Webinar: Top Ten CMMC Controls Not Met

In this webinar, Robert McVay comments on the DoD report summarizing the top ten most common "Other Than Satisfied" controls found in CMMC assessments.

The Assessment Gap: What the Data Tells Us

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducted 117 high-level assessments between 2019 and 2022. The findings were sobering:

  • 883 control failures, categorized as “Other Than Satisfied” (OTS), were identified.
  • On average, each organization failed seven critical controls.
  • These controls are non-POA&M-eligible, meaning they result in automatic assessment failure under CMMC Level 2.

Among the most common OTS failures:

  • Failure to implement FIPS-validated cryptography for CUI in transit and at rest
  • Incomplete or missing multi-factor authentication (MFA) for privileged and remote access
  • Deficiencies in identifying, reporting, and correcting system flaws
  • Lack of periodic risk assessments and vulnerability scanning
  • Insufficient audit logging, event correlation, and incident response testing

Each of these areas is considered a non-negotiable requirement under CMMC and NIST SP 800-171.

A Call to Action for the Defense Industrial Base

Cybersecurity readiness is no longer an aspirational goal; it is a contractual obligation. Defense contractors who process, store, or transmit Controlled Unclassified Information (CUI) must demonstrate evidence-based compliance—not just policy alignment.

What can organizations do now?

  • Review your current implementation of NIST SP 800-171 Rev. 2
  • Prepare for the transition to Rev. 3, ensuring alignment with forthcoming assessment procedures
  • Conduct internal assessments or engage a C3PAO to identify OTS risks
  • Prioritize remediation of non-POA&M-eligible controls
  • Ensure documentation, evidence, and testing procedures are audit-ready

Those relying on Managed Service Providers (MSPs) must also confirm that external cybersecurity services are clearly documented and meet the required standards.

Final Thought: Compliance Is Not a Check-the-Box Exercise

The next 12 months will determine whether your organization remains eligible for future DoD contracts. Compliance with CMMC and NIST SP 800-171 is not just about passing an audit—it’s about demonstrating cyber maturity in a volatile threat landscape.

Organizations that embrace the requirements early, implement strong internal controls, and foster a culture of cybersecurity will not only withstand the coming wave of regulation but position themselves as trusted suppliers in the national defense supply chain.
