
Thoughts on CMMC Assessment Readiness

“Most companies think they’re ready. They are not. CMMC is brutal, and the sooner businesses accept that, the better chance they have of passing their first real assessment.”


I have been saying this for a while but have not felt that many people in the DIB (or the DoD) are really hearing me. The Reddit thread found here is a really nice write up.


There is a two-fold aspect to this. First, for the DoD: DoD staff have long held that CMMC is "just the basics" and have said things like, "just what you should do to protect your Netflix account at home," and "I can get this done in my home in 30 days." Both came from senior members of the DoD CIO's office, and both are patently false.


Please, please understand. As written, as the DoD CIO team has built CMMC, this is far and away the hardest standard in cybersecurity. Far harder than what the DoD applies to its own networks. Wait, this is a subset of the controls! How can that be?! Because all the wiggle room the DoD gives itself has been removed. I concur completely with the Reddit author's description of "brutal." I will add "unforgiving." If you applied this assessment approach to the DoD and stuck with a plan of turning off everything that did not meet the standard, you would effectively shut down the DoD networks. None of them meet the standard. The DoD has the right to set the bar for risk management wherever it thinks it should be. Your call. But do NOT buy into the long-held and widely spread myth in the Pentagon that this is just the basics. This is, and always has been, way more than the basics, especially given the assessment process.


Second, for the DIB companies looking at CMMC. Some of you think you are ready. Generally, you are not. The level of detail and inflexibility of the CMMC assessment approach is NOTHING like what you have experienced with ISO, CMMI, SOC 2, etc. Nothing. I have taken to saying that the DoD did not read from the standard commercial assessment playbook when it wrote CMMC. It adopted a well-written NIST standard on how assessments should work (but never do in reality) and then said, "Do all that. Every word. Every comma and period, without modification or failure." Pull in experts in the space to help you. Going it alone is almost never the way.
