If you’ve taken the first steps of identifying and securing your controlled unclassified information (CUI), it’s time to get ready for your CMMC audit. At CyberSheath, we have created a three-piece model, where each component is critical to your success as you embark or continue on your CMMC compliance journey.
- Managed security – 24/7/365 security services and support enable regulatory compliance. This includes security monitoring, central event logging, vulnerability assessments, and configuration assessments.
- Managed technology – IT services delivered through the lens of security and managed in a compliant manner are key here, including support desk, patching and maintenance, configuration management, and technology project support.
- Managed compliance – Once you have achieved compliance, it’s important to maintain a compliant state. The government is looking to confirm that you are continuing to conduct internal gap assessments, update your system security plan (SSP), perform incident response testing, revise your plan of action and milestones (POAM), review your policy and procedure documentation, monitor the regulatory landscape, and push out training to all users.
Keep in mind that updating your POAM is essential, especially as many contractors face challenges related to personnel and organizational changes. If you fall out of compliance, your POAM should clearly document the necessary actions to regain compliance. However, it’s important to note that not all items can be placed on a POAM—certain critical requirements must be fully implemented to achieve certification. The ultimate goal is to establish operational processes and capabilities supported by technology. By layering maturity into your documentation practices, your organization can confidently approach the audit in a strong compliance posture.
The audit process
As it relates to the Defense Contract Management Agency (DCMA) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit, here is what to expect.
DIBCAC starts by sending a letter to provide notice of your audit—and to give you time to prepare and assemble your documentation. When the assessors do come on site and perform their assessment, the timeline is usually one week. Sometimes they narrow the on-premises portion down to only the time they need to be on site to verify physical controls.
DIBCAC published a study of assessment scores showing that most contractors score themselves about a hundred points higher than their actual assessor-determined score. This gap is generally caused by scoping problems and non-defensible boundaries. If you can’t defend your boundary, can’t show evidence that your documentation is in place, or your documentation isn’t well defined, your score generally goes down.
Often our first engagement with a defense contractor starts with an assessment. Our first questions might be, “Where are you with your documentation? Do you feel like you’re fully documented in governing these practices with policies and procedures?” If the contractor replies, “We are 0% documented,” that typically means that every assessment objective that says ‘defined’ is in a failed or at least a partially failed state. Put another way, if you are not doing your documentation, there is a significant negative impact on your score.
A key element of preparing for an audit is accurately defining the scope of your environment. Scoping determines which parts of your technology landscape are included in the assessment and ensures that boundaries between systems are clearly defined and defensible. For instance, if your organization’s environment includes Windows devices, an Active Directory domain, and Linux devices, you must establish a clear and defensible boundary separating the Windows and Linux environments. This may allow the Linux environment to be classified as out-of-scope if it is properly segregated from in-scope systems through technical and administrative controls, ensuring it does not process, store, or transmit CUI and cannot impact the security of systems handling CUI.
Without well-defined and documented boundaries, an assessor may raise concerns. For example, while your Windows environment might showcase strong security controls, any lack of clarity regarding its interaction with the Linux environment could lead to additional scrutiny. Clearly scoping and documenting these boundaries is vital in demonstrating compliance during the assessment.
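The scoping passage above describes two things an assessor will probe: whether any traffic crosses the boundary between in-scope (CUI and security-protection) systems and the segregated out-of-scope environment without being documented, and whether every host that touches in-scope systems is actually in your inventory. The script below is an added example, not CyberSheath’s tooling or anything the assessors use: it runs a defensibility check over a constructed asset inventory and a constructed set of allowed firewall flows (the host names, ports and the scope categories are assumptions), flagging any allowed flow that crosses the boundary or touches an unknown host unless it is listed as a documented exception, and it also reports configuration evidence that has not been re-checked within a chosen window.

```python
from dataclasses import dataclass
from datetime import date

# Constructed asset inventory: host -> scope category assigned in the SSP.
# Host names and categories are placeholders, not from any real environment.
ASSETS = {
    "win-fs01": "CUI",                   # file server that stores CUI
    "win-ws10": "CUI",                   # workstation that processes CUI
    "win-dc01": "Security Protection",   # Active Directory domain controller
    "linux-build01": "Out-of-Scope",     # segregated Linux build host
    "linux-web01": "Out-of-Scope",       # segregated Linux web host
}


@dataclass(frozen=True)
class Flow:
    """One allowed/denied rule as it might appear in a firewall policy export."""
    src: str
    dst: str
    dport: int
    allowed: bool


# Constructed flow records (assumed export of the boundary firewall policy).
FLOWS = [
    Flow("win-ws10", "win-fs01", 445, True),          # in-scope to in-scope
    Flow("win-ws10", "win-dc01", 389, True),          # in-scope to in-scope
    Flow("linux-build01", "linux-web01", 22, True),   # out-of-scope to out-of-scope
    Flow("linux-build01", "win-fs01", 445, True),     # crosses the boundary, undocumented
    Flow("linux-web01", "win-dc01", 389, False),      # denied, so no crossing occurs
    Flow("win-dc01", "linux-web01", 53, True),        # crosses the boundary (DNS from the DC)
    Flow("vendor-laptop", "win-fs01", 445, True),     # source host missing from inventory
]

# Boundary crossings that the SSP explicitly documents and justifies (constructed).
DOCUMENTED_EXCEPTIONS = frozenset({("win-dc01", "linux-web01", 53)})


def in_scope(category: str) -> bool:
    """Anything that is not explicitly out-of-scope counts as in-scope."""
    return category != "Out-of-Scope"


def boundary_findings(assets, flows, exceptions=frozenset()):
    """Return allowed flows that cross the scope boundary, or touch a host the
    inventory does not know about, and are not documented exceptions."""
    findings = []
    for f in flows:
        if not f.allowed:
            continue  # a denied rule enforces the boundary; nothing to report
        src_cat = assets.get(f.src, "Unknown")
        dst_cat = assets.get(f.dst, "Unknown")
        unknown_host = "Unknown" in (src_cat, dst_cat)
        crosses = in_scope(src_cat) != in_scope(dst_cat)
        if (crosses or unknown_host) and (f.src, f.dst, f.dport) not in exceptions:
            findings.append(f)
    return findings


def stale_evidence(evidence, as_of: date, max_age_days: int):
    """Return artifact names whose last verification is older than max_age_days.
    evidence maps artifact name -> date the configuration was last checked."""
    return sorted(
        name for name, checked in evidence.items()
        if (as_of - checked).days > max_age_days
    )


# Constructed artifact repository index: artifact -> date last verified.
EVIDENCE = {
    "win-fs01 share permissions export": date(2024, 1, 15),
    "boundary firewall policy export": date(2024, 5, 2),
    "AD password policy screenshot": date(2023, 11, 30),
}


def report(as_of: date = date(2024, 6, 1)) -> list[str]:
    """Human-readable lines for the readiness checklist."""
    lines = []
    for f in boundary_findings(ASSETS, FLOWS, DOCUMENTED_EXCEPTIONS):
        lines.append(f"undocumented boundary flow: {f.src} -> {f.dst}:{f.dport}")
    for name in stale_evidence(EVIDENCE, as_of, max_age_days=90):
        lines.append(f"evidence older than 90 days: {name}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed data, the check reports the undocumented flow from linux-build01 to the CUI file server and the flow from the uninventoried vendor-laptop; the DNS flow from the domain controller is suppressed only because it is on the exception list, which is the point: a crossing flow is acceptable to an assessor only when the SSP already says it exists and why. The evidence check flags the two artifacts last verified more than 90 days before the assessment date.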
Keys to a successful audit
Executive support: Executive buy-in is critical as the leadership team signs all of your policy documentation and makes sure you have the right resources available. When execs are showing interest, demonstrating that they are concerned about CMMC, and excited about implementing those controls, the rest of the company usually follows suit.
Mature documentation: Documentation is pivotal in the entire assessment process. You need a well-defined SSP, as that document steers your assessment. If your SSP is poorly written, or the controls described within it are poorly conceived, you are going to have a hard time throughout your assessment. Assessors look at what you say you’re doing in your SSP and then go looking for where else they can find that implementation or control.
Confidence in scope: Verify your flow controls and boundaries. When the assessor starts asking questions, you can get thrown into uncertainty, so take the time to prepare. You need to put eyes on and confirm that the scope is truly defensible.
Evidence-backed readiness assessment: Practice, practice, practice. Do the assessment on yourself. Don’t just trust that your IT or security staff has implemented the controls, ask for verification from your administrative perspective. Have them show you the control, gather evidence, and prepare an artifact repository. Make sure that you have a documented state of the configurations and when they were last checked.
Resource availability: During your assessment, if you are queried about a control, you need to have the right people available to answer any questions the assessors may pose. This helps avoid delays in your assessment, which could ultimately lead to the assessment not being finished.
Practical understanding of requirements: Understand the controls and how to communicate your compliance—and be aware that auditors have varying levels of experience. Make sure your scope is clearly defined so that you keep the focus of the assessment where it belongs. If your description or definition of your boundary is full of holes, the conversation can take unexpected detours. You want to be crisp, and you want to have the scoping and boundaries defensibly in place.
Assess, implement, and manage your way to compliance
A continuous compliance philosophy enables your business to stay the course at any point along your compliance journey, even as business needs and requirements evolve and expand. Compliance is kept auditable on a continuous basis so that you do not regress into non-compliance between assessments.
Perform a self-assessment on an annual basis. The interim requirements don’t state that you need to do an evidence-backed assessment, but if you want to have confidence in your own assessment, instead of pencil whipping through a questionnaire, gather the evidence, put eyes on the configurations, verify that your boundaries are as they are defined, do the flow controls to gain the confidence, and prepare for an audit or certification in the future.
If you have any questions about how to ready your company for an audit, contact us. We’re here to help.