March 1, 2021
Good afternoon, everyone!
ExoStar recently presented a webinar “From NIST 800-171 to CMMC: The Roadmap to Ensuring DoD Contract Wins” with lots of good info. (You can watch the video and download the slide deck here). Darren Van Booven with Trustwave had one slide in particular I’d like to talk about today. He stated:
You can have the best, most robust controls in place, but if you can't generate the artifacts to prove them, you won't pass.
If it isn’t written down, it doesn’t exist
Last week we talked about the three types of evidence. In this newsletter, I want to go into a bit more depth on the subject of written evidence to be examined, because I find this to be one of the biggest struggles for smaller organizations.
At CMMC Maturity Level Two (ML2), you are expected to establish a policy and document the practices to implement the policy, for each of the 17 domains. The CMMC Level 3 Assessment Guide gives us a bit of clarity here:
A policy is a high-level statement from an organization's senior management that documents the requirements for a given activity…. Senior management should sign policies to show its support of the activity.
So a policy document comes down from the top, and it’s a formal document. Practice documentation, however, doesn’t have to be a formal document:
The format of a documented practice can vary, from a handwritten desk procedure to a formal organizational standard operating procedure that is managed and controlled.
I’ve been working with a number of clients who are new to the defense contracting world, and who don’t have documented practices. It can seem overwhelming if you think of documenting 130 practices, so don’t think about 130 practices! Think only of the one you are doing right now. Take a couple of minutes to write down a brief description of this one practice you are working on. File it away. One practice documented per day will get you there in just a few months, with minimal disruption of your normal workday.
At CMMC-ML3, you are expected to "establish, resource and maintain a plan" for each of the 17 domains.
The plan can be a stand-alone document, embedded in a more comprehensive document, or distributed among multiple documents.
The plan should be maintained and followed.
Oh boy, pay careful attention to that last sentence! Let me repeat: “The plan should be maintained and followed.” The absolute LAST thing you want to do is have written policies and plans that you aren’t following! This will show up in your official assessment, and it will cause you to fail.
One last tip: every document should have a Revision History table at the end, like this:
All three columns of data are critical in preparing for your official assessment:
- The Certified Assessor (CA) will want to speak with the person who wrote this document. That person will be interviewed.
- The CA wants to know how long this document has existed, and when it was last revised.
- The existence of prior versions provides evidence of process maturity.
One more note from the Assessment Guide:
Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change.
What’s the difference between a policy and a plan?
Ah, I’m glad you asked that question! This is one of the many topics I’ll be covering in my work(fromhome)shop on Wednesday, and you still have time to register!
- Explore the CMMC ecosystem
- Decode the CMMC alphabet
- Determine your organization's obligations
- Define your timeline
- Calculate allowable cost
- Identify the data you need to protect
- Understand the importance of scoping
- Avoid the most common pitfalls
- Prepare for the assessment
This 2-hour online class is Part One of my CMMC "deep dive" series. Only 30 places available! Class kept small to enable Q&A and discussions.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!