Monthly Archives: October 2025

Is Your Cyber Safer Than the “Louvre”?

Posted on by
Reply

Short answer: it better be, because the Louvre just got hit (again), and the thieves’ “strategy” looked suspiciously like your average Tuesday for low-effort cybercriminals.

A ridiculous, low-budget caper (2025 edition)

Sunday morning in Paris. Four people in construction-ish gear roll up with a vehicle-mounted ladder, pop a window to the Apollo Gallery, and in roughly seven minutes smash cases, grab jewels dating back to the Napoleonic era, drop one crown on the way out (oops), and vanish on motorbikes. Total movie runtime: one coffee. Total special effects budget: a battery grinder and a lift (The Guardian, Washington Post).

Why so easy? Reports point to outdated cameras, blind spots, chronic understaffing, and long-delayed upgrades; exactly the “we’ll fix it next quarter” sins that doom security programs. French unions say staff cuts hollowed out protection while crowds surged; some rooms reportedly lacked CCTV altogether. You can almost hear the attackers whisper, “Merci” (The Guardian, Museums Association).

Bonus jaw-dropper: the jewels were uninsured (state-owned collections are “self-insured”). Translation for CISOs: if your crown jewels go missing, there may be no simple check coming (Newsweek).

“Legendary security,” back when the Louvre learned the hard way

This isn’t the first time the museum got humbled. In 1911, Vincenzo Peruggia, an ex-worker, walked out with the Mona Lisa after removing it from its frame and wrapping it up. No lasers, no Mission: Impossible harness, just a smock and some moxie. The incident (and years of embarrassment) eventually drove museum security to modernize: bulletproof glass, climate-controlled displays, and serious controls; for the marquee pieces. The problem? Controls weren’t uniform across the collection. Sound like any networks you know? (Time, KAB Gallery).

Why “legendary” turns into “lax” (and how that maps to your org)

  • Complacency: “No one would dare rob us” (until they do).
  • Patchwork controls: Mona Lisa gets a bank vault; other galleries get… vibes. (In cyber terms: the CFO’s laptop has EDR+MFA+hardening; the lab PCs are “best effort”) (WXII 12).
  • Budget drift & deferred upgrades: Everyone agrees security is important; somehow the CCTV still runs on yesterday’s tech (and tomorrow’s to-do list) (France 24).
  • Staffing gaps & alert fatigue: Fewer people, more crowds, more noise (your SOC feels seen) (France 24).

The cyber mirror: how thieves become threat actors

What happened in Paris is what happens online every day:

  • Simple tools, outsized impact. Battery grinders ↔ commodity malware & scripts. You don’t need a nation-state when the door’s propped open.
  • Seven-minute dwell time. That’s your RTO/RPO fantasy vs. reality; if your detection and response are slower than a coffee break, the jewels are gone.
  • Crown-jewel targeting. Attackers go where the value concentrates (privileged identities, finance systems, IP vaults), not where your dashboards look prettiest.
  • Insurance isn’t salvation. Cyber insurance exclusions and sublimits won’t rebuild trust or reputation; same lesson the Louvre is relearning.

Compliance isn’t glamorous, but it works

The U.S. is under sustained cyberattack across public and private sectors. The fastest way to stop being “the next Louvre story” is to do the boring but essential things consistently:

  1. Asset & data mapping: Know where your crown jewels actually live (and shadow copies).
  2. Uniform controls: EDR, MFA, logging, and backups for all “galleries,” not just the famous ones.
  3. Least privilege & PAM: Lock the side doors and staff entrances (service accounts, legacy shares, stale admins).
  4. Detect fast, respond faster: Test your MTTD/MTTR the way firefighters drill (tabletops, purple team, containment runbooks).
  5. Compliance with teeth: Map to NIST SP 800-171/CMMC so controls survive budget weather and leadership changes.

Okay, but… is your cyber safer than the Louvre?

If your monitoring only watches the “Mona Lisa” systems while the back-office “Apollo Gallery” runs on exceptions, then… probably not. That’s where Atlantic Digital (ADI) comes in:

  • vCISO + Governance: Make “uniform controls” a budgeted, auditable requirement, not a wish.
  • CMMC-ready buildouts: Implement NIST 800-171 controls with evidence (policies, SSP, POA&M) that survive audits.
  • Crown-Jewel Program: Identify, segment, and monitor your most valuable data and privileges, then prove it works.
  • Detection & Response Drills: Shrink mean time to everything (detect, contain, recover) with runbooks and rehearsals.

