August 11, 2021
Good morning, everyone!
I know that many of you have decided to just keep swimming – good for you! In the interest of making your swim as efficient as possible, I’m going to start writing about the CMMC assessment guides.
Understanding the CMMC assessment guides
In the past few months, I’ve had conversations with many people who tell me “I think we’re in pretty good shape” – until we start getting into the details of what is required to fully implement the CMMC Practices. Far too often, I see inaccurate assumptions, misconceptions, and incomplete understanding, especially of the Objectives. In this series, I’m going to start with explaining the CMMC assessment guides (“the Guides”). You need to know how to read these guides in order to accurately plan how to implement the Practices. After this week’s intro, I’ll start tackling the Practices one by one.
It’s an actual document
Actually, there are two of them so far:
- CMMC Assessment Guide Level 1 ( Version 1.10 | 30 November 2020)
- CMMC Assessment Guide Level 3 (Version 1.10 | 30 November 2020)
I encourage you to download the appropriate document for your organization and start studying along with me. If your information security program is not robust, I highly recommend starting with the ML1 Guide even if you plan to eventually assess at ML3. Baby steps! Learn the process and the vocabulary first.
The Practices of CMMC (often referred to as “controls”) are grouped into 17 Domains or families of controls. At ML1, there are 17 Practices across six Domains: Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC) and System and Information Integrity (SI). (At ML3, there are 130 Practices across all 17 Domains, plus 3 Processes. More on that in later editions.) Practices are numbered in the Guides in this format:
- Two letters, uppercase, identifying the Domain
- A single digit, indicating the Maturity Level (ML1-ML5) at which the Practice is introduced
- A three-digit number, unique to each Practice
These three elements are separated with periods. For example, the very first Practice at ML1 is AC.1.001:
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Immediately after identifying the Practice, the Guides list the Assessment Objectives for the Practice. Heads-up: This section is very important. (The number of Objectives may vary by Practice.) In our example of AC.1.001, there are six Objectives:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
In order to fully implement this Practice, you must meet the intent of ALL stated Objectives. For example, if you permit employees to purchase hardware and use it on the company network, without first registering the device with the individual or group responsible for your IT security and undergoing any review/process required, then you have not met the intent of Objective [f], and you have not fully implemented this Practice.
In the next edition of this newsletter, we will look at AC.1.001 in detail, and tackle a very common misconception: what exactly is an “authorized user”?
After the Objectives, we find “Potential Assessment Methods and Objects” – basically examples of the three types of evidence (Examine, Interview & Test) which could be presented to prove that this Practice has been fully implemented. Next is a “Discussion” section, which provides a high-level view of what this Practice actually encompasses in the context of your overall information security program, followed by “Further Discussion” which includes more detail of what is expected to be done for this Practice, as well as some very practical Examples.
Pro Tip: If this is overwhelming at the moment, just read the actual Practice description at the beginning, and skip to the Examples. You will begin to grasp the big picture of what needs to be done.
Important The Examples are just that – examples! They are not requirements. They are not intended to show you what you must do. They are intended to help you understand what can be done to meet the requirements of the Practice. They are not comprehensive. There isn’t necessarily an Example given to meet every Objective.
Finally, we see the “Potential Assessment Considerations” which give a bit more detail as to what the assessor will expect to see.
And that's the basic structure of the assessment guides, for all levels.
I think that’s enough for this week – even my head is starting to hurt a bit! It can be rough going when you first start reading the Guides, but understanding the terminology and the organizational structure will hopefully bring them into focus for you.