February 25, 2021
Good morning, everyone!
More About the CMMC Assessment Process
Fellow CMMC Registered Practitioner Amira Armond recently published her third interview with Jeff Dalton, Vice Chairman of the CMMC Accreditation Body (CMMC-AB) Board of Directors and Chairman of the Accreditation and Credentialing Committee, on the subject of the CMMC process. Today I’m going to talk about my key takeaways from this interview, which you will note has a few themes common to all three. (You can watch the entirety of this interview and read a partial transcript on Amira’s website, and also read my comments on part one and part two.)
Types of Evidence
There are three types of evidence that may be presented at an official CMMC assessment:
- Interview: This is probably the most common type, and will likely be one of the pieces of evidence presented for every practice and process. The CMMC Certified Assessor (CA) will treat this like a learning experience. This will not be a checklist of question sets, but rather a discussion about how you do what you do, within the context of the possible answers (yes/no/NA/it depends). Interview evidence addresses People & Process. Remember, as Dalton says repeatedly:
“The CMMC is definitely a People, Process, Technology evaluation.”
Important note: The CA wants to interview the person responsible for actually performing the practice or process. You cannot present your IT director or General Manager and let him/her answer the questions. Network administrators will be interviewed about configuration settings and user permissions, firewall admins will be interviewed about configuration settings, remote access policies, and so on. If you have outsourced some of these functions, your vendor (and perhaps specific employees) will be expected to participate in interviews as well.
- Examine: This means looking at things – documents, systems, configuration files, log files. Examination is a way of validating that something is happening.
- Test: This is watching to see something happen. There is less clarity about what types of Test evidence will be requested by the CA. The DoD has said that CAs will not be hooking up their laptops to run scans on your network. So what types of testing might they do? Dalton mentioned “leaning against a door” as an example of testing physical security. Otherwise, the guidance on this is pretty thin at the moment, but this will be addressed in the Assessment Plan (more on that below).
Dalton states that evidence adequacy is “an ongoing discussion.” The evidence presented must prove that you are meeting the intent of the objectives in the CMMC Assessment Guide. Of course that is subject to interpretation, which is both a good thing and a bad thing. (Read my earlier writing on context and intent for more on this topic.)
The second question is how much evidence must be presented for each practice. Earlier reports indicated that at least two pieces of evidence would be required for each practice. In this interview, however, Dalton states “We don’t have full agreement on two pieces of evidence yet.”
So, stay tuned for future updates on this subject, but for now, remember that your Assessment Plan will inform you of your obligations prior to the assessment.
The Assessment Plan
The Assessment Plan produced by the CA prior to the assessment is a critical document, outlining in detail everything that is expected to happen during the assessment process, the roles and responsibilities of all parties involved, the scheduling, location, etc. Dalton says “Planning is everything!” Every detail of the assessment is planned in advance, and the written plan is signed off on by all parties, so that everyone knows what to expect when the big day comes.
The Assessment Plan should detail all three types of evidence anticipated for each practice and process. Dalton states that an experienced CA should have a pre-filled template of what is typical for each practice. The CA will send that to you, asking you to customize it for your unique circumstances. There may be some back-and-forth to clear up any confusion. Developing the Assessment Plan is an opportunity for you and the CA to collaborate, always taking into account the context.
Dalton notes that “language is a real problem with assessments” – so true! You may refer to this practice as “X” while the CA has always used “X” to mean something else, and suddenly you are talking about two different things without realizing it. I always tell my clients "words have meanings." Learn the vocabulary of the CMMC Assessment Guide, to be certain that you and your CA are on the same page. Watch webinars, take online classes, study the CMMC documents produced by the DoD.
From the beginning, the DoD has stated that even Maturity Level One assessments will require an onsite inspection, primarily to be certain that foreign actors don’t create “shell companies” and get them certified as government contractors or subs. And of course, many of the practices at all levels include physical security.
In the time of COVID-19, however, physical visits are somewhat problematic, and they usually increase cost as well. Dalton states that during the pathfinder assessments, some physical visits were done virtually (someone walking around with a camera). The pathfinder results are being evaluated, to see what worked and what didn’t. So right now a physical visit is required, to every building that is in scope, but that may change in the future.
The final step before the onsite visit is your Readiness Review. This is where the CA goes over the Assessment Plan with you in detail, every practice and every piece of evidence you plan to produce, the schedule, the people to be interviewed, etc., to make certain that you are prepared for a successful assessment.
“The planning and the readiness review are geared to help [you] pass.”
Remember, the CMMC is not about failing contractors, causing problems, getting anyone in trouble, or damaging your business. The CMMC model was developed to strengthen the security of the Defense Industrial Base, to protect the sensitive data used in preparing and protecting our warfighters, and in defending our country. The CAs do not want you to fail your assessment! But they will have to judge fairly the evidence that is presented. Planning and preparation are the keys to your success.
And, don’t forget, the time to prepare is now. Each piece of evidence must be at least three months old prior to the assessment. This is not something you can pull together at the last minute, and you don’t want to spend the time and effort on an official assessment that you aren’t likely to pass.
My next work(fromhome)shop on March 3, “CMMC 101: Readiness Crash Course” is the perfect way to jumpstart your CMMC assessment preparation.
- Explore the CMMC Ecosystem
- Decode the CMMC alphabet
- Determine your organization's obligations
- Calculate allowable cost
- Define your timeline
- Identify the data you need to protect
- Understand the importance of scoping
- Avoid the most common pitfalls
- Prepare for the assessment
This 2-hour online class is Part One of my CMMC "deep dive" series. Only 30 places available! Class kept small to enable Q&A and discussions.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!