January 21, 2021
I'm still going through my notes from various webinars, and have lots more nuggets to share.
Follow the data
Ask yourself these questions:
WHAT kind of data does your organization handle? Remember, the CMMC applies to two types of data:
- Federal Contract Information (FCI): This is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments." (see https://www.acquisition.gov/far/52.204-21-0)
- Controlled Unclassified Information (CUI): "CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract." (see https://www.dcsa.mil/mc/ctp/cui/)
Once you've determined what kind of data you handle, you will know which CMMC Maturity Level you need to achieve: ML1 for FCI, ML3 for CUI. Next, ask yourself
HOW is the data acquired by us? Downloaded from government websites? Secure email? Parcel delivery of portable media or hard copies? Once you have the data,
WHERE is the data stored? Local area network, cloud storage, hosted software, portable devices, portable media ... ? What about backups? Next, you need to determine
WHO has access to it? Is access controlled at all? Is access restricted by job function? Is access logged and monitored?
Hopefully, after working through these questions, you will be able to identify the boundaries of that portion of your information system that needs to be CMMC certified. This is what we call "Initial Review and Scope" and it is Phase One of TNE's System for Achieving CMMC Compliance. Contact me if you'd like to learn more.
Maturity is a moving target
In a previous edition of this newsletter, I stated: “Remember, the ‘maturity’ in the name requires at least six months of evidence for each practice and process in the CMMC audit.” They’ve walked that back just a bit, saying that it depends on the practice and some might only require 3 months. Of course it is up to the Certified Assessor to make his/her own determination, so . . . don't delay! Get started on your preparation now.
Is it an assessment, or is it an audit?
The official name of the process for achieving certification is a CMMC Assessment, but the words “assessment” and “audit” are used interchangeably by most of the speakers I listen to. The CMMC-AB has stated that this is an assessment, not an audit, because “it’s a holistic exercise,” “a framework for continuous improvement,” and they want to “avoid the checkbox mentality” that has caused so many security breaches in ostensibly-compliant systems. Okay, I’ll accept that.
BUT it’s a 100% pass/fail situation, and the assessors are not allowed to help you during the audit process. Not at all. So, if they want to call it an assessment for their own reasons, they certainly can. For organizations seeking certification, however, I would recommend that you think of the official assessment as an audit. You must fully meet all the requirements of every single practice and process for your level in order to achieve certification.
Remember, the time to prepare is now, and I can help! Contact me with your questions, and let’s talk about the path forward for your organization.
Next Work(fromhome)shop January 26
This newly-updated online class will cover the basics -- what is it, why do we have it, applicability, terminology, timeline, and the assessment process. It's an introduction to my "deep dive" series on the specifics of achieving Maturity Levels 1-3 coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.
Tuesday, January 26 @ 10:00 AM - 11:00 AM (CT)
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!