Pattern Recognition From the Assessor's Perspective
After working with hundreds of defense contractors across CMMC gap assessments, readiness reviews, and formal C3PAO assessments, patterns emerge. Certain controls consistently generate findings. Not because they are technically difficult, but because they are often misunderstood, incompletely implemented, or documented in ways that do not satisfy assessors.
This is not an exhaustive list of the hardest controls. It is a practical guide to the controls that most frequently create problems and how to address them before your assessment.
- Multi-Factor Authentication (3.5.3)
3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts, which in practice means every network path into the CUI environment. The failure almost always involves exceptions: service accounts, shared accounts, legacy systems, VPN access paths, or remote access methods that bypass the primary MFA implementation. Assessors look exhaustively for those exceptions. A path an account can use to reach the environment without MFA is a finding no matter how rarely it is used, so the exercise before the assessment is to enumerate every authentication path, not just the primary SSO flow.
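The enumeration described above, as an added example rather than anything from the original page or Fortreum's own tooling: it takes successful sign-in records and lists the account/path pairs that needed MFA under 3.5.3 but authenticated without it. The records are constructed, and the field names (account, privileged, path, local, mfa, success) are an assumption; a real export from an identity provider, VPN concentrator or RADIUS server has its own schema and needs a mapping step first.

```python
"""Inventory authentication paths that bypass MFA (added example, not the page's own tooling).

The records below are constructed, not from a real system, and the field names
are an assumption standing in for whatever a real sign-in export uses.

Scope follows 3.5.3: MFA for network access by every account, and for local
access by privileged accounts. A local, non-privileged login without MFA is
therefore not reported.
"""
import json
from collections import defaultdict

# Constructed sample: one clean SSO login, a legacy VPN path with no MFA, a
# service account over SSH, a shared admin account at a local console, a
# non-privileged local kiosk login, and one failed attempt.
SAMPLE_SIGNINS = """\
{"account": "jdoe", "privileged": false, "path": "sso", "local": false, "mfa": true, "success": true}
{"account": "jdoe", "privileged": false, "path": "vpn-legacy", "local": false, "mfa": false, "success": true}
{"account": "svc-backup", "privileged": true, "path": "ssh", "local": false, "mfa": false, "success": true}
{"account": "admin-shared", "privileged": true, "path": "console", "local": true, "mfa": false, "success": true}
{"account": "kiosk", "privileged": false, "path": "console", "local": true, "mfa": false, "success": true}
{"account": "mallory", "privileged": false, "path": "vpn-legacy", "local": false, "mfa": false, "success": false}
"""


def requires_mfa(rec):
    """3.5.3: every network login, and every privileged login (local or network)."""
    return (not rec["local"]) or rec["privileged"]


def parse_signins(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_mfa_gaps(records):
    """Map (account, path) -> number of successful logins that needed MFA and had none."""
    gaps = defaultdict(int)
    for rec in records:
        if not rec["success"]:
            continue  # a failed attempt is not an access path into the environment
        if requires_mfa(rec) and not rec["mfa"]:
            gaps[(rec["account"], rec["path"])] += 1
    return dict(gaps)


def gaps_by_path(records):
    """Which access paths admit logins without MFA, and which accounts use them.

    These paths (legacy VPN, direct SSH, local consoles) are the exceptions an
    assessor will ask about one by one.
    """
    paths = defaultdict(set)
    for (account, path) in find_mfa_gaps(records):
        paths[path].add(account)
    return {path: sorted(accounts) for path, accounts in paths.items()}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for (account, path), n in sorted(find_mfa_gaps(recs).items()):
        print(f"{account:14s} via {path:12s} {n} successful login(s) without MFA")
    print("paths bypassing MFA:", gaps_by_path(recs))
```

On the sample, the legacy VPN path, the service account's SSH access and the shared admin console login are reported; the kiosk login is local and non-privileged, so it is outside 3.5.3 and not flagged. Run against a full export, the `gaps_by_path` view is the list of exceptions to close or to justify before the assessor finds them.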
- Privileged Account Management (3.1.7)
3.1.7 requires that non-privileged users be prevented from executing privileged functions and that execution of privileged functions be captured in audit logs; its companion, 3.1.6, requires the use of non-privileged accounts or roles when accessing nonsecurity functions. Many organizations have standard MFA in place but have not applied equivalent controls to administrative and privileged accounts. Privileged accounts require separate credentials from the user's day-to-day account, additional scrutiny, and logging of the privileged actions they perform. The most common failure mode is one account serving both purposes: an administrator reading email and browsing from an account that holds administrative rights, or routine accounts that have quietly accumulated privileged group membership.
- System and Communications Protection (3.13.6)
3.13.6 requires denying network communications traffic by default and allowing it only by exception (deny all, permit by exception). This is conceptually simple but often only partially realized. The boundary firewall is default-deny while internal segmentation, cloud security groups, or host firewalls remain default-allow, or the exception list has grown into broad any-to-any carve-outs that undermine the intent. Many organizations end up with a permissive posture dressed up as a set of exceptions.
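A way to check a rule export for the posture 3.13.6 asks for, as an added example that is not code from the original page or from Fortreum: the permissive and the deny-by-default rule lists are constructed, and the normalised format (ordered rules, first match wins, src/dst/port/action fields, "any" as the wildcard) is an assumption standing in for whatever a real firewall, cloud security group, or host filter actually exports.

```python
"""Audit a firewall rule list for deny-all, permit-by-exception (3.13.6).

Added example, not the page's own tooling. The rule lists and the rule format
are constructed assumptions; normalise a real export to this shape first.
"""

WILDCARD = "any"
FIELDS = ("src", "dst", "port")

# Constructed: permissive posture. One specific exception, then a catch-all accept.
PERMISSIVE = [
    {"src": "10.0.1.0/24", "dst": "10.10.5.20", "port": "445", "action": "accept"},
    {"src": "any", "dst": "any", "port": "any", "action": "accept"},
]

# Constructed: deny by default. Narrow exceptions, then a terminal drop.
DEFAULT_DENY = [
    {"src": "10.0.1.0/24", "dst": "10.10.5.20", "port": "445", "action": "accept"},
    {"src": "10.0.1.0/24", "dst": "10.10.5.21", "port": "443", "action": "accept"},
    {"src": "any", "dst": "any", "port": "any", "action": "drop"},
]


def wildcard_count(rule):
    """How many of src/dst/port are unconstrained."""
    return sum(1 for f in FIELDS if rule[f] == WILDCARD)


def default_action(rules):
    """Action for traffic no specific rule matches.

    That is the terminal all-wildcard rule if there is one. If the list falls
    through without one, the device's implicit policy applies; this audit
    assumes the worst case, accept, so the gap is reported rather than hidden.
    """
    last = rules[-1]
    if wildcard_count(last) == len(FIELDS):
        return last["action"]
    return "accept"


def audit(rules):
    """Return findings against 3.13.6; an empty list means deny-by-default with narrow exceptions."""
    findings = []
    if default_action(rules) == "accept":
        findings.append("default posture is permit: no terminal deny-all rule")
    for i, r in enumerate(rules):
        # Heuristic: an accept with two or more wildcards is a carve-out, not an exception.
        # "any" -> one host on one port (a public service) passes; any-to-any does not.
        if r["action"] == "accept" and wildcard_count(r) >= 2:
            findings.append(f"rule {i}: over-broad accept {r['src']} -> {r['dst']}:{r['port']}")
    for i, r in enumerate(rules[:-1]):
        # Nothing after a full-wildcard rule can match; later rules are dead configuration.
        if wildcard_count(r) == len(FIELDS):
            findings.append(f"rule {i}: all-wildcard rule shadows {len(rules) - i - 1} later rule(s)")
            break
    return findings


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("default-deny", DEFAULT_DENY)):
        print(f"{name}: {audit(rules) or ['no findings']}")
```

The permissive list produces two findings (no terminal deny, and an any-to-any accept); the deny-by-default list produces none. The two-wildcard threshold is a deliberate heuristic, tune it to the environment, but the terminal-rule check is the one that maps directly to the control text: if the last rule is not a deny-all, the posture is permit by default whatever the exceptions look like.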
- Configuration Management Baseline (3.4.1)
3.4.1 requires baseline configurations and inventories of organizational systems, covering hardware, software, firmware, and documentation, maintained throughout the system life cycle. Many organizations have a baseline for servers and workstations but have not extended it to network devices, cloud resources, or specialized equipment in their CUI environment, and the inventory half of the requirement is often missing entirely. Assessors check the full scope.
- Audit Failure Alerting (3.3.4)
3.3.4 requires an alert in the event of an audit logging process failure, across all systems that process CUI: cloud services, collaboration tools, and any other system within the boundary. It is not enough for alerting to exist in configuration or documentation. It must be actively enabled, monitored, and generating alerts when audit processing fails, whether that is a full log volume, a stopped logging agent, or a collector that has silently stopped receiving events.
Organizations must also demonstrate that audit failure detection and response processes are operating in practice, with evidence that failures are identified, surfaced to responsible personnel, and addressed in a timely manner.
- Incident Response Testing (3.6.3)
Having an incident response plan is not the same as having a tested incident response capability. The control requires that you test your IR capability, document the results, and update the plan based on what you learn. A plan written two years ago and never exercised does not satisfy this control.
- Media Sanitization (3.8.3)
Organizations often have a media sanitization policy but lack evidence of consistent execution. Certificates of destruction, sanitization logs, and documented processes for handling portable media are all reviewed. The gap between having a policy and having verifiable practice is where the findings are written.
- Personnel Screening (3.9.1)
Background screening requirements for personnel with access to CUI are often broader than organizations initially realize. Employees, contractors, and in some cases vendor personnel with regular access to CUI systems may all fall within scope. Inconsistent application of screening requirements is a common gap.
- Third-Party Connections (3.1.20, 3.13.9)
Connections from external systems, including MSP remote access, vendor support portals, and cloud service APIs, must be verified and controlled or limited (3.1.20), and the network connections behind communications sessions must be terminated at the end of the session or after a defined period of inactivity (3.13.9). Many organizations have these connections operating with standing, unmonitored access and no session limits, which satisfies neither practice.
- FIPS-Validated Encryption (3.13.11)
3.13.11 requires FIPS-validated cryptography whenever cryptography is used to protect the confidentiality of CUI, at rest as well as in transit. Organizations that use strong encryption from a module that has not been validated under FIPS 140-2 or 140-3 do not satisfy this requirement regardless of the algorithm used. Validating that your specific tools and configurations use FIPS-validated modules requires more than checking the encryption algorithm: the module's CMVP certificate has to cover the version and platform actually deployed, the module has to be operating in its FIPS-approved mode, and the configured cipher suites have to be among the approved ones.
What to Do With This List
Use it as a pre-assessment checklist. Review each of these controls in your environment with specific attention to exceptions, coverage gaps, and evidence availability. Addressing these ten areas alone will materially improve your readiness for a formal CMMC assessment.
About Fortreum
Whether you are preparing for a self-assessment and need gap analysis support, or pursuing a full C3PAO assessment, Fortreum’s CMMC practice covers both. We work with contractors at every level of readiness to build compliant programs and achieve the certification outcomes their contracts require.
Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/