Episode 11

CMMC Rollout – Q&A

About This Episode

Podcast Episode 11
February 13, 2025 - 28 mins

Rolling out a new program always comes with challenges and CMMC has been no exception. Fortunately, we’ve moved into the implementation phase, with assessments now underway. This milestone not only helps organizations see the real value of the program but also gives us the chance to address lingering questions and clarify uncertainties that could only be resolved through full implementation.

With this progress, we’re encountering fresh challenges and questions we hadn’t anticipated — while still fielding many of the same inquiries we’ve heard from the beginning. The good news? Full implementation means we can now provide more concrete, experience-backed answers to both new and long-standing concerns.

Podcast use is subject to Kratos Terms.

Episode Transcript

Cole French:

CMMC assessments began on January 2nd of this year. This was a major milestone a long time in the making. The rollout has brought with it a lot of questions. Some of these questions are new, specific to the rollout. Some are old, related to issues that implementation of the program can now clarify. Join us for this special Q&A episode where we answer the questions we’re hearing the most.

In episode eight of the Cyber Compliance and Beyond Podcast, we provided a rundown of the CMMC final rule, answering some questions and providing clarification. We anticipated many more questions on the horizon. Now that the CMMC program is a month into its official rollout, there are indeed more questions in areas requiring further clarification. On today’s episode, we’ll dig deep into the questions and issues we’ve been seeing thus far. Questions like, what’s the status of successful joint surveillance assessments? How is eMASS as the system of record? How long can I expect an assessment to take? What are some of the trickier implementations? We switch things up again for this episode. I’ll be sitting in both seats for today’s episode. I’ll summarize the questions and provide the answers. We hope you enjoy this episode.

So the first question we’ve been hearing is: what is the status of successful joint surveillance assessments? And joint surveillance assessments, for those that don’t know, are the assessments that took place during the interim rulemaking period between the CMMC draft rule and the CMMC final rule. And these are organizations that we consider early adopters, and they wanted to combine a DIBCAC high assessment with a CMMC level two certification assessment. So the assessments were performed jointly by the C3PAO and the DIBCAC.

So as far as the status of these conversions, because companies that went through these assessments were assured that if they were successful and received that DIBCAC high, they would consequently get a CMMC level two once rulemaking was complete. So as of right now, the most updated guidance that is firm is that there will be a mechanism to display CMMC status in SPRS. SPRS is the Supplier Performance Risk System. There are some additional options that are on the table to confer and communicate that certificate of status. However, those options are still TBD on the DOD side. So as more information comes out, we can provide additional updates on that. But as of right now, it is going to be a mechanism within SPRS that displays the CMMC status.

So our next question gets into eMASS, which for those that don’t know, again, eMASS is the system of record for CMMC. It is where all of the assessment artifacts are stored, and by artifacts I mean the pre-assessment form and the assessment results, not evidence. Evidence will not be stored in eMASS, but eMASS will be the system of record for all of the outputs of the assessment from the C3PAO. So it seems as though the rollout of eMASS for CMMC is going well so far. There have been some quirks, however, that we have noticed. The biggest one being character limits within the forms. So obviously for organizations that are seeking to be assessed, this isn’t as much of an issue. This is more of a C3PAO issue or assessor issue. But just something to be aware of. We are aware that there are character limits in some funky places within the eMASS templates. So obviously as assessors we’ll iron out these details as time goes on. Either they’ll be corrected, we hope, or we’ll find alternate workarounds to make it work.

In our next question that we’re hearing a lot, and this we’re hearing a lot from prospective customers. Let me start that over. This question we’re hearing a lot from folks that are wondering and wanting to know, let me pause again.

So our next question really gets to those companies that are still preparing and wanting to know when should they start scheduling their assessment. And that is what’s the queue like for an assessment? So obviously we can speak to this as a C3PAO ourselves. We can’t speak to the rest of the industry out there because we don’t have insight into that as much. But as far as what we are seeing, there is an increase in the queue in the sense that organizations are wanting to know and be prepared. Let me, all right. That being said, we are having more and more conversations than we’ve ever had about planning for a CMMC assessment. So our anticipation is that the queue is going to ramp up and space on the calendar is going to become quite limited very soon. And furthermore to that, we’ve always said that the Title 48 rule going into effect is really going to drive the queue because once the Title 48 rule goes into effect, then phase one of the implementation begins, and now it’s gone from the voluntary assessment period, which is what we’re in right now to CMMC requirements are on the horizon and we know when they’re going to go into effect, which is in phase two, right? Phase two is going to be when those CMMC level two requirements begin to be put into contracts.

