September 29, 2022
Lots of CMMC news coming out these days! Last week I attended CMMC Day in Huntsville, AL, with many informative speakers, and this week the (virtual) Cyber AB Town Hall Meeting. I will no doubt be writing several posts from these two events, but today I want to focus on two points that stood out. Read on!
Basic and Medium Assessments
Remember a while back when I wrote that Medium Assessments are Coming? Well, they’ve started, but even the announcement that they were coming revealed some very interesting things about the self-assessment (Basic Assessment) scores recorded in SPRS.
At the September 27 Cyber AB Town Hall Meeting, Nick Delrosso (DCMA) showed some slides with fascinating data on this topic. DIBCAC announced on March 1 that they would be starting Medium Assessments (a Medium Assessment is a detailed review of a contractor’s System Security Plan, or SSP). Over the next four months, 156 contractors adjusted their SPRS scores downward by more than 100 points. Yes, you read that right. 156 contractors, when faced with the possibility of a Medium Assessment, took a hard look at their SSP and slashed their self-assessment score by more than 100 points. It wasn’t revealed how many total scores were reduced during this time, but it must’ve been a lot. One company downgraded their score from a perfect 110 to the worst possible -203!
Equally interesting were the results of the Medium Assessments conducted to date. At the start, the average self-assessment (Basic Assessment) score was 56. At the end, the average Medium Assessment score was -58, more than 100 points lower. This tells us that many contractors truly do not understand how to self-assess their implementation of NIST SP 800-171.
Remember, Medium Assessments are based entirely on a review and discussion of your SSP. So let’s talk about that!
What does your SSP look like?
At the CMMC Day last week, the first speaker I heard was Amira Armond, CMMC Provisional Assessor and owner of Kieri Solutions, an authorized C3PAO. She said that the most common problem she sees with small businesses who come to her for assessment is the quality of their SSP. Armond said that too many SSPs simply recite the requirement. Writing “We have strong passwords” is not enough. The SSP is supposed to describe, in detail, everything you have done and are doing to implement each control. Nick Delrosso said almost the same thing word-for-word this week. So what does your SSP look like?
Armond came right out and said “Don’t come to me with a 20 page SSP. Mine is over 100 pages long, for a 5-person company.”
Seriously? Yep. I’m afraid so. Many of my clients start out with a “baby SSP” that has just a paragraph or two about each control family. As we work on implementing each control, we add details to the SSP. It takes time, and effort, but we end up with the kind of SSP that (hopefully) will pass a CMMC audit.
What does your SSP look like? This document is the foundation of your NIST 800-171 implementation. It’s important.
John Ellis, a Director at DCMA, gave us a bunch of “You aren’t ready for a Medium Assessment if ….” lines, which included:
- Your SSP says “Insert name here”
- Your SSP has a bunch of controls marked N/A
Do you have any controls marked N/A? Most assessors I’ve spoken with say that you shouldn’t have any controls marked N/A. That’s considered a big red flag.
Ellis commented further: “We don't grade on style! There are an infinite number of ways to meet these requirements. As long as you dot your I's and cross your T's, you will be fine. Remember, if you give us documentation, we read it! Which leads to some really interesting conversations.”
Say what you do, and do what you say. This simple reminder should keep you on track in preparing your CMMC documentation.
Need help? I’m just an email or phone call away!
The time to prepare is now.
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Glenda R. Snodgrass
The Net Effect, LLC
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!