If you’ve ever picked up a self-help book, you may have come across the phrase “love is a verb.” This adage is designed to draw attention to the active decision-making necessary for relationships to succeed. Surprisingly, it also offers an important lesson for understanding the Cybersecurity Maturity Model Certification (CMMC) process.
Core documents associated with CMMC, including NIST Special Publication 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS), are couched in a series of key action words. Organizations Seeking Certification (OSCs) and Certified Third-Party Assessment Organizations (C3PAOs) alike must understand these verbs as guiding principles in order to begin building and assessing successful, federally compliant cyber architecture.
As first articulated by Michael Dempsey at CISEVE, CMMC verbs can be organized into essential categories. At DCG, we conceptualize three unique verb classes: 1) documentation verbs, 2) execution verbs, and 3) verbs requiring both explicit documentation and coordinated action. Note that these categories are meant to broaden general understanding, and that verbiage should always be reviewed contextually when implementing CMMC requirements.
1. Documentation Verbs
It is especially important to recognize CMMC verbs which primarily indicate a documentation requirement. These include:
If you see any of these words in an assessment objective or control (A.K.A. security requirement), it should be taken as an indication that documentation will need to be developed to satisfy that requirement.
In NIST SP 800-171, for example, Identification and Authentication control 3.5.1 requires OSCs to, “Identify system users, processes acting on behalf of users, and devices.” The CMMC Level 2 Assessment Guide indicates to Assessors that, in order to confirm an OSC’s compliance with this control, they must reference the OSC’s: “...Identification and authentication policy; procedures addressing user identification and authentication; system security plan, system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records.” In this example, system users, processes acting on behalf of users, and devices must be explicitly identified somewhere in the OSC’s documentation. In some instances this could be an online database or a maintained listing of some sort. However, simply pointing at all accounts on a system and saying that this constitutes identified system users is not sufficient. An account is not necessarily a user (service and shared accounts, for instance, map to processes or to multiple people), and CMMC assessors will want to know how you verify that the list is accurate and how you keep it that way as accounts are added and removed.
Oftentimes, small and medium-sized enterprises will satisfy documentation verbs in their System Security Plan (SSP), a document described by NIST as, “A formal document that provides an overview of the security requirements for the system and describes the security controls in place.” Both the CMMC L2 Assessment Guide and NIST SP 800-171A list the SSP as an acceptable assessment object (evidence), but the written content which implements the objective must be adequate and sufficient, regardless of where it is written.
2. Execution Verbs
Another key class of CMMC verbs are those which state the need for an activity or the execution of a project. These include:
‘Control’ is a common execution verb embedded in the CMMC compliance process. This may at first be misleading, and is not to be confused with the noun ‘control,’ which in DFARS/CMMC lexicon represents a security directive. For example, security requirement 3.4.9 under the Configuration Management domain requires OSCs to, “Control and monitor user-installed software.” Assessors will check to determine whether mechanisms governing the installation of software by users are enforced, and that they match the documentation associated with this control. Many execution verbs will imply a documentation requirement. However, their core purpose is to indicate a need for a project or activity that must be executed in order to achieve compliant status.
3. Dual Verbs
As suggested above, many CMMC verbs will either 1) require an action while implying the need for documentation, or 2) require documentation while implying a call to action. Dual verbs do not lean toward either priority, and should be interpreted within the context of the assessment objective and its supporting documentation. These might include:
An excellent example of a CMMC verb which incorporates both execution and documentation is ‘monitor.’ For example, Physical Protection control 3.10.2 asks OSCs to, “Protect and monitor the physical facility and support infrastructure for organizational systems.” Monitoring in this case may be constituted in part by an audit log of physical access to the OSC’s facility. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) also lists physical inspection of security cameras and alarm sensors as a means of ensuring the implementation of 3.10.2. Therefore, the satisfaction of this security requirement is both an active process and requires the creation of documentation. Dual verbs like this one cannot be considered satisfied until they have been both documented and fully executed.
Ultimately, CMMC’s foundational documents are couched in a unique language, which includes this series of highly intentional verbs. The exercise of categorizing this verbiage should not be taken as limiting guidance. Instead, each OSC should take the time to anticipate what might be necessary for a given assessment objective, and confirm that assumption using supporting guidance, peer collaboration and, if necessary, professional consultation.