August 10, 2022
Good afternoon, everyone!
What does the CAP mean for your organization?
The Cyber AB recently released a “pre-decisional draft” (not yet endorsed by the DoD) of the CMMC Assessment Process (known as “the CAP”). It’s an eye-opener to be sure. Industry groups are working to gather feedback to present to the Cyber AB within the comment period. I participated in two sessions last week, and was very impressed with both the number of professionals engaging in the discussions and the quality of their comments. It gives me hope that significant changes will be made before the final version is released.
Meanwhile, what does this draft CAP mean for you, an Organization Seeking Certification (OSC)? Without getting too much into the weeds, and trying to avoid the most controversial topics (that we hope will be greatly modified in the final version of the CAP), here are a few of my thoughts:
Official CMMC assessments are going to be expensive. I know that big figures have been floating around for a long time, with a lot of people saying “that’s hyperbole,” “it’s market forces, the price will go down when there are enough assessors,” and even “that’s just plain ridiculous!” Well, based on this draft CAP, given the number of warm bodies required to do an official assessment and the amount of paperwork required, it’s going to be expensive. Period.
So, what can you do to mitigate this expense? Three things stand out in my mind: (1) Scope. (2) Scope. (3) Scope.
Seriously, the smaller you can make your CUI environment, the smaller your CMMC assessment scope will be, reducing the effort and expense required to achieve compliance.
Remember, the CMMC is a data-centric standard, so to reduce your scope, you need to “Follow the Data” and then lock it down as tight as you can. Start with a few basic questions:
- What kind of data do you receive?
- Where is it stored?
- Who has access to it?
- Who is it shared with?
- Where is it backed up?
Now start trying to pare it down. Who really needs access to CUI? Can you wean everyone else off it? Where can you store it to restrict access as much as possible? Can you encrypt it locally so that backups won’t be in scope?
If you have multiple locations (or even just multiple buildings), are there people in every location who need access to CUI? If not, use some combination of physical, logical and/or technical segmentation to restrict your scope to only those locations that actually need CUI to perform their jobs. Eliminating locations from the scope will not only reduce the effort and expense of meeting all 110 controls (and 320 Assessment Objectives), it will reduce the expense of the official assessment. The CAP prescribes 15 controls which “must be observed by the C3PAO Assessment Team in-person and on the premises of the OSC,” so the more locations you have with CUI, the more time and travel expense involved in the official assessment (repeated every 3 years).
The CAP doesn’t prescribe the documentation that the OSC must produce for an official assessment, but I think now is a good time to remind you of the NFO Controls in Appendix E of NIST 800-171A and also the text of the 320 Assessment Objectives in 800-171A. Note the repeated use of the phrases “is identified,” “is defined” and “is specified.” Ask yourself, how do you expect to identify, define and/or specify something to show a CMMC Assessor if it isn’t documented?
In our work with DoD contractors over the past few years, I can say without hesitation that the lack of documentation is the single biggest stumbling block to compliance. If you haven’t started work on that yet, don’t delay – block off some time tomorrow!
Remediation & POAMs
When I first did my initial CMMC-RP training, we were told that small problems found (with any controls) during an assessment could be fixed within a 30-day window, and the Assessor could re-check just the corrections to certify an OSC, without “failing” it. When limited POAMs were added to CMMC v2.0, however, this process was changed.
The CAP describes a new process, “Limited Deficiency Correction,” which is applicable only to a specific subset of controls. These corrections must be made within five days, not 30. If a control is found “NOT MET” which is not eligible for this process, or which cannot be corrected within five days, it must go to the POAM, which gives the OSC 180 days to correct all deficiencies. Note that the POAM is available only to OSCs that score a minimum of 80% (88/110 practices “MET”) on their official assessment.
Well, I think that’s enough for one week! I’ll tackle more of the CAP in future editions of this newsletter.