What it takes to be “CMMC Ready”

First you must know what information you must protect, how much info there is, where that info resides, who handles the info, and then describe the lifecycle of the CUI you possess, from first receipt / generation to final disposal or destruction.

Identify, document, and inventory all hardware, software, firmware, users, facilities, and documentation assets that support any of the phases of the CUI lifecycle as determined in the first criterion

• Using the results of the CUI lifecycle characterization exercise and asset inventory, trace how and where CUI flows through your organization, and depict this flow in a data flow diagram.
• Create a network topology diagram identifying how the assets within your assessment scope are interconnected and interrelated.
• Overlay the network topology diagram with the CUI data flow diagram, if possible.
• Include the Federal Contract Information (FCI, associated with CMMC Level 1) network topology and data flows, if there is overlap 

• Conducting a self-assessment requires that you’ve developed a System Security Plan (SSP), Plan of Actions and Milestones (POA&M), and the necessary SSP-supporting artifacts.
• Using the DoD Assessment Methodology, your organization should be at a full score of 110, or at least have a score of 88 with no deficient CMMC L1, 3-, or 5-point controls.
• Post the resultant score to the DoD’s Supplier Performance Risk System (SPRS)

• You can identify the sources of compelling evidence for each NIST 800-171 control in a requirements traceability matrix (like a spreadsheet), directly in the System Security Plan (SSP), or both.  This creates a map for you and the assessor and will speed up the assessment.
• Assessors will choose from the three following types of evidence:
  • List of the documents or procedures to examine, 
  • List of the responsible personnel to interview, and/or,  
  • List of the processes, procedures, or systems to demonstrate. 
• Organize the CE documents in folders or repositories, named by the control ID for quick reference.

There are several hundred Assessment Objectives in NIST 800-171 (320 in rev 2, 509 in rev 3).  Every Assessment Objective should be covered by at least one of the forms of compelling evidence identified above.

• External Service Providers (ESP) include all Cloud Service Providers (CSP), Managed Service Providers (MSP, “day-to-day” IT), and Managed Security Service Providers (MSSP, the security operations folks that help you monitor your environment) that provide CUI processesing, storage, transmission, or protection services.
• Get a NIST 800-171-based Shared Responsibility Matrix (SRM) from every ESP that is within your assessment scope, and reference the SRM from — or include it in — the SSP.
• The SRM must show any consumer-shared responsibilities, and those responsibilities must be addressed in the SSP. 
• Understand what controls/objectives your organization can and cannot inherit from from the ESP. 

• Cloud Service Providers (CSP) not listed on the FedRAMP marketplace with a Moderate or High ATO must meet the FedRamp equivalency requirements.
• The C3PAO will be reviewing the Body of Evidence (BOE) from the CSP. 

• The IRP must include both user- and organization-response procedures for dealing with cyber incidents in the covered system or affecting CUI. 
• Run tabletop exercises, test your team, and document the lessons learned.
• Totem’s CMMC Level 2 Readiness Workshop includes instructions on developing an IRP and a table-top exercise.

CUI incident reporting is a requirement of DFARS 252.204-7012. If an incident happens, and you are on a tight timeframe, you do not want to then learn your DIBNET login isn’t working.

• Artifacts are separate documents, such as an Acceptable Use Policy, that support and/or provide compelling evidence for your SSP implemenation.  Gather these in a structured repository, and have them controlled and approved by your organization’s Information Security Officer (or designate).
• A great tip is to name your documents with the applicable control number that it first applies to, e.g. “3.1.1-Access Control Policy”. This helps organize and structure your evidence.

• If you say you do it in your SSP, then make sure you do it, and make sure you don’t contradict yourself in your policies, procedures, forms, etc. 
• C3PAO are assessing you against your SSP. Scrub it at least 1-2 more times than you think you should.
• A great example of a contradiction is a different password policy called out in the SSP vs. the Account Management procedure. 

Make sure that your organization has documentation that shows a senior official has approved and “signed off” on the SSP.  This indicates leadership “buy-in” and that your organization has “institutionalized” its cybersecurity program. 

This is an easy-to-miss step, especially on a revised version of the SSP.

Do not wait until the month of your actual assessment to try to get everything updated and ready. You will have plenty to do, and time goes fast. The more you have ready and done, the easier it will be for you, the fewer grey hairs you will acquire, and the better you will sleep before and during the assessment.