CMMC Update by Glenda R. Snodgrass for The Net Effect

June 3, 2024

Does your NIST SP 800-171/CMMC assessment tool give you points for POAMs?

Something I’ve run into recently with several new clients has me quite concerned. Apparently there are a number of assessment/compliance tools that claim to track your progress on implementing NIST SP 800-171, but they give points for POAMs (i.e., if you haven’t even started implementing a particular control, but you check the POAM box, you get points as if you had implemented it).

Whether this is a commercial tool you have purchased, or a supply chain management/survey/assessment tool provided to you by a prime contractor ...


THIS IS WRONG.

The NIST SP 800-171 DoD Assessment Methodology clearly states: “Plans of action addressing unimplemented security requirements are not a substitute for a completed requirement. Security requirements not implemented, whether a plan of action is in place or not, will be assessed as ‘not implemented.’”

(Note that it is possible to have an alternative, but equally effective, security measure approved by the DoD CIO under DFARS 252.204-7012, in which case that requirement counts as implemented; but this is the exception, not the rule.)

What does this mean? In short, if you are using an assessment/compliance tool that gives points for POAMs, your “score” is probably overstated by a wide margin. Under the DoD methodology you start at 110 and subtract the point value (5, 3 or 1) of every requirement that is not fully implemented, whether or not it is on your POAM; only two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) can earn partial credit. I suspect this is one of the reasons that so many organizations have entered perfect scores of 110 into SPRS, only to have DIBCAC re-score them 100+ points lower.
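To make the gap concrete, here is an added example (written for this page, not code from the newsletter or from any of the tools it mentions): a small Python scorer that applies the DoD methodology (start at 110, subtract each unimplemented requirement's point value regardless of POAM status, partial credit only for 3.5.3 and 3.13.11) and, beside it, the "POAM earns credit" shortcut, so you can see how far a POAM-crediting tool inflates a score. The requirement IDs are real NIST SP 800-171 identifiers, but the point values and statuses below are constructed sample data covering only a subset of the 110 requirements (the rest are assumed implemented), not a real assessment; take the real per-requirement values from Annex A of the methodology.

```python
"""Score a NIST SP 800-171 self-assessment two ways: the DoD methodology
(correct) and the 'POAM counts as implemented' shortcut (wrong).

Added example; requirement point values and statuses are constructed
sample data, not the full Annex A table and not a real assessment.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # every requirement implemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    POAM = "poam"  # on a plan of action, i.e. NOT fully implemented yet
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Requirement:
    req_id: str
    value: int  # 5, 3 or 1 points per the methodology's weighting scheme
    status: Status
    partial: bool = False  # partially implemented; only matters for 3.5.3 / 3.13.11


# The only two requirements the methodology allows partial credit for:
# MFA (3.5.3) and FIPS-validated cryptography (3.13.11) deduct 3 instead of 5
# when partially implemented.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(req: Requirement) -> int:
    """Points subtracted for one requirement under the DoD methodology."""
    if req.status is Status.IMPLEMENTED:
        return 0
    # A POAM does not change the deduction: unimplemented is unimplemented.
    if req.partial and req.req_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[req.req_id]
    return req.value


def dod_score(reqs) -> int:
    """Correct score: 110 minus deductions for everything not implemented."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_credit_score(reqs) -> int:
    """The WRONG calculation some tools use: a POAM item earns full credit."""
    return MAX_SCORE - sum(deduction(r) for r in reqs if r.status is not Status.POAM)


def overstatement(reqs) -> int:
    """How many points a POAM-crediting tool inflates the score by."""
    return poam_credit_score(reqs) - dod_score(reqs)


def poam_items_by_deduction(reqs):
    """POAM items, highest deduction first: the order to close them in."""
    items = [r for r in reqs if r.status is Status.POAM]
    return sorted(items, key=lambda r: (-deduction(r), r.req_id))


# Constructed sample inventory (values are illustrative, not Annex A).
SAMPLE = [
    Requirement("3.1.1", 5, Status.IMPLEMENTED),
    Requirement("3.1.2", 5, Status.IMPLEMENTED),
    Requirement("3.1.5", 3, Status.POAM),
    Requirement("3.1.22", 1, Status.POAM),
    Requirement("3.3.1", 5, Status.POAM),
    Requirement("3.4.1", 5, Status.POAM),
    Requirement("3.5.3", 5, Status.POAM, partial=True),  # MFA for privileged users only
    Requirement("3.8.3", 5, Status.IMPLEMENTED),
    Requirement("3.11.2", 5, Status.NOT_IMPLEMENTED),
    Requirement("3.13.11", 5, Status.POAM, partial=True),  # encrypted, but not FIPS-validated
    Requirement("3.14.1", 5, Status.IMPLEMENTED),
]

if __name__ == "__main__":
    print(f"DoD methodology score : {dod_score(SAMPLE)}")
    print(f"POAM-credit tool score: {poam_credit_score(SAMPLE)}")
    print(f"Overstated by         : {overstatement(SAMPLE)} points")
    for r in poam_items_by_deduction(SAMPLE):
        print(f"  close {r.req_id:<8} to recover {deduction(r)} point(s)")
```

Swap SAMPLE for your own inventory and the difference between the two scores is exactly the amount your POAM-crediting tool has been overstating; the sorted POAM list tells you which items recover the most points when closed.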

There are many good tools out there that will properly calculate your score, and there are many good consultants who can help you correctly calculate your score and work on improving it. Look for CMMC Certified Assessors (CCAs) in particular, as we have had the most training in the specifics of this standard.

Need help? You know where to find me!

How old is your SPRS self-assessment score? Might want to review this.



Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!