So once people have a date, they’re going to start working backwards from that date. And I think we’re going to start to see the queue really fill up. But as of right now, the queue is really just more and more people asking about CMMC certification.

All right, onto our next question. Have there been any updates on FedRAMP equivalency? So FedRAMP equivalency was something that was defined before the rule went into effect, and it’s also included in the rule itself and what was defined before the rule went into effect and what’s in the rule are in sync with each other and consistent. However, there was also some speculation that the FedRAMP equivalency requirements, specifically the memo that was released at the beginning of 2024 would be updated, clarified, modified in some way. We haven’t seen any of that take place so far. So from our perspective, FedRAMP equivalency remains unchanged. So proceed as normal.

All right, our next question, “I’m a FedRAMP authorized cloud service provider. So do I need to pursue CMMC level two if I have customers in the defense industrial base?” So this is a question we’re starting to see a lot more as CMMC is in effect and cloud service providers are sort of kicking the tires on what is required of me because I have a lot of customers in the defense industrial base. So the answer to this question, I’ll answer this question at a high level, but then provide a bit of a nuance or footnote to it as something to consider. So at a high level, if you’re a CSP and you have a FedRAMP moderate or higher authorization, you do not need to pursue CMMC level two to support customers in the DIB.

However, there are some additional things to consider and questions to answer to ensure that that is the right answer for you. And those questions involve flow downs of the DFARS requirements. So there are additional requirements beyond FedRAMP equivalency that must be flowed down by a cloud service provider. So ensure that you are able to meet those requirements. If you’re a SaaS product that is leveraging other cloud services, ensure that those cloud services are also compliant as part of your SaaS offering.

If you’re a SaaS provider and you’re leveraging products that do not use FedRAMP authorized services that meet CMMC requirements in addition to the FedRAMP equivalency requirements, that could bring CMMC level two into consideration for you. So just keep those two things in mind. But as a general rule, being authorized at FedRAMP moderate or higher clears the bar for CMMC level two. On to our next question. What’s the assessment timeframe and how long can I expect my assessment to take? So we hear this a lot. Going back to our question about the queue. When discussing the queue, we get this question probably more than any other question, and that is how long will the assessment take? So right now what we’re saying is eight to 10 weeks is what you should expect for an assessment to take. Now I’ll break that down a little bit more.

So there’s what’s called a pre-assessment phase, that’s phase one. And phase one we anticipate taking around four weeks. So we’ll conduct a kickoff meeting as the beginning of your engagement. And then from there we’re going to request some initial documentation and that documentation is required for us to review ahead of your assessment. So four weeks is the ideal timeframe that is needed to review that documentation and also begin preparing the logistics for the assessment, which is everything that goes into carrying out an assessment, schedule, personnel, file sharing, all of those logistical things that need to be planned for, for the assessment to actually take place. And then a key component of that phase one is the readiness review, right? So a readiness review will be conducted ahead of the assessment. Now this is not to determine whether controls are in place or not in place. This is really to determine is the organization ready to go through the assessment?

And the biggest thing here is we’re looking for show stoppers, right? So if an organization can’t provide an SSP, they’re not ready for an assessment. That’s an extreme example, but there are some others, like some of those three and five point controls that you can’t put on a POAM. If we look at documentation and we can tell that those are not in place, we would raise the flag and say not ready for the assessment. So four weeks for phase one. So now we move into phase two. So phase two is the actual assessment, and this can take anywhere between one week to three weeks.

