While we await the release of the CMMC assessment process from the AB, we can look to how the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducted Level Three assessments of Certified Third Party Assessment Organizations (C3PAO) to understand their methodology.
As we know, Cybersecurity Maturity Model Certification (CMMC) assessments happen in four phases. At each step, a go/no-go decision determines whether you continue to the next phase of assessment. At a brown bag luncheon, DIBCAC released their go/no-go decision trees.
This provides a road map for companies that may want to prepare for their CMMC journey now.
Documented SSP
If you do not have a documented System Security Plan (SSP), you cannot be scored against the NIST SP 800-171 framework or CMMC.
If you use the NIST templates for NIST SP 800-171A self-assessments, your SSP will not include all of the domains, practices, and assessment objectives necessary for Level 3 CMMC certification.
Policy, Procedures, and Plans
Do you know how much documentation CMMC takes? A lot—a lot—like hand-falls-off-from-writing amounts.
At Level 2, you need a policy for every single one of the 17 domains in CMMC. This does not necessarily mean you must have 17 different documents, but you can. At Level 3, you need to document the procedures for implementing these policies, in addition to having a plan to budget and resource for these procedures.
If you miss any of the necessary policies, procedures, or plans, you will not be allowed to proceed. If any of these three exist only in draft form, you will not be allowed to proceed. If you have confused procedures with plans, you will not be allowed to proceed.
Completed Self-Assessment
You need to certify that you have assessed yourself and have no open action items on the 705 assessment objectives of CMMC.
The information owner of the organization seeking certification must validate the completion of the self-assessment.
No Open Plans of Action
Level 3 CMMC certification is a binary assessment. Do or do not—there is no try. If you score 704/705, and are therefore compliant on 99.85% of assessment objectives, you will fail. While there is no penalty for a low score on Basic, Medium, or High Self-Assessments, Level 3 CMMC Assessments follow Yoda rules.
Customer Responsibilities Matrix
If you use a Managed Service Provider or a Managed Security Service Provider, you need to know which assessment objectives they help you meet, which ones they do not, and which ones you share with them.
You then have to work these matrices into your procedures to make sure you complete your shared obligations.
If either step goes missing, you will not be allowed to proceed with certification.
Procedures are Repeatable
You must have your procedures written in such a way that an assessor can repeat them and get the same result you get, every time.
If you cannot follow your procedures, or if they are not reliably replicable, you will not be allowed to proceed.