If you don’t want your breach report to read like a low-budget ladder, a grinder, and a shrug, talk to ADI. We’ll help you lock the window and the gallery.

Risks and Remedies in CMMC Self-Attestation: Managing SPRS Scoring and Legal Exposure

Posted on by
Reply

In September 2025, the Department of Defense finalized DFARS updates implementing the Cybersecurity Maturity Model Certification (CMMC) program into the Federal Acquisition Regulation Supplement. Effective November 10, 2025, the rule makes both self- and third-party cybersecurity assessments contractually enforceable for defense contractors (Federal Register, 2025).

Under the final rule, contractors handling only Federal Contract Information (FCI) may continue to self-assess annually at CMMC Level 1, while those that handle Controlled Unclassified Information (CUI) will fall under Level 2 requirements. For Level 2, the Department of Defense differentiates between contracts that permit self-assessment versus those that require third-party certification by a CMMC Third-Party Assessment Organization (C3PAO). The DoD’s phased rollout anticipates that a substantial proportion of Level 2 contractors will require independent C3PAO validation prior to contract award (DoD).


This paper examines the operational and legal challenges posed by self-attestation and Supplier Performance Risk System (SPRS) scoring under CMMC. Public reporting through 2024 and 2025 shows persistent readiness shortfalls across the Defense Industrial Base (DIB), with low average SPRS readiness metrics and relatively few final or conditional CMMC Level 2 certifications compared to the estimated population of covered entities (Cyber AB, 2025; businesswire; National Defense, 2024). These gaps highlight the difficulty many contractors face in attaining the 110-point SPRS threshold required for final Level 2 certification and underscore the need for rigorous self-assessment practices and stronger verification mechanisms.

The following sections analyze these challenges and present evidence-informed mitigations, including structured gap analysis, cross-functional governance, automated evidence collection, and disciplined POA&M management, to help organizations attain accurate SPRS scores and preserve DoD contract eligibility. This shift from voluntary attestation to enforceable validation reshapes contractor readiness planning across the DIB.

When Self-Assessment Is Allowed, and When Third-Party Assessment Is Required

The 2025 DFARS final rule formalizes the CMMC assessment model across three levels:

• Level 1 – Self-Assessment Only: Annual self-assessment and executive affirmation in SPRS

• Level 2 – Mixed Model: Contractors handling CUI may perform self-assessments for lower-risk programs, but contracts deemed critical to national security require third-party assessment by a C3PAO.
• Level 3 – Government Assessment: Contractors supporting the most sensitive missions undergo government-led assessments against NIST SP 800-172 controls.

This tiered structure allows DoD to scale assurance based on risk while reducing unnecessary burden on small and medium contractors that handle less sensitive information (DoD; Federal Register).

Understanding SPRS and the Assessment Process

The Supplier Performance Risk System (SPRS) is the DoD’s authoritative database for supplier performance and cybersecurity assessment information. Under DFARS 252.204-7019, contractors must submit their NIST SP 800-171 assessment scores to SPRS, which DoD acquisition officials reference during source-selection and award decisions (Acquisition.GOV, 2025; SPRS).

SPRS scoring evaluates implementation of the 110 NIST SP 800-171 requirements. A fully implemented environment earns +110 points, while deductions for unmet controls can reduce scores to –203 under the DoD Assessment. Under current guidance, organizations scoring between approximately 88 and 109 points may provisionally qualify for CMMC Level 2 status if all deficiencies are documented in approved POA&Ms. Final certification requires a perfect score of 110, with all deficiencies addressed and POA&Ms closed within 180 days (CMMC Level 2 Assessment Guide v2; NIST; NIST).

In addition to scores, SPRS captures metadata, such as assessment dates and POA&M completion, which acquisition officials consider alongside numerical scores when evaluating supplier cybersecurity posture.

While SPRS provides a structured framework for tracking performance and cybersecurity compliance, accurately reporting and maintaining these records presents ongoing operational challenges for contractors.

Operational Challenges in Accurate SPRS Scoring

Defense contractors face persistent operational barriers when reporting cybersecurity posture through SPRS mechanisms. Despite expanded DoD guidance and automation efforts, accurately capturing and maintaining scores remains challenging.

