Last Updated on September 10, 2021
During your Cybersecurity Maturity Model Certification (CMMC) or NIST 800-171/DIBCAC assessment, the assessors will be looking for objective evidence about the “persistent and habitual” operation of each control. The forms of evidence they’ll be looking at include interviews, examination of your policies or documentation, and actually testing a control.
Their goal is not to put your team on the spot, but to gain confidence that you’re doing what you say you’re doing. Still, if an assessor examines a policy, interviews staff and then still want to test the control, feathers could get ruffled. Do you not trust us? Do you think we’re lying? Or what if an assessor finds fault and you think they’re off-base? What can you do?
To get insider tips on how to handle any contingencies during your CMMC or NIST 800-171 assessment, we asked two of our own consultants to join a recent episode of The Virtual CISO Podcast: George Perezdiaz, CMMC/NIST Security Consultant, and Caleb Leidy, CMMC Consultant/Provisional Assessor. John Verry, Pivot Point Security CISO and Managing Partner, is the show’s host as always.
Start by being flexible
“If I feel that I’m giving you everything that I have, and you still don’t understand it, it comes back to that flexibility,” George advises. “’What else can I show you?’”
Being combative won’t be helpful. Remember, your contract contains a DFARS 7020 clause. You’re obligated to make your facilities, systems and personnel available for this assessment.
“If you want to continue doing business with the government, you have to understand and respect those requirements,” asserts George. “If an assessor is difficult, that’s a different story. But there’s a path now—especially with the CMMC—to make those complaints in a formal way.”
Be ready to inform and educate assessors
Of course, you’re free to argue. But remember that the assessors aren’t there to defend NIST 800-171 or CMMC. If you’re unable to show specifically what the framework is asking for, you may have a legitimate nonconformity to address.
Regarding disagreements, Caleb (a former DIBCAC assessor) notes: “The majority of the time it can be worked out internally. I know for the DIBCAC we had 50 folks from various life backgrounds and walks of technology experience. We didn’t always have a network person assessing network controls. So be ready to do that explaining, be ready to do that training and work with your assessors.”
Work with your lead assessor
Remember, too, that the assessment team will include a certified (and highly experienced) assessment lead. “If you can’t hash it out with your assessor, bring it up with the assessment lead,” Caleb suggests. “I’d say 95% of the time you can work it out on that level. If not, you’ve got your formal process going through the CMMC-AB and other entities.”
If your organization faces a CMMC or NIST 800-171 assessment, this podcast episode with Caleb Leidy and George Perezdiaz will help you get prepared and feel confident about the process.