Last Updated on July 14, 2021
Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance assessments are finally happening, and many firms in the US defense industrial base (DIB) are looking to get the jump on their certifications. With so much riding on a “passing grade,” have you done all you can to prepare?
To paint the clearest and most up-to-date picture of what CMMC assessments will look like, a recent episode of The Virtual CISO Podcast features Stacy High-Brinkley, VP of Compliance Solutions at Cask. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
The three types of objective evidence
Stacy notes that there are three types of objective evidence for CMMC assessments: examine, interview and test. Typically, an assessor would only require of these for a given CMMC practice or process. But with many assessments being done remotely, will that change things?
“If you’re doing this remotely, sometimes you’re going to need three pieces of evidence,” cautions Stacy. “Because if you examine a document and then interview someone [remotely], they could be reading from the document. So, you might have to have a test done.”
“You really need to make sure that you have exactly what’s happening down,” adds Stacy. “But per the assessment guide, it’s two pieces of objective evidence if you’re on-site. So right now, it’s going to be up to the assessor whether they want two or three. I believe it’s probably going to stay mostly two for most of them.”
What does “persistent and habitual” mean?
“‘Persistent and habitual’ is a term that I’ve heard used with regards to your obligation,” John observes. “How long do you think an environment needs to run for, or how many samples of a particular control practice might you need to be able to gauge something as meeting the persistent/habitual requirement?”
“I’m going to examine the documentation, talk to the folks who are implementing that security control, and that should be good,” Stacy relates. “If I know that, I can see they’re obviously doing this over and over again. The goal is continuous monitoring. People need to continually monitor their networks to make sure they’re keeping threats out of their environment. You’re going to see that in their documentation flow and in their personnel, and in how they’re taking care of all their logs and auditing and access control and incident response plans… There are a lot of questions that get really in-depth where you can tell if they are truly doing this repeatable process in a persistent manner.”
“They want to see past data; that you’ve done things in the past,” continues Stacy. “Let’s say you started six months ago, and you’ve been doing it persistently every day, continually monitoring the things that are important to protect your critical data—I think that’s fine. I think if you just throw it together real quick, we’re going to be able to tell.”
The benefits of a compliance platform
What are some “top tips” for organizations that want to make the auditors’ lives—and hence their own—as easy as possible during the assessment?
“I think what they need to do first is get everyone who’s involved on the same page,” Stacy advises. “Have one authoritative place for all the documents you’re reviewing. You do not want to be emailing documents back and forth, over and under version control. You need to keep that version control really, really tight, so you know exactly where you are. Because it’s a lot of documentation to review. It’s a lot of documentation to obtain from your [finance people], from HR, from your corporate ops, your budgeting, your funding line for IT. [The auditors] want to make sure that they’re seeing everything. So [a compliance platform or equivalent] is the most important thing that I’ve found.”
“I always encourage people to either use the tools you have [e.g., SharePoint, Wrike, your help desk system] and have the management system meet you where you are,” agrees John. “Or, if you don’t have these types of tools, then purchasing some type of platform to manage this on is going to make their lives a lot easier—especially because then they can give [the auditors] access to that platform.”
“We [at Cask] have a compliance platform… and it saves me three people,” Stacy emphasizes.
Another huge benefit of a compliance platform is it gives you peace of mind in knowing that, as John puts it, “‘Okay, we’re going to ace this audit.’ Because you can’t afford not to ace your audit, right?”
If your company needs to ace an upcoming CMMC assessment, this podcast episode with Stacy High-Brinkley is sure to help you make that happen.