CMMC case study: Inside a CMMC assessment
Meet the panel
Leighton Johnson
Infosec instructor and CTO at ISFMT
Stacy High-Brinkley
VP of Compliance Solutions and Service at CASK Government Services
Jeff Peters
Director of Content Marketing at Infosec
Today’s webcast
⮚ CMMC assessment and certification process
⮚ CMMC assessment levels
⮚ CMMC assessment criteria and methodology
⮚ CMMC timeline
⮚ CMMC Q&A
CMMC assessment and certification process
OSC certification process
Organization Seeking Certification (OSC) details
⮚ Contractors can achieve a CMMC level
for their entire enterprise network or
for a particular segment or enclave,
depending where the protected
information is handled and stored.
⮚ Plan at least six months to get your
CMMC certification
OSC benefits
➢ Certification valid for 3 years
➢ Can bid on DoD contracts where CMMC
Level requirements are designated
CMMC model and assessment guides
Office of the Under Secretary of Defense for Acquisition &
Sustainment (OUSD(A&S)) website
➢ CMMC Level 1 Assessment Guide (editable)
➢ CMMC Level 3 Assessment Guide (editable)
Other resources
➢ CMMC Model v1.02, its appendices and appendices in tabular form
➢ CMMC Model Errata v1.0
➢ CMMC Glossary (editable)
CMMC assessment process
Certification provides assurance of practices and processes
Certified Assessors use the same assessment methods for each contractor.
Once a contractor is assessed and certified at a level, other entities (e.g.,
government sponsors and prime contractors looking to hire subcontractors)
have assurance the certified contractor meets CMMC practices and processes.
Methodology the same regardless of size
The CMMC assessment methodology follows a data-centric security process
that applies the practices equally, regardless of the contractor’s size,
constraints or complexity. All CMMC levels are achievable by small, medium
and large contractors.
Assessment scope pre-determined by OSC and C3PAO
Prior to a CMMC assessment, the contractor must define the scope for the
assessment that represents the boundary for which the CMMC certificate will
be issued. Additional guidance on assessment scope will be available in the
next version of the CMMC Assessment Guides.
CMMC assessment levels
CMMC domains and levels
The CMMC model has 5 levels that measure cybersecurity maturity across 17 capability domains:
➢ Access Control (AC)
➢ Incident Response (IR)
➢ Risk Management (RM)
➢ Asset Management (AM)
➢ Maintenance (MA)
➢ Security Assessment (CA)
➢ Awareness and Training (AT)
➢ Media Protection (MP)
➢ Situational Awareness (SA)
➢ Audit and Accountability (AU)
➢ Personnel Security (PS)
➢ System and Communications Protection (SC)
➢ Configuration Management (CM)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
➢ Recovery (RE)
CMMC Level 1
6 capability domains, 17 practices, 0 processes
➢ Access Control (AC)
➢ Media Protection (MP)
➢ System and Communications Protection (SC)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
Level 1 of CMMC addresses the protection of Federal Contract
Information (FCI) and encompasses the basic safeguarding requirements
for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21,
which defines FCI as:
Information, not intended for public release, that is provided by or generated
for the Government under a contract to develop or deliver a product or
service to the Government, but not including information provided by the
Government to the public (such as on public websites).
DoD contracts that specify the need for a contractor to process, store or
transmit FCI require the company to comply with CMMC Level 1 practices.
CMMC Level 3
17 capability domains, 130 total practices (Level 1: 17, Level 2: 55, Level 3: 58), 3 total processes
➢ Access Control (AC)
➢ Incident Response (IR)
➢ Risk Management (RM)
➢ Asset Management (AM)
➢ Maintenance (MA)
➢ Security Assessment (CA)
➢ Awareness and Training (AT)
➢ Media Protection (MP)
➢ Situational Awareness (SA)
➢ Audit and Accountability (AU)
➢ Personnel Security (PS)
➢ System and Communications Protection (SC)
➢ Configuration Management (CM)
➢ Physical Protection (PE)
➢ System and Information Integrity (SI)
➢ Identification and Authentication (IA)
➢ Recovery (RE)
CMMC Levels 1 through 3 consist of the security
requirements specified in National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171,
Protecting Controlled Unclassified Information in Nonfederal
Systems and Organizations; 20 additional CMMC practices;
and 3 CMMC maturity processes for each of the 17 domains.
CMMC Level 3 addresses the protection of Controlled
Unclassified Information (CUI), which the National Archives
and Records Administration (NARA) defines as:
Information that requires safeguarding or dissemination
controls pursuant to and consistent with laws, regulations and
government-wide policies, excluding information that is
classified under Executive Order 13526, Classified National
Security Information, December 29, 2009, or any predecessor or
successor order, or Atomic Energy Act of 1954, as amended.
CMMC assessment criteria and methodology
Assessment criteria and methodology: Objects
Defined in NIST SP 800-171A Section 2.1.
Assessment objects identify the specific items being assessed and can include:
➢ Specifications: document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
➢ Mechanisms: the specific hardware, software or firmware safeguards employed within a system.