So if an organization comes in, goes through their assessment, which includes the interviews, demonstrations, and us matching up the interviews and demonstrations in that week with the documentation artifacts that are either provided beforehand or provided during the assessment, and that organization gets a 110 perfect score, we’re good. Phase two is complete at that point. So we’ve completed that in a week or potentially even less, but at most a week. So then we would move into phase three. So I’ll come back to that in a moment. So phase two could go up to three weeks. If an organization doesn’t meet all 110 requirements within that first week, they are then entitled to a 10-day evidence clarification period. And during that evidence clarification period, the organization can provide additional evidence, they can provide clarity. So if we assessed a particular control and our understanding was one thing, the organization has a chance to go back during that evidence clarification period and provide clarification that would then lead us to potentially marking that control as met.

So they have a 10-day window in which that can take place. So that completes phase two. Now we’re up to between five and eight weeks, between phase one and phase two. And as I mentioned already, phase three we go into after phase two, and that’s the reporting phase where we compile everything that we collected, our notes, evidence, references, all of that gets compiled in phase three and that takes one to two weeks depending on the assessment. So now that phase three is complete, we are between eight and 10 weeks at this point. From there we do phase four, and phase four is kind of a two-part thing. So if an organization has met all of the requirements, then phase four is simply issuing that certificate and having the close out meeting. However, if an organization conditionally meets the requirements, meaning they do have findings that are eligible for a POAM and they put those findings on a POAM, we do issue the certificate in a conditional form.

We do have the closeout meeting, but then we go into that POAM closeout period where the organization has 180 days to close any findings and then we come back, reassess whatever those remediations were that were put in place. And assuming all of that is done correctly and adequately, sufficiently, then we reissue the certificate at the end of that POAM closeout period to be a final certificate. So going back, phases one through four take about eight to 10 weeks. That evidence clarification period really is the determining factor on whether it’s eight weeks or 10 weeks. And of course every assessment’s different, so it could be longer, it could even be shorter in some instances, but what we’re pushing people towards is an eight to 10 week assessment timeframe.

So moving to our next question, can you explain inheritance and how it works? So inheritance comes into play when an organization is either leveraging a cloud service provider or an external service provider. And inheritance simply is this external service provider or cloud service provider provides me with this service and therefore, as a result of providing that service provides this security control implementation. So inheritance really lessens the burden on an organization. When it comes time for them to conduct their assessment, they’re only going to be assessed on what they are responsible for. Which gets us into our next question, which is how should I document inheritance? So documenting inheritance, it should be specific to what that inheritance is for a particular control and the level of inheritance involved.

So if I’m in a complete enclave environment hosted fully within the cloud, then my inheritance is going to be full for some controls, particularly in the physical protection domain. However, in some other instances I may be relying on a cloud service provider only to a certain degree to provide control implementation, and I have responsibility also to implement aspects of a particular control. And in that case, the inheritance should be documented as partial and there should be a reference to what exactly it is that I’m inheriting from that cloud service provider or external service provider. And then you should go right into how you as an organization are addressing that control where you are responsible.

So moving from inheritance and documenting inheritance into another documentation question that we hear a lot, which is, does my documentation need to be directly aligned to the CMMC framework? The answer pretty clearly on this one is no, it does not need to be. Then the follow-up question, which we get a lot, is what is the best way to demonstrate how my documentation addresses specific CMMC requirements? So since my documentation doesn’t have to be directly aligned to the CMMC framework, how can I assure an assessor that it does address all the CMMC requirements? So what we advise in this situation is what we call a documentation matrix, essentially. So take the CMMC framework, all the requirements, and map those requirements to the specific sections of your documentation. Obviously your system security plan is going to be aligned to the CMMC framework. Your policies, procedures, plans, standards, other documentation does not need to be.

However, to make an assessor’s life easier, a matrix that maps your documentation back to the CMMC requirements is something we highly recommend. And a big reason why we recommend the matrix is number one, like I mentioned already, it makes an assessor’s life easier. And number two, the assessor then doesn’t have to go rooting around in your documentation, which can result in the assessor asking a lot more questions, which can lengthen the timeframe of the assessment. You end up going off and having to address things that really aren’t pertinent to the assessment potentially. Because, right, if you have documentation that you’re mapping to CMMC, in theory it also addresses other aspects of your organization that potentially might not even be in scope for CMMC. So I can’t say this strongly enough. Documentation matrix, map your documentation to CMMC requirements, it’ll make your life easier.

