The Cybersecurity Maturity Model Certification, version 2.0, is finally in effect, which means thousands of businesses that have roles in the Department of Defense supply line need to do the work to comply and pass their audits to receive certification.
It’s inevitable that many of these businesses will fail their initial audits. The standards are high, the margin of error is narrow, and the timeline is tight.
If you want to do everything in your power to avoid becoming one of those audit failures, you need to know why it happens so you can avoid the common pitfalls. To help with that, we’ve put together a list of the top ten reasons why people fail their CMMC audits and what you can do to prevent it from happening to you.
BLUF - Bottom Line Up Front
The new Cybersecurity Maturity Model Certification (CMMC) version 2.0 requires businesses in the Department of Defense supply chain to comply with strict standards and pass audits. Common reasons for audit failure include poor credential management, outdated documentation, improper cryptography, and lack of continuous monitoring and risk assessment. Addressing these issues, ensuring organizational buy-in, testing response plans, and seeking expert help are key steps to avoid audit failures.
1: Poor Credential Management
Managing credentials is tough. Every user needs their account, with the appropriate access and permissions for their job, but no more. They need strong passwords and multi-factor authentication enabled.
It doesn’t sound like much, but there’s a lot of friction involved in this scenario. Users who have never had their accounts compromised may take security for granted. They may view themselves as protected by “security through obscurity,” the concept that they’re safe because no one knows who they are and they aren’t important enough to be targeted.
You also frequently run into friction where switching accounts, requesting permissions, and going through The Process are all a hassle. People tend to take the path of least resistance, so they might share accounts, use communal passwords, or allow access to people who shouldn’t have it for the sake of convenience.
All of this can cause a failure of a CMMC audit because it’s all a set of potential vectors through which an attacker can gain unauthorized access. Fortunately, there are ways you can alleviate some of that friction. The use of a secure password manager, for example, can make using strong passwords much less of a hassle.
2: Poor, Outdated, or Missing Documentation
One of the key elements of security frameworks, whether it’s CMMC, ISO 27001, FedRAMP, or something else entirely, is documentation. It’s not enough to say you have policies in place; you need documentation of those policies, such as when they were implemented and whether they’re followed. It’s not enough to say your software is secure; you need audit logs and access histories. It’s not enough to make claims; you need proof.
Documentation also isn’t static. When you document a process, policy, or procedure, those documents are timestamped, and they need to be updated when things change. Regular updates, continuous monitoring, and the assurance that your security is in place and effective are all critical.
Failure to provide adequate documentation is one of the leading causes of audit failure. You can get by if you later find and hand over the documentation, but it’s still a red flag.
One of the best ways to solve this is to use a centralized repository for relevant documentation, like the Ignyte Platform. We designed the Ignyte Platform specifically to solve this issue by creating a place where documents can live and people can collaborate on them without having to pull them into siloed software or other walled gardens that can cause conflicts or friction down the line. You can read more about it here, reach out if you have any questions, or book a demo right away.
3: Improper Cryptography
One of the most important elements of modern digital security is cryptography. Data at rest needs to be encrypted so that only authorized accounts can access it. Data in transit needs to be encrypted end to end so that anyone who manages to listen in the middle can’t read what is transmitted.
The greatest point of failure in cryptography is not using the right kind of encryption. Encryption comes in many different forms, some of which are much weaker than others. The CMMC rulebook includes specific encryption requirements, both in terms of what needs to be encrypted and how it’s encrypted.
What it doesn’t do, however, is specify the exact algorithms to use beyond requiring that what you use is FIPS-validated. This is both to prevent any one form of encryption from becoming a single target and to allow CMMC to stay agile as cryptographic standards evolve. You don’t want a year or more of delay in updating a cryptographic requirement when new technology emerges, after all.
4: Insufficient Continuous Monitoring
Part of what makes frameworks like CMMC effective is the stipulation that your organization must actively monitor your security and your systems for signs of problems. These problems can relate to configuration, access, unauthorized access, breaches, and much more.
CMMC requires that organizations keep this monitoring ongoing and that they proactively identify any issues, report those issues to the relevant authorities, and address the problems as quickly and as thoroughly as possible.
If your active monitoring is not sufficient to detect and alert when issues arise, it can cause an audit to fail. Unfortunately, there’s no simple solution beyond making sure that your monitoring is as thorough as possible.
5: Not Conducting Risk Assessments
A risk assessment within the CMMC framework is an analysis that includes:
- What a threat is.
- What vulnerabilities the threat exploits.
- The impact the threat would have on the organization.
- The likelihood of the threat occurring.
It’s a way to assess potential threats, both internal and external. It’s also a way to proactively identify potential problems and take steps to secure against them.
A good risk assessment can uncover problems with your overall security, but more importantly, it can provide an avenue for closing gaps in security before an attacker can find and exploit them. This can be anything from changing default passwords on hardware to establishing an emergency software patch procedure for zero-day security holes and more.
Risk assessments are a critical and required part of CMMC compliance. Not properly conducting them and logging their results can result in a failure of your audit.
One area where many businesses get it wrong is assuming threats are only outside, malicious actors. The reality is that threats can be anything from an unpatched piece of software to an employee finding a USB drive in the parking lot. These threats, as well, need proper assessment.
6: Not Maintaining Logs
In a sense, this one is an extension of several of the previous points of failure.
Documentation is critical, but that documentation goes beyond what many businesses initially realize. It’s not just about company policies, the results of company training, or the results of a red-team penetration test.
Instead, it goes all the way to the technical level, with logs of system access, which can be analyzed for potential gaps in security like account sharing, improper remote work, or third-party intrusion. Even routine logs that 99.99% of the time say “all systems normal” are still required.
Logging isn’t just about having a record if something is going wrong. It exists to prove, as well, that things are going right. Without logs, you have no way of knowing either way, and that gap in knowledge is just as bad for CMMC compliance as a failure.
Most of the time, your systems will have built-in ways to log everything you need to log. You may even have logs you don’t realize you have. The key is to make sure those logs are accessible and known.
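Section 6 mentions analyzing access logs for account sharing. The following added example (not code from the original post or from Ignyte) does that over constructed log lines in an assumed LOGIN/LOGOUT format: a user whose sessions overlap in time but originate from different source addresses is flagged, and a session that never logs out is treated as open until the last entry.

```python
# Flag possible account sharing: one account with overlapping sessions from
# two different source addresses. Added example; log lines are constructed.
import re
from datetime import datetime

SAMPLE_LOG = """\
2024-05-01T09:00:12Z LOGIN user=jdoe src=10.0.0.5 session=a1
2024-05-01T09:05:40Z LOGIN user=jdoe src=10.0.0.9 session=a2
2024-05-01T09:30:00Z LOGOUT user=jdoe session=a1
2024-05-01T09:45:00Z LOGIN user=asmith src=10.0.0.7 session=b1
2024-05-01T10:00:00Z LOGOUT user=jdoe session=a2
2024-05-01T10:10:00Z LOGOUT user=asmith session=b1
2024-05-01T10:20:00Z LOGIN user=asmith src=10.0.0.8 session=b2
2024-05-01T10:50:00Z LOGOUT user=asmith session=b2
"""

# Assumed log format: "<iso-timestamp> LOGIN|LOGOUT user=<u> [src=<ip>] session=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))? session=(?P<sid>\S+)$"
)


def parse_sessions(log_text):
    """Pair each LOGIN with its LOGOUT; returns {user: [(start, end, src)]}."""
    open_sessions, sessions, last_ts = {}, {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = last_ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["event"] == "LOGIN":
            open_sessions[m["sid"]] = (m["user"], ts, m["src"])
        elif m["sid"] in open_sessions:
            user, start, src = open_sessions.pop(m["sid"])
            sessions.setdefault(user, []).append((start, ts, src))
    for user, start, src in open_sessions.values():  # never logged out
        sessions.setdefault(user, []).append((start, last_ts, src))
    return sessions


def find_account_sharing(log_text):
    """Sorted (user, src_a, src_b) triples for overlapping sessions of one user."""
    findings = set()
    for user, sess in parse_sessions(log_text).items():
        sess.sort()  # by start time, so only later sessions need checking
        for i, (start1, end1, src1) in enumerate(sess):
            for start2, _, src2 in sess[i + 1:]:
                if start2 < end1 and src1 != src2:
                    findings.add((user, src1, src2))
    return sorted(findings)
```

In the constructed sample only jdoe is flagged; asmith's two sessions from different addresses do not overlap, so they are not reported.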
7: Not Testing Response Plans
CMMC is not just about establishing and maintaining security; it’s also about what to do in the event of a problem. Emergency response plans may vary from a rapid audit and patch process to a detailed investigation involving high-level authorities and everything in between.
To pass an audit, your CMMC implementation needs to include response plans that you develop for various scenarios. Even just having them is not enough, though; you also need to test them. Then, based on the results of those tests, you may also need to change the plan and re-test, revalidate, and update the plans.
There’s a natural human tendency to be hesitant to point out gaps or faults or to downplay their severity. These inaccuracies can also lead to problems down the line, so it’s best to be honest and forthright with information, internally and externally, as necessary.
8: Intentionally Hiding Incidents
This one should be obvious, but it’s also surprisingly common. In the event of an incident, what happens?
Depending on the kind of incident, there’s often a sense of shame and guilt, especially if there are people within your organization at fault in an unintentional way. In that initial panic, there’s a temptation to hide that anything is wrong at all, to fix it before it blows up. There’s a reason a common sitcom gag framing is children getting into trouble and scrambling to fix it before their parents come home.
Ignoring security alerts, hiding gaps or incidents, and otherwise trying to downplay any sort of incident are immediate grounds for a failed audit. At best, it’s a harmless incident that can be properly reviewed and end with a slap on the wrist, some employee training, and an improvement to security processes. At worst, it becomes a massive breach of confidence and a serious incident. In addition to being unethical, it makes the vulnerabilities within your organization compound, making you a liability to the partners you work with.
9: Insufficient Buy-In
Properly achieving CMMC certification requires buy-in throughout the organization. It can’t be something your CEO mandates but your CTO waves off, or your C-levels mandate but your middle management ignores, or that your employees decide isn’t important enough or gets in the way of their job.
There will always be friction when implementing a security framework. It usually adds stringent requirements to work that feel confining and obstructive. Part of a successful implementation, in fact, is finding ways to comply with regulations while also minimizing the friction that leads to breaches.
Without adequate buy-in from the top, the things that need to be done are delayed, underfunded, or not approved. Without adequate buy-in from the organization, top to bottom, the rules don’t get followed, and security is not achieved.
Often, this requires a significant cultural change within an organization. If your company has already been certified under CMMC 1.0 or another security framework, the change is less significant, but newcomers to CMMC will find it steep. Unfortunately, for the good of the organization, it may be necessary to release employees who prove to be roadblocks.
10: Not Utilizing Help
CMMC is immense and complex. With hundreds or thousands of pages of documents to read, hundreds of rules to interpret and comply with, and tight timelines with which to do it, starting fresh and going it alone is a recipe for disaster.
One of the best things you can do to prevent audit failure is to work with an expert who knows CMMC inside and out. Whether this is an individual consultant or a consulting firm may depend on your industry and the size of your organization, but the help is out there to find.
Even beyond talking to the right people, a lot can come down to using the right tools. While there are no magic apps where you can click a button and it will secure your organization, there are apps and platforms that can make it easier for you to go through the process.
We’ve already mentioned the Ignyte Platform once above, but we’ll do so again. We designed the Ignyte Platform to assist with the onerous documentation requirements for a range of different security frameworks, and we’re proud of how well it works for our clients. It won’t do all the work for you, but it will make doing the work much easier. Why not book a demo and see what it can do for you firsthand? We’re always available to answer any questions you may have, as well.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.