What to expect during your CMMC assessment
Even before the headline-grabbing announcement of the expansive SolarWinds supply-chain hack, the U.S. Department of Defense (DoD) was busy rolling out the Cybersecurity Maturity Model Certification (CMMC), beginning in March 2019.
The CMMC builds on the Defense Federal Acquisition Regulation Supplement (DFARS) standards, adding additional compliance, evaluative methods and maturity assessments that organizations can achieve for their ability to protect controlled unclassified information (CUI) before they can be awarded DoD contracts.
Ultimately, the CMMC and the 17 functional domains it evaluates, which range from access control to configuration management to incident response, classify organizations into one of five certification levels that reflect an organization’s ability to safeguard FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).
This classification is determined as a result of a CMMC assessment conducted by Certified CMMC Assessors (CCA) and confirmed by the CMMC Accreditation Board (CMMC-AB).
So what goes into a CMMC assessment, and what does it mean for the more than 300,000 organizations that service the DoD? This article will lay out the key sections and actions that comprise the CMMC assessment.
For more information, watch our webinar, CMMC case study: Inside a CMMC assessment.
Earn your CMMC certification
Overview of CMMC assessment
In order for an organization to bid on and be awarded DoD contracts, they need to be assessed and accredited at one of the five CMMC maturity levels.
The assessment criteria and methodology include three parts, informed by National Institute of Standards and Technology's (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. These include:
- Objects: These are the elements that will be analyzed during the assessment.
- Actions: The actions and activities that the CCAs and their team will take to inform their CMMC assessment.
- Findings: At the end of the assessment, one of three assessment findings will be made. In some cases, a CCA can make a determination if a revaluation can occur within 90 days.
CMMC assessment: Objects
The CMMC assessment focuses on four main assessment objects. These include the following:
Specifications
These are the document-based policies, configurations, procedures, security plans, requirements and other artifacts that define the security controls in place and how they are managed and monitored.
Mechanisms
These are specific tools in place to implement the security specifications. The mechanisms include hardware, software and firmware in use to deploy the necessary safeguards across the enterprise systems.
Activities
These are the security features that involve people, including the actions taken to secure, update and support a security-focused system. These actions can also include system and data backups, exercising contingency and incident response plans, and actively monitoring and investigating network traffic and security alerts.
Individuals
These evaluative methods review the security professionals or groups involved in applying the specifications defined, including their resources and capacity to perform the required security work.
CMMC assessment: Actions
During the course of a CMMC assessment, a CCA will perform three main types of actions. These include:
Interviews
This is accomplished by conducting formal discussions with the individuals or groups involved in security processes and administration. These interviews are done to gain an understanding of or receive clarification of the necessary security controls and procedures in place for the maturity level being considered.
In particular, the CCA will also investigate if adequate resources, training and planning have gone into the organization’s security program in order to sustain the maturity level identified.
Examinations
The CCA will review, observe, analyze and inspect the deployment of the necessary security controls and features to better understand their performance and application.
The CCA will only review documents and processes determined to be in final form. In other words, drafts and working documents cannot be submitted for review. Documents that are reviewed include, but are not limited to:
- Policy and procedure documents
- Training materials
- Activity and resource plans
- System, network and data flow diagrams
Tests
The CCA and their team can also perform exercises and structured assessments of the objects mentioned above in order to determine if the actual performance matches the expected or defined results.
The CCA will make the determination of which practices or controls within a domain need to be tested. Not all practices will require in-depth testing.
CMMC assessment: Findings
At the end of the assessment phase, the CCA will make one of four possible findings. These include:
Met
With this finding, the CCA believes that the contractor successfully meets the process and practices outlined for their assessed maturity level. For each practice or process scored with “Met,” the CCA outlines how the organization conforms with that standard and their specific evidence for that claim.
Not Met
For those practices marked with “Not Met,” the CCA has determined that the identified standards or practices are not in place. The specific missing elements and other evidence will be identified so improvements can be made.
Not Applicable (N/A)
In some cases, a practice or process will not apply for that maturity level under consideration in the assessment. For each of these, the CCA will mark N/A and state why the element does not apply. This can be the case if a standard could not be evaluated because the system does not exist.
For example, S.C.1.176 can be marked N/A if the organization does not have any publically accessible systems in place.
Inherited
In this case, the organization can prove to the CCA that another entity, such as a third-party supplier or External Service Provider (ESP), performs or meets the practice. Evidence of those processes and controls also needs to be provided and assessed by the CCA. If they cannot be, then a “Not Met” finding will be given.
Earn your CMMC certification
Learn more about CMMC
Going forward, organizations wishing to win DoD contracts will need to begin the process to achieve CMMC compliance. Understandably, the CMMC-AB is issuing more guidance and information about the CMMC assessment process and the rest of the contractor community is still learning more about the actual implementation of these standards.
This is why it is vital to stay on top of the latest news and resources on the CMMC Certification. If you want to learn more about the CMMC, get access to free CMMC resources, and find a CMMC Licensed Partner Publisher and Training Provider, you can review the resources found here.