Rewrite: risk-remediation-prioritization-for-cmmc

Learn how defense contractors can effectively remediate risk in cybersecurity with these 7 essential steps.

Word count: ~1,710

---

Risk Remediation: How to Prioritize When Everything Is a Gap

Most CMMC assessments produce a long gap list. If you're a typical small defense contractor starting from scratch, you might have 50 or more Not Implemented or Partially Implemented controls. Every one of them needs to be remediated before your C3PAO assessment.

The problem: you can't remediate everything simultaneously. You have a team, a budget, and a timeline. How you sequence the work determines whether you reach assessment day with your highest-risk gaps closed — or whether you spent six months on lower-priority items while the serious vulnerabilities stayed open.

Here's a prioritization framework that works.

The Two Most Common Prioritization Mistakes

Before the framework, it's worth naming the two approaches that reliably produce bad results.

Mistake 1: Prioritizing by SPRS point value.

The DoD assessment methodology assigns point values to each control, ranging from -1 to -5. Some contractors use this as their remediation sequence: fix the -5 controls first to maximize score improvement.

The problem is that SPRS weights reflect assessment importance, not your actual risk environment. A -5 control that protects against a threat you almost never face is less urgent than a -1 control that's the only thing blocking a realistic attack path. Remediating by score optimizes for your SPRS number — not for the security of your CUI.

Mistake 2: Remediating what's easiest first.

Some controls are technically simple to close — write a policy, configure a setting, update a log retention period. Some are expensive and complex — redesign network architecture, deploy new identity infrastructure, implement SIEM. The temptation is to knock out the easy ones first to show progress.

The problem: easy controls are often administrative housekeeping, not security-critical mitigations. You can write a beautifully formatted incident response policy and still have no MFA on your systems. Assessors look for control implementation, not documentation volume.

The Right Framework: Three-Tier Prioritization

Tier 1: Foundational Security Controls

These are the controls that everything else depends on. Gaps here expose you to attacks that bypass everything downstream. Fix these before anything else.

Access control and identity:

  • IA.L2-3.5.3 — Multi-factor authentication for remote access and privileged accounts. An attacker with valid credentials and no MFA requirement has unrestricted access to anything those credentials can reach. This is the most exploited gap in the DIB.
  • AC.L2-3.1.1 — Limiting system access to authorized users. Shared accounts, generic logins, and orphaned accounts are common in small contractors and represent basic hygiene failures.
  • AC.L2-3.1.5 / 3.1.6 — Least privilege and separation of duties. Users with more access than they need expand the blast radius of any compromise.

Malware protection and patch management:

  • SI.L2-3.14.2 — Malware protection on all in-scope endpoints. If you don't have this, you have no meaningful detection capability against the most common initial access techniques.
  • SI.L2-3.14.1 — Identify and correct system flaws. Missing patches on internet-facing systems are actively being exploited. A system without current patches is an invitation.

Boundary controls:

  • Network segmentation between your CUI environment and the general business network — if this doesn't exist, a compromise anywhere in your network is a compromise everywhere.

Tier 1 controls typically take 30–90 days to implement and require a combination of technical configuration and, for MFA especially, user rollout and training. Budget appropriately.

Tier 2: Your Highest-Risk Findings from Your Risk Assessment

After Tier 1 is in place, the next prioritization input is your risk assessment. RA.L2-3.11.3 requires that remediation be conducted "in accordance with risk assessments" — meaning your POA&M sequence should visibly connect to your risk ratings.

Pull out the High-rated risks from your risk register. These are the gaps where the combination of threat likelihood and potential impact exceeds your tolerance. Work through them in order, with timelines that reflect severity:

  • Critical risk (immediate threat, active exploitation): Remediate within 30 days
  • High risk: Remediate within 60 days
  • Moderate risk: Remediate within 90 days
  • Low risk: Remediate within 180 days or schedule for next planned maintenance cycle

These timelines need to be in your vulnerability management policy. If your assessor asks why certain gaps are being remediated on 90-day timelines versus 30-day timelines, your answer should point to your risk register. "This finding is rated Moderate risk because [specific reasoning]; our policy sets a 90-day timeline for Moderate findings" is a complete, defensible answer.

For vulnerability scanning findings specifically, use Tenable.io or Qualys risk scoring to supplement your qualitative ratings. The CVSS base score gives you a starting point, but prioritize findings in the CISA KEV catalog regardless of CVSS score — if it's being actively exploited in the wild, it doesn't matter that the CVSS is only a 7.5.

Tier 3: Documentation, Policy, and Administrative Controls

After your highest-risk technical gaps are addressed, the remaining remediation work is largely documentation and process formalization. Policies, procedures, training programs, plan updates. These are necessary for assessment — an assessor reviewing your System Security Plan will check that policies exist for each control domain — but they don't reduce your attack surface directly.

The common sequencing error is reversing Tier 1 and Tier 3: spending months on documentation while the MFA gap stays open. Write your policies and procedures in parallel with technical implementation, not instead of it. An hour of technical control work is worth more than an hour of policy writing if the alternative is leaving a critical vulnerability open.
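The following is an added example, not code from the original article: it turns the three-tier ordering, the 30/60/90/180-day policy timelines, and the KEV-overrides-CVSS rule into a small Python prioritizer run over a constructed POA&M. The Tier 1 control set and the sample findings are assumptions for illustration; the SPRS weight is carried on each record only to show that it never influences the order.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation timelines from the article's policy: days allowed by severity tier.
TIMELINE_DAYS = {"Critical": 30, "High": 60, "Moderate": 90, "Low": 180}
RATING_RANK = {rating: i for i, rating in enumerate(TIMELINE_DAYS)}
# Tier 1 foundational controls the article names (hypothetical mapping; extend to match your SSP).
TIER1_CONTROLS = {"IA.L2-3.5.3", "AC.L2-3.1.1", "AC.L2-3.1.5", "AC.L2-3.1.6",
                  "SI.L2-3.14.2", "SI.L2-3.14.1"}

@dataclass
class Gap:
    control: str
    title: str
    rating: str           # qualitative rating from the risk register
    technical: bool       # False = policy/documentation work (Tier 3)
    sprs_points: int      # DoD assessment weight; recorded but deliberately NOT a sort key
    in_kev: bool = False  # underlying CVE is listed in the CISA KEV catalog

def tier(gap: Gap) -> int:
    if gap.control in TIER1_CONTROLS:
        return 1
    return 2 if gap.technical else 3

def effective_rating(gap: Gap) -> str:
    # KEV override: an actively exploited finding is Critical regardless of CVSS or register rating.
    return "Critical" if gap.in_kev else gap.rating

def prioritize(gaps: list, start: date) -> list:
    # Tier first, then effective rating; sorted() is stable, so ties keep their POA&M order.
    ordered = sorted(gaps, key=lambda g: (tier(g), RATING_RANK[effective_rating(g)]))
    return [{"control": g.control, "tier": tier(g), "rating": effective_rating(g),
             "due": start + timedelta(days=TIMELINE_DAYS[effective_rating(g)])}
            for g in ordered]

# Constructed sample POA&M (not real findings). Every item carries the maximum -5 weight
# so the output shows that SPRS points do not drive the order.
SAMPLE_GAPS = [
    Gap("AT.L2-3.2.1", "Awareness training program not documented", "Moderate", False, 5),
    Gap("IA.L2-3.5.3", "No MFA on VPN or admin accounts", "High", True, 5),
    Gap("SC.L2-3.13.1", "Edge appliance flaw in CISA KEV, CVSS 7.5", "Moderate", True, 5, in_kev=True),
    Gap("SC.L2-3.13.11", "CUI in transit without FIPS-validated crypto", "High", True, 5),
    Gap("CM.L2-3.4.1", "Baseline configuration not documented", "Low", False, 5),
    Gap("AC.L2-3.1.1", "Shared local admin account on file server", "High", True, 5),
]
START = date(2025, 1, 1)

def sample_plan() -> list:
    return prioritize(SAMPLE_GAPS, START)
```

Running sample_plan() puts the two Tier 1 gaps first, promotes the KEV-listed Moderate finding to a 30-day Critical ahead of the High FIPS gap, and leaves the two -5 documentation items at the end.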

Building Your Remediation Roadmap

Take your POA&M and convert it into a quarter-by-quarter roadmap:

Q1 — Tier 1 Foundation: MFA everywhere, least privilege cleanup, malware protection deployed, boundary controls verified. This is non-negotiable and should happen regardless of timeline pressure.

Q2 — High-Risk Technical Gaps: Working through your Tier 2 items in risk-rating order. Patch critical vulnerabilities. Implement encryption for CUI at rest and in transit. Deploy logging and SIEM capabilities if not already in place.

Q3 — Moderate-Risk Gaps and Documentation: Continue working Tier 2 items; start drafting and finalizing the policy and procedure documents needed for Tier 3. Begin your SSP refinement to reflect the controls now in place.

Q4 — Final Remediation, Validation, and Assessment Prep: Verify that all Tier 1 and high-risk Tier 2 items are fully implemented. Run a final vulnerability scan and confirm it's clean. Complete the SSP. Conduct an internal gap assessment or hire a third-party readiness assessor to simulate the C3PAO assessment.

The roadmap needs to be in your POA&M under CA.L2-3.12.4. Every item with a milestone date, owner, and current status. When your assessor looks at the POA&M, they should see a plan in motion — items getting closed, timelines being met, and a clear path to the remaining gaps.

When Resources Are Constrained

The hardest prioritization conversations happen when there isn't enough budget to do everything before the assessment.

If you're approaching an assessment with known gaps that won't be closed in time, be clear-eyed about the consequences. A C3PAO assessment with significant Not Implemented controls will likely result in a Conditional CMMC Status or a failed assessment, depending on the number and severity of gaps. Some contracts won't wait for a corrective action plan.

The most common resource-constrained choice: focus Tier 1 controls completely, address all High-risk Tier 2 findings, and accept that some Moderate and Low findings will be on a POA&M at the time of assessment. A well-constructed POA&M with realistic timelines and visible progress is better than a rushed remediation effort that leaves core security controls half-implemented.

Don't deploy a compliance platform, buy security tools, and begin documentation before Tier 1 is done. The platform monitors whether controls are in place; it can't substitute for controls that aren't. Assessors have seen organizations with sophisticated GRC platforms and dashboards that were still running shared accounts and had no MFA. The dashboard looked green. The environment was not.

Verifying Remediation Effectiveness

Under RA.L2-3.11.3, remediation is supposed to be connected to your risk assessments. That loop needs to close: once you've remediated a finding, verify that the remediation actually works.

For technical controls:

  • Re-run your vulnerability scanner on remediated systems. Confirm the finding is gone — not suppressed.
  • Conduct a targeted review (or ask your IT admin to demonstrate) to confirm the control is working as configured. MFA is enabled in the policy but disabled for the service account that runs a critical process? That's a gap the scanner won't show you.

For your risk register:

  • Update the risk rating for findings where controls have been implemented. A finding that was High risk before MFA deployment may drop to Low after. Document the rating change and the reason.

Keeping the risk register current is part of maintaining your risk assessment under NIST SP 800-30 Step 4. An assessor who sees a risk register where nothing has changed in a year — including items that you claim to have remediated — will question whether the document reflects reality.
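As an added example (not the article's own code or any scanner's real export format), the check below compares a constructed pre-remediation scan export against the re-scan, separating findings that are genuinely closed from ones merely hidden behind an accept/suppress rule, and then drafts the risk-register rating changes with a reason for each. Record shapes, host names, plugin ids and the register entries are all assumptions.

```python
from dataclasses import dataclass
# Constructed scan-export shape (not a real Tenable or Qualys schema): one record per host and plugin.
@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str   # scanner check id
    title: str
    state: str    # "open", "fixed", or "accepted" (risk-accepted / suppressed inside the scanner)

def verify_remediation(before: list, after: list) -> dict:
    # closed: no longer detected or reported fixed; suppressed: still detected but hidden by an
    # accept/suppress rule (NOT closed); still_open: still detected and still open.
    after_by_key = {(f.host, f.plugin): f for f in after}
    result = {"closed": [], "suppressed": [], "still_open": []}
    for f in before:
        if f.state != "open":
            continue  # only findings that were open going into remediation need verifying
        now = after_by_key.get((f.host, f.plugin))
        if now is None or now.state == "fixed":
            result["closed"].append((f.host, f.plugin))
        elif now.state == "accepted":
            result["suppressed"].append((f.host, f.plugin))
        else:
            result["still_open"].append((f.host, f.plugin))
    return result

def register_changes(verification: dict, register: dict) -> list:
    # Proposed risk-register updates: only verified-closed findings get a lower rating, each with a reason.
    return [{"finding": k, "from": register[k]["rating"], "to": register[k]["residual"],
             "reason": "re-scan confirms finding resolved"}
            for k in verification["closed"] if k in register]

# Constructed before/after scan exports and register entries ("residual" = rating once the control is in place).
BEFORE = [
    Finding("fs01", "10001", "SMB signing not required", "open"),
    Finding("vpn01", "10002", "VPN appliance firmware end-of-life", "open"),
    Finding("ws07", "10001", "SMB signing not required", "open"),
    Finding("ws07", "10003", "Missing OS patch", "fixed"),
]
AFTER = [
    Finding("fs01", "10001", "SMB signing not required", "fixed"),
    Finding("vpn01", "10002", "VPN appliance firmware end-of-life", "accepted"),
    Finding("ws07", "10001", "SMB signing not required", "open"),
]
REGISTER = {("fs01", "10001"): {"rating": "High", "residual": "Low"},
            ("vpn01", "10002"): {"rating": "High", "residual": "Low"}}

def sample_verification() -> dict:
    return verify_remediation(BEFORE, AFTER)
```

Only the fs01 finding qualifies for closure and a register downgrade; the vpn01 item is still present and was merely accepted in the scanner, so it stays open on the POA&M with its High rating.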

What Your Assessor Expects

Assessors evaluating your remediation posture are looking for:

  • A POA&M with items that are actively progressing (dates, owners, current status, closed items)
  • Remediation timelines that connect to risk ratings — not arbitrary dates
  • Evidence of remediation (configuration screenshots, scan results showing findings resolved, training completion records)
  • A risk register that reflects your current control state — not the state from 18 months ago

The interview question that reveals whether prioritization was real: "How did you decide which gaps to address first?" If the answer is "we worked through the list by SPRS point value" or "we did the easy ones first," that's a credibility issue. The right answer: "Our risk assessment rated [specific findings] as High because [specific threat/vulnerability reasoning]; those drove our first remediation sprint."

Prioritization is a risk management decision. Document it like one.

---

For how to connect your risk ratings to POA&M timelines, see Risk Management Decisions for Defense Contractors.