Last Updated on January 19, 2024
The pre-decisional draft version 1.0 of the CMMC Assessment Process (CAP), released in July 2022, is a good starting effort to help standardize and reduce variability in CMMC assessments across different C3PAOs.
But is the CAP really what is needed most? One of the biggest holes in the entire CMMC ecosystem is the DoD’s emphasis on building an assessment program versus helping DIB orgs understand how to develop and maintain a security program. Organizations seeking certification (OSCs) need help implementing the CMMC controls, not paying someone to come to criticize them.
Today, we have significant movement within the DoD on how to assess nonfederal organizations that handle controlled unclassified information (CUI), how to evaluate the C3PAOs, and how to train more assessors. So, does the DIB need more training on securing information systems? Or on implementing CUI or NIST 800-171 programs?
Take the System Security Plan (SSP). Traditionally, an SSP is signed and approved by a person with: 1) The authority to do so; and 2) Technical know-how, including how to build, manage, and maintain the system. Where is the training for these folks? On what basis should a C3PAO assess an organization’s SSP solely signed and approved by a businessperson (e.g., a “one-person-army” staffing company or technology broker) without any knowledge of secure systems design?
What to do first with the CAP
As a starting point, OSCs should become familiar with the Roles and Responsibilities section of the CAP. Here you will also find guidance to identify your key stakeholders and systems/practice owners.
Next, stepping through the Assessment Framing section will give OSCs a rough order-of-magnitude (ROM) estimate, a good-enough way to get a preliminary idea of the potential investment from various C3PAOs for financial planning. Stepping through the “CMMC Assessment Scope” section will give OSCs an estimate closer to that of an RFP.
During the Assessment Framing exercise, be sure to include any requirements you may have for the Lead Assessor. These requirements may include a nearby physical location (to reduce travel cost) and experience in your field. Suppose the Assessment Team has no expertise in your line of business (e.g., manufacturing, construction, consulting). In that case, they will likely require more time to understand your business, thus potentially increasing the level of effort for your internal staff.
Meanwhile, before sharing too much information about the programs you support or your compliance status, OSCs should obtain a non-disclosure agreement (NDA) for assessment team members to sign.
Please note: The DIBCAC assessment is performed by DoD personnel with security clearances (Secret or Top Secret). OSCs are not guaranteed that level of assurance as a Secret clearance is not required to become a CMMC Certified Assessor (CCA).
Know your responsibilities under DFARS 7012
It’s extremely important for OSCs to read the DFARS 252.504-7012 clause in any existing contract, one of the main reasons being to ensure you are fully aware of your responsibilities. This includes using only cloud service providers with a FedRAMP Moderate ATO or its equivalent. At a minimum, the assessment team will want to see proof of that.
Another critical cloud issue for assessments is to know what is in your data center versus what is in the cloud. Pay close attention to the language on page 13 of the current CAP draft, which states, “If the External Cloud Service Provider does not store, process, or transmit CUI, but contributes to the OSC in meeting CMMC requirements (i.e., providing protection) for the OSC’s environment containing CUI and FCI, then the External Cloud Service Provider must only meet NIST SP 800-171 requirements and attain CMMC certification for CUI/FCI.” This requirement for Security Protection Assets (SPA) per the CMMC Assessment Guide is nowhere in the current DFARS requirements, nor is there clear guidance within the CMMC Assessment Guide or Scoping Guide. More information on this will be required from DoD.
More assessment tips
As you get into the flow of the assessment preparation, here are some tips to elevate your CUI Program and your SSP:
- Ensure all controls/security requirements, or at least the security requirements family, have an owner documented within the SSP.
- Include sufficient information on how to “rebuild” the system and reference supporting policies, plans, processes, and procedures. Build yourself an annex table.
- Ensure practice owners attend the CMMC Assessment Daily Checkpoint or Daily Review. (The CyberAB needs to clarify how/if these differ). This part of the process gives the OSC visibility into the progress of the assessment, including current scoring. It also gives the OSC a chance to provide additional information/evidence to support a request to update a finding and final score.
- Become familiar with the “non-negotiable” security requirements (highest-weighed), aka Ineligible Practices for Deficiency Corrections starting on page 26 in the pre-decisional CAP draft. These requirements do not allow a POA&M (Not Achieved). Thus, failure to implement them would prevent you from attaining your CMMC Level 2 Certification or a CMMC Level 2 Conditional Certification.
- Note the Final Results Criteria. A score of less than 80% equals Not Achieved, meaning the OSC will have to reapply for CMMC certification. A score between 80% and 99% equals Met, meaning the OSC may receive a Conditional Certification; however, any POA&M may need to be closed within 5 days or up to 180 days. A score of 100% equals Met.
- Become familiar with the “Credible and Effective POA&M” items and the POA&M Close-Out Assessment option. The OSC is responsible for closing these items within the allotted time (up to 180 days from the Final Finding Briefing).
- Don’t get hung up on seeing POA&Ms as bad. They can be created to improve existing controls or to retire systems from the ecosystem, not just to remediate gaps.
Next steps
A best-practice planning and preparation effort, including confident understanding of how to remediate any compliance gaps, is key to a successful CMMC certification assessment.
If you have questions about the assessment process or want expert support to build and maintain a CMMC-compliant cybersecurity program, contact Pivot Point Security.