CMMC-AB Standards Podcast

The CMMC-AB released the first of what is intended to be a series of video podcasts which are designed to help those looking to learn more about CMMC. The video includes a team of Directors (Jeff Dalton, Regan Edens, and Chris Golden) from the CMMC-AB Board of Directors. In the video they run through several complex concepts, including overviews of how assessors will conduct an assessment, what they will look for, and much more. Some highlights/insights include:

  • 8:23 – Although there is a perception that Maturity Level 1 (“ML1”) is “easy”, it may not be easy for less mature organizations to achieve. The practices are still robust. Rather than “easy,” a better characterization would be “non-managed”.
  • 8:40 – Practices are important, even at Maturity Level 1 although they don’t need to be documented at ML1.
  • 11:28 – There is a discussion of the kinds of Objective Evidence that is used during an assessment and how the requirements can change with the context of the organization being assessed. The Assessors will review the evidence presented by the organization seeking certification (“OSC”) to assess whether a particular requirement is being met in the context of the OSC’s environment. Assessors will primarily rely on 3 types of evidence: Examinations, Interviews, and Tests. There is a discussion of each form of evidence and how it is used.
  • 15:37 – The team discusses how to use the CMMC Assessment Guides. You must be 100% conforming with each of the objectives listed in the CMMC Assessment Guides (corresponding to each practice) to ensure you will pass the assessment. [The CMMC Information Institute’s Maturity Level 1 Gap Analysis Tool lists each practice and objective and helps you with this analysis].
  • 17:00 – The team then walks through the Assessment Guide’s listing of assessment practices (i.e., Examine, Interview, and Test) for a particular practice. It is important, as you build out your Objective Evidence and your assessment plan and if you are planning on using an interview as a form of Objective Evidence, that you select someone who has appropriate levels of responsibility and visibility as defined in the Assessment Guide’s “Interview” description for that practice.
  • 20:00 – The Examples provided are not intended to cover every objective that makes up a practice. They only illustrate how an OSC could demonstrate that they meet the specific objectives referenced.
  • 21:53 – The examples in the guide are meant as illustrations, and not explicit requirements. An OSC does not need to exactly follow the example. They are “descriptive not proscriptive”.
  • 23:30 – The team transitions to looking at the related requirements and documents including DFARS 252.204-7012.
  • 24:50 – There is a discussion of how Plans of Action and Milestones (“POA&Ms”) differ in the NIST SP 800-171/DFARS 252.204-7012 context versus CMMC. Under DFARS 252.204-7012, a POA&M can be used to define how you will address gaps between your current state and what is needed under NIST SP 800-171. Under CMMC, all requirements must be met to achieve certification. That doesn’t mean you can’t have a POA&M; you still can. But the POA&M will focus on how to further improve your environment. [So, for example, if your organization is seeking ML1 certification, you must demonstrate satisfactory adoption of all 17 practices and their related objectives. However, your organization may decide that it really wants to meet ML2 requirements, and it can create a POA&M for how to get there.]
  • 26:42 – There is a discussion of what a System Security Plan (“SSP”) is and how it can be structured. An SSP defines what should go into your operational program to protect data, including forward-looking aspects (i.e., things that haven’t happened yet). An SSP should cover technology, processes, people, timing, risks, and issues that are involved in the protection of the data. It needs to be a “living” document that is kept up to date as things change in the environment.
  • 29:00 – An SSP should describe not only what you are doing today, but what changes you expect to make over time. The more mature your organization becomes, the more forward-looking the SSP is likely to be.
  • 30:00 – It can be hard to get out of the assessment mindset where you’re trying to make it to the finish line so you can get the certification. With CMMC, there is no finish line. Instead, you should always be looking to the future and how you will address future technology, processes, and threats.
  • 31:20 – The team transitions to a discussion of CUI and FCI. It is important to note that CUI isn’t just information that is received from the government; it can be created in your environment. CUI is supposed to be marked, either by you as the creator or by the government before they give it to you. FCI can be trickier to identify, because it does not need to be marked.
  • 33:30 – Policies, procedures, and planning are discussed. Policies are “what is expected of you”. What assessors are looking for is whether the people understand what is expected of them. The procedure is a “2-dimensional manifestation of behavior;” what is it we want people to demonstrate while they are working. This approach allows you to create simplified documents.
  • 36:23 – The team talked about external service providers and how CMMC will apply to them. In the short term, the CMMC-AB is still waiting for DoD to make decisions around reciprocity. There is an expectation that OSCs will inherit at least some of the controls of certain assessments, but the details are still being worked through. At the end of the day, though, it is the OSC’s responsibility to prove that any external service providers are meeting the requirements upon which the OSC is relying.
  • 38:39 – The team also discussed what will likely be acceptable when it comes to storing CUI in a cloud provider’s environment. In short, if the data is encrypted before it gets into the cloud provider’s environment the OSC manages the keys, and the cloud provider is otherwise appropriately certified (e.g., FedRAMP, CMMC ML3, etc.), then it will likely be acceptable.
  • 40:00 – Documenting the flow of CUI within your environment is critical to ensuring you are managing it properly. The assessors will be looking for that information. You need to demonstrate governance and control over how the information flows within the environment. There need to be clear delineations that control who is authorized to access the information. As the authorized holder of the CUI, it is the OSC’s responsibility to ensure that the recipient is capable of handling the CUI appropriately.
  • 43:07 – The cheapest, fastest, and easiest way for small and micro businesses to begin working with FCI or CUI is to use someone else’s equipment.
  • 45:00 – Reminder: There is an upcoming webinar with DoD on January 26 where more information will be disseminated.