Moving into our next question, which gets in kind of more of a lessons learned and stuff we’ve seen in assessments, questions we’ve had to answer that I think would be beneficial for those of you out there that are thinking about when do I need to go through an assessment? What should I be considering? And that’s your plan of action and milestones.

So a lot of times people think of the plan of action and milestones as something that is only specific to CMMC or a certification framework. Right. That is not the case, however. A POAM is just a plan of action and milestones. It is a means by which you document plans you have in place and the milestones associated with them to increase, improve or fix security issues within your environment. So really you should look at a POAM as, okay, I found a vulnerability in my environment, or I missed a particular control in an assessment. I drop those on my POAM, put dates associated with them, I review that POAM on a monthly basis. I close these things out in accordance with the timeframes I’ve set.

However, there are also issues like, okay, we’ve decided we’re going to migrate from one security solution to another security solution because we believe that that other security solution provides more value to our organization, increases our security posture, et cetera. So it’s not tied to a vulnerability necessarily, but it is tied to a milestone and a plan to increase the security posture in our environment. We definitely want to put that on a POAM. As an assessor when looking at a POAM, I want to see more than just items that came out of an assessment or a gap analysis or something specific to CMMC or a framework. I want to see items on a POAM that deal with increasing the security posture in your organization.

Now to clarify, if we go through a POAM closeout assessment and a CMMC assessment, yes, what’s going to be considered and addressed and needs to be remediated are the issues that came out of the assessment. Anything else on that, like the migration to another security tool like I mentioned, would not be in scope for that evaluation. However, I would highly advise that items like that still be included in your POAM.

All right, moving on to our next question, which gets into security control implementations. So are policy implementations acceptable and if so, under what circumstances? So to clarify, a policy implementation is implementing a control via policy when a technical means to implement that control is either not available or not feasible.

So an example of this would be controlling user-installed software. For instance, a lot of organizations use whitelisting or blacklisting tools to control software installation and software use. However, the practicality of implementing those, particularly overnight, is very difficult and challenging. Typically, whitelisting in particular is going to be a long-term rollout where you need to spend a lot of time learning about the software usage within your organization before you can really hone that whitelist and avoid massive disruptions to your users in terms of their ability to do their jobs on a day-to-day basis. So we do allow for policy implementations in situations like that, and the policy can state that software that is not included on a written whitelist is not authorized for use.

So policy implementations are acceptable in those circumstances. We’ll look at that and say as an assessor, that’s an acceptable implementation of the control. However, the biggest thing to consider here and to keep in mind is that we’re going to want to see evidence that that policy is implemented and that actions are taken associated with that policy. So in the instance of whitelisting or blacklisting, if you’ve defined a whitelist or a blacklist in policy that users must adhere to, we’re going to want to see associated actions taking place for instances that are discovered outside of those policy requirements.

So if you’re finding that a user is using a particular piece of software that is not in line with your whitelist or blacklist policy, we’re going to want to see, okay, did someone reach out, contact that user and remediate that and bring that user’s software posture into compliance with policy. So just keep in mind, policy implementations are acceptable, but the burden to prove that they’re implemented effectively is higher, right? Because if I have a whitelisting solution in place and that whitelisting solution is turned on, there’s a technical control, I can quickly demonstrate the effectiveness of that whitelisting solution and I’m good to go. But on the policy side, you’re just going to have to do a little bit more homework. It’s more of a manual process to ensure that it’s implemented and prove to an assessor that it’s implemented.

So moving on to our next question, how are security protection assets being assessed? So kind of going back to one of our previous questions about FedRAMP equivalency, the final rule provided clarification on FedRAMP equivalency as it related to security protection assets, and security protection assets that are strictly only providing security to the system are now no longer within the full scope of the CMMC framework. So they’re not being assessed against all of the controls. However, we are still assessing security protection assets as it relates to the relevant controls or, as we say, the relevant security that they’re providing to the system. So the easiest example here, RA2, is vulnerability scanning. We’re going to look at your vulnerability scanning tool and evaluate its effectiveness in accordance with that particular control because vulnerability scanning is what’s required. However, we’re not going to go look at any other, we may look at your vulnerability scanning in other areas of the CMMC framework, but in general, we’re only going to evaluate the vulnerability scanning tool as it relates to its ability to perform vulnerability scanning.

