Many businesses are starting to recognize the need for a strong cyber compliance program and are looking to NIST SP 800-171 and CMMC as the basis for their programs. At the same time, many consultants, managed service providers (“MSPs”), managed security service providers (“MSSPs”), and related service providers are entering the compliance services market, trying to help these businesses meet their legal, regulatory, and contractual obligations. The following engagement process can help service providers ensure they are asking the right questions of their clients, and that they are following a well-defined, structured approach to the related engagement(s).
Recommended CMMC Gap Analysis/Assessment Preparation Process
- Initial discussion with client
- Send client questionnaire (below or in our updated 800-171/CMMC Self-Assessment Tool)
- Enter into a nondisclosure agreement with the client (send with questionnaire)
- Analyze questionnaire. If the client identifies that any of the following are missing, create an agreement and SOW with entries for the following, as needed:
  - Conduct hardware inventory
  - Conduct software inventory
  - Conduct cloud service inventory
  - Conduct information inventory
  - Use inventory information to define “systems”
  - Create network diagram
  - Create data flow diagram
  - Create role-based org chart with information and system authorization
  - Determine whether the environment should be managed under a single System Security Plan (“SSP”) or whether the nature of the work performed or the information handled suggests treating the environment as discrete systems with their own SSPs.
- For clients with questionnaire scores less than 70 and those who do not handle CUI, conduct a targeted gap analysis:
  - Recommendation: gap analysis focusing on FAR 52.204-21 (CMMC 2.0 Level 1)
  - Define the scope of the gap analysis (controls, systems, facilities, cloud services, etc.), with client feedback and approval.
  - Enter into a Gap Analysis Agreement.
  - Collect any policies, procedures, plans, and other documents relevant to the scope.
  - Analyze the environment against the requirements and identify gaps.
  - Create a gap remediation plan for all gaps.
  - As appropriate, enter into a Gap Remediation Agreement with clearly defined SOWs to address each action item (POA&M).
- For clients with questionnaire scores equal to or above 70 and those who handle CUI, conduct additional gap analysis/analyses:
  - Recommendation: break the gap analysis into multiple segments using the FAR and Above approach.
  - Define the scope of the gap analysis (controls, systems, facilities, cloud services, etc.), with client feedback and approval.
  - Enter into a Gap Analysis Agreement.
  - Collect any policies, procedures, plans, and other documents relevant to the scope.
  - Analyze the environment against the requirements and identify gaps.
  - Create a gap remediation plan for all gaps.
  - As appropriate, enter into a Gap Remediation Agreement with clearly defined SOWs to address each action item (POA&M).
  - Repeat as necessary until all relevant requirements have been analyzed and the corresponding gaps are closed.
- Prepare for assessment by collecting artifacts:
  - Interview – Ensure accountable and responsible roles/individuals are identified for each requirement. These are the people the assessment team will likely interview, although the assessment team has the discretion to interview others.
  - Examine – This is the “meat” of the artifacts. Collect documentary evidence that demonstrates how the client’s environment meets a requirement. These documents will likely be made available to the assessment team in advance, along with the SSP, network diagram, data flow diagram, and related information.
  - Test – Identify the relevant tools and services that can be tested to demonstrate compliance. The assessment team may want to see different test-based evidence, but it is helpful to have something to offer.
20 Questions for Prospective Clients
- At how many physical locations (offices, data centers, or other facilities) does your organization handle CUI or FCI? ___________
- How many employees do you have, and how many are authorized to access government information?
  - Total: ______
  - Government Information Authorized: ________
- How many accounts of the following types do you have in your organization’s systems?
  - User: ___________
  - Local Administrator: _________
  - Application: __________
  - Service: __________
  - Domain Administrator: ___________
  - Other: __________
- Do you allow employees to access your systems, including E-mail, collaboration, and cloud resources, from their personal devices (i.e., BYOD)?
  - No
  - Yes
- Can any of your employees work remotely? If so, can they work remotely using their own equipment or only organization-provided equipment?
  - No
  - Yes – remotely (e.g., from home) with their own equipment
  - Yes – remotely (e.g., from home) with organization-provided equipment
- Do your organization’s employees periodically receive security awareness training regarding the risks associated with their activities and any applicable policies, procedures, standards, etc. relevant to the systems they use to conduct those activities?
  - No
  - Yes – Administrators and privileged users receive periodic, formal training (3 points)
  - Yes – All employees, including senior management, receive periodic, formal training (5 points)
- Is your staff trained to recognize and properly handle sensitive information, such as bank accounts, social security numbers, design specifications, blueprints, Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”)?
  - No
  - Yes (3 points)
- Do you have a comprehensive list of all of the types of sensitive information (including FCI, CUI by type, and non-government information) that is received, created, processed, stored, and/or transmitted by your organization? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (5 points)
- Do you have a comprehensive list of all hardware (including laptops, mobile devices, workstations, servers, printers, networking equipment, and “smart devices” like TVs, Alexas, etc.) in use by your organization? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (3 points)
- Do you have a comprehensive list of all software (including operating systems, end-user software, and drivers) installed on the organization’s equipment? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (5 points)
- Do you have a comprehensive list of all cloud resources (including E-mail, file sharing, chat, collaboration, HR, payroll, and other resources) used by the organization? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (5 points)
- Do you have a network diagram? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (5 points)
- Can you show how and where sensitive information, and in particular FCI and CUI, is received, processed, stored, and transmitted within your organization? (If yes, we will ask you for a copy once a nondisclosure agreement is in place)
  - No
  - Yes (10 points)
- Do you have a list of all of your employees and contractors that includes their roles? If so, have you defined which roles are authorized to handle different categories of information (e.g., CUI vs. FCI)?
  - No
  - Yes – without role-based access definitions (3 points)
  - Yes – with role-based information access definitions (5 points)
- Do all of your users have administrative privileges on their local computer (i.e., they are local administrators)?
  - No (5 points)
  - Yes
- Does your organization require multifactor authentication for:
  - Remote administration:
    - No
    - Yes (5 points)
  - All user remote access:
    - No
    - Yes (3 points)
  - All administrator logins:
    - No
    - Yes (5 points)
  - All user logins:
    - No
    - Yes (3 points)
  - Administrator access to cloud resources:
    - No
    - Yes (5 points)
  - Access to cloud resources:
    - No
    - Yes (3 points)
- Does your organization deploy WiFi? If so, is the WiFi network part of your corporate network or external to it?
  - No (3 points)
  - Yes – WiFi is part of our network
  - Yes – WiFi goes to a guest network separate from our internal network (3 points)
- Does your organization have an incident response plan that describes roles and responsibilities? If so, do you routinely test the plan? (If you have a plan, we will ask for a copy once a nondisclosure agreement is in place)
  - Plan:
    - No
    - Yes (3 points)
  - Roles and Responsibilities:
    - No
    - Yes (3 points)
  - Testing:
    - No
    - Yes (5 points)
- Has your organization already performed a self-assessment against NIST SP 800-171? If so, did your assessment consider only the requirements themselves or also the assessment objectives defined in NIST SP 800-171A? (If yes, we will ask for the results once a nondisclosure agreement is in place)
  - No
  - Yes – without objectives (3 points)
  - Yes – with objectives (8 points)
- Do you have a comprehensive set of policies, procedures, plans, and/or other documents that define your IT and cybersecurity programs? (If yes, we will ask you for copies once a nondisclosure agreement is in place)
  - No
  - Yes – Partial/incomplete (3 points)
  - Yes – Comprehensive (8 points)
An automated scoring worksheet based on the questionnaire above is available as part of our Self-Assessment Tool: