June 26, 2020
Now that you’ve identified your target maturity level and decided whether you need help from external security or vendor services, it’s time to look at your IT infrastructure the way a Cybersecurity Maturity Model Certification (CMMC) assessor will.
Step 3: Conduct self-assessment and update supporting documentation
The self-assessment is where the action really gets going. It is a preliminary walkthrough that shows you how your organization actually implements its security controls. Through it you will uncover whether each control is sufficiently documented, captured in policy, managed, and reviewed per the requirements of the CMMC maturity level you’re targeting.
PRO TIP 1: The NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements is a great resource to reference as you build out your self-assessment. While the CMMC requirements go beyond those included in NIST SP 800-171, this handbook addresses most of what is required to get you to the CMMC Level 3 target maturity level (check out this post if you need a refresher on the five maturity levels and their requirements).
Once you’ve built your self-assessment, it’s time to talk a bit about documentation. Now, the word “documentation” can elicit a range of responses in people. There are some people who consider documentation a lifesaver, and it is something they rely on to do their jobs every day. There are other folks who consider documentation the bane of their existence. Regardless of where one lies on this continuum, two things are clear when it comes to documentation and the CMMC:
- Documentation is very important. It is the evidence an assessor evaluates to decide whether you meet the practices and processes required at your target CMMC level.
- The quality and clarity of your documentation will largely determine how long your CMMC assessment takes.
Here’s a look at the sort of documentation you will need to ensure you have in order before you schedule your CMMC assessment.
- System Security Plan (SSP). If you don’t have an SSP, you need to create one. If you have an SSP, now is the time to update it.
There is no specific format for an SSP. However, the plan must describe how your security requirements are implemented, the system boundary, the operational environment, and the relationships among IT systems as evidence to support compliance with NIST SP 800-171. If you hold Controlled Unclassified Information (CUI), the SSP should describe the CUI in context with the company’s operations—including where CUI is stored, transmitted, or processed. This plan also needs to state what controls are in place to protect CUI.
PRO TIP 2: If building this plan sounds daunting, you may want to use a software solution designed to guide organizations through how to document security controls and their implementation.
- Plan of Action & Milestones (POA&M). The POA&M is the document where you capture all the gaps you’ve discovered between your current security infrastructure and where you need it to be per the requirements of the CMMC maturity level you want to attain. This is also your to-do list, which includes details on who is responsible, the planned dates for remediation, and information about how the weakness was identified so that it can be re-evaluated later.
- Internal policies and procedures. Depending on your target CMMC level, you will likely need supporting documentation that shows how internal processes support and enforce your cybersecurity program.
Some examples of these supporting documents include: a Security Test and Evaluation (ST&E) plan that describes how security controls are tested; a Business Continuity Plan; an Incident Response Plan; and a human resources plan that details personnel security processes, including provisioning user access to IT systems and facilities.
These additional policy and procedure plans overlap with other government contractor requirements, so you may already have much of this documentation in place. For example, if you handle CUI, DFARS 252.204-7012 requires that cyber incidents be rapidly reported to the DIBNet portal, within 72 hours of discovery, so your Incident Response Plan should already spell out who reports, how, and on what timeline.
If you are doing your own self-assessment, you can find templates for both an SSP and a POA&M as supplemental material on the NIST website for NIST SP 800-171. If you are using external security consultants to assist in this step, they should review the existing documentation you have and update it with recommendations. Expect to also receive a Security Assessment Report (SAR) that contains your results and a summary of your security risk posture.
If your security strategy includes migrating to a secure cloud environment and software-as-a-service solutions, your cloud service provider (CSP) should be able to provide you with information to support your documentation. Look for CSPs with third-party security attestations and authorizations, such as FedRAMP, which are evidence of the CSP’s familiarity with this kind of security audit.
CSPs and the software they provide can also help you with some of system security control deficiencies most often found at defense contractors. A recent industry report cited multifactor authentication, monitoring unauthorized use, and controlling the flow of CUI within and between information systems as frequent deficiencies found in NIST SP 800-171 compliance audits.
CSPs can mitigate these common deficiencies for you through supporting capabilities for user authentication and authorization, audit logging, and secured system interfaces. Even better, they may have policies that enforce the security controls in their common control environment, which significantly reduces the burden on the cloud customer to maintain those security configurations and tools. Keep in mind that controls you inherit from a CSP still have to be identified as inherited in your SSP, and you remain responsible for the customer-side configuration (for example, actually turning on multifactor authentication for every account and routing the CSP’s audit logs into your own monitoring).
And, that’s step 3. This is arguably the most daunting and involved step of the five we’ve built to help you prepare for the real deal. Anticipate this step will take a lot of time and energy from staff, if you do have the in-house expertise to execute the self-assessment and documentation collection on your own. If not?
PRO TIP 3: Work with a CSP or an external security consultant specific to CMMC.
If you are still researching your options and educating yourself on the CMMC, take a look at our Cybersecurity Maturity Model Certification (CMMC) Best Practice Guide for more information.