CMMC Assessment: In Systems Security Engineering the Environment Drives Evidence
From A Systems Security Engineering perspective, the environment will drive the evidence collected to ensure an organization seeking certification meets security requirements.
For both the assessor and the contractor considering the impact of scope on how their systems gets deployed will be the largest driver in the cost of engineering a system and meeting security requirements. An Organization Seeking Certification must collect to meet the 320 objectives of a CMMC assessment. Assessors will need to consider the environment and the separation techniques used when deciding on what assessment procedures to use.
Systems rely on the separation of physical and logical boundaries to ensure only those with a legal and authorized need access Controlled Unclassified Information. In fact, when designing controlled environments as part of our systems we must consider the environmental constraints of each possible deployment.
The security requirements for storing, processing, or transmitting CUI for any deployment are the same. The requirements for export-controlled data are the same regardless of the environment. Incident reporting requirements are the same no matter the system an OSC engineers.
You have a CMMC assessor come and verify the trustworthiness in your meeting the security requirements of NIST-SP-800-171. The environments used in the system will have an impact on the evidence used to justify a rating. The assessment procedures used by a certified CMMC assessor will change based on the environment.
By analyzing constraints and requirements across the life cycle of a contract, thus utilizing systems security engineering, an organization identifies the type of evidence a Certified Assessor may collect to verify the trustworthiness of the System Security Plan based on their deployment
Environmental Constraints and Separation Techniques
When engineering a system an organization must consider how Controlled Unclassified Information does or does not move through logical and physical boundaries. Utilizing separation, or “system architecture design concept that can provide physical/logical isolation of assets that process, transmit, or store CUI from assets not involved with CUI” an organization can protect CUI from unauthorized disclosure.
When an OSC accounts for different environments and their constraints they collect the unique evidence needed to demonstrate the security requirements get met.
Where Do In Scope facilities Exist?
Modern deployments range from on-premises where an organization maintains responsibility for all software, equipment, and physical to cloud based software-as-a-service platform where the organization maintains only limited control over domains such as access control and the vendor handles all other security requirements.
Unless organizations utilize separation, techniques and keep all CUI in a system with security measures such as DMZ , layered boundary protections, and air gapped systems or an organization keeps an entire system in scope an assessor will be working with cloud environments.
“Cloud Smart,” rather than “Cloud First” was initiated in 2017 as a result of the Report to the President on Federal IT Modernization. Cloud Smart emphasizes the three pillars of security, procurement, and workforce. These three principles work in systems security engineering while also introducing specific requirements and constraints to the environment.
The biggest impact Cloud has on a CMMC assessment is introducing a shared services layer to the environment. As soon as an organization uses a cloud vendor for in-scope services or uses security tools in the cloud they share the security requirements and must document who and how they get met across the organization. The CSP is not assessed during a CMMC assessment, but the assessor will need to establish the trustworthiness of shared responsibility.
These requirements and constraints have an impact when assessing organizations. As you engineer a system that meets the security requirements of NIST-SP-800-171 you need to determine your environment and consider the constraints and requirements across the lifecycle of your deployment.
This is the fourth post on using NIST-SP-800-160 Systems Security Engineering to meet the requirements of SC.L2-3.13.2 – SECURITY ENGINEERING
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
First post: Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation
Second Post: CMMC and Systems Security Engineering
Third Post: CMMC and Asset Inventory
img credit: Drive flickr photo by astarothcy shared under a Creative Commons (BY-SA) license