Did you know one of the most prolific failures for an organization’s self-assessments and those seeking certification under Cybersecurity is their documentation?

For some crazy reason organizations think draft documentation, settings that were just simply created by IT, or none at all is enough to meet the requirements per NIST SP 800-171A and CMMC guidance.

At the core of this general misunderstanding lies organization’s missing the verb “𝐚𝐩𝐩𝐫𝐨𝐯𝐞” in:

  • 4.3, Track, review, 𝐚𝐩𝐩𝐫𝐨𝐯𝐞 or disapprove, and log changes to organizational systems.
  • 4.5, Define, document, 𝐚𝐩𝐩𝐫𝐨𝐯𝐞, and enforce physical and logical access restrictions associated with changes to organizational systems.

Heck, it even shows up in 3.1.3, “Control the flow of CUI in accordance with 𝐚𝐩𝐩𝐫𝐨𝐯𝐞𝐝 authorizations.”

To make matters worse…yes, worse… when an assessor is given unapproved documentation for a requirement, the requirement is 𝑵𝑶𝑻 𝑴𝑬𝑻.

This episode of As the CMMC Churns looks at the underlying NIST SP 800-171 requirement relationships and, more importantly, how you can go about approving your system configuration documentation.


Peak InfoSec Homepage: https://peakinfosec.com

As the CMMC Churns Episodes: https://peakinfosec.com/as-the-cmmc-churns/

Contact Peak InfoSec for Support: https://peakinfosec.com/contact/

Email: [email protected]