While self-assessments may identify many deficiencies internally, third-party C3PAO evaluations often uncover documentation or technical gaps that internal reviews overlook, requiring objective verification and remediation. For contractors pursuing third-party certification, additional challenges include coordinating evidence reviews, maintaining consistent control implementation across business units, and responding to assessor findings during the remediation window. These implementation difficulties can lead to compliance deficiencies, contract disqualification, or potential legal liability.

Below are notable pain points:


1. Incomplete or outdated System Security Plans (SSP)

SSPs serve as foundational evidence. Common deficiencies include outdated or incomplete control descriptions, missing system boundaries, or absent evidence of implementation. Because DoD assessors validate SSP-described controls against actual practice, SSP shortcomings surface during assessments (CMMC Assessment Guide Level 2 v2.13).

2. Limited internal expertise for accurate scoring

Small and medium contractors often lack dedicated cybersecurity and DoD-assessment expertise, making accurate interpretation of NIST SP 800-171 and SPRS scoring difficult. Industry guidance and DoD small-business outreach resources confirm that limited internal capability is a major readiness barrier (DoD; Defense.GOV).

3. Failure to track POA&M remediation timelines

DoD guidance ties conditional status to documented POA&Ms and expects timely remediation of deficiencies. Contractors that fail to maintain POA&M discipline risk losing certification or contract eligibility.

Together, these operational challenges can result in inaccurate self-attestations, exposing the organization to serious legal and contractual consequences.

Legal and Operational Risks of Inaccurate SPRS Reporting

Inaccurate or exaggerated SPRS self-assessments expose organizations to both legal and operational risks, including False Claims Act (FCA) liability, contract ineligibility, potential suspension or debarment.

Both self-assessment and third-party verification data must now be entered into SPRS. Under DFARS 252.204-7020 and the 2025 final rule, each contractor’s assessment, whether internally completed or validated by a C3PAO, receives a unique identifier (UID) used by contracting officers to verify compliance before award. Misstatements tied to these UIDs may be considered material to DoD’s payment decisions.

Legal Accountability and Executive Attestation Under the False Claims Act

The Department of Justice’s Civil Cyber-Fraud Initiative has pursued multiple enforcement actions against defense contractors that misrepresented compliance or inflated SPRS scores. Under the False Claims Act (31 U.S.C. §3729 et seq.), violators may face treble damages and statutory penalties. For example:

  • Raytheon Technologies (RTX) paid $8.3 million following a whistleblower complaint about cybersecurity misrepresentations (OPA, 2025).
  • MORSE Corporation paid $4.6 million to resolve allegations of false SPRS scoring (OPA, 2025).
  • Higher-education contractors and others have likewise reached settlements resolving FCA allegations tied to cybersecurity non-compliance. For instance, The Pennsylvania State University agreed to pay $1.25 million in 2024 to resolve related allegations (OPA, 2024).

Each contractor must also ensure that the Affirming Official (AO), typically a senior company executive, signs off that the SPRS assessment is accurate and complete. False affirmations may trigger FCA liability (SPRS; SMITHERS).

Impact of expired or missing SPRS entries on contract eligibility

Beyond legal exposure, inaccurate or expired SPRS entries can directly affect contract eligibility and award timelines. Beginning November 10, 2025, contracting officers will be required to verify contractors’ SPRS assessment scores before award or renewal, in accordance with DFARS 252.204-7019 and associated rules. Organizations without a current and validated SPRS entry may be deemed ineligible for new contracts, and existing awards may be delayed or suspended pending compliance verification (Federal Register, 2024; Acquisition.GOV).

Best Practices to Improve CMMC Self-Assessment Accuracy

Given the heightened legal and contractual risks associated with inaccurate self-attestation, precision in CMMC self-assessments is essential. Contractors must adopt structured, repeatable processes to address the vulnerabilities identified across the Defense Industrial Base (DIB).

1. Conduct structured gap analyses to validate CMMC readiness and engage cross-functional teams

Begin with a structured gap analysis across all 110 controls and 320 assessment objectives (NIST SP 800-171A Rev. 3). Involve leadership, compliance, IT, and business units to ensure complete visibility and accountability.

