The 5 Controls That Fail Most Small Contractors
It's usually not the technical controls that trip them up. It's the same five controls, over and over again.
Every year, thousands of defense contractors go through CMMC assessments expecting to pass. Most don't.
The surprising part? It's usually not the technical controls that trip them up. It's the same five controls, over and over again.
1. System Security Plan (Control 3.12.4)
The requirement:
Develop, document, and periodically update system security plans.
Why it fails:
Most contractors either don't have an SSP at all, or they have a template they downloaded three years ago and never updated.
Your SSP isn't a checkbox document. It's the foundation of your entire compliance program. Assessors read it first to understand your environment, then verify that reality matches what you wrote. When it doesn't, you fail.
Fix it:
Your SSP should describe YOUR systems, YOUR policies, YOUR implementation. Update it whenever something changes. If your SSP says you have 20 endpoints and you actually have 45, that's a finding.
2. Incident Response Testing (Control 3.6.3)
The requirement:
Test the organizational incident response capability.
Why it fails:
Companies write an incident response plan, put it in a folder, and never touch it again. When the assessor asks "when did you last test this?" the answer is silence.
You don't need a fancy tabletop exercise with consultants. You need to actually walk through your plan once a year. What happens when someone clicks a phishing link? Who gets called? In what order? Does everyone know their role?
Fix it:
Schedule a 2-hour tabletop exercise. Document it. Keep the attendance sheet and meeting notes. That's your evidence.
3. Audit Log Review (Control 3.3.3)
The requirement:
Review and update logged events.
Why it fails:
Logs exist. Nobody looks at them. The assessor asks "show me your log review process" and you have nothing.
It's not enough to have logging turned on. Someone has to actually review those logs on a regular schedule, document what they found, and escalate anomalies.
Fix it:
Assign someone to review logs weekly. Create a simple checklist: which logs were checked, the date, the reviewer's name, and any anomalies found. Keep those records. That's what assessors want to see.
4. CUI Flow Control (Control 3.1.3)
The requirement:
Control the flow of CUI in accordance with approved authorizations.
Why it fails:
Contractors don't actually know where their CUI lives or how it moves through their systems. They can't show the assessor a data flow diagram because they've never mapped it.
If you can't draw how CUI enters your environment, where it's stored, who can access it, and how it leaves—you can't prove you're controlling it.
Fix it:
Map your CUI flow. Where does it come from? (Email? Portal download? File transfer?) Where does it go? (File server? Cloud storage? Laptops?) Who touches it along the way? Draw it out.
5. Baseline Configurations (Control 3.4.1)
The requirement:
Establish and maintain baseline configurations and inventories of organizational systems.
Why it fails:
No current inventory. No documented baseline. Systems configured inconsistently. When the assessor asks "show me your asset inventory," contractors scramble to export something from Active Directory that's two years out of date.
Fix it:
Create a living inventory of every system in scope—hardware, software, cloud services. Document your standard configuration for each system type. Update it when things change.
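The "SSP says 20 endpoints, reality has 45" finding from section 1 and the baseline drift from section 5 are the same check: reconcile what the documents claim against what a live inventory export shows. This is an added example, not code from the original post; the asset records and baseline values are constructed samples, and in practice the live side would come from your directory or MDM export.

```python
"""Reconcile a documented SSP inventory and baseline against a live export.

Added example, not from the original post. All records below are
constructed samples standing in for the SSP inventory, the documented
baseline, and an inventory export from a directory or MDM tool.
"""

# Constructed sample: the assets the SSP claims are in scope.
DOCUMENTED_ASSETS = {
    "WS-001": {"type": "workstation", "os": "Windows 11", "disk_encryption": True},
    "WS-002": {"type": "workstation", "os": "Windows 11", "disk_encryption": True},
    "SRV-FILE01": {"type": "server", "os": "Windows Server 2022", "disk_encryption": True},
}

# Constructed sample: the documented standard configuration per system type.
BASELINE = {
    "workstation": {"os": "Windows 11", "disk_encryption": True},
    "server": {"os": "Windows Server 2022", "disk_encryption": True},
}

# Constructed sample: what a current inventory export actually reports.
LIVE_ASSETS = {
    "WS-001": {"type": "workstation", "os": "Windows 11", "disk_encryption": True},
    "WS-003": {"type": "workstation", "os": "Windows 10", "disk_encryption": False},
    "SRV-FILE01": {"type": "server", "os": "Windows Server 2022", "disk_encryption": True},
}


def reconcile(documented, live, baseline):
    """Return findings as (category, asset, detail) tuples, in a stable order."""
    findings = []
    # Assets that exist but were never written into the SSP (3.12.4 / 3.4.1).
    for name in sorted(live.keys() - documented.keys()):
        findings.append(("UNDOCUMENTED", name, "live but absent from the SSP inventory"))
    # Assets the SSP still lists that no longer exist (stale documentation).
    for name in sorted(documented.keys() - live.keys()):
        findings.append(("MISSING", name, "in the SSP but absent from the live export"))
    # Live assets whose configuration has drifted from the documented baseline.
    for name, attrs in sorted(live.items()):
        expected = baseline.get(attrs["type"])
        if expected is None:
            findings.append(("NO_BASELINE", name, f"no baseline for type {attrs['type']!r}"))
            continue
        for key, value in expected.items():
            if attrs.get(key) != value:
                findings.append(("DRIFT", name, f"{key}={attrs.get(key)!r}, baseline requires {value!r}"))
    return findings


if __name__ == "__main__":
    for category, asset, detail in reconcile(DOCUMENTED_ASSETS, LIVE_ASSETS, BASELINE):
        print(f"{category:<12} {asset:<11} {detail}")
```

Run it on a schedule and keep the dated output with the review records; an empty findings list is the evidence that the SSP and baseline still match the environment.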
The Pattern
Notice something? Four of these five controls are about documentation and process, not technology.
You can have the best firewalls, endpoint protection, and encryption in the world. If you can't prove it with documentation, you'll fail.
The contractors who pass aren't necessarily more secure. They're more organized. They document what they do. They review things on a schedule. They keep records.
Start with these five. Get them right. Everything else gets easier from there.
Check where you stand
Use our free SPRS calculator to assess all 110 controls and see your current score. Takes about 20 minutes.