Expert Breakdown of 3 Commonly Failed CMMC Controls :

...And How To Prepare For Your Assessment 


Author: Steven Burchett, Firewater Advisors Board Member

If your organization works on any contracts in the defense industry, you know the Cybersecurity Maturity Model Certification (CMMC) guidelines require compliance for many projects starting in 2023. 

In the coming years, only compliant companies that have completed an assessment will be able to win contracts—or even be eligible to send proposals.  $Billions in business revenue are on the line. 

So I met with Wayne Shaw, a CMMC Expert, vCIO and vCISO and a CMMC Registered Practitioner with The Cyber AB.  Mr. Shaw has helped dozens of companies toward compliance and to prepare for a successful assessment.  Watch the video above or read on to hear his expert guidance. 

Why Is Getting Assessed Now So Important? 

Mr. Shaw:  It’s simple. You pass the CMMC either self-assessment or assessment, or you don’t go after DOD contracts. 

And in the future, this will apply to more government agencies than just the Department of Defense (DoD). To me, that’s the value add that’s not out there.  So it’s going to be extremely important that you get on the boat as quickly as possible.  

Here’s what I see happening right now in the industry. Boeing, Northrop Grumman, whomever the big boys, all are required to do this at the highest level, and they’re doing it.  


Wayne Shaw, vCIO vCISO,
CMMC Registered Practitioner
CMMC Expert

To stay compliant, all of their subcontractors have to also meet CMMC guidelines.  So they’re pushing this down on to the Defense Industry Base to meet these requirements.  

So if you are a machine shop and you’re going to Boeing and you’re saying, “Hey, I can make this piece of the plane for you at X number of dollars”, Boeing is going to say, “Do you meet these requirements? Yes or no.”  

If you say “no,” or “we’re about to…” Boeing doesn’t have time for you to wait. They’re going to move on to your competitor.  

And you know business; if they move on to your competitor who is certified and has a self-assessment and you don’t, you’re out and they’re not going to come back. 

Looking at it from that angle, it makes business sense to get compliant right away.  Rather than a “cost,”  the CMMC is a competitor-crushing, business-increasing opportunity.  


Mr. Shaw:  The three things that you’re going to need—that most people either hate or don’t do—to pass your self-

assessment or your audit: 

    • Policies and procedures

    • Artifacts 

    • Training 

Because the two things that most companies have failed on with the CMMC in the NIST 800.171 framework in the past: having the policies and procedures in place, proof you’re following them via artifacts, and having every member of your team trained, each year, and being able to provide proof. 

So those are the three things you have to look at. 


FIRST THING: Archival Evidence 

Mr. Shaw:  One of the big things that we’re being told in the town halls:  you have to have the archival evidence.  

All of those reports, all of the agendas, all of those procedures that you do on a daily or weekly basis have to be in an artifact.   

And those artifacts have to be there—not for the three days before the assessor shows up.  It has to be a couple of years, if not a year. Right.  

Accountants get audited all the time, they know exactly what they’re supposed to do, right?  

So when the IT department starts thinking like the accounting department, thinking like an engineer: how do I back this up? How do I prove this?  They you gather and can produce proof to what you’re saying.  

You can tell an assessor, “hey, this is what I did.” But just like in GAAP, every assessor will tell you “if you can’t prove it you didn’t do it.” 

SECOND THING: Policies and Procedures  

Mr. Shaw:  Everybody hates them. Nobody likes them.  

But I’ll guarantee you before the assessor shows up, he or she will know your policies and procedures better than you do.  

And one of the requirements is for the assessors to go in and interview people, and they’re going to sit down and they’re going to say, “Hey, how do you handle making sure that not everybody has access to the folder in the Active Directory (AD)? How do you how do you restrict that?”  

Well, the way many organizations restrict that is to have a policy that relies on the onboarding and offboarding from HR. A new person walks in, HR fills out a form and says “This person is in Accounts Receivable.”  

Then IT takes it over and says, “Oh, well, if they’re in Accounts Receivable, they’re have access to go to these three folders, but they can’t go to this one.”  Right?  One on one. 

The problem is this process is often not followed at all. Usually, they just give everybody access to the entire tree, right? Especially in smaller corporations.  

So—based on your procedural document—the assessor is going to look for onboarding and offboarding forms, he’s going to match it up with the number of people on your Active Directory, going to make sure that they match.  If they don’t match? He’s gone.  

So you’re going to need the artifacts, you’re going to have to have them organized. And if an assessor walks in, so let’s let’s just be realistic, they’re human. They walk in and your artifacts are a mess, they’re going to dig deeper. 

If the artifacts are not a mess and they’re well-organized and he can just pound down through them, and then he goes out and talks to the people about the policies and procedures, and they’re explaining pretty much the same thing he’s seeing in the artifacts, he’s going to move on to the next one. Right? 


THIRD THING – Yearly CMMC CUI and FCI Cybersecurity Training  

Mr. Shaw:  Of the three things you can do to cover common gaps in CMMC pre-assessments, the training to me is the most important. You need to train your people first so they know what’s happening in their company.  

As a consultant, I come in and hear a lot of “I don’t know what’s going on in this company. I don’t know what the hell is happening” with the inevitable policy changes and tightened security.  

So if you train them at the beginning your staff knows what’s coming. They’re not as apt to complain about it and push against it, especially when you start making major changes like dual authentication. 

Since we found that the training was the most crucial part, to me, of introducing new changes to an organization, I worked with the Firewater Advisors team to put together a fully online, web-based training series to help companies toward compliance. 

It’s easy to use. It’s inexpensive. We provide all the elements that meet the CMMC requirements. And it updates and reminds your team year after year, as one of the requirements is yearly training for all your employees. 

So if you’re interested in our training, just ask an expert or schedule time with us to find out more about it. And if you have any questions, you can always email us. But it is the easiest, least expensive and the best way to go for meeting that requirement for the CMMC.  


Mr. Shaw:  In summary, the three things that are critical to have in place before a self-assessment or a visit from a CMMC assessor are:  
1) the policies and procedures for the security controls,  
2) the archival evidence that those procedures are routinely followed, and  
3) a solid CMMC training for every employee, every year, and proof that they’ve completed it and passed a quiz on main topics. 

Thank you for spending your time with me, I greatly appreciate it. Good luck on your CMMC journey. If you have any questions, we’re always, always available.  

Leave a Comment

Your email address will not be published. Required fields are marked *