Last Updated on August 26, 2021
Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171/DIBCAC assessments are upon us. If your company needs to comply with either or both of these US federal government cyber frameworks, you should be doing all you can right now to set yourself up for success. This is especially true for CMMC assessments, which are “go/no-go” and don’t permit follow-up “plans of action” to get you off the hook.
Especially if your team hasn’t faced a lot of audits, one of the biggest hurdles in your CMMC/NIST 800-171 assessment will be the kickoff meeting with the assessment team from the DIBCAC or C3PAO. What will the assessors want to accomplish? What should your team be looking to accomplish? What are key things you should definitely do? Or be careful not to do?
To make sure you’re fully prepared and confident in advance of your CMMC/NIST 800-171 assessment, we debriefed two of our best consultants on a recent episode of The Virtual CISO Podcast—George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Lead with your SSP
“The first thing coming through the door, we prefer that you hand us over your System Security Plan (SSP),” says Caleb, a former DIBCAC assessor. “We want to start getting an idea of what you have in place, but then also all the rest of your policies and things that evidence that you have prepared. We want to get as much of it upfront as we can, so we can start deriving our targeted questions and reveal a little bit more detail here, a little bit more detail here…”
“So, [at this initial meeting] we’re kind of getting an idea of the organization,” Caleb continues. “What do you do? Who are you? One of the big do-nots is, for example, we had an organization where their point of contact who was briefing us when we came in decided to take half the morning to give us a history lesson on their organization and all the wonderful things they’d invented over the past 60 years. Which was cool, but didn’t necessarily fall into our timeline and our purpose there.”
“So focus on your actual security program and the things you’re doing, without getting into a huge amount of detail, because we’ll get to that in the interview sessions,” advises Caleb. “Just have that evidence and a good scoping perspective laid for us when we come in.”
George adds: “That executive presentation that shows how your enclave looks; your security in-depth—this is your opportunity to show and/or educate the assessment team, because they’re not necessarily technologists. They will not know every single tool or how you have your tools configured within your environment. So take that opportunity to educate and walk into the process all the way from the edge to your end point. What are the things that you’re doing and that you have in place to assure them that you’re taking security seriously, above and beyond potentially the regulatory requirement? Without saying too much…”
“With regards to the tools, perhaps rather than just using like a [name] like Graylog or Alert Logic, or whatever, just refer to, ‘Hey, Graylog, our SIM solution…’,” recommends John. “Make sure that you’re making it easy for them to stay in touch with what you’re saying and understand what you’re saying.”
As George notes, the place for details about your tools is in an appendix in your SSP or an accompanying document—not in the body of the SSP.
“You want to keep the SSP and even the policies as high-level as possible,” George explains. “You’re saying the ‘what’ and referencing the things that will inevitably change because your configuration items will change with time. Especially if you’re maintaining your environment with constant monitoring, the way it’s supposed to be, those things will change. Your SSPs and policies, you want to be as static as possible.”
If there’s a CMMC or NIST 800-171 assessment in your future, you’ll really appreciate all the “insider insights” in this podcast episode with Caleb Leidy and George Perezdiaz.