DIB Contractors should start considering an Evidence Locker for CMMC
Organizations Seeking Certification (OSCs) in the Defense Industrial Base (DIB) should start considering the creation and maintenance of an “evidence locker” for CMMC.
This is more work, and I don’t like suggesting that OSCs add another thing to the CMMC list, but I think OSCs (and our professional CMMC community that advises OSCs on their CMMC programs) should start down this path.
As I work through, “What will it take to pass an assessment?” I have been considering the concept of an Evidence Locker for over a year. How rigid and strict should we be about it? Is it needed at all? Increasingly I am becoming convinced that we need to be pretty rigid and we definitely will need one.
Well, several factors. These include:
The 100% compliance requirement for all 320 Assessment Objectives. This is a pretty rigid standard in my view. I know there is much discussion of “this is only the baseline,” and “everyone should have been fully compliant since 2018,” but still, name me another assessment or audit standard that requires 100% “Met” for every single line item of every control, and breaks every control down into a set of very specific required assessment objectives? Perhaps there is one out there (feel free to comment), but I cannot think of one. And no, 800-53 is not such a standard. Not close. The government can “risk accept” controls in their standard at their discretion, the government can POAM and risk accept “the plan to get it done someday,” and the government can ignore their own rules and continue to report that they are “moving aggressively toward complete implementation,” and that is sufficient. The recent IG report of DoD’s own 78% implementation rate of just 171 controls stands as evidence. For contractors under CMMC, the cost of missing even one evidentiary requirement is potentially very high. There is a small amount of space for the 45% of assessment objectives (AOs) that might be authorized for addition to a POAM and Interim Certification, but the allowance for that is pretty narrow.
Pre-assessment evaluation of evidence. Under the current DIBCAC methods and presumably under the CMMC Assessment Process guidance, C3PAO (commercial organizations conducting assessments) will need to evaluate the availability of sufficient evidence before conducting the actual assessment. This will likely necessitate an assessment readiness process that is fairly robust. Having a repository of evidence that can be accessed will be a critical piece of the process, and the OSC will have to prepare that before the assessment itself commences.
It makes sure you actually have a piece of evidence for absolutely everything. I found it in another of my regular conversations with an OSC today. In response to a specific AO, we said “there is a SIEM rule to cover that.” Actually a set of SIEM rules. Taking the time to go in, examine, and make sure those rules exist, taking a screenshot of them, and then placing that screenshot in your properly indexed Evidence Locker lets you see that you have at least one form of tangible evidence. You are not completely out of the woods of course. The possibility exists that your assessor will see it differently than you and not accept that piece of evidence, or want to see it in its current form by pulling up the live set of SIEM rules or want to see something else. It is a great start though.
It sets the stage for a successful assessment. I often fall back on my long-time Navy experience for so much in Cyber. If you have ever had the joy of undergoing an Operational Propulsion Plant Examination, and even more fun, doing so as the Damage Control Assistant, you have learned some survival skills when it comes to tough assessments. Presenting to the assessors that you had your act together out of the gate was critical. The more concerned they are about whether you know what you are doing, the more they dig. I believe those same rules of preparation and presentation still apply. So having an Evidence Locker will set the stage that you are organized and know what you are doing.
Personally, I am still kicking around the most effective way to construct this. I know a lot of folks believe in GRC (governance, risk, and compliance) tools for this sort of tracking. Unfortunately, I have not seen any yet (there are probably some coming online now) that are tailored specifically to CMMC and to the AO level. The standard SOX/ISO/SOC2 ones in my view should NOT be used for CMMC. Insufficient fidelity is the primary reason. A green block for mapped controls (i.e., a generalization of controls across multiple frameworks… one size fits all and sells to more clients) does NOT tell you that you have met all of the AOs that roll up into a control for CMMC. I think there is a lot of danger in these tools. So for now, I am building them myself. SharePoint, folders by domain, named file for each of the 320 objectives. Still playing with the file types and integration of “evidence” where the evidence is the procedure and a few other places.
Have you seen any good tools for this you think are useful? Recommendations on how you think this should be constructed for the organizations you support? Comments below are welcome, and I look forward to the dialogue.