April 20, 2022
Good afternoon, everyone!
The CMMC-AB Town Hall meeting on March 29 featured Nick DelRosso, Supervisory IT Cybersecurity Specialist for the Defense Contract Management Agency (DCMA), the entity responsible for DIBCAC, the group conducting NIST 800-171 assessments for DoD contractors. He had a lot of news for us.
And now there are eight. The 8th C3PAO has been authorized. Guernsey, based in Oklahoma, was authorized earlier this month. It’s hardly a tidal wave, but there is definitely momentum now.
Medium Assessments are Coming
The NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020 defines three types of assessments: Basic, Medium and High. The Basic assessment is the one you do yourself, while Medium & High are performed by DIBCAC. In a Medium Assessment:
The assessment will consist of a review of the system security plan description of how each requirement is met to identify any descriptions which may not properly address the security requirements.
Mr. DelRosso indicated that DIBCAC will begin conducting Medium Assessments on companies that have entered a self-assessment score in SPRS, across a variety of score levels, both high and low. DIBCAC will initiate contact with the selected contractor on a Monday and ask the contractor to provide the already-created SSP, along with any accompanying documentation, by that Friday.
A Medium Assessment is a paper review only, with no onsite visit. It will consist of a review of the SSP and of how each requirement is being met. He said that the purpose of this new initiative is to gather metrics on what the security baseline is at different levels in the DIB.
What does this mean for you? If you entered a self-assessment score but don’t have a complete and up-to-date SSP, this should become a top priority. Many companies have entered a self-assessment score into SPRS without having an SSP and POAM, despite the fact that the DoD Assessment Methodology states that it is impossible to self-assess without an SSP, because the self-assessment is performed against the SSP. Don't let this be you!
Understanding Asset Categories
Next, Mr. DelRosso discussed the new asset categories defined in the scoping guides released in December. He emphasized the fact that scoping is key! Limiting the scope of your CUI environment enables you to limit the scope of your responsibilities under CMMC, and the scope of your official assessment.
At approx. 36:25 in the recording, he discussed Virtual Desktop Infrastructure (VDI), which has been one of the hottest topics of discussion since the scoping guides came out. Many professionals believe that if the VDI is totally locked down (no data transfer, no printing, no screen capture), then the endpoint is an Out of Scope Asset (OOSA). What Mr. DelRosso said, however, is:
The first thing we’re going to look at with any VDI is ensuring that data transfer is restricted, and that it cannot transfer to the endpoint. So, can you print things out? Can you move a file between an endpoint and the cloud? Are policies enabled to prevent that? […] Now, if all of that is done and all data transfer is prevented except the pixels on the screen and your keystrokes, what we’re going to look for is some level of documentation on what you’re defining the risk for that endpoint is and basic mitigations, so we’re probably going to ask you about AV, probably going to ask you about patching, and some things along that nature.
So, that sounds to me like DIBCAC considers VDI endpoints, even when totally locked down, to be Contractor Risk Managed Assets (CRMA), not OOSA. However, I also interpret his remarks to mean that CRMA do not have to be addressed in the SSP for every single control (also a hot topic of discussion), only for those that you identify as mitigating the risk of CUI escaping your controlled environment.
Security Protection Assets (SPA)
Mr. DelRosso also addressed another hot topic: exactly how will SPA be assessed? The professional community is split pretty much 50/50. One camp believes SPA will be assessed only against the controls they actually provide for the contractor, while the other believes that MSPs and MSSPs will be assessed against all of CMMC L2.
Mr. DelRosso seemed to indicate the former position. At approx. 55:45 he said:
If it meets that definition, the assets that provide security functions or capabilities to the contractor’s CMMC scope, irrespective of whether or not these assets process, store or transmit CUI, based on the scoping guidance, we are supposed to assess against CMMC practices. Now, through the course of understanding what that means, in terms of what that asset is or what its function is, some of those practices may not specifically apply to that asset but other ones will. So, for example, if you have your SIEM that’s a key part of protection out there, you should probably keep it patched, I think that one is a pretty obvious one. If that SIEM is popping up in a vuln scan and says you haven’t patched it in two years, that’s probably going to be a problem, right. So we’re not out here to drive a bunch of new requirements, but in terms of when we follow the practices and perform these assessments, we go by that written documentation, so we would like to see that your SPAs are meeting those CMMC practices.
So, he didn’t come right out and answer that head-on IMO, but it seems pretty clear that SPA will not be assessed against all the CMMC practices.
It’s also equally clear that Documentation is Key to Passing an Assessment.
CMMC Clauses Expected July 2023
At a recent industry event, the DoD’s CMMC director Stacy Bostjanick stated:
“Our hope and prayer is that we are accepted for an interim rule and by May of 2023 we will be able to have that interim rule and CMMC requirements will show up in contracts 60 days later.”
The time to prepare is now.