u/ManagerOk6785

▲ 13 r/CMMC

Failed mock because all SPAs were subject to all 110 security controls

We failed our mock audit because we didn’t document in the SSP how every control applied to every SPA in our environment. My question is, is this standard? I’ve talked to another auditor briefly who said the SPAs should only be assessed against controls that that SPA is used to make compliant.
https://www.theneteffect.com/cmmc/20251112.php#relevant
See my example below.

In 3.1.8, limit unsuccessful logon attempts, we defined how we limited logon attempts onto the Windows machine. We were not compliant because the SSP didn’t document how we limited logon attempts onto the ThreatLocker cloud portal. Upon looking at the SRM for ThreatLocker, it states that the limiting of logon attempts is the customer’s responsibility. In the ThreatLocker settings, there is no way to increase the lockout timer or the number of failed logons before account lockout. The only thing I could find is the ability to federate it to a domain, in which case ThreatLocker would inherit the Windows group policy. We would prefer not to do this because the “fractional IT employee” is completely remote and this small business would prefer not to pay for their new computer and GCCH license. Regardless, does anyone else have experience or guidance on whether SPAs are subject to all 110 security controls or not? And if not, is this something we could push back against the auditor on, or do we need to cut our losses and find another C3PAO?

u/ManagerOk6785 — 1 day ago