Last Updated on September 10, 2021
Thousands of SMBs in the US defense industrial base (DIB) face Cybersecurity Maturity Model Certification (CMMC) and/or NIST 800-171 assessments in the coming months. Now is the time to prepare for these business-critical audits, which can make or break your ability to bid on government contracts.
One of the keys to passing your assessment is your documentation. Your policies, procedures, and System Security Plan (SSP) should give the assessors a feeling of confidence that A) you’re doing what you say you’re doing, and B) what you say you’re doing addresses the intent of the regulation. So, what should your evidence look like to provide that confidence?
To help you prepare in the most efficient and effective way for your CMMC and/or NIST 800-171 assessment, two of our most experienced consultants—George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor—tag-teamed host John Verry on a recent episode of The Virtual CISO Podcast.
Good documentation starts with the SSP
“[Good documentation] starts with the SSP,” George stresses. “Before you go through your 110 or 130 controls, your SSP should start with a high-level policy statement, and potentially [outline] some processes for how you’re handling, controlling and protecting the data—and that’s your starting point.”
Be prepared to provide evidence in interviews
As Caleb explains, the next level of evidence you’ll need to provide will be in your interviews, which DIBCAC assessors in particular emphasize heavily: “It’s all broken down into the confidence levels. [The DIBCAC] would never give a high confidence to an assessment if we weren’t actually seeing things. A lot of people like to use artifacts, which is great. But if you’re showing me a screen shot of your active directory settings, I can pull that from Google and lots of other places…”
Start thinking about evidence during your self-assessment
Your starting point for gathering evidence should be your self-assessment, which should help you understand where you’re actually implementing each required control.
“What settings are being set? Who has control and ownership over that?” frames Caleb. “Coming out on the other end, when you have to answer to an assessor, it’s easier to say, ‘We know Bill has control over that and he can go ahead and show you the settings in our system live real-time.’”
“It comes down to that institutional knowledge,” George relates. “You can have a policy, but if no one knows that that policy exists or that there’s a process enforcing that policy, then you’re missing the entire intent of the requirement. And to Caleb’s point, there’s no magic number or approach to the evidence—it’s when your assessors will feel comfortable. Until they get comfortable with tests or the interviews or the sampling or the evidence itself, that’s when you can say, ‘Yes, we passed.’”
Make sure you have evidence for all aspects of a control
As part of your preparation, does it make sense to describe how you plan to evidence each control within the documentation for that control? Or is that overkill?
“It goes back to that NIST 800-171 self-assessment, which has those various objectives,” George notes. “If, when you’re going through each one of those 110 or 130 requirements or practices, you account for each one of those additional attributes [i.e., pieces of evidence], then that’s where you can be comfortable that you’re doing what is intended for that particular requirement.”
The goal is to ensure that, as your assessment is underway, you can quickly produce all the necessary attributes or pieces of evidence that the regulation mandates for a specific control, not just one or two. So, as part of your self-assessment, ask, “Can we generate evidence to show that we’re doing A, B, C and D?’ for a particular control.”
But don’t make the mistake of front-loading all these evidence details into your SSP. As Caleb describes: “No one expects you to have in your SSP for each control a very specific detailed layout of every setting and all of that. [Your SSP] can reference your other documentation and just say, ‘That’s in Active Directory,’ for example. Or ‘That’s handled by our SIM tool.’ And then whoever has ownership of that SIM tool would be able to go in and get the details on that for the assessment.”
If you want to give your business every advantage going into your CMMC or NIST 800-171 assessment, don’t miss this podcast episode with Caleb Leidy and George Perezdiaz.