Compliance

Top 10 Failed CMMC Controls, #10 System Baselining

CMMC Journey Guides

#10 - CM.L2-3.4.1: System Baselining

When working with individual controls, we know they have to be dissected at the objective level. For this control, one of the 110 controls (320 objectives) in CMMC, I have chosen to split the objectives into two parts, a/b/c and d/e/f, mainly covering “baseline configurations” and “system inventory”. If you work with CUI, you don’t get to “wing it” on configurations or inventory. CM.L2-3.4.1 asks you to do two big things across the system life cycle:
(1) build and maintain secure, documented baselines for each system and
(2) keep a trustworthy inventory that actually reflects reality in production.

The CMMC Level 2 Assessment Guide spells this out clearly, including exactly what assessors will “Examine/Interview/Test” to verify it’s in place. In this article we will get granular with 1) Dissecting the Control, 2) What full implementation looks like, 3) Why this Control Fails, 4) A Quick Checklist.

1) Dissecting The Control in Two Logical Halves

Objectives A/B/C: Baseline Configurations

  • [a] Establish a baseline configuration for each system component type. For every deployed machine type, you define the approved build: OS version, required apps, hardened settings, network placement, and anything else that affects security and function.
  • [b] Include the full buildout for each system. Baselines must cover hardware, software, firmware, and documentation—not just a golden image. Think platform model/BIOS, OS and app versions/patch status, and the config parameters that lock it down.
  • [c] Maintain it consistently moving forward. As your environment changes, review and update baselines so they always reflect the live system and enterprise architecture (create new baselines when things change materially).

What lives in a solid baseline:

  • Laptops/Desktops/Servers
  • Enclaves (e.g., entire VDI and each component), laptops/workstations, servers
  • ALL Applications per asset group
  • Versions & patch levels for OS/apps/firmware
  • Networking elements: routers, switches, firewalls, WAPs, etc.

Objectives D/E/F: System Inventory

  • [d] Establish a system inventory. A real one… no, seriously. Ideally this is maintained by software, with asset management agent(s) automating most of the process, but that is advice, not a requirement. Any device classified as one of the CMMC asset types is in scope and should be in the system inventory.
  • [e] Include the full buildout for each system in the inventory. (again: hardware, software, firmware, and documentation).
  • [f] Maintain it. Review and update it as systems evolve so it stays accurate to production reality in a reasonable and timely manner.

What lives in a solid inventory:

  • Manufacturer, device type, model, serial number, physical location, owners/main users
  • Hardware specs & parameters
  • Software inventory with version control and potentially licensing information
  • Network info (machine names, IPs)

Assessor angle (what they look at): Policies, procedures, SSP, Configuration Management plan, inventory records and update logs, config docs, change/install/remove records; plus, interviews with the people who build and maintain these things; plus, tests of the actual processes and mechanisms you use to manage baselines and the inventory.

2) What Full Implementation Looks Like

A simple, effective pattern from the Assessment Guide:

  1. Design a secure workstation baseline. Research the hardened settings that deliver the least functionality needed to do the job, then test that baseline on a pilot machine.
  2. Document it (build sheet, settings, required software, version list, how it’s joined to the network) and roll it out to the rest of that asset class from the documented baseline.
  3. Update the master inventory manually, or make sure an appropriate agent is live to reflect the software changes and the devices now at the new baseline.
  4. Schedule a regular review interval to re-validate versions, patches, and settings; or make review a normal part of your SOP that is updated on a regular basis.

Scale that approach across all deployed machine types:

  • Enclaves & Virtual Desktop Infrastructure: baseline the image and each supporting component (connection brokers, secure gateways, user-profile layers, and file-system layers).
  • Laptops & Workstations: document hardware models and BIOS/UEFI versions, OS build, required apps, GPOs/MDM profiles.
  • Servers: OS baselines per role (AD/DNS, file, app, DB), service hardening, approved modules/agents.
  • Networking: switch/router/firewall/WAP firmware baselines, approved feature sets and templates.
  • Applications Inventory: version standards, required configs, and how they’re deployed/updated.
  • Docs: build guides, change records.

And yes, tie everything to change management controls, because the second you patch, you either (1) update the baseline or (2) record an approved deviation and a plan to reconcile. The guide’s “Potential Assessment Considerations” call out version/patch levels, configuration parameters, network info, and communications with connected systems (proof for [a]/[b]), and timely baseline updates ([c]).

How computers are actually baselined, end-to-end:

  1. Procurement & intake: approve models; capture serials/asset tags at receipt; record ownership/location.
  2. Imaging: apply the gold image (or Autopilot/MDT/SCCM/Intune flow); inject drivers; enforce policies (GPO/MDM).
  3. Hardening: apply CIS/NIST-inspired settings that match your baseline; lock services/ports/protocols; set logging.
  4. Application set: install required software; check licensing; verify versions.
  5. Join & place: join to domain/MDM; put it in the right OU/MDM group/VLAN/segmented subnet.
  6. Recordkeeping: update the inventory with HW/SW/firmware/docs and network details; save the build sheet and sign-off.
  7. Review cadence: calendar-based (e.g., quarterly) and/or event-based (whenever a major patch lands) to keep baseline and inventory current ([c], [f]).
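
One way to automate the recordkeeping and review steps above, as an added example (not from the article or the Assessment Guide): a small Python check that compares each inventory record with the documented baseline for its asset class, honours approved deviations, and flags missing inventory fields and an overdue baseline review. All asset names, versions, field names and the 90-day cadence are constructed assumptions.

```python
from datetime import date

# Inventory fields the article lists for a solid inventory (objectives d/e).
REQUIRED_FIELDS = ("manufacturer", "device_type", "model", "serial", "location",
                   "owner", "hostname", "ip", "firmware", "os_build", "software")

# Constructed baseline for one asset class; every value here is illustrative.
BASELINES = {"laptop": {
    "os_build": "10.0.22631", "firmware": "1.18.0",
    "software": {"edr-agent": "7.2.1", "vpn-client": "5.0.3"},
    "last_review": date(2025, 1, 15),
}}

# Constructed inventory records, as an asset agent or spreadsheet export might give.
INVENTORY = [
    {"asset_class": "laptop", "manufacturer": "ExampleCo", "device_type": "laptop",
     "model": "X1", "serial": "SN-0001", "location": "HQ-2F", "owner": "j.doe",
     "hostname": "LT-0001", "ip": "10.10.20.11", "firmware": "1.18.0",
     "os_build": "10.0.22631",
     "software": {"edr-agent": "7.2.1", "vpn-client": "5.0.3"},
     "approved_deviations": []},
    {"asset_class": "laptop", "manufacturer": "ExampleCo", "device_type": "laptop",
     "model": "X1", "serial": "SN-0002", "location": "", "owner": "a.smith",
     "hostname": "LT-0002", "ip": "10.10.20.12", "firmware": "1.16.2",
     "os_build": "10.0.22631",
     "software": {"edr-agent": "7.2.1", "vpn-client": "4.9.0", "pdf-tool": "3.1"},
     "approved_deviations": ["vpn-client"]},
]

def missing_fields(record):
    """Inventory fields that are absent or empty for this asset."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def baseline_drift(record, baseline):
    """Differences between the asset and its baseline, minus approved deviations."""
    approved = set(record.get("approved_deviations", []))
    findings = []
    for key in ("os_build", "firmware"):
        if record.get(key) != baseline[key] and key not in approved:
            findings.append(f"{key}: {record.get(key)} != baseline {baseline[key]}")
    installed = record.get("software", {})
    for name, version in baseline["software"].items():
        if name in approved:
            continue
        if name not in installed:
            findings.append(f"missing required software: {name}")
        elif installed[name] != version:
            findings.append(f"{name}: {installed[name]} != baseline {version}")
    for name in installed:
        if name not in baseline["software"] and name not in approved:
            findings.append(f"unapproved software: {name}")
    return findings

def review_overdue(baseline, today, max_age_days=90):
    """True when the baseline was not reviewed within the cadence (quarterly here)."""
    return (today - baseline["last_review"]).days > max_age_days

def audit(inventory, baselines, today):
    """Per-asset report keyed by serial number."""
    report = {}
    for rec in inventory:
        base = baselines.get(rec["asset_class"])
        report[rec["serial"]] = {
            "missing_fields": missing_fields(rec),
            "drift": baseline_drift(rec, base) if base else ["no baseline for asset class"],
            "baseline_review_overdue": review_overdue(base, today) if base else True,
        }
    return report

if __name__ == "__main__":
    for serial, result in audit(INVENTORY, BASELINES, date(2025, 6, 1)).items():
        print(serial, result)
```

Saving each run's output alongside the change records gives a dated review log for the baseline and the inventory.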

3) Why This Control Fails (Top-10, sitting at #10)

Short answer: it’s a lot of work, and it’s the kind that doesn’t scream until something goes terribly wrong…

  • Documentation feels heavy. A real baseline covers hardware, software, firmware, and documentation and needs regular updates. That is inherently more than “we have an image.” It is buildout documentation, version matrices, network placement, and the approval trail that shows the baseline evolved with your environment.
  • Inventory discipline gets neglected. Many shops run with a “good enough” list. CMMC expects manufacturer, model, serial, location, owner, license/version data, and network identifiers; and expects you to keep it aligned to reality. If the list doesn’t match what’s plugged in, you’ll feel it during interviews and evidence review… and potentially a failed assessment.
  • Change is constant. Patches, feature updates, firmware drops, and hardware refreshes mean your baseline and inventory are living artifacts. If you don’t have a trigger to update both when changes roll out, drift creeps in, and you’ll miss [c]/[f] maintenance requirements.
  • Historical culture. Plenty of orgs “got by” without rigorous Change Management and Asset Inventory. CMMC is forcing the shift from tribal knowledge to documented, reviewable practice. Assessors will Examine/Interview/Test to verify it’s not just policy on paper.
  • Tool sprawl and ownership ambiguity. If imaging is owned by one team, firmware by another, and inventory by a third, gaps appear. You need clear roles and a single source of truth that each team updates as part of their workflow (again, the guide’s methods target exactly these mechanisms).

4) A Quick Checklist You Can Actually Use

  • A baseline configuration exists for each asset class (VDI, laptop/WS, server roles, network devices, key apps) with:
    • Versions/patch levels, hardened settings, required software, network placement, and rationale (A/B).
    • An update log proving periodic and event-driven reviews (C).
  • A system (asset) inventory exists and matches production, with HW/SW/firmware/docs and the who/where/how (D/E).
  • A cadence (calendar + change triggers) keeps both baseline and inventory in sync with reality (F).
  • Evidence on hand for assessors: policies, CM plan/SSP, build sheets, images/scripts, install/removal/change records, inventory review logs, asset inventory dashboards, and interviews with the people who actually do the work (the assessment guide lists these explicitly).


Sources:

  • CMMC Assessment Guide – Level 2, CM.L2-3.4.1 (practice statement, objectives a–f, methods, discussion, example).
  • NIST SP 800-171A, 3.4.1 (assessment objectives and methods).
  • NIST SP 800-171r2, 3.4.1 discussion (what belongs in baselines and inventories).


DoD’s 48 CFR Final Rule Reaches OIRA Review & is Cleared

On July 22, 2025, the Department of Defense took a major step toward finalizing its long-anticipated 48 CFR (DFARS) rule implementing the Cybersecurity Maturity Model Certification (CMMC). The rule was officially submitted to the Office of Information and Regulatory Affairs (OIRA) for interagency review.

This submission marks the last checkpoint before the rule is published in the Federal Register and becomes binding on contractors. Once cleared by OIRA, DoD can move forward with inserting the updated DFARS requirements into new solicitations and contracts.

What Comes Next

  • OIRA Review: OIRA cleared it on August 25, 2025. 
  • Federal Register Publication: The rule will be published in the Federal Register along with an official effective date. Federal regulations generally become enforceable within 1 to 60 days of publication.
  • Contract Implementation: Contractors can expect DFARS clauses referencing the CMMC requirements to begin appearing in solicitations as early as late 2025.

Why It Matters

This milestone carries real implications for defense contractors. Once the rule takes effect, companies that lack a CMMC-certified environment may find themselves ineligible to win or execute DoD contracts. It won’t be enough to have plans in place—contracting officers will need assurance that sensitive Department of Defense work is performed within a secure, certified environment.

For many small and mid-sized businesses, this could mean the difference between maintaining a foothold in the Defense Industrial Base or being locked out of future opportunities. Companies that have delayed compliance run the risk of being passed over in favor of competitors who are audit-ready.

Final Thought

For defense contractors, this is the clearest signal yet that CMMC compliance is no longer optional or “someday.” With the rule in OIRA’s hands, the countdown to enforcement has begun. Contractors handling Controlled Unclassified Information (CUI) should ensure their NIST 800-171 controls are implemented, documented, and verifiable inside a certified environment.


Not Just Talking CMMC — Leading Efforts

🎙️ Cordell Rolle Speaks at Space Coast Women In Defense Annual Awards Panel: CMMC, AI, and How to Stay Smart and Secure

At the Women In Defense Space Coast (WIDSC) Annual Awards Event, Rolle IT’s CEO Cordell Rolle joined an expert panel of cybersecurity and compliance leaders to unpack the evolving challenges of CMMC (Cybersecurity Maturity Model Certification) and Artificial Intelligence (AI). The panel brought together perspectives from across the industry and was expertly moderated by David Bragg from the University of Florida.

Cordell spoke alongside:

  • Reagan Edens, Chief Technologist and Founder at DTC Global
  • Elizabeth Huy, VP of Business Operations at Alluvionic
  • David Bragg, Moderator and Cybersecurity Programs Director, University of Florida

Together, they tackled some of the most urgent and nuanced topics facing the defense industrial base and government contractors today.


🔐 CMMC: Building a Culture of Compliance, Not Just Checking Boxes

The panel opened by reinforcing the mission behind CMMC:

“CMMC isn’t a hurdle — it’s a shield. It’s how we protect our nation’s supply chain, intellectual property, and the future of our industrial base.”

The panel addressed real-world concerns many small and mid-sized contractors face:

  • Confusion around what level of CMMC is required for subcontractors
  • Cost implications of CMMC Compliance and Assessments, which should have already been factored into contract prices
  • Companies looking to “just get compliant” without understanding the risk landscape

Cordell emphasized education and empowerment, not fear-mongering:

“We can’t just talk about compliance as a cost. It’s a capability. It tells our partners we’re ready, responsible, and reliable.”


🤖 AI & Compliance: Smart Technology Needs Smarter Boundaries

The conversation then shifted to Artificial Intelligence — one of the most anticipated and complicated topics of the evening.

Cordell discussed how AI can be a powerful force multiplier in cybersecurity, automating detection, correlation, and even response in ways humans can’t match. But he also cautioned against blind adoption:

“You can’t use just any AI tool in a compliant environment. You need to know exactly where your data is going — and who owns it once it leaves your network.”

One key insight from Cordell: Using AI within your controlled environment — not as an external, public tool — may be the only way to remain compliant under frameworks like CMMC, NIST 800-171, and DFARS.

He challenged companies to ask:

  • Is the AI processing data locally or in the cloud?
  • Is the model trained on your proprietary information — and if so, how is it secured?
  • Can you control retention, deletion, and auditability?
  • Who has access to your prompts, responses, and metadata?
  • How are permissions set for access to information within your environment?

“AI isn’t the enemy — it’s your responsibility. If you can’t explain where your information is going, then you’re not compliant. And you’re definitely not secure.”


🧠 Key Takeaways from the Panel

This year’s WIDSC event brought together government leaders, defense tech innovators, women in STEM, and cybersecurity trailblazers. Cordell’s message was clear:

  • CMMC compliance is achievable — if you start early and build smart habits
  • AI should be internalized, audited, and tested before use in sensitive environments
  • Zero trust applies to software too — especially those with autonomous learning
  • Education is the strongest defense — and free, public guidance must continue


💬 The Bigger Picture: Rolle IT Leads With Purpose

Cordell Rolle’s panel appearance reflects a broader principle at Rolle IT: We don’t just offer cybersecurity solutions — we help shape the cybersecurity conversation.

From supporting small DIB contractors to contributing on non-sponsored expert panels, Rolle IT shows up where it counts — with practical advice, not a sales pitch.

To learn more about how we support compliant AI adoption, CMMC readiness, and cyber risk reduction, visit us at https://rolleit.com.


The CMMC Tsunami: How Ripples Became Waves—and Now a Storm Threatens the Defense Industrial Base


Far offshore, deep under the ocean, a powerful shift occurs—an earthquake, a volcanic eruption, or a landslide.
At first, the surface looks almost calm.
There’s no immediate towering wall of water.
Just a subtle change: a slight pull of the tide, a few ripples moving outward.

But beneath the surface, an unstoppable force has been unleashed.
A massive surge of energy races silently across the water at hundreds of miles per hour. As it approaches land, the seafloor rises. The wave, once almost invisible, grows into a towering wall of water.

When a tsunami hits, it doesn’t just flood the coastline—it redraws it.
Entire towns are swept away.
Harbors are wiped clean.
The landscape is forever altered, and only the most prepared—or the highest ground—survives intact.

Tsunamis are not ordinary storms.
They are transformational forces.


Now, across the Defense Industrial Base (DIB), another tsunami is approaching—not made of water, but of regulation, enforcement, and cybersecurity evolution.
This tsunami is called CMMC (Cybersecurity Maturity Model Certification).

The warning signs have been there. The ripples started years ago.

The only question left is: Will you be ready when it hits?


🌱 The First Ripples: Early Warnings Ignored

Years ago, the Department of Defense (DoD) recognized a growing threat: foreign adversaries were targeting the U.S. through the supply chain. Sensitive defense information was bleeding out through small and mid-sized contractors who lacked robust cybersecurity.

In response, early guidance like NIST SP 800-171 and DFARS 7008 & 7012 requirements were issued. These policies were the first ripples—small movements in the water that signaled a shift in expectations. While many companies unknowingly drifted closer to this impending disaster, each DFARS 7008 and 7012 clause they signed legally obligated them to have already fully implemented NIST 800-171 standards. These contractual commitments weren’t mere bureaucratic formalities—they were early tremors, subtle but undeniable confirmations of the seismic event beneath the surface. Those early ripples, largely ignored or misunderstood, were legal liabilities accumulating beneath calm waters, now coalescing into the regulatory tsunami known as CMMC.

But many companies treated these requirements as minor disturbances. Some completed a checklist. Some promised improvements without making real changes, some attested to NIST 800-171 compliance without knowing a thing about it. And others simply ignored the warnings altogether, anchored by the belief that bigger threats only happen to bigger ships.

The ripples were there. But few adjusted their course. 


🌊 The Rising Waves: CMMC Begins to Form

As data breaches multiplied and cyberattacks grew more sophisticated, the ripples grew into undeniable waves.
The Department of Defense realized more dramatic action was needed to protect national security.

Thus, the Cybersecurity Maturity Model Certification (CMMC) was born.

No longer would companies self-attest to their cybersecurity practices.
Third-party assessments would now be required to prove compliance.
Without certification, companies would be barred from executing on defense contracts.

The water was no longer gently stirring. It was rising.

And those waves carried with them a heavy message: Adapt or be cast adrift.


💥 The Earthquake Beneath: A Tectonic Shift in the DIB

Many companies didn’t notice it—but while they worked through proposals and deliveries, a massive earthquake rumbled far beneath the surface.

  • Threat actors were becoming state-sponsored and far more sophisticated.
  • Legislative pressure was mounting on the DoD to shore up its vulnerabilities.
  • Public trust in the resilience of the U.S. defense supply chain was beginning to erode.

This earthquake is what triggered the tsunami—the seismic force of CMMC requirements reshaping the entire defense contracting landscape.

By the time the first wall of water appears on the horizon, it’s already too late for last-minute scrambling. The energy unleashed cannot be stopped—it can only be anticipated and prepared for.


🌊🌊🌊 The Tsunami Approaches: What Happens Next?

The full enforcement of CMMC is not a distant possibility—it is an inevitable, crashing wave speeding toward the DIB.

Companies that fail to adapt will face existential consequences:

  • Loss of Contracting Opportunities: Without certification, companies will be disqualified from defense projects.
  • Reputational Damage: A company caught unprepared signals unreliability not just to the DoD, but to prime contractors and teammates.
  • ⚖️ Whistleblowers, False Claims Act, and Cybersecurity Noncompliance
    • “False cybersecurity certifications are no longer a hidden risk. They are ticking time bombs.” – U.S. Department of Justice
    • Under the False Claims Act (FCA), companies that submit false information to the government—or falsely certify compliance with federal regulations—can be sued for massive damages.
      And cybersecurity compliance is now a major target.
    • In fact, the Department of Justice launched the Civil Cyber-Fraud Initiative in 2021, focusing specifically on holding contractors accountable when they:
      • Knowingly misrepresent their cybersecurity practices,
      • Fail to report breaches,
      • Or falsely claim they meet contract requirements like DFARS or CMMC preconditions.
    • 🔹 Example: In 2022, Aerojet Rocketdyne settled for $9 million after a whistleblower (their former cybersecurity executive) alleged that the company failed to comply with DFARS cybersecurity clauses—even though they were required to under federal contract terms (DOJ announcement).
    • 🔹 Key point: Individual employees—not just agencies—can trigger these lawsuits.
      Under the FCA’s qui tam provisions, whistleblowers are entitled to a portion of any recovered settlement.
    • In the context of CMMC, if a company falsely claims readiness or compliance to win a defense contract, they could face millions of dollars in penalties—and public reputation damage that is even harder to repair.
  • Financial Loss: Losing access to defense contracts could cripple companies, especially small and mid-sized firms that depend on this business.

This isn’t just a compliance checkbox. It’s an industry-wide rearrangement—a reshaping of who stays and who goes.

The coastline will be forever altered.


🛡️ Preparing for the Tsunami: Riding the Wave, Not Fighting It

The good news?
You can survive.
You can thrive.

But only if you start moving now.

Preparation looks like:

  • Understanding your CUI
  • Understanding your current cybersecurity posture
  • Developing robust System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms).
  • Engaging early with experts who can guide your certification journey.
  • Building a cybersecurity-first culture within your organization—before it’s forced upon you.

The organizations that prepare now will not only survive the tsunami—they’ll be the new leaders in the reshaped Defense Industrial Base.

Those who treat CMMC as an opportunity, not a burden, will rise with the wave.


🚨 Why I built this timeline: My goal was simple…to warn and serve the Defense Industrial Base.

By Grant Mooney, CCP


I’ve spent the last few weeks working a lot… digging through over 20 years of DoD policy, DFARS clauses, Congress Mandates, NIST standards, and real world NIST 800-171 Lawsuit cases. Too many companies still think CMMC is “just a future contract checkbox.” It’s not.
It’s already a survival issue.

📉 If your business depends on DoD contracts and you haven’t finished implementing NIST 800-171, you’ve already missed the deadline: December 31, 2017!
📍 YOU ARE HERE — in the Death of the Old DiB. The “Great Disqualification” begins soon. Primes are already flowing down Level 2 requirements. If you don’t have a certificate or a plan, you’re already losing opportunities.
🎰 If you’re just now starting to take this seriously in Q2 2025, as a company, you’re a High Stakes Gambler. You’re betting everything on 12–24 months of implementation work in a shrinking window. Many won’t make it.
❌ Others will end up like the DoD Dumped Company on this timeline—disqualified, replaced, or acquired.
✅ But there’s still time to get ahead. I’ve heard of the early movers landing more work, closing stronger teaming deals, and becoming go-to suppliers because they got certified while others waited.

This timeline is a warning. It’s also a roadmap. If you’re unsure where your company stands, or how to start, reach out. I’m here to help.

#CMMC

#NIST800171

#DFARS

#CyberCompliance

#DoD

#GovCon

#DIB

#BusinessRisk


#FalseClaimsAct
