CMMC – No POAMs Allowed?

Exploring the implication to achieve CMMC certification.

Table of Content

CMMC – No POAM’s?

In an ever increasing complex and connected world.  The idea that a company complies 100% with any one cybersecurity compliance framework seems like a far-fetched idea, its 2021, we are bombarded with almost weekly data breach articles and reports.  The sad reality is that most breaches are not reported.  If an organization’s cybersecurity program is not continuously improving and addressing vulnerabilities and weaknesses to their program, they become the low-hanging fruit and an attacker’s next target.

“Any security requirements that were in part of a plan of action must be closed/met in order to be granted the CMMC assessment”

Sourced from the CMMC Appendices v1.02

No POAM’s Allowed??

It begs the question, does the DoD really understand residual risk and current state cybersecurity?

First things first, an organization is never done implementing cybersecurity.  To repeat – never done. If the organization is not working to improve and address weaknesses that are identified, what are they doing?  Here is another issue, CMMC is brand new.  When FedRAMP was rolled out, CSPs were experiencing 40% pass rates during their first assessment cycle, which required considerable remediation.  Why would DoD expect a Defense Industrial Base (DIB( contractor to implement a new cybersecurity framework and then expect the contractor to obtain 100% compliance with all requirements within a very short timeframe of being assessed?  This is unrealistic, naïve, and flawed all at the same time.

Second, CMMC threatens the integrity of independent assessors.  C3PAOs are required to provide an independent, unbiased attestation of the target boundary’s level of compliance with the security requirements.  In our twenty-five plus years of assessing systems, we have never encountered a 100% compliant environment ever.   Security vulnerabilities and associated risks always exist, no matter what the environment.  POAMs are a requirement and expected.  POAM management is even a “practice” (control) requirement under CMMC, yet POAM Items are not allowed to achieve certification.  Please explain this one.

Because C3PAOs are paid by the DoD government contractor, does this create a conflict of interest and the potential for collusion?  Is there an expectation that the C3PAO will have to look the other way to get their paying customer CMMC certified?  The DoD Contractor has a very short timeframe to resolve any findings the C3PAO identified, provide evidence to the C3PAO that all the findings are closed, and then submit a POAM-free package for certification consideration. This exerts pressure on the C3PAO to ensure the findings they identified have been corrected and does not make sense.  Rather than putting the burden on a traditional authorizing official model to address remaining risks, the burden is on the C3PAO.  By taking this approach, the DoD undermines the very creditability of C3PAOs they want to facilitate.

Finally, modern corporate network environments change all the time.  Adoption of Cloud, remote workforce, zero-trust, etc., are works-in-progress.   Ensuring that ongoing security improvement efforts are tracked through a continuous monitoring program is critical to achieve situational awareness.   Why would the DoD give the DoD contractor 3 years of zero POAM items or risks that they need to address?  This approach enables the contractor to be complacent and inactive.  If they are not working to correct or improve any of their cybersecurity functions, how can we expect them to protect CUI and the DoD Supply Chain on an ongoing basis?

Our Take

The DIB is critical to our national security and is part of other highly regulated industries.  These organizations must ensure they have a clear understanding of the US Public Sector regulatory environment.  Organizations need to plan and build a strategic roadmap that incorporates issues, such as, IT transformation, cloud adoption, containerization, and emerging technology solutions that overlay their in-scope compliance frameworks.

CMMC is the DoD’s mandated attempt to improve the security posture of the DIB.  Is it flawed, will it have problems, are we all frustrated?  Absolutely, but despite these flaws, CMMC is necessary.   Our adversaries are becoming increasingly brazen and sophisticated.   We must leverage CMMC to our advantage by improving an organization’s security posture, reducing systemic risks, and gaining a competitive advantage in the acquisition process.

The DIB should work with the DoD, CMMC AB, C3PAOs, and the cybersecurity community to improve CMMC. The POAM Management process is an important part of any cybersecurity and continuous monitoring program.

Summary

As it currently stands, requiring a DoD contractor and the C3PAO to submit a 100% compliant security assessment report for certification consideration with no POAM items does not make any of us more secure. Instead, it gives us a false sense of security. We should work to make CMMC better and address this issue head-on.

Thoughts?  Sound off!  Talk to your colleagues, the DoD, NIST, and your Congressmen/Congresswomen & Senators!  We can all work together to improve CMMC!

Source: CMMC Appendices v1.02 March 18, 2020

Stay informed with our Industry Compliance Roadmaps, Technical Testing, Interviews and Resources to help you simplify cybersecurity and compliance.