2. Leverage automation for continuous evidence validation

Automated evidence collection tools help maintain compliance accuracy by continuously validating control implementation across cloud and on-premises systems. Integration with environments such as AWS GovCloud, Azure Government, and Microsoft GCC High supports generation of traceable documentation consistent with CMMC and NIST evidence requirements.
3. Maintain annual SPRS updates and executive affirmations

Contractors must conduct and affirm at least one self-assessment annually in SPRS. The Affirming Official should certify that the assessment accurately reflects the organization’s compliance status. The CMMC Level 1 Assessment Guide recommends routine internal reviews to ensure continuous readiness and prevent score degradation that can jeopardize contract eligibility (Acquisition.GOV, SPRS, CMMC Level 1 Assessment Guide).

4. Prepare for third-party assessment proactively

Contractors anticipating third-party assessments should adopt pre-assessment readiness reviews to identify documentation gaps and technical deficiencies before engaging a C3PAO. Early preparation reduces costs, minimizes findings during formal assessment, and improves the likelihood of achieving a passing score within the remediation window.

Implementing these measures is especially critical as CMMC 2.0 enters Phase 1 of its enforcement rollout in November 2025, when contracting officers may begin including CMMC requirements in solicitations and contracts, especially for self-assessments of Level 1 or 2 systems.

Conclusion

CMMC 2.0 compliance marks a pivotal shift for defense contractors operating in an increasingly regulated cybersecurity environment. Many contractors continue to report scores below full implementation. And because the Department of Justice’s Civil Cyber-Fraud Initiative actively pursues false or misleading SPRS attestations, accurate self-assessment has become both a compliance obligation and a legal imperative.

Under the False Claims Act, organizations and their Affirming Officials, may face treble damages and civil penalties for knowingly submitting inaccurate information. Addressing core challenges (misinterpretation of NIST requirements, incomplete SSPs, inflated self-assessments, limited internal expertise, and lax POA&M discipline) is essential as CMMC 2.0 requirements phase into DoD solicitations and contracts starting November 2025.

To mitigate risks and ensure readiness, organizations should institutionalize disciplined, evidence-based assessment processes, maintain verifiable SPRS records, and prepare for third-party validation. Those that adopt these practices will be in the strongest position for contract eligibility, legal defensibility, and competitive stability as CMMC enforcement unfolds throughout FY 2026.

At Atlantic Digital, we help contractors bridge the gap between self-assessment readiness and successful third-party certification. Our team provides tailored readiness assessments to identify compliance gaps; implement required security controls aligned with NIST SP 800-171; assist with policy development, System Security Plan (SSP) and POA&M creation; and conduct pre-assessment or mock-audit exercises to reduce surprises during formal C3PAO engagements. For contractors already approaching their SPRS scoring thresholds, we ensure that both self-attestations and third-party assessments are conducted with confidence, supported by verifiable evidence sufficient to meet DoD contracting and CMMC 2.0 requirements.

Contact us today for a complementary consultation.

The SA-24 Update: Critical Implications for Defense Industrial Base Compliance

Posted on by
Reply

The recent update to NIST SP 800-53 (Release 5.2.0) on August 27, 2025, introduced a significant new security control, SA-24 “Design for Cyber Resiliency,” that warrants immediate attention from Defense Industrial Base (DiB) organizations (NIST 2025).

Rationale for SA-24 Introduction

The inclusion of SA-24 in NIST SP 800-53 Release 5.2.0 addresses the growing need for systems to be designed with inherent cyber resiliency. This control emphasizes the importance of anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, attacks, or compromises on systems that utilize or are enabled by cyber resources. This proactive approach aims to reduce mission, business, organizational, enterprise, or sector risk associated with cyber dependencies. The decision to introduce SA-24 was influenced by stakeholder feedback highlighting the necessity for a structured framework to embed cyber resiliency into system design processes (NIST 2025).

Strategic Significance for DiB Organizations

This update establishes a critical bridge between security compliance frameworks and systems security engineering, and, for DiB contractors, this development is particularly consequential for several reasons:

  1. Anticipatory Compliance Requirements: Although SA-24 is not currently included in NIST SP 800-171 Revision 3, it is anticipated that future revisions will incorporate this control. The alignment of SP 800-171 with SP 800-53 Revision 5, as seen in the recent updates, suggests a trend towards harmonizing security requirements across NIST publications. Organizations should proactively prepare for this integration by familiarizing themselves with the SA-24 control and considering its application in their current security practices (secureframe 2025; NIST 2024).
  1. CMMC Implications: Organizations pursuing Cybersecurity Maturity Model Certification should recognize this update as a potential indicator of future assessment criteria, particularly for higher maturity levels where resiliency requirements are emphasized.
  1. Competitive Differentiation: DiB contractors who proactively adopt cyber resiliency principles may secure advantageous positioning for future contract opportunities where robust security engineering is evaluated.

