Last Updated on August 26, 2021
If you do business with the US Department of Defense (DoD), you’re probably in line for a Cybersecurity Maturity Model Certification (CMMC) and/or NIST 800-171/DIBCAC assessment. Whether that’s happening next week or it’s two years out, you should be setting yourself up for it now—because waiting until the last minute is just too risky. The DIBCAC allows you to take corrective actions, but these issues negatively affect your compliance score. And CMMC assessments are “go/no-go.” Suffice to say, a fail could mean you’re unable to participate in government contracts.
Especially if you’re an audit newbie, you probably want to know all about the audit process: How many auditors? How long will they be onsite? Who will they interview? What will they observe and/or test? Can the audit take place offsite? What level of time and effort should your team expect?
To unpack all the details of what your CMMC or NIST 800-171 assessment will look like, a recent episode of The Virtual CISO Podcast features two of our most experienced consultants—George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
Look forward to document review and interviews
Both CMMC and NIST 800-171 assessments start with a kickoff meeting, where the assessors are looking to get an overview of your organization and your security environment. It’s anticipated that CMMC assessments, as well as many DIBCAC assessments, will also include a planning phase that will precede the assessors’ visit.
That initial “introduction” will generally be followed by document review.
From his experience as a DIBCAC assessor, Caleb relates:
“We were doing document review usually for the whole first day. That was just to get a better understanding of the policies and where to find things and where to look for information. It may not be quite the same for CMMC, but you’re going to want to break off right away into your interview rooms. You have your subject matter experts (SMEs) on your side and we have our assessment SMEs on our side and we’ll take each of those areas and knock out as much as we can.”
“That was typically with a team of about four assessors and an assessment lead for DIBCAC over the course of a week,” Caleb continues. “And it would sometimes take til every bit of that last hour on a Friday, eight hours a day of getting in there. And sometimes it would be almost wrapped up by Wednesday. [The company’s] level of preparedness can definitely make a huge difference on level of effort for an actual assessment.
CMMC assessments may involve fewer assessors
What about CMMC assessments?
“Coming into CMMC, we know we don’t have quite the same structure and resources as DIBCAC has set out,” shares Caleb. “So, for a level three assessment, we know we have a minimum of three assessors, so you could have something along those same lines.
“Break out into a couple different rooms or a couple of different areas, have different people look at certain control families. Or maybe some of the C3PAOs that are well-staffed or just have good processes in place will have everybody sit in one room and have everything laid out to target your questions and lay out your interviews in a way that just flows, so you can get things done in that amount of time. But starting now, I wouldn’t expect any more than the minimally required three assessors per assessment for CMMC,” Caleb indicates.
A lot of your people will probably be involved
John adds: “When I think of similar audits, like FedRAMP and SOC 2, there are certainly conversations with a broad cross reference of the organization: human resources, physical security, network security, applications—the same type of broad expectation. I mean, [the assessors are] going to be chatting with an awful lot of the people that work inside of the company.”
Whatever the particulars for numbers of assessors and how they approach their work, you will certainly face interviews and will need to provide documentation for assessors to read through. The assessors will also observe your controls in action and inquire about settings for key applications and policies.”
“You might need whoever’s managing your Active Directory or whatever it is for password management to log in and show [the assessor] that setting,” Caleb notes. “But it spans across all the [control] families. So, you have personnel security where you might be speaking to HR folks. You have physical security where you start talking to the facilities folks. It depends on the size of the organization and how many people they have [performing those various roles]. Sometimes you have one IT person who needs to answer all of it.”
“It can be very demanding on an organization,” George offers. “Because depending on the size, it can become quite complex. And, of course, there’s operations going on. The show must go on. So, there’s flexibility on both sides.”
Remember who you’re working for
Finally, as George points out, it’s important to remember who is working for whom: “When you invite someone into your home, you have to be kind, you have to treat them with respect and make sure that they’re welcome. It’s not the opposite. The auditors are not working for you. You are working for them, essentially. You’re validating that the government’s requirements are being met.”
To make certain you’re fully prepared for your upcoming CMMC or NIST 800-171 assessment, be sure to listen to this podcast episode with Caleb Leidy and George Perezdiaz.