Spotless compliance evidence can still hide a broken control
In this interview with Help Net Security, Marc Rubbinaccio, Head of Cybersecurity and Compliance at Secureframe, explains where security teams go wrong when preparing for CMMC and FedRAMP 20x. The conversation covers how organizations check the 110 requirements but miss the 320 assessment objectives beneath them, why spotless SOC 2 evidence can hide a broken control, and how continuous monitoring is changing compliance work.
It also includes advice for junior practitioners on AI and practical moves a mid-market defense supplier can use to get ready for a CMMC Level 2 assessment on a tight budget.

Walk me through the last time you watched a security team try to map an existing control set onto a CMMC or FedRAMP 20x requirement and realized the mapping was a fiction. What did the room look like, and what did you change after that?
CMMC is based on NIST 800-171 r2, which not only has 110 requirements but, within those high-level requirements, 320 assessment objectives. This is where I have seen organizations assume preparedness through the 110 requirements without understanding how deep the assessment objectives go.
When organizations are comparing current control sets and other frameworks to NIST 800-171, I have noticed that they assume the intent of the high-level requirement, when in reality it’s important to map controls to the underlying assessment objectives themselves. AC.L2-3.1.1 says limit system access, but the objectives underneath ask whether authorized users are identified, whether processes acting on behalf of users are identified, whether devices are identified, etc. Teams will check the top-level box and miss three of the four objectives. FedRAMP 20x KSIs are not like the typical controls in standard information security frameworks; they are focused on outcomes and objectives instead of specific implementation. This means a FedRAMP KSI could map across multiple internal controls a company has implemented.
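The gap described above can be made visible by computing coverage at the objective level instead of the requirement level. The following is an added example, not code from the interview or from Secureframe: the objective identifiers use the letter-suffix style of the assessment guide, the first three objective descriptions are the ones quoted in the answer, the fourth is a placeholder, and the internal control catalogue and mappings are constructed.

```python
"""Coverage at the assessment-objective level versus the requirement level.

Added example, not from the interview and not Secureframe's mapping logic. Objective
identifiers follow the assessment guide's letter-suffix style; descriptions for
[a]-[c] are the ones the interview quotes, [d] is a placeholder. The control
catalogue and mappings are constructed.
"""

# Assumed framework data: requirement -> ordered objectives beneath it.
REQUIREMENTS = {
    "AC.L2-3.1.1": [
        ("3.1.1[a]", "authorized users are identified"),
        ("3.1.1[b]", "processes acting on behalf of users are identified"),
        ("3.1.1[c]", "devices are identified"),
        ("3.1.1[d]", "PLACEHOLDER: fourth objective as written in the assessment guide"),
    ],
}

# Constructed catalogue: what each internal control actually satisfies, objective by objective.
INTERNAL_CONTROLS = {
    "IAM-01 joiner/mover/leaver feed from HR": {"3.1.1[a]"},
}

# Constructed requirement-level mapping of the kind the interview warns about.
TOP_LEVEL_MAPPING = {"IAM-01 joiner/mover/leaver feed from HR": "AC.L2-3.1.1"}


def requirement_level_coverage(mapping, requirements):
    """The checkbox view: a requirement counts as covered if any control points at it."""
    mapped = set(mapping.values())
    return {req: req in mapped for req in requirements}


def objective_level_coverage(controls, requirements):
    """The assessor's view: every objective needs at least one control that satisfies it."""
    satisfied = set().union(*controls.values()) if controls else set()
    report = {}
    for req, objectives in requirements.items():
        gaps = [(oid, text) for oid, text in objectives if oid not in satisfied]
        report[req] = {
            "objectives": len(objectives),
            "covered": len(objectives) - len(gaps),
            "gaps": gaps,
            "fully_met": not gaps,
        }
    return report


if __name__ == "__main__":
    print("requirement level:", requirement_level_coverage(TOP_LEVEL_MAPPING, REQUIREMENTS))
    for req, r in objective_level_coverage(INTERNAL_CONTROLS, REQUIREMENTS).items():
        print(f"{req}: {r['covered']}/{r['objectives']} objectives met")
        for oid, text in r["gaps"]:
            print(f"  gap {oid}: {text}")
```

Run as-is, the requirement-level view reports AC.L2-3.1.1 as covered while the objective-level view shows one of four objectives met, which is exactly the three-of-four miss the answer describes.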
Pick one client engagement where the compliance evidence looked spotless on paper but the underlying control was broken. How was it discovered, and who caught it first, the auditor, the red team, or an incident?
The pattern I see most often is during SOC 2 Type 2 audits, and it can show up in access reviews. The policy could be written with the proper processes and procedures, quarterly reviews, manager attestation, evidence retained. The Secureframe platform is then wired to send reviewers reminders, and the reminders get acknowledged.
What auditors find during sampling is that the same approver has been clicking ‘approved’ across multiple cycles without actually opening the user list. The policy says reviews happened. The platform says reviews happened. The control, meaningful human judgment about access, is broken. It’s almost always the auditor who catches it, not the customer, and usually when asking about the review itself or catching a mistake in the evidence.
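A review tool's own audit trail usually carries enough signal to catch the rubber-stamping pattern described above before the auditor does. The following is an added example, not code from the interview or from the Secureframe platform: the event schema, the "opened" and "approved" actions, and the one-minute threshold are assumptions, and the events are constructed.

```python
"""Detect rubber-stamped access reviews from review-tool audit events.

Added example, not from the interview and not Secureframe's code. The event
schema, the actions "opened" and "approved", and the timing threshold are
assumptions; the events below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: (ISO timestamp, review cycle, reviewer, action).
# "opened" means the reviewer loaded the user list; "approved" is the attestation.
EVENTS = [
    ("2024-01-15T09:00:03", "2024-Q1", "alice", "opened"),
    ("2024-01-15T09:14:40", "2024-Q1", "alice", "approved"),  # genuine review
    ("2024-01-15T09:00:00", "2024-Q1", "bob", "approved"),    # never opened the list
    ("2024-04-15T10:00:00", "2024-Q2", "bob", "approved"),    # never opened the list
    ("2024-04-15T10:02:00", "2024-Q2", "alice", "opened"),
    ("2024-04-15T10:02:05", "2024-Q2", "alice", "approved"),  # five seconds later
    ("2024-07-15T11:00:00", "2024-Q3", "bob", "approved"),    # never opened the list
]

MIN_REVIEW_SECONDS = 60  # assumption: under a minute on a user list is not a review


def review_findings(events, min_seconds=MIN_REVIEW_SECONDS):
    """Return {(cycle, reviewer): reason} for approvals with no evidence of review."""
    first_open = {}
    findings = {}
    for ts, cycle, reviewer, action in sorted(events):  # ISO timestamps sort lexically
        key = (cycle, reviewer)
        t = datetime.fromisoformat(ts)
        if action == "opened":
            first_open.setdefault(key, t)
        elif action == "approved":
            if key not in first_open:
                findings[key] = "approved without opening the user list"
            else:
                elapsed = int((t - first_open[key]).total_seconds())
                if elapsed < min_seconds:
                    findings[key] = f"approved {elapsed}s after opening the list"
    return findings


def repeat_offenders(findings, min_cycles=2):
    """Reviewers flagged in at least min_cycles distinct cycles, sorted by name."""
    cycles = defaultdict(set)
    for cycle, reviewer in findings:
        cycles[reviewer].add(cycle)
    return sorted(r for r, c in cycles.items() if len(c) >= min_cycles)


if __name__ == "__main__":
    found = review_findings(EVENTS)
    for (cycle, reviewer), reason in sorted(found.items()):
        print(f"{cycle} {reviewer}: {reason}")
    print("repeat offenders:", repeat_offenders(found))
```

The point of the second function is the multi-cycle view the answer describes: a single fast approval may be a reviewer with a tiny team, but the same approver flagged cycle after cycle is the control failing, however clean the retained evidence looks.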
FedRAMP 20x is leaning hard into continuous monitoring and machine-readable artifacts. What does your team do on a Tuesday morning that a FedRAMP 20x environment makes obsolete, and what new muscle have you had to build?
The Tuesday morning task that FedRAMP 20x makes obsolete is the manual evidence gathering routine. For years compliance teams would start the week by emailing infrastructure administrators for current server inventories, requesting user access lists from each application owner, and dropping the results into spreadsheets to review. I’ve been moving customers away from this since 2020 through automated tests and integrations, and FedRAMP 20x now formalizes that expectation. Inventory pulls, user access reviews, configuration checks, and control evidence are produced continuously by the platform rather than pulled together by administrators prior to audit.
The biggest change is in how validations are designed. Traditional control testing asks whether a setting is enabled, true or false. FedRAMP 20x KSIs are outcome focused, which means it is not enough to show that encryption at rest is turned on or that MFA is configured. The validation needs to demonstrate that the outcome is actually occurring on a continuous basis, including how often the control fires, what happens when it fails, and how the evidence is presented in a machine readable format that agencies can consume directly. Building that capability requires our team to think less like auditors confirming a checkbox and more about how each KSI can be measured continuously, mapped clearly to underlying controls, and surfaced in a way that supports the persistent validation model FedRAMP is moving toward.
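The difference between a true/false setting check and an outcome check, and the machine-readable record that results, can be shown on a single MFA control. The following is an added example, not code from the interview and not an official FedRAMP 20x evidence format: the KSI identifier "KSI-PLACEHOLDER", the sign-in log schema and the pass threshold are assumptions, and the configuration snapshot and sign-in records are constructed.

```python
"""Checkbox test versus outcome test for an MFA control, with machine-readable output.

Added example, not from the interview and not an official FedRAMP 20x evidence
format. The KSI identifier "KSI-PLACEHOLDER", the sign-in log schema and the pass
threshold are assumptions; the configuration and log records are constructed.
"""
import json
from datetime import datetime

# Constructed identity-provider configuration: what a true/false control test inspects.
IDP_CONFIG = {"mfa_policy_enabled": True}

# Constructed interactive sign-in records spanning the evaluation window.
SIGNIN_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "u1", "mfa": True},
    {"ts": "2024-05-01T08:05:00", "user": "u2", "mfa": True},
    {"ts": "2024-05-01T09:00:00", "user": "svc-legacy", "mfa": False},  # policy exclusion
    {"ts": "2024-05-02T08:00:00", "user": "u3", "mfa": True},
    {"ts": "2024-05-02T08:30:00", "user": "u4", "mfa": False},          # bypass
    {"ts": "2024-05-09T08:00:00", "user": "u5", "mfa": True},           # outside window
]


def config_check(config):
    """The checkbox test: is the policy switched on?"""
    return bool(config.get("mfa_policy_enabled"))


def outcome_check(events, window_start, window_end, threshold=1.0):
    """The outcome test: did every interactive sign-in in the window actually use MFA?"""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    in_window = [e for e in events if start <= datetime.fromisoformat(e["ts"]) < end]
    fired = sum(1 for e in in_window if e["mfa"])          # how often the control fired
    exceptions = [e for e in in_window if not e["mfa"]]    # what happened when it did not
    ratio = fired / len(in_window) if in_window else 0.0
    return {
        "window": {"start": window_start, "end": window_end},
        "signins": len(in_window),
        "mfa_enforced": fired,
        "enforcement_ratio": round(ratio, 4),
        "exceptions": exceptions,
        "passed": bool(in_window) and ratio >= threshold,
    }


def build_evidence(ksi_id, config, events, window_start, window_end):
    """Combine both tests into one record an automated consumer can ingest."""
    outcome = outcome_check(events, window_start, window_end)
    return {
        "ksi": ksi_id,
        "configuration_enabled": config_check(config),
        "outcome": outcome,
        # A control can be configured and still fail: the status follows the outcome.
        "status": "pass" if outcome["passed"] else "fail",
        "failure_handling": [
            {"user": e["user"], "ts": e["ts"], "action": "ticket required"}
            for e in outcome["exceptions"]
        ],
    }


def to_json(evidence):
    return json.dumps(evidence, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_evidence("KSI-PLACEHOLDER", IDP_CONFIG, SIGNIN_EVENTS,
                                 "2024-05-01T00:00:00", "2024-05-08T00:00:00")))
```

With the constructed data the configuration check passes while the outcome check fails: five sign-ins in the window, three with MFA, two without. The record carries the fire count, the exceptions and the follow-up action together, which is the shape the answer describes for a validation an agency can consume directly rather than a screenshot of a settings page.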
What is the worst piece of advice junior practitioners are getting right now from LinkedIn thought leaders about AI in security operations, and what do you tell them instead when they show up at your door?
The worst advice circulating on LinkedIn right now is that AI is going to handle the fundamentals of cybersecurity: instead of learning the fundamentals of security and compliance work, learn how to use AI. Usually posts state how AI can write policies, write reports, and map controls to frameworks, but the importance of reviewing the output and having the expertise is extremely understated. AI can often be wrong, and how can you determine when it is right or wrong without the underlying experience?
AI in security operations sits in the middle of the two extremes you see online. AI is not taking every job and it is not useless. It is genuinely advancing capabilities on both the defender and attacker sides, vulnerability detection and exploit generation included, but it is also expensive to run and generates a significant volume of false positives that still require human judgment to sift through. To get real value from AI in a security or compliance context you need enough domain expertise to know when the model is wrong, which means the fundamentals matter more now, not less.
What I tell junior practitioners who ask is to invest first in learning the frameworks, the control objectives, and how organizations need to meet these controls in the real world, and to treat AI as something that accelerates that work rather than replaces the need to understand it. The people who will be valuable in this field over time are the ones who can look at an AI-generated finding, an AI-drafted policy, or an AI-suggested control mapping and tell you confidently whether it is right, partially right, or wrong.
For a mid-market defense supplier staring down a CMMC Level 2 assessment in the next nine months with a small team and a tight budget, what are the two or three moves you have seen work that are not in any of the official guidance documents?
The most important thing is not to wait. CMMC is complex from readiness through assessment, and starting early is what gives you the runway to scope your environment properly and bring in the expertise you need to hit your target certification timeline.
The first step is understanding exactly where your sensitive data and CUI live. Once you know where CUI is stored, processed, transmitted, and ingested, you can make deliberate decisions about where to limit it. The key to a manageable CMMC effort is scoping in as little as possible. A small environment, or an enclave dedicated to CUI and in-scope assets, will save you significant pain during both readiness and audit compared to trying to bring an entire corporate environment into scope.
The second step is configuration. Working with a provider that knows CMMC well is critical because choosing an enclave platform like GCC High or Google Workspace will not automatically get you CMMC compliant. Those platforms give you the foundation, but the systems inside them still need to be configured against the 110 requirements and the 320 underlying assessment objectives. Organizations that assume the platform does the work for them are the ones that struggle most during assessment.
The third step is choosing the right assessor. Having early conversations with C3PAOs in the industry about your environment, your scope, and your timeline will help you identify which assessors are most experienced with services and architectures similar to yours. An assessor who has worked with environments like yours will move faster and ask sharper questions than one who has not, and that difference shows up directly in how smoothly the assessment runs.