➢ Activities: the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan and monitoring network traffic).
➢ Individuals, or groups of individuals: the people applying the specifications, mechanisms or activities described above.
Assessment criteria and methodology: Actions
Defined in NIST SP 800-171A Section 2.1.
The assessment methods define the nature and the extent of the Certified Assessor’s actions:
➢ Examine: the process of reviewing, inspecting, observing, studying or analyzing assessment objects (i.e., specifications, mechanisms, activities) to facilitate understanding, achieve clarification or obtain evidence.
➢ Interview: the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification or obtain evidence.
➢ Test: the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
Assessment actions: Interview
The Certified Assessor has discussions with individuals
within an organization to understand if a practice or process
has been addressed.
Interviews of applicable staff (possibly at different
organizational levels) determine if:
➢ CMMC practices or processes are implemented
➢ Adequate resourcing, training and planning have
occurred for individuals to perform the practices
Assessment actions: Examine
Examination includes reviewing, inspecting, observing, studying
or analyzing assessment objects (documents, mechanisms or
activities).
Documents need to be in their final forms (drafts are not eligible to
be submitted as evidence because they are not yet official). Common
types of documents that can be used as evidence include:
➢ Policy, process and procedure documents
➢ Training materials
➢ Plans and planning documents
➢ System-level, network and data flow diagrams
In other cases, the practice or process is best assessed by observing
that safeguards are in place by viewing hardware or associated
configuration information or observing staff following a process.
Assessment actions: Test
Testing is an important part of the assessment process.
➢ Interviews tell the Certified Assessor what the contractor staff
believe to be true
➢ Documentation provides evidence of intent
➢ Testing demonstrates what has or has not been done.
For example:
➢ Contractor staff may talk about how users are identified
➢ Documentation may provide details on how users are identified
➢ Seeing a demonstration of identifying users provides evidence
that the practice is met
The Certified Assessor will determine which practices or objectives
within a practice need demonstration or testing. Not all practices
will require testing.
Assessment findings
The assessment of a CMMC practice or process results in one of three
possible findings: MET, NOT MET, or NOT APPLICABLE.
➢ MET: The contractor successfully meets the practice or process.
For each practice or process marked MET, the Certified Assessor
includes statements that indicate the response conforms to the
objectives and documents the appropriate evidence to support the
response.
➢ NOT MET: The contractor has not met the practice or process.
For each practice or process marked NOT MET, the Certified Assessor
includes statements that explain why and documents the appropriate
evidence that the contractor does not conform to the objectives.
➢ NOT APPLICABLE (N/A): The practice or process does not apply.
For each practice or process marked N/A, the Certified Assessor
includes a statement that explains why the practice or process does not
apply to the contractor. For example, SC.1.176 might be N/A if there are
no publicly accessible systems.
Assessment findings: Inherited practices
A contractor can inherit practice or process objectives. A practice or
process objective that is inherited is met because adequate evidence is
provided that the enterprise or another entity, such as an External
Service Provider (ESP), performs the practice or process objective.
➢ Evidence from the enterprise or the entity from which the objectives
are inherited should show they are applicable to in-scope assets and
that the assessment objectives are met.
➢ For each practice or process objective that is inherited, the Certified
Assessor includes statements that indicate how they were evaluated
and from whom they are inherited.
If the contractor cannot demonstrate adequate evidence for all
assessment objectives, through either contractor evidence or evidence of
inheritance, the contractor will receive a NOT MET for the practice or
process.
CMMC timeline
Timeline of CMMC rollout
CMMC assessment Q&A
Are there any expenses associated
with CMMC for Organizations
Seeking Certification (OSC) that
can be reimbursed?
What is the status on ISO 27001
reciprocity and how will this affect
the appraisals for certifications?
The industry has conflicting rules regarding CUI. If you
go by the DoD CUI registry, it includes a lot. But we are
not seeing the government mark many documents as
CUI. Is CUI only the documents marked by the
government as CUI, or are contractors to also mark their
documents as CUI (e.g., proposals and such)?
Per the CMMC assessor's guide, Assessors must
select from two of the following three: examine,
interview and test. Can they select to just examine
and interview for a specific practice? If so, then do
they collect evidence?
Is evidence (screenshots, documentation, reports or
tickets from a ticketing system) always collected to
be sent to the CMMC-AB Assessor for review?
How far back in time is evidence collected for:
3 months, 6 months, a year?
Do businesses using M365 need to
upgrade to MS Government GCC High
(Govt Community Cloud) to comply
with CMMC Maturity Level 3
requirements?
Other questions?
Additional CMMC resources
CMMC career path: How to become a CMMC Certified Assessor
⮚ Available on-demand
⮚ Watch Now
CMMC rollout: How CMMC will impact your organization
⮚ Available on-demand
⮚ Watch Now
All Infosec CMMC resources: infosecinstitute.com/cmmc
About us
Infosec believes knowledge is power when fighting
cybercrime. We help IT and security professionals advance
their careers with skills development and certifications
while empowering all employees with security awareness
and privacy training to stay cyber-safe at work and home.
www.infosecinstitute.com
