August 24, 2022
Good afternoon, everyone!
I will confess, my brain is a bit fried right now, as I spent all of last week in a class to become a Certified CMMC Professional. (I completed the class, but the exam won't be available until October, so watch for my badge to change this fall). I learned a lot in this class and plan to share some with you in upcoming newsletters. Meanwhile, this has been on my mind the last couple of weeks:
What can/should you be doing now?
I’ve spoken with several people recently who are truly confused about what they can and/or should be doing right now. Medium Assessments have begun, and Voluntary Assessments should start by the end of this month. More details on each below.
Meanwhile, here’s a brief rundown, in order of importance IMO, of what DIB contractors should be doing now:
Figure out whether you need to be CMMC L1 or L2
There is still much confusion in this regard. The difference in requirements (burden, effort, expense) between L1 and L2 is ENORMOUS. You don't want to officially assess CMMC-L2 if you don't have to! Work through this sequence:
Do you actually handle CUI on your internal information systems? Here's a handy guide. Note that not all CUI is marked "CUI":
- Some legacy CUI is marked FOUO
- Some CUI has only a "Distribution Statement" (distribution statements B through F indicate a document is CUI)
- If you collect PHI and/or PII on behalf of the government to fulfill the purpose of a contract (providing contract employees, for example, or applying for clearances) then that information is CUI and you are the one responsible for marking and protecting it as such.
If no CUI, you have the option of self-attesting to Level One. There's no reason you can't implement additional controls to improve your security (in fact, I strongly encourage this!) but official CMMC certification is not required for CMMC-L1.
If you handle CUI and you need to certify at CMMC-L2
If you do in fact handle CUI and will need an official CMMC-L2 certification to receive DoD contracts and subcontracts in the future, do seriously consider scope reduction options. If you can contain your CUI in an enclave, and self-attest the rest of your network at L1, you will greatly reduce your compliance burden. You may even create an enclave for CUI and another for FCI and leave the majority of your enterprise network out of scope entirely. There are many options, and you may need professional expertise to work through them all. Don't hesitate to ask for help! Scoping is the most critical decision you will make with respect to CMMC.
If an official CMMC-L2 is in your future, here's what I recommend you be working on now:
(1) Prepare for a Medium Assessment. DIBCAC has been ramping up their Medium Assessments. In this scenario, someone from DIBCAC will contact you on a Monday morning and ask you to submit your most current System Security Plan (SSP) and any relevant documentation (e.g., network diagram(s), software data flow diagram(s), asset list(s), etc.) to their office no later than Friday of that week. Someone from DIBCAC will review your SSP and call you to discuss. By "discuss" I mean they will ask pointed questions, like "How exactly are you implementing this control? And this one? And this one?"
How do you prepare?
- Review your 800-171 Self-Assessment
- Read 800-171A.
Too many people read only the control statements in NIST 800-171 without reading the actual Assessment Guide, which details how to assess whether that control is MET or NOT MET.
- Apply the AOs to your responses.
In 800-171A, for each control, there are Assessment Objectives (AOs) that detail the steps in determining whether that control has been MET. The control is MET only when every single AO has been met. For the 110 controls in 800-171, there are 320 AOs in 800-171A. They are important.
- Prepare your documentation.
As you read the AOs in 800-171A, you will repeatedly see the phrases “is identified,” “is defined” and “is specified.” Assessors will expect to see actual documents to meet those objectives.
- Read 800-171A.
- Update SSP as necessary.
If reviewing the AOs causes you to realize that you haven't actually met all the controls you thought you had, now is the time to update that SSP to reflect your current reality.
- Update POAM as necessary.
If you had to modify your SSP to mark some controls NOT MET, then those need to be added to your POAM.
- Re-calculate SPRS score.
Again, if you had to change some controls from MET to NOT MET, you need to recalculate your self-assessment score and update it in SPRS.
(2) Set a realistic schedule for the level of compliance you need to achieve. Don't put on your POAM that you will be fully compliant by December 31 of this year. You probably won't be. Follow these steps:
- Review the controls which are now marked NOT MET
- Identify available resources
- Tackle the low-hanging fruit
- Update your SSP & POAM
- Tackle the next hardest set of controls
- Update your SSP & POAM
- Lather, Rinse, Repeat.
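Recalculating the score after the AO review in steps (1) and (2), as an added Python example that is not part of this newsletter: the 110-minus-weights rule, the -203 floor and the two partial-credit controls come from the DoD Assessment Methodology, but the weight table below is an assumed illustrative subset and the assessment results are constructed.

```python
"""Recompute the SPRS (DoD Assessment Methodology) score for NIST 800-171 after
an AO-by-AO review: start at 110, subtract each NOT MET control's weight
(1, 3 or 5); 3.5.3 and 3.13.11 may take partial credit (lose 3 instead of 5).
Lowest possible score is -203. Also list the controls that must go on the POAM."""
from dataclasses import dataclass

MAX_SCORE, MIN_SCORE = 110, -203
# Illustrative subset of weights, ASSUMED for this example: confirm every
# value against Annex A of the DoD Assessment Methodology before relying on it.
WEIGHTS = {"3.1.1": 5, "3.3.3": 1, "3.4.9": 1, "3.5.3": 5, "3.12.1": 5, "3.13.11": 5}
# The only two controls the methodology allows partial credit for.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class ControlResult:
    control: str       # e.g. "3.5.3"
    status: str        # "MET", "NOT MET" or "PARTIAL"
    finding: str = ""  # the AO that failed; becomes the POAM line item


def sprs_score(results):
    """Return the SPRS score for a list of ControlResult objects."""
    score = MAX_SCORE
    for r in results:
        if r.status == "MET":
            continue
        if r.status == "PARTIAL":
            if r.control not in PARTIAL_DEDUCTION:
                raise ValueError(f"{r.control}: partial credit not allowed")
            score -= PARTIAL_DEDUCTION[r.control]
        elif r.status == "NOT MET":
            score -= WEIGHTS[r.control]  # KeyError means weight not looked up yet
        else:
            raise ValueError(f"{r.control}: unknown status {r.status!r}")
    return max(score, MIN_SCORE)


def poam_entries(results):
    """Every control not fully MET needs a POAM entry (control, status, finding)."""
    return [(r.control, r.status, r.finding) for r in results if r.status != "MET"]


# Constructed sample: the SSP had claimed all six controls MET (score 110);
# applying the 800-171A assessment objectives changed four of them.
AFTER_AO_REVIEW = [
    ControlResult("3.1.1", "MET"),
    ControlResult("3.3.3", "NOT MET", "logged events are never reviewed or updated"),
    ControlResult("3.4.9", "MET"),
    ControlResult("3.5.3", "PARTIAL", "MFA covers remote and privileged users only"),
    ControlResult("3.12.1", "NOT MET", "no periodic assessment of controls"),
    ControlResult("3.13.11", "NOT MET", "encryption module is not FIPS-validated"),
]
```

Each tuple from `poam_entries` is one POAM line item, and the score returned by `sprs_score` is the value to post in SPRS after the SSP is corrected.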
NOTE: A reliable source recently stated that a minimum SPRS score will likely be required for all DoD contracts in the spring of 2023. This is likely to derail more contract opportunities than CMMC, at least for the near future. Don't get left behind! Close those POAMs!
DIBCAC is teaming up with authorized C3PAOs to begin conducting "Voluntary Assessments" by the end of August. In this scenario, the C3PAO and DIBCAC will jointly assess organizations against NIST 800-171A. OSCs that receive a perfect score will be transitioned to a CMMC-L2 cert when it becomes available.
If you need to achieve L2 and you truly believe you are ready for an official assessment, it's time to choose your C3PAO (there are now 21 authorized and a handful more awaiting final approval) and get on their waiting list. No official assessments can be scheduled just yet, but the waiting lists are growing.