Did you know one of the most prolific failures for an organization’s self-assessments and those seeking certification during a conformity assessment under Cybersecurity is their documentation?  Approvals.

For some crazy reason organizations think draft documentation, settings that were just simply created by IT, or none at all is enough to meet the requirements per NIST SP 800-171A and CMMC guidance.

At the core of this general misunderstanding lies organization’s missing the verb “approve” in:

  • 4.3, Track, review, approve or disapprove, and log changes to organizational systems.
  • 4.5, Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Heck, it even shows up in 3.1.3, “Control the flow of CUI in accordance with approved authorizations.”

To make matters worse…yes, worse… when an assessor is given unapproved documentation for a requirement, the requirement is 𝑵𝑶𝑻 𝑴𝑬𝑻.

This episode of As the CMMC Churns looks at the underlying NIST SP 800-171 requirement relationships and, more importantly, how you can go about approving your system configuration documentation.

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites