Preparing for a CMMC Assessment: The Importance of Documentation


I'm often asked about my observations during CMMC assessments and what challenges organizations run into. This may become a series as the program progresses, but one of the most important things I see right now is the need for proper documentation.
OSCs are required to have a System Security Plan (SSP), whether you are Level 1 (self-attesting) or Level 2 (C3PAO assessed). The SSP is the focal point of the entire assessment, as it contains the implementation statements for each control objective.
1. Presentation Matters
I have seen firsthand the importance of having proper documentation in place to make sure your organization is compliant with the regulations and standards.
During an assessment, it is clear when an SSP is not ready.
For example, the SSP includes high-level statements such as “We meet this objective” and references several supporting documents. However, it fails to describe the specific implementation details within the SSP itself or to indicate exactly where in the referenced materials the implementation evidence can be found.
The assessor's job is to validate what you say you are doing; it is not their job to search the referenced documents for your responses.
2. Inheritance vs Responsibility
Another issue is that an ESP may be performing the functions (adding users, granting permissions, etc.), but that by itself is not an inheritance; there are few actions, even from a Level 2 certified ESP, that can be fully inherited.
For example, the OSC conducts background checks on its own staff. If the ESP is L2 certified, then you can inherit the background checks on the ESP's staff, but that would be a “Hybrid” or “Partially inherited” control, as the OSC also has to conduct background checks.
3. Asset Types vs Control Types
I have seen organizations struggle to properly identify the types of assets and control types in their SSP.
- The Asset type identifies whether an asset (people, facility, technology) is CUI, SPA, CRM, Specialized, or Out of Scope.
- The Control type determines who has responsibility for the objective - whether it's a "System" control (the OSC fully controls the objective), "Inherited" (fully performed by an outside entity), or "Hybrid" (both the OSC and an outside entity have responsibility).
4. Documenting CUI Dataflow and Network Diagram
Proper documentation of the CUI dataflow and network diagram is also crucial. This includes identifying:
- Where and how the CUI comes into or leaves the environment (e.g., email, client portal, DoD SAFE, etc.)
- Who uses CUI
- Where it is stored, including backups of the CUI data.
- etc.
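As an added example, not part of this post, the readiness checks from sections 1 to 3 (no bare "we meet this objective" statements, an evidence pointer that says where in a document to look, valid asset and control types, and inheritance only from a Level 2 certified ESP with hybrid responsibility recorded as such) can be run over SSP entries kept as structured data. The `esp_l2_certified` and `osc_performs_part` fields and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Allowed values taken from the post's asset type and control type definitions
ASSET_TYPES = {"CUI", "SPA", "CRM", "Specialized", "Out of Scope"}
CONTROL_TYPES = {"System", "Inherited", "Hybrid"}
# Phrases that state a conclusion instead of describing the implementation
VAGUE_PHRASES = ("we meet this objective", "we are compliant", "this is implemented")
# Words showing that an evidence pointer names a place, not just a document
LOCATION_HINTS = ("section", "page", "para", "§")

@dataclass
class SspEntry:
    objective: str            # objective identifier (placeholder values below)
    implementation: str       # implementation statement as written in the SSP
    evidence: str             # pointer into referenced material, "" if absent
    control_type: str         # "System", "Inherited" or "Hybrid"
    asset_types: list = field(default_factory=list)
    esp_l2_certified: bool = False   # assumed field: does the ESP hold a Level 2 cert?
    osc_performs_part: bool = False  # assumed field: does the OSC still do part of it?

def lint_entry(e):
    """Return readiness findings for one SSP entry (empty list means none)."""
    findings = []
    if e.control_type not in CONTROL_TYPES:
        findings.append(f"unknown control type {e.control_type!r}")
    findings += [f"unknown asset type {a!r}" for a in e.asset_types if a not in ASSET_TYPES]
    text = e.implementation.lower()
    if any(p in text for p in VAGUE_PHRASES) and len(text.split()) < 20:
        findings.append("statement asserts compliance without describing how")
    if not e.evidence.strip():
        findings.append("no evidence location given")
    elif not any(h in e.evidence.lower() for h in LOCATION_HINTS):
        findings.append("evidence pointer names a document but not where to look in it")
    if e.control_type == "Inherited" and not e.esp_l2_certified:
        findings.append("full inheritance claimed from an ESP without Level 2 certification")
    if e.control_type == "Inherited" and e.osc_performs_part:
        findings.append("OSC still performs part of this objective; mark it Hybrid")
    return findings

def lint_ssp(entries):
    return {e.objective: f for e in entries if (f := lint_entry(e))}

# Constructed sample entries, not taken from any real SSP
SAMPLE = [
    SspEntry("OBJ-1", "We meet this objective. See Access Control Policy.",
             "Access Control Policy", "System", ["CUI"]),
    SspEntry("OBJ-2", "HR runs a background check on every employee before an account is "
             "created; the ESP screens its own technicians.", "HR Procedure 4, section 2.3",
             "Inherited", ["CUI", "SPA"], esp_l2_certified=True, osc_performs_part=True),
    SspEntry("OBJ-3", "Guest Wi-Fi sits on a separate VLAN with no route to the CUI network.",
             "Network Diagram, page 2", "System", ["Out of Scope"]),
]
```

Running `lint_ssp(SAMPLE)` flags OBJ-1 twice (vague statement, evidence without a location) and OBJ-2 once (should be Hybrid), while OBJ-3 passes.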
Final Thoughts
My takeaway is that understanding the requirements and properly documenting your implementation statements are important to make sure your organization is prepared for and able to pass a C3PAO's CMMC Level 2 assessment of your environment.
Whether you're preparing for a CMMC Level 2 assessment or any other type of audit, it's important to have the right documentation in place to demonstrate your compliance and protect your organization from potential legal and financial penalties.
Ready to book your assessment, or want to talk to someone? Contact us.