All right, moving on to our next question. So I’ve built an enclave and it’s ready to be assessed. However, certain things like incidents or security incidents haven’t occurred in the context of the environment yet. What should I expect when I go through an assessment? So this is a great, great question and I would say also falls in the category of a lesson learned throughout assessments for us as assessors and how we address these particular controls and instances in which this happens. And this is especially relevant in this initial phase of the CMMC rollout where we are seeing a lot of organizations building enclave environments and then immediately after standing them up, developing everything, putting everything in place, want to take them through an assessment, as you might imagine. So what we would advise in this situation is ensure that your documentation and processes associated with everything in your environment is fully documented and can be fully evaluated all the way through.

So the reason we advise that is because let’s take security incidents, which was the example cited in the question. Security incidents sometimes don’t happen for quite some time. You can go a long, long time before something rises to the level of a security incident in which reporting is required. So you don’t have to follow your incident response procedure or process, right? So in cases like that, we’re going to want to see that your documentation and the process you have in place to address security incidents is well documented, well understood, and we can evaluate it. And we would also say tabletop exercises, things like that that test your security incident response capability would also be key and would go into addressing, do you meet the control of having an incident handling capability in place? Right. Because the reverse is you don’t really document. It’s documented kind of in an open-ended fashion and you don’t have a real-life incident to evaluate along with your open-ended documentation, right?

That creates problems in an assessment. I can’t match what you’ve documented and you said you’re going to do with what you’ve actually done in the real world. So when you don’t have a real-world example, you want to make sure your documentation and process is as detailed as possible and also that you’re testing it because testing it does constitute a real-world example. So when it comes to things that haven’t happened in an environment, make sure they are documented with as much detail as possible so that an assessor can evaluate that documentation. And then make sure that the folks providing answers to questions during the assessment are also going into that level of detail as to how that particular control would be met if it were to have presented itself within the environment.

All right, and now it looks like we’re at our last question here, which is, what are some tricky issues that are arising and how would you suggest addressing them in an assessment? So I’m going to cover three things here as we close out this Q&A session. So the first one I’m going to go into is risk assessments. Then I’m going to go into defining frequency, and then scope will be the last one. So first is risk assessments. So there is a control in the security assessment family that deals with risk assessments and performing risk assessments. And what we see a lot is organizations citing their preparation for CMMC, or a gap analysis for CMMC, or a gap analysis for another security framework as their risk assessment. This is acceptable at a high level. However, additional risk assessment activity needs to take place. There needs to be other risk reduction activities taking place within the environment aside from just gap analysis against a particular framework.

And the reason is we’re looking to discover what the risks are in the environment and in order to discover risks, we need to do more than just evaluate control implementation. We need to look for what are other things in the environment that pose a risk to the business and mission of whatever the system is. So risk assessments should be more broad than just a gap assessment against a particular framework. Number two, define frequency. So make sure that frequencies in your assessment or in your documentation and policies are measurable. And by measurable that means annually, monthly, weekly, quarterly. I can measure those particular timeframes. Ongoing, I can’t measure that. Real time, I can’t even really measure that. And one more pointer on this, it needs to be annually or less to be an acceptable defined frequency.

And finally, scope. So scope is something we’ve seen issues with, more on the consulting side of things when we work with organizations getting ready for assessments. But make sure your scope is as cleanly, neatly defined as possible because that is the foundation and will determine your success in an assessment. If there are issues with scope and definition of scope, it will increase the level of questioning that comes in your assessment. It could even bring additional assets into scope for you. So make sure that your scope is well-defined. Spend extra time, consult with an expert on defining your scope, making sure it includes everything that needs to be assessed. And that’s it.

So that wraps up our Q&A session for today. Thank you again for tuning in to the Cyber Compliance and Beyond Podcast. We’re grateful that you’ve chosen to spend time with us and we hope that our perspective on these important, challenging, and very actively evolving topics is of use to you on your CMMC journey.
