November 7, 2022
Lessons Learned from first CMMC Voluntary Assessments
The Cyber AB announced in July a new program dubbed "Joint Surveillance Voluntary Assessments." This program enables contractors who believe they are ready to pass an official CMMC Assessment to contract with an authorized C3PAO and undergo an assessment conducted jointly by that C3PAO and the DIBCAC, using the DIBCAC's assessment process. If it passes, that organization will receive an official CMMC certification once that is available (at least this is what we believe, though until the final rulemaking is complete, we can't know for sure).
During the October Cyber AB Town Hall Meeting, Matt Travis went over a number of "lessons learned" so far, and I think they are worth sharing with you!
Establish and understand roles upfront for DCMA/DIBCAC, the C3PAO and the OSC. Obviously this is a key concept that needs to be understood from the beginning. You can learn a fair bit about roles & responsibilities by reading the CMMC Assessment Process (the CAP), though it doesn't mention DIBCAC of course. For example: who determines the scope of the assessment? Who is responsible for organizing it? (Note: This is some of the info I'll be covering in my virtual workshop on Wednesday this week!) I think that "communication" is the most important piece of this puzzle.
Identify and make your internal experts available for the full scheduled assessment time. I've found that many people don't understand the "interview" portion of a CMMC assessment. The Assessors want to interview the person who actually performs the duties to implement the control in question. You cannot put your IT Director in the room to answer all the questions! They will want to talk to whomever actually maintains your systems, monitors your logs, etc. This includes third parties like MSP/MSSPs -- they will need to be available for interview, not just employees. And they all need to be available for the entire time of the scheduled assessment. Apparently there have been issues with people not being available on the right day and so forth. Again, have good communication!
Prepare your employees for the assessment, including demonstration practice (e.g., screen sharing). Practice, practice, practice! Make sure that all individuals know and understand which evidence they are responsible for producing and how they will do this. If it involves technology, make sure they know how to use it correctly and have access, that it's installed on whatever devices will be used, etc.
Expect additional emphasis on media protection (print, email and removable). Many organizations focus so heavily on network and endpoint protection that they forget about media. Physical copies of CUI must be protected according to federal regulations, and removable media (like thumb drives) have their own requirements in CMMC.
Do not forget about physical security. CMMC is not just about the Internet! There is an entire domain in the CMMC Model named "Physical Protection" with specific requirements for both Level One and Level Two.
Hopefully this gives you a few things to think about as you continue your CMMC preparation.
Back by popular demand! A second presentation on Wednesday, November 9: