ArrowFall Thought They Were CMMC-Ready: Here's What Took Them Down
- Tom Blandford
- Jul 15
- 6 min read
Act I: The Illusion of Readiness
In mid-2025, ArrowFall Systems, a midsized manufacturer with several DoD subcontracts, was confident they were ready for CMMC Level 2. They had endpoint detection, cloud backups, a stack of vendor-supplied policies, and the free NIST 800-171 self-assessment spreadsheet. Their MSP had followed the checklist. Their documentation was tidy. They booked their C3PAO.
The problem? They treated the framework like a checklist.
No one questioned whether the "yes" answers had any substance behind them.
Then the assessment came.
Despite their confidence, ArrowFall failed. Not a soft fail, not a narrow miss. A full stop. The kind of failure that turns into a memo from your prime, asking when you’ll be eligible again. The kind of failure that exposes not just technical gaps, but strategic ones.
Act II: The Breakdown
Where did it all go wrong?
ArrowFall’s audit report told a brutal story:
- Encryption Missteps: Their data-at-rest encryption was not FIPS 140-2 validated. Their OpenSSL build, while cryptographically strong, was not a CMVP-validated module. This triggered an automatic failure under SC.L2-3.13.11 and SC.L2-3.13.16.
- BYOD and Shadow IT: The absence of a mobile device policy and unclear boundaries between personal and corporate data led to several POA&M-ineligible findings.
- Documentation Decay: Their System Security Plan had not been updated in nearly a year. Control inheritance was unclear. Shared responsibility models were referenced but never documented.
- Shared Responsibility Gaps: They assumed their GCC High environment covered everything. It didn’t. Many DIB contractors still don’t realize that GCC High is not compliant out of the box; the default tenant must be configured properly. Several services fell outside the FedRAMP boundary and required contractor-specific controls under DFARS 252.204-7012(c), but no one had identified them. The team wrongly believed the platform’s default settings were sufficient, revealing a critical misunderstanding of shared compliance responsibilities.
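As an added example (not code from the article, and not any vendor's tooling), here is a small POSIX shell script a defender could run to spot the encryption gap described above before an assessor does: it checks the Linux kernel FIPS flag and whether the OpenSSL 3 FIPS provider is actually loaded, rather than merely installed. The file name fips_posture.sh and the function names are assumptions. The caveat matters for SC.L2-3.13.11: FIPS mode being on is necessary but not sufficient, because CMVP validation attaches to a specific module version listed on the CMVP site, so this is a screening step, not evidence of validation.

```shell
#!/bin/sh
# Added example (not from the article): two checks a defender can run on a
# Linux host to confirm that the cryptography protecting CUI at rest is at
# least operating in FIPS mode. Both functions take their input as an
# argument or on stdin, so they can be exercised against constructed data
# as well as the live host.

# Returns 0 when the kernel's FIPS flag reads "1". The path argument is
# optional; it defaults to the real sysctl file and can be overridden.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# Reads the text of `openssl list -providers` (OpenSSL 3.x) from stdin and
# returns 0 only if a provider block named "fips" reports "status: active".
# The default provider being active is not enough: unvalidated algorithms
# would still be available to applications.
fips_provider_active() {
    awk '
        /^[ \t]*[A-Za-z0-9_]+$/ { name = $1 }            # block header, e.g. "  fips"
        /status:/ && name == "fips" && /active/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Combines both checks into a one-line verdict. Prints a summary and returns
# 0 only if both pass; takes an optional flag-file path for the kernel check.
fips_posture() {
    k="kernel-fips=no"; p="openssl-fips-provider=no"; rc=1
    kernel_fips_enabled "$1" && k="kernel-fips=yes"
    if command -v openssl >/dev/null 2>&1 && openssl list -providers 2>/dev/null | fips_provider_active; then
        p="openssl-fips-provider=yes"
    fi
    [ "$k" = "kernel-fips=yes" ] && [ "$p" = "openssl-fips-provider=yes" ] && rc=0
    echo "$k $p"
    return $rc
}

# Run against the live host when executed directly as fips_posture.sh. The
# result is informative only: an active FIPS provider is necessary but not
# sufficient, because CMVP validation attaches to a specific module version,
# not to the FIPS mode switch.
if [ "${0##*/}" = "fips_posture.sh" ]; then
    fips_posture
fi
```

Save it as fips_posture.sh and run `sh fips_posture.sh`; a non-zero exit means at least one check failed and the evidence for 3.13.11 needs attention. Because both checks read plain text, the same functions can be pointed at exported sysctl and provider listings collected from fleet hosts.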
They didn’t just fail technically. They failed operationally. Strategically. Culturally.
"I thought we had this covered," said ArrowFall’s CEO. "We did what our MSP told us. I didn’t realize how much we were supposed to own ourselves."
To make matters worse, their failure came while the final Title 48 rule was looming. Based on previous DFARS rulemakings, they knew that once it dropped, the phase-in clock would start ticking. CAP 2.0 was approaching finalization and was expected to reshape how assessment failures were treated. Rev 3 enforcement was not yet mandated, but ArrowFall had no illusions: based on past transition timelines, they estimated no more than 12 months before it became the standard. That possibility created a new kind of pressure: fix the issues and pass fast, or risk having to restart under a much more complex framework.
Do they try to pass Rev 2 again? Or switch to Rev 3 and risk even greater complexity and cost?
They needed answers. Fast.
Act III: The Pattern Behind the Pain
ArrowFall’s real failure wasn’t encryption. Or documentation. Or even misunderstanding GCC High.
Their failure was assuming compliance was a checklist.
What they lacked was a system: a strategic approach that connected IT, security, and compliance into a lifecycle, designed not merely to survive a static audit but to adapt.
They had started with the right tools (NIST spreadsheets, SPRS scoring, free readiness templates), but those tools only work if someone with a compliance background knows how to interpret them. Without a GRC platform to connect intent with evidence, their efforts stalled at documentation and never reached execution.
If their IT environment had been rooted in NIST’s Risk Management Framework (RMF):
- Every data type would have been categorized
- Validated encryption would have been selected upfront
- Inheritance would have been mapped, documented, and traceable
And if that system had been enforced by FISMA, as it is for federal agencies, ArrowFall would have operated with the same discipline expected of the government itself. Because they handled Controlled Unclassified Information (CUI) under federal contract, they were already subject to FISMA's underlying principles, even if not in scope for full agency enforcement. This made the need for RMF-rooted, FISMA-informed controls not just best practice, but vital to fulfilling their contractual obligations.
"We didn’t need another audit," said ArrowFall’s compliance lead. "We needed a system that thinks like the government does."
What finally bridged the gap for ArrowFall wasn't just realizing they needed help. It was discovering why their approach was doomed from the start.
What FISMA Really Means for the DIB
If you’re handling CUI under a federal contract, FISMA’s core requirements apply to you, especially around encryption, authentication, auditing, and continuous monitoring. You may not be a federal agency, but your data is being treated like it is.
Enter HACS: The Adaptive Engine
The Department of Defense doesn’t operate on checklists. It operates on the Risk Management Framework (RMF), enforced across federal systems by the Federal Information Security Modernization Act (FISMA).
To ensure federal agencies can rapidly defend against emerging threats, the government introduced HACS, the Highly Adaptive Cybersecurity Services under the GSA Schedule. HACS isn't a product or a toolkit. It's an acquisition vehicle that ensures any solution it supports can respond to constantly evolving cyber threats.
For defense contractors, HACS serves as a signal of assurance. Solutions approved under this category are recognized as both technically rigorous and strategically agile. This is critical because the compliance landscape, like the threat landscape, doesn't stand still. Aligning with HACS-backed services allows organizations to stay resilient as control baselines shift, threats evolve, and standards like CMMC transition from one revision to the next. It's not just about cybersecurity, it's about compliance future-proofing through continuous adaptation.
Here’s the critical insight:
- RMF sets the methodology
- FISMA enforces it across agencies
- HACS ensures it is responsive to real-world threats
Together, they don’t just ensure compliance, they create adaptive resilience.
If ArrowFall had implemented a system aligned with all three, they would’ve been prepared, not just for Rev 2, but for any new revision, clause, or control. They wouldn’t have been guessing at FedRAMP boundaries or misinterpreting encryption requirements.
They would’ve been operating from a position of strength.
That’s what set the stage for their next move.
Act IV: The Pivot
That’s when they discovered a strategy, not a product, that aligned their IT to the same lifecycle federal agencies use.
A solution that could:
- Map every Rev 2 control to its Rev 3 equivalent
- Flag what was already satisfied
- Surface what still needed mitigation
- Crosswalk against other frameworks like HIPAA or PCI when contracts required it
"If only there were a way to turn what we’ve already done into a path forward, without starting over," said the Director of Operations during the team’s postmortem.
There was.
They found an ecosystem built on RMF, enforced by FISMA, and powered by HACS, the Highly Adaptive Cybersecurity Services category under the GSA Schedule.
That ecosystem converged IT service management, cybersecurity, and compliance into one operational model.
It didn’t bolt tools together. It integrated them.
- Tickets created audit artifacts
- Control failures triggered service workflows
- Compliance drift flagged risk in real time
Of the 110 Rev 2 controls, this ecosystem fully met 58, and helped ArrowFall isolate and prioritize the 52 that remained. No starting over. No endless workshops. Just clarity.
Act V: The Recovery
ArrowFall used this clarity to make a fast decision. They began aligning to Rev 3 early, aiming to avoid CAP 2.0 uncertainties and to prepare for re-assessment before new rules took full effect.
Today, they’re back on contract.
“The solution wasn’t a tool,” said ArrowFall’s IT Director. “It was a strategy. One that wouldn’t let us get caught off guard again.”
Conclusion: From Failure to Future-Proof
ArrowFall’s journey isn’t rare. It’s common. And it’s getting more expensive by the day.
Compliance can no longer be a reaction. It must be adaptive by design.
ThreatKrusher is the convergence of IT service management, cybersecurity, and compliance, working seamlessly together.
Don’t wait to fail to realize what’s missing.
Start with a Rev 3 readiness assessment grounded in reality. Built on strategy.
The preceding story is fictional. ArrowFall Systems is not a real company. However, the events described here are grounded in real-world patterns and documented challenges experienced throughout the evolving CMMC ecosystem. This story draws on over a decade of CMMC readiness expertise, as well as our experience as a founding member of the Cyber AB.