As a security compliance professional, your daily work points toward one goal: passing a C3PAO assessment and maintaining CMMC-compliant status. That is much easier said than done, and it is hard to account for every nuance in the governing publications, especially as new ones come out.
That’s why we’re here for a little “just so you know.” Many organizations constantly review their 3- and 5-point controls to make sure they will pass their CMMC assessment, and understandably so: those are the ones known as “instant fail” controls. What many organizations don’t realize is that certain one-point controls can cause an instant failure of your C3PAO assessment as well.
A Review of the CMMC Control Point System
Not all CMMC controls are created equal, literally and figuratively. CMMC Level 2 scoring follows the weighted point system of the DoD Assessment Methodology for NIST SP 800-171: you start at 110, and for each requirement the assessor finds NOT MET, its weighted value (1, 3, or 5 points, depending on the requirement) is subtracted, down to a minimum possible score of -203. These weights matter because a 5-point requirement that is NOT MET cannot be placed on a POA&M, so a single failed 5-pointer means the assessment cannot end in a certification.
You’re likely aware that, if certain requirements aren’t met at assessment time, an organization can receive a conditional certification with a Plan of Action and Milestones (POA&M) and then has 180 days to remediate and demonstrate closeout to its assessor; once those requirements are verified as MET, the score is adjusted back up. There are caveats, though: the initial assessment score must be at least 88 of 110 (80%) for a POA&M to be permitted at all, and not every requirement is eligible to be placed on a POA&M.
Breaking Down “One-Pointers” and POA&Ms
When people in the compliance space think of controls ineligible for POA&Ms, they tend to think of the 5-pointers and 3-pointers. There is, however, a list that is often overlooked and that can fail an organization’s assessment if it falls through the cracks: one-point controls.
Yes, there are one-pointers that are eligible for POA&Ms with in-person reassessment, but there is a longer list of one-point controls that are ineligible for POA&Ms entirely. Neglecting to prioritize these requirements can make or break the time, personnel, and money invested in a C3PAO assessment.
One-Point CMMC Controls Ineligible for POA&Ms
- AC.L2-3.1.20 External Connections (CUI Data)
- AC.L2-3.1.22 Control Public Information (CUI Data)
- PE.L2-3.10.3 Escort Visitors (CUI Data)
- PE.L2-3.10.4 Physical Access Logs (CUI Data)
- PE.L2-3.10.5 Manage Physical Access (CUI Data)
One-Point CMMC Controls Eligible for POA&Ms (With In-Person Reassessment)
- MP.L2-3.8.4 [a]: Media containing CUI is marked with applicable CUI markings.
- MP.L2-3.8.4 [b]: Media containing CUI is marked with distribution limitations.
- SC.L2-3.13.12 [b]: Collaborative computing devices provide indication to users of devices in use.
Why You Need to Know the Latest on 48 CFR
While the information on one-point controls and POA&Ms isn’t new, the proposed 48 CFR updates do reiterate something many organizations have been avoiding: you NEED time, expert preparation, and resources to build a successful CMMC program. If your assessment is delicate enough to be derailed by a single one-point control, your best bet is to stay informed, while avoiding excess costs on top of the ones you’ve already taken on.
Based on the proposed updates to 48 CFR, here’s what organizations can expect to invest in implementing and maintaining CMMC as a program.
Moving Forward: CMMC Program Preparedness
So, where do you go from here? It depends on your compliance program. At the end of the day, it’s imperative to keep up with the latest publications and policy updates, understand nuances in interpretation and implementation, and know when it’s time for outside help.
If your organization’s CMMC program could use the added support of a team of Certified CMMC Assessors (CCAs), SP6 is home to a team of in-house experts. Reach out today to see whether your organization is satisfying those sneaky one-pointers, and be assured you’re prepared for a future assessment.