For security leaders in the defense industrial base, the pressure is mounting. To continue working on Department of Defense (DoD) contracts, achieving CMMC Level 2 compliance is not a "nice to have" — it is an existential requirement.
While there is no shortage of helpful information published by vendors when it comes to meeting CMMC, there is also a lot of noise — some of which is misleading.
In this post, we'll dig into what to consider, and how to proceed with caution, when a software vendor publishes how many CMMC controls it can help you meet.
To achieve CMMC Level 2 certification, you must obtain a perfect score of 110 out of 110 controls required. To help Organizations Seeking Certification (OSCs) understand how certain vendors fit in, many vendors have published a Shared Responsibility Matrix (SRM) or Customer Responsibility Matrix (CRM).
But, when a software vendor claims to solve 100+ of the 110 CMMC Level 2 controls, it’s time to read the fine print.
Facing a mountain of security controls for protecting controlled unclassified information (CUI), and added costs, it is only natural to look for the "Easy Button" that will knock out as many CMMC controls as possible. But, as the adage goes: If it sounds too good to be true, it probably is.
When evaluating data protection software, you must be wary of vendors playing the numbers game. There is a concerning trend of vendors inflating their Shared Responsibility Matrix to claim they satisfy nearly all of the 110 CMMC Level 2 controls. Here is why that marketing tactic is dangerous, and why it could lead to more costs, more frustration, and even a failed assessment.
CMMC compliance requires DoD contractors to demonstrate secure handling of CUI. There is a lot of debate about the structure and rollout of CMMC as a compliance standard, but almost everyone can agree that the desired outcome is stronger national security through the protection of sensitive information.
That's why empty promises by vendors are so problematic in this scenario: They lead defense contractors to believe that their security posture is stronger than it actually is.
At Virtru, we think transparency is the best policy for CMMC compliance — and our network of CMMC-certified customers, Lead CCAs, and C3PAOs, agree. Here's how one C3PAO recently put it:
"I appreciate the approach Virtru is taking toward CMMC. There are others, unfortunately, that lack your integrity and are jeopardizing their clients' security and contract eligibility, as well as our national security."
If you're buying software to support your CMMC compliance journey, there are a few red flags you should be on the lookout for.
First, let’s clarify what you are actually being graded on when you undergo a CMMC assessment. While we talk about the 110 controls of CMMC Level 2 (NIST SP 800-171), the assessor isn't just checking 110 boxes. They are evaluating the 320 assessment objectives nested within those controls.
To pass an assessment, OSCs need a perfect score, or a near-perfect score with a Plan of Action and Milestones (POA&M) to close any small gaps in short order. You must demonstrate to an assessor how you meet every single objective. Software vendors are not regulated by a governing body regarding what they claim in their marketing materials, including their SRM or CRM. They can assert they "help" with any number of controls they choose.
However, there is a massive difference between facilitating a control (like encryption) and satisfying a control completely.
The most common way vendors inflate their numbers is by claiming you can "inherit" controls from their cloud hosting providers (like AWS or Azure). While inheritance is valid in specific contexts, some vendors stretch this logic to a breaking point.
Let’s look at a specific, real-world example of how this falls apart under scrutiny: Physical Protection (PE.3.10.3). This control requires you to Escort Visitors and Monitor Visitor Activity. The specific objectives require that when a visitor walks through the front door of your facility:
Some data protection vendors claim they cover this control in their Shared Responsibility Matrix. But, how can a piece of software escort a human visitor through your building?
The logic of certain software vendors is usually this: “We store your data (CUI) in AWS. AWS has people and processes in place at their data centers to escort and monitor visitors, meeting the control requirements. Therefore, you can inherit this control.”
It is important to note that there may be instances where certain "physical" controls are out of scope. However, for most organizations, that is highly unlikely.
Imagine sitting across from your assessor. They have reviewed your documentation, claiming you satisfy PE.3.10.3 via your software vendor.
The assessor will look at your office, where your employees sit and can access CUI, and ask: "Okay, but who is watching the contractor standing in your lobby right now?" Or, even worse, no one greeted the assessor when they first entered your office.
If your answer is, "My encryption vendor handles that," you will likely fail that objective. And, in turn, it could cause you to ultimately fail your assessment, leaving you with additional work to resolve, more costs, and more frustration.
CUI security software vendors usually encrypt and control access to data; they do not deploy physical people (security guards) to your physical office. Claiming otherwise is a marketing tactic, not a compliance strategy.
It's worth noting that many software vendors tout FedRAMP Equivalency rather than FedRAMP Authorization. While the terms look similar, there is a big difference. If your vendor is "equivalent," that means your organization assumes all the risk in case of a CUI breach. If your vendor is FedRAMP authorized (on the FedRAMP Marketplace), then they are responsible for meeting and maintaining security standards aligned with DFARS requirements — including incident reporting.
Virtru does not overpromise on CMMC compliance. We take data-centric security seriously, which is why we take a conservative and honest approach: Virtru helps you meet 27 of the 110 CMMC controls. These are controls directly applicable to our capabilities. We handle the encryption, the auditing, and the sharing of CUI — the things our software actually does.
When you see a vendor claiming they handle 100+ controls, you need to ask for their Shared Responsibility Matrix, audit it line by line, and ask things like:
As a security leader, your goal is not just to buy software to check the CMMC box. The goal is to protect CUI in accordance with CMMC, DFARS, and NIST requirements to ensure that sensitive information is managed securely. If you work with the DoD consistently on projects that contain CUI, a successful CMMC assessment is critical to keep your revenue flowing. Don't just take our word for it: Here's what Bunny Banowsky, CEO of SHE BASH, had to say on this topic.
Do not fall for the vendor who claims the highest number of controls on their marketing collateral. A vendor that is honest about the 27 controls they actually solve is a partner. A vendor that claims to solve 102 controls by taking credit for Amazon’s security guards is a liability to your business.
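As an added example (not Virtru's code or any vendor's), here is a small Python audit of a Shared Responsibility Matrix in CSV form: it counts who owns each listed control and flags any Physical Protection (PE) control that a software vendor claims to satisfy outright or by inheritance, the case described above. The CSV column names, the responsibility vocabulary and the sample rows (which reuse the page's PE.3.10.3 ID format) are constructed assumptions.

```python
"""Audit a vendor Shared Responsibility Matrix (SRM) for inflated claims."""
import csv
import io
from collections import Counter

# Families whose objectives require people on site at the OSC's own facility.
# A remote data center's guards cannot escort visitors in your lobby, so a
# software vendor cannot satisfy these for you. PE is the family in the post.
PHYSICAL_FAMILIES = {"PE"}

# Constructed sample SRM (assumed column layout, not any vendor's real file).
# responsibility is one of: vendor, inherited, shared, customer
SAMPLE_SRM = """control,family,responsibility,note
PE.3.10.3,PE,inherited,Inherited from cloud hosting provider data center
AC.3.1.1,AC,shared,Vendor gates access to encrypted CUI; customer manages accounts
SC.3.13.11,SC,vendor,Vendor supplies FIPS-validated cryptography
AT.3.2.1,AT,customer,Security awareness training is the customer's task
"""

VENDOR_CLAIMS = {"vendor", "inherited"}


def parse_srm(text):
    """Read the CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_srm(rows):
    """Return (responsibility counts, flagged rows) for the parsed SRM."""
    counts = Counter(r["responsibility"].strip().lower() for r in rows)
    flagged = []
    for r in rows:
        resp = r["responsibility"].strip().lower()
        family = r["family"].strip().upper()
        if family in PHYSICAL_FAMILIES and resp in VENDOR_CLAIMS:
            flagged.append((r["control"].strip(),
                            "physical control claimed as vendor or inherited"))
    return counts, flagged


def customer_workload(counts, total_controls=110):
    """Controls the OSC still owns fully or in part: every control not
    claimed vendor-only, including any the SRM does not list at all."""
    vendor_only = sum(counts.get(k, 0) for k in VENDOR_CLAIMS)
    return total_controls - vendor_only


if __name__ == "__main__":
    counts, flagged = audit_srm(parse_srm(SAMPLE_SRM))
    print(dict(counts), flagged, customer_workload(counts))
```

Run against a real SRM export, the flagged list is the set of line items to challenge with the vendor before an assessor challenges you.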
Know the difference. Read the objectives. And choose a partner that values transparency over "checking the box." To learn more about how Virtru can support your CMMC compliance journey, contact us for a demo. We'd love to show you why hundreds of DIB contractors trust us for encrypted, secure CUI management.
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.