The most current version of Cybersecurity Maturity Model Certification includes 110 practices or security requirements, also called controls. Supplier Risk Performance System (SPRS) scores are calculated based on these 110 practices, and any score that is less than perfect is considered not compliant. Obviously, this method of grading is particularly strict, and as such, it places a strong emphasis on an organization’s capacity to track requirements, the methods they use to address them, and the kinds of policies that support their ongoing maintenance. In this article, I’ll share three tips from DCG’s CMMC experts to help you track your efforts toward compliance (hint: we’ve linked a tool to help you do just that at the end.
Tip 1: Assessment Objectives over Practices
Because there are 110 practices listed in NIST SP 800-171, you might think that means there are 110 action items to be executed on the path to certification. As is typical of large bureaucratic narratives, this is misleading. Underlying the 110 practices are 320 assessment objectives (AOs). We recommend that organizations in the process of becoming CMMC-ready use AOs to track their progress. Let’s take a look at an example to see why.
The very first CMMC domain, or family or practices, is Access Control (AC). AC 3.1.1. requires Organizations Seeking Certification (OSCs) to:
“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.”
Underlying this control are six AOs, including:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users;
[f] system access is limited to authorized devices (including other systems).
By examining the AOs which underlie AC 3.1.1, we can see exactly how an assessor would determine whether or not the control has been addressed adequately and sufficiently. AC 3.1.1 becomes not one, but a series of practices and requirements.
AOs [a]-[c] imply a need for documentation; authorized users, processes acting on behalf of those users, and devices authorized to connect to the system must all be identified, or explicitly listed in a piece of documentation like a document listing, an Access Control Policy, or database. Meanwhile, AOs [e]-[f] require a complex action or the introduction of a process. Limited is a key CMMC-verb which in this case calls for physical or logical controls to dictate system access. Logical controls include digital barriers like two-factor authentication, while physical controls include tangible barriers like locked doors.
In select cases, a policy might also be sufficient to control system access. For example, AO [f] might be satisfied by a small manufacturer —operating in a single building, with a small network— by a policy which states only corporate devices are permitted to be connected to the network. This policy must be supported by 1) physical controls to the building, and 2) training which ensures employees are operating according to the policy which bans personal computer use. Ultimately, it will be up to an assessor whether or not a policy will be taken as an adequate and sufficient control, but small businesses should be aware that this option might be available to them under limited circumstances.
Tip 2: Inheritance & Shared Responsibility Matrices
As you start running down the list of AOs for each control, you might think, “Hey. I hired a company to do that.” Of course, you’d be right, and that would mean you have “inherited” compliant information security services or architecture from your external service provider. External service providers like MSPs and MSSPs can be required to provide a shared responsibility matrix in reference to either 1) how exactly they satisfy an AO, or 2) how responsibilities to satisfy an AO are shared between the service provider and the contracting organization. Building, maintaining, and tracking shared responsibility matrices will be crucial to your tracking efforts as your company moves toward CMMC compliance.
Tip 3: Periodic Item Tracking
The final tip I’ll share today to help you track your efforts toward compliance is periodic action-item tracking. Why is it important? Because there are actions that must be executed not on a daily basis, but weekly, monthly, quarterly, or annually. CMMC is not a forgiving space to drop the periodic item ball.
One good example of this is the development of policies and procedures. The National Institute of Standards and Technology (NIST) states that CMMC policies and procedures must be updated “periodically.” However, this periodicity is not left up to the discretion of the OSC. Rather, the DoD’s CMMC glossary defines “periodically” as “once a year.” This means that, unlike similar frameworks, a policy or procedure cannot be considered adequate or sufficient more than a year after its approval date. A control that requires supporting documentation cannot be satisfied by a piece of paper collecting dust on a shelf. Therefore, policy and procedure updates are an annual periodic item that must be tracked reliably, with evidence that demonstrates annual reviews actually take place. Don’t forget them! Having a mechanism for periodic action-item tracking might make the difference between certification and lost contracts.
Bonus: DCG’s Free Basic-Self Assessment & CMMC Tracking Tool
So far, we have covered three CMMC tracking essentials: assessment objectives, shared responsibility matrices, and periodic items. But where should an OSC begin organizing and managing these efforts? Good news. DCG has built a tracking tool for you, available for free here. This mechanism was inspired by Naval command periodic trackers, commonly known as the Command Tickler. It is designed to grow over time as you bolster your awareness of periodic actions that are needed to support your many compliance obligations, and has been in use with our own team for years. Now, it has been developed for use by OSCs of all sizes, and can be used to track other contractual control requirements as well. Increasingly, large prime contractors have been insistent that subs provide proof they are meeting information security requirements. Consider adding those requirements to the tracker yourself. Assessment Objective tracking, shared responsibility matrices, and periodic item tabs already exist to help you get started tracking your progress toward compliance today.
As always, questions concerning CMMC compliance or the tool itself can be answered by reaching out to firstname.lastname@example.org.