The
CMMC 2.0 is a new framework that aims to ensure the security of the DoD supply chain. It consists of three certification levels. However, each level features a set of practices that the organizations seeking certification (OSC) must implement and demonstrate. The CMMC assessment process is conducted by a
C3PAO, which evaluates the OSC’s compliance with the CMMC requirements. However, the Assessment of a CMMC 2.0 practice can result in either MET, NOT MET, or NOT APPLICABLE. There are many reasons why a CMMC practice can be found NOT MET. This could happen if the assessment methods find the evidence inadequate or if an implemented practice is incorrectly documented. To ensure a collaborative approach and environment after Phase 2 of the CMMC assessment process, the CMMC program allows for Limited Practice Deficiency Correction.
Thus, the Assessment can continue to the next phase as the OSC corrects the Practice deficiencies. However, the OSCs must complete the correction within the limited time frames.
What is a Limited Practice Deficiency Correction Program?
This is a process that allows OSCs to correct some practices with a finding NOT MET during a
CMMC 2.0 level 2 or
level 3 assessment. It is worth noting that not all practices are eligible for Limited Deficiency Correction Consideration. Any CMMC practices that meet the criteria below are ineligible for consideration under the limited practice deficiency correction.
- Practices that could lead to significant exploitation of the network or exfiltration of CUI;
- Any practice(s) listed on the OSC’s Self-Assessment Practice Deficiency Tracker;
- Practices that were not implemented by the OSC prior to the current CMMC Assessment; and
- Any practice that changes and/or limits the effectiveness of another practice that has been scored as “MET."
Practices eligible for limited practice deficiency consideration
The assessor will not track any practice befitting the criteria above
(as specified in CAP v1.0. §§ 2.3.2.1) under the Limited Practice Deficiency Correction Program. Below are the 52 practices eligible for limited practice deficiency consideration. They have an indirect or limited impact on the security of a network and/or its data.
However, there’s a caveat. For a practice to be placed on a Limited Practice Deficiency Correction program, the OSC’s implementation of the individual practice should meet the criteria below:
- The practice must have been implemented, but missing minor updates (e.g., updates to policy signatures, procedural documentation that exists but is outdated, etc.), but where the practice Evidence demonstrates the implementation has been in place for a period; and
- There’s a consensus among the C3PAO Assessment Team that the practice in question does not change and/or limit the effectiveness of another practice that has been scored as “MET.”
The two criteria must be considered for a specific practice to be tracked in the Limited Practice Deficiency Correction program. Thus, the Lead Assessor can place any practice that meets the criteria above on the Limited Practice Deficiency Correction program. However, such practices are scored as “NOT MET” and recorded on the CMMC L2 Limited Practice Deficiency Correction Program Worksheet.
What are the Benefits of a Limited Deficiency Correction Program?
A limited practice deficiency correction program has several benefits for the OSC and the DoD. For the OSC, it provides an opportunity to remediate some of the deficiencies the assessor may find during the Assessment. It means that when an Assessor identifies a deficiency during the Assessment, the OSC has an opportunity to correct it. . It also reduces the cost and time of the assessment process. This is because the OSC does not need to undergo a full re-assessment for the deficient practices. The program supports organizations in achieving compliance with the CMMC requirements by helping them meet the necessary standards and pass the CMMC assessment.
By allowing the use of limited practice deficiency correction, the CMMC program recognizes that not all controls have the same impact on network and data security. Therefore, it allows for corrections in controls that have a limited or indirect effect on the security of the network and its data. For the DoD, it ensures that the OSCs are committed to improving their cybersecurity posture and meeting the
CMMC standards. It also allows the DoD to monitor the progress and status of the OSCs on the program and provide guidance and support if needed.
Limited Practice Deficiency Correction Evaluation
A limited deficiency correction program is not a free pass for the OSC to ignore the
CMMC 2.0 requirements. The OSC is still required to correct the practice deficiencies and adduce adequate and sufficient evidence that they’ve corrected the deficiencies. The C3PAO assessment team reviews the evidence presented by the OSC with the aim of closing out the items in the Limited Practice Deficiency Correction Program. If the C3PAO finds a practice to be fully implemented and corrected, the OSC’s score for the specific practice is changed to MET.
The score remains NOT MET for all practices whose evidence doesn’t meet the adequacy and sufficiency requirements. If all the practices listed under the Limited Practice Deficiency Correction Program are found to be fully implemented and thus “MET,” the Lead Assessor closes out the Assessment. They then recommend that the OSC be granted a CMMC 2.0 level 2 certification. Any practices under the Limited Practice Deficiency Correction Program that are NOT MET within five (5) calendar days prior to submission of the Final Findings report into eMASS should be moved to a
POA&M.
However, moving the OSC to the POA&M Close-Out Assessment option requires that the current assessment score be more than or equal to 80% after a POA&M review. This means that 88/110 practices should have a finding of MET. However, the OSC remains on a conditional CMMC 2.0 level 2 certification with the original starting date. If it is determined that the POA&M Close-Out Assessment option can’t be used, then the lead assessor recommends that the OSC not be CMMC certified. Thus, they will have to correct the deficiencies and apply for another CMMC assessment.
Conclusion
Therefore, the OSC should not rely on the limited deficiency correction program as a substitute for proper cybersecurity planning and implementation. The OSC should strive to implement all the practices and adduce sufficient and adequate evidence to support their claim in the first place. The use of the Limited Practice Deficiency Correction Program should only be thought of as a last resort.
Do you need help preparing for an upcoming CMMC assessment?
Cleared Systems can help. We will assess your environment and systems, scope your assets, conduct a gap analysis, remediate the gaps, and help you prepare documentation like SSP and POA&M.
Contact us today to ensure your organization is fully prepared to meet CMMC requirements and protect sensitive data effectively.