Technical Implementation Considerations

The SA-24 control establishes comprehensive requirements for cyber resiliency that align with strategic objectives outlined in SP 800-160 (NIST 2021):

  • Definition of organization-specific cyber resiliency goals and objectives
  • Implementation of designated cyber resiliency techniques and approaches
  • Integration of cyber resiliency design principles into systems engineering processes
  • Systematic review procedures as part of organizational risk management

To operationalize SA-24, organizations should map its elements to existing risk management frameworks and business continuity plans. For instance, the “organization-defined cyber resiliency goals” can be aligned with risk appetite statements in the risk register. Likewise, “cyber resiliency techniques” may be integrated into business continuity or disaster recovery strategies to ensure critical functions persist through and recover from adverse events. NIST SP 800-160 (Vol. 2) offers a technical foundation for selecting and applying techniques (e.g. redundancy, diversity, isolation, adaptability).

Procurement vehicles are increasingly reinforcing this convergence between compliance and resiliency. A prominent example is GSA’s OASIS+, a government-wide, multi-award IDIQ contract vehicle for acquiring complex professional services across domains (GSA. GSA). Under OASIS+, contractors responding to task orders may be required to fulfill J-3 “Cybersecurity/Supply Chain Risk Management (C-SCRM)” deliverables, which call for a documented cybersecurity program (mapped to NIST guidance), a C-SCRM plan, incident response capabilities, and business continuity/disaster recovery practices (GSA, GSA).

While OASIS+ is not itself a resiliency framework, its contractual deliverables illustrate how procurement requirements can drive adoption of resiliency-by-design principles like those in SA-24.


Implementing SA-24: Practical Examples:

Organizations can adopt various techniques to implement SA-24 effectively:

  • Redundancy: Implementing redundant systems and data paths to ensure availability during disruptions.
  • Diversity: Utilizing diverse technologies and vendors to mitigate the risk of widespread failures.
  • Isolation: Designing systems to contain and limit the impact of potential breaches.
  • Adaptability: Ensuring systems can evolve in response to emerging threats and vulnerabilities.

These techniques should be tailored to the organization’s specific operational context and risk profile (GSA, NIST 2021).

Who Should Be Paying Attention

  1. Prime Defense Contractors: Organizations directly contracted with DoD handling CUI must closely monitor how this update will influence contractual requirements.
  2. System Security Engineering Teams: Technical specialists responsible for architecture design and security implementation need to integrate these resiliency principles into development lifecycles.
  3. Compliance Officers: Professionals tasked with maintaining regulatory adherence should begin evaluating how SA-24 principles align with existing control implementations.
  4. Risk Management Leadership: Executives responsible for enterprise risk governance must consider how cyber resiliency objectives will factor into broader business continuity planning.
  5. Supply Chain Security Managers: The emphasis on cyber resiliency complements the Supply Chain Risk Management (SR) family introduced in NIST SP 800-171 Rev. 3 (NIST 2024), suggesting an integrated approach to supply chain security and operational resilience.

This development underscores the evolving regulatory landscape’s increasing focus on proactive, resilience-oriented security engineering rather than merely reactive compliance measures. Organizations that recognize this shift and adapt accordingly will be better positioned for both regulatory compliance and operational security effectiveness.

Conclusion

The introduction of SA-24 signifies a pivotal shift towards embedding cyber resiliency into the fabric of system design and operation. For DiB organizations, proactively adopting these principles not only ensures compliance with evolving standards but also fortifies the organization’s ability to withstand and recover from cyber adversities. By aligning with SA-24, organizations demonstrate a commitment to safeguarding critical missions and maintaining trust with federal partners.

At Atlantic Digital, our CMMC Strategy Experts help defense contractors translate evolving requirements like SA-24 into practical, actionable programs. From readiness assessments to ongoing compliance support, we partner with organizations to strengthen resiliency and secure their position in the defense supply chain.

Contact us today to learn how ADI can support your compliance and cyber resiliency journey.