how you implement each requirement, but you must still implement every requirement. No cherry-picking, and no substituting a different security measure that you believe has the same effect as the actual requirement.
CMMC assessors are trained to look for clear implementation of each requirement as stated. Deviations carry a very high assessment risk.
So, what should you do? Download the CMMC Level 2 Scoping Guide and Assessment Guide and read them cover to cover. Check the NIST Glossary (the CSRC glossary at csrc.nist.gov/glossary) to be sure you understand exactly what each term means (hint: NIST often uses ordinary words in slightly different ways than "industry standard best practice" does).
Need help? You know where to find me.
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

