Certified CMMC Assessors click into place as just another cog in a much larger system that already exists.

Every objective that a CCA examines must already be legally met by the Organization Seeking Certification. CMMC introduced no new requirements on Federal contractors. When people complain about the cost of CMMC, they usually do not mean the assessment itself but the cost of meeting the requirements that a CMMC assessment measures.

After continued exfiltration of data and failed self-assessments, a third-party validation of the System Security Plan was added to increase the trustworthiness of systems designed to process, store, and transmit Controlled Unclassified Information.

According to NIST, a system is a series of elements or components that together have a shared identity and work towards a goal within the constraints of a specific environment and the requirements of the outcome.

Organizations Seeking Certification engineer security into their systems through systems security engineering. Originally, the Government placed trust in organizations seeking certification. However, recent evidence calls the trustworthiness of self-reporting into doubt. The lack of trust in System Security Plans in turn casts doubt on the trustworthiness of the overall security engineered into a system.

So, through CMMC, a third-party assessment was added to assess trustworthiness and increase trust in the supply chain.

Trust and Trustworthiness

A CCA serves as the verification and validation method that assures, with confidence, that federal contractors protect the confidentiality of Controlled Unclassified Information. A CCA verifies the trustworthiness of the evidence an Organization Seeking Certification includes in its System Security Plan. You validate that their tests to ensure the trustworthiness of their systems proves the Organization Seeking Certification

Trust is a belief that an entity meets certain expectations and can be relied upon. The terms "belief" and "can" imply that trust may be granted to an entity whether the entity is trustworthy or not. A trustworthy entity is one for which sufficient evidence exists to support its claimed trustworthiness.

Verification and Validation of the System Security Plan

As a Certified CMMC Assessor you verify and validate that an Organization Seeking Certification meets the security requirements of NIST-SP-800-171. In order for a System Security Plan to be trustworthy, the OSC must have a demonstrated ability to satisfy the expectations of protecting Controlled Unclassified Information.

Since trustworthiness is something demonstrated, you verify and validate the evidence that supports each claim or judgment that a CMMC practice is met.

As a Certified CMMC Assessor you also serve a dual role of trust. As a trained assessor, the Government can put trust in your assessment. As a certified assessor, the Organization Seeking Certification can trust your credentials. Trust is a value judgment based on authority and evidence.

In terms of the Cybersecurity Maturity Model Certification program, this means you examine the SSP and validate each CMMC practice to ensure there is sufficient evidence of trustworthiness in the claims being made by the Organization Seeking Certification.

A CCA validates the trustworthiness of each claim an Organization Seeking Certification makes about meeting the security requirements of NIST-SP-800-171 to protect the confidentiality of Controlled Unclassified Information.

This means the verification and validation of each assessment objective. As an assessor you have to make sure the evidence is sufficient and adequate, so that each of the 110 security requirements is covered with enough depth and breadth that the claims made in the System Security Plan can be trusted.

Your role in the system is to increase the assurance that the Nation's Controlled Unclassified Information is protected. According to NIST,

Assurance is a complex and multi-dimensional property of the system that builds over time. Assurance must be planned, established, and maintained in alignment with the system throughout the system life cycle.

In your dual role of trust as a CCA, you help to build assurance in the overall supply chain system. You also verify the evidence an OSC includes in a System Security Plan and validate how the organization establishes the trustworthiness of those claims within the trustworthiness context.

Trustworthy Context

The trustworthiness context involves decision making and evidence-based demonstrations that a System Security Plan can be trusted to protect the confidentiality of Controlled Unclassified Information. The organization documents how it develops and maintains its assurance of meeting the security requirements of NIST-SP-800-171 and how it demonstrates that the assurance is satisfied. A Certified CMMC Assessor verifies and validates the System Security Plan within this decision-making context.

When the Organization Seeking Certification writes how it meets the security requirements of each NIST-SP-800-171 objective, it creates an assurance case. This demonstrates how the objective is covered with enough depth and breadth that the assurance case can be trusted.

As a CCA you will verify and validate the evidence in System Security Plans of widely varying quality. An effective SSP acts as an assurance case playbook. First, a claim is derived from the security objectives. Then the OSC connects the claim to, and documents, credible and relevant evidence that substantiates it. Often the evidence gets validated through ongoing testing and good system development life cycle practices. Basically: say what you do, explain how you do it, and prove it gets done. Have an assurance case for every assessment objective.

Organizations with strong cyber hygiene present a compelling assurance case for all 325 objectives in NIST-SP-800-171. The result provides a statement that adequate security has been achieved, driven by stakeholder needs and expectations. Strong systems security engineering helps to strengthen security and reduce the effort of validating and verifying assurance cases.