A person looking at a screen that says 'Procurement Integrated Enterprise Environment's' homepage

Most Common Failing CMMC Controls and How to Address Them

The cyber universe has become the next battlefield–a place where threat actors, malicious entities, cyber criminals, activists, and nation states are challenging U.S. hegemony globally. We’ve seen instances where millions, or even billions, of dollars of research and decades’ worth of work has been stolen by hostile nation states. Against this backdrop, it is imperative to secure the supply chain to help defend cyberattacks from impacting the U.S. Department of Defense (DOD).

The DOD created the Cybersecurity Maturity Model Certification (CMMC) to address these threats and help secure the defense industrial base. Prior to CMMC, the DOD leveraged compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 to set standards for supply chain cybersecurity. So how well are defense contractors implementing these requirements–and which controls are the most problematic?

Let’s look at the data.


How we collected the data

Over the past several years CyberSheath has conducted approximately 600+ assessments to determine NIST and CMMC readiness for a wide variety of organizations. Here is a demographic snapshot of the clients evaluated:

  • 86% privately held
  • $3M to $5B+ revenue
  • 10 to 100K+ employees
  • Industries: manufacturing, aerospace and defense, construction, telecommunications, retail, business services, software, and energy, utilities and waste industries
  • SPRS scores of -175 and as high as +10


Supplier Performance Risk System (SPRS): Note that as of last year, the government requires you to have an overall score regarding your cybersecurity compliance status. This SPRS score is determined through using government scoring mechanisms and criteria, which assess where you stand on the requirements. These results are to be used by contracting officers to evaluate cybersecurity risk when they’re issuing contracts. The score ranges from -203 to +110.


The top 5 failing controls

After we analyzed the data on the assessments we performed, we were able to determine the controls that companies most often did not have fully or properly implemented. The list is rather astounding in those two thirds to three quarters of the companies that we’ve assessed are noncompliant in these controls.


Control Category Control Detail Non-Compliance
1 Access Control AC.2.016: Control the flow of CUI in accordance with approved authorization. 66%
2 Configuration Management CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems. 69%
3 Identification and Authentication IA.3.083: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 71%
4 Incident Response IR.3.099: Test the organizational incident response capability. 69%
5 Media Protection MP.3.122: Mark media with necessary CUI markings and distribution limitations. 74%


This list provides a great indication of where your company should focus its initial investment. If you only have a limited amount of dollars to work with, prioritizing these requirements in the short term might make sense but in the long term CMMC compliance is an all or nothing proposition.

In the short term…How to increase your SPRS

Let us walk through an example of the impact of the assessment, findings, and recommendations that we at CyberSheath provide to clients. Typically, a report would open with a statement noting that the assessed company has a significant amount of work to become compliant with the DFARS mandate and to close all identified DFARS and CMMC gaps.

Key recommendations are made to outline corrective actions which are typically heavy-lift items taking significant resources and time to implement. Throughout the report, we identify additional items that represent significant risk to the organization’s environment that should be addressed as soon as possible.

We then provide specific guidance on which controls should be implemented to lift the company’s SPRS score up 50 or more points. For example:

  • Security Governance Practices – 6 Controls – DOD Scoring Impact: +13 Points
  • Vulnerability Management – 4 Controls – DOD Scoring Impact: +11 Points
  • Incident Response Planning – 7 Controls – DOD Scoring Impact: +11 Points
  • Logging and Monitoring – 10 Controls – DOD Scoring Impact: +21 Points


For the long term…CMMC ML3 Data enclave use cases

Part of the compliance challenges you face could be addressed by establishing data enclaves, which will also have a positive impact on your SPRS score. Here are cascading use cases on how enclaves could help your organization.

  • Level 1: Data vault and collaboration SharePoint libraries – This secure SharePoint enclave can be hosted in GCC High or a commercial cloud depending on whether data is subject to export.
  • Level 2: Windows Virtual Desktop, SharePoint, Microsoft Office applications, and OneDrive – This approach is secured using Active Directory partitions and Windows Virtual Desktop. Desktops are shared, but data security is enforced to CMMC compliance standards. Great for users who only access Office applications, SharePoint Online, and OneDrive, there is no option to host private application servers.
  • Level 3: Level 2 plus private applications – Customers are segregated on private network segments with network security boundaries adding security beyond Active Directory partitioning. Desktops are private and only accessed by a single company. There is an option available for private application servers on the customer network segment. This approach works well for users looking for an affordable cloud platform while needing to use custom applications or file servers.
  • Level 4: All business operations enclaved – In this approach, all servers and desktops reside in the customer’s MS Azure tenant. Users access the environment using corporate credentials. It is the most expensive option, as all components including Active Directory are completely private. Companies can host any applications or files in their environment and can optionally connect the enclave to their corporate infrastructure.


Future-proof your business

Follow these steps to assess your current state, implement controls, and manage compliance to bring order to your cybersecurity challenges.

  1. Assess operations for compliance with NIST 800-171
  2. Generate a system security plan (SSP)
  3. Document plans of action and milestones (POA&Ms)
  4. Implement the security requirements
  5. Maintain compliance


As a company, you need to commit to running a cybersecurity compliance marathon–but you don’t have to do it alone. At CyberSheath, we have the expertise and experience to help you cross the finish line by continuously increasing your SPRS score and becoming compliant with your required level of CMMC. Contact us to get started.


Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyber threats.
This is default text for notification bar