February 22, 2021
Good morning, everyone!
The CMMC Assessment Process
Fellow CMMC Registered Practitioner Amira Armond recently published two more interviews with Jeff Dalton, Vice Chairman of the CMMC Accreditation Body (CMMC-AB) Board of Directors and Chairman of the Accreditation and Credentialing Committee, on the subject of the CMMC process. Today I’m going to talk about my key takeaways from the second one. (You can watch the entire interview and read a partial transcript on Amira’s website.)
Templates just don’t get you there
The CMMC is not about templates, it’s about People, Process and Technology. “The CMMC Certified Assessors are watching for well-known policy templates. Copy-paste won’t pass.” (more on this below) Templates are interesting, but not relevant, because the CMMC assessment process is context-driven.
Let’s talk about context
“CMMC is a context model, it’s not an audit model, so it isn’t like there’s yes or no questions to every single practice. There are some, but a context model means that understanding the context of the organization – you know, size, scope, culture, product line, things like that – are going to affect the decisions that you make in order to achieve a level of CMMC.”
One example I use in my workshops is visitor access control. How you handle this practice can vary widely, especially based on size. Three scenarios:
- A small subcontractor with a handful of employees decides not to allow visitors at all. When someone’s kid gets locked out of the house and a neighbor drives him to mom’s work to get a key, they meet in the parking lot. No logging or monitoring required. Zero cost.
- A medium-sized business has a clipboard at the front desk, where all visitors have to sign in and out, and get their badges. Generic visitor badges were purchased at an office supply store. Employees are trained that visitors should be monitored at all times, and reported if alone. Very little cost.
- A larger company with multiple government contracts and a commercial business arm has an electronic badging system to record every entrance and exit. The badges are programmed to allow access only to the specific areas that individual (whether employee or visitor) is authorized to access. Badges are color-coded and easily recognized at a distance. Employees are trained that anyone wearing a visitor badge must be escorted, and reported if alone. Significant expense.
Do you see how People, Process and Technology fit into each of these scenarios? This is why “templates won’t get you there.” What standard template document could you write that would adequately describe each of these three scenarios? One of the great things about the flexibility of the CMMC is that many of the practices can be handled mostly with just a policy (no visitors allowed), mostly by process (clipboards and generic badges), or mostly by technology (electronic badging system). Every business can make the choices that best fit with its unique constraints of budget, operational flexibility, organizational culture, etc.
Is it an assessment or an audit?
Dalton says the CMMC is an assessment, not an audit, because it is context-driven, and emphasizes that the CMMC practices are descriptive rather than prescriptive. Let’s visit dictionary.com:
descriptive: having the quality of describing; characterized by description
prescriptive: giving directions or injunctions
Okay ... what does that mean? The CMMC practices and objectives describe the state of security that you want to achieve, but they don’t prescribe the steps to get there. Basically they tell you what to do, but not how to do it! This can be frustrating, because it means you have to work harder to figure out the right steps for your organization, rather than just following a detailed plan. It’s also beneficial, though, especially for smaller organizations, because it gives you more flexibility in how you meet the intent of the objectives, based on the context of your organization. (see “visitor access control” above)
Let’s talk about intent
Dalton says that the point of an assessment is to determine “are they meeting the intent of the practice?” The objectives and examples in the CMMC Assessment Guide are intended to clarify the intent of the practice. The goal of the CMMC Certified Assessors is to validate that the intent of your actual practices matches the intent of the objectives of the CMMC Model. CMMC Certified Assessors have significant flexibility in interpreting the evidence presented, and judging whether it meets the intent of the objectives.
So, maybe it is an assessment rather than an audit. Except you have to perform at 100% conformity to be certified, which sounds more like an audit. Sooooo, it's a hybrid.
Well, I think that’s enough for today!
Next Workshop: CMMC 101: Readiness Crash Course
My next CMMC workshop is March 3:
- Explore the CMMC Ecosystem
- Decode the CMMC alphabet
- Determine your organization's obligations
- Calculate allowable cost
- Define your timeline
- Identify the data you need to protect
- Understand the importance of scoping
- Avoid the most common pitfalls
- Prepare for the assessment
This 2-hour online class is Part One of my CMMC "deep dive" series. Only 30 places available! Class kept small to enable Q&A and discussions.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!