Story Time - Using Documentation To Tell Your CMMC Compliance Story
If you are preparing for a CMMC assessment, there is a good chance you have asked yourself what the critical components of a successful assessment are. This article offers some practical guidance on that question. You can use your documentation to set the stage for a CMMC assessment and help control the narrative. That can not only save you assessment-related costs, it can start the assessment off on the right foot and steer the conversation in your favor!
Many people overlook a critical component to having a successful assessment/audit - it comes down to the company being assessed being able to tell a compelling story about its compliance efforts and back it up with clear and concise documentation. What story does your documentation tell? Is it a compelling drama, a horror story, murder mystery, or worse yet, a slapstick comedy of errors? Can you even tell a story with your documentation at all?
Focus On The Mission – Do Not Get Sidetracked
When it comes to a CMMC assessment and dealing with the Certified Third-Party Assessment Organization (C3PAO), your mission is to demonstrate that you meet the Minimum Security Requirements (MSR) for each requirement that is in scope for the assessment. The C3PAO's assessment team just wants to see if you are tall enough to ride CMMC - demonstrate that you are! That is your mission, and it is yours to succeed or fail by how you approach it.
Your compliance story needs to explicitly illustrate to the C3PAO how people, processes & technology come together to address the NIST SP 800-171A assessment criteria. If you don’t explain it, no one will, and you lose a significant advantage in the assessment process.
MUST HAVE documentation to tell your story:
- Policies, Standards & Procedures
- System Security Plan (SSP)
- Plan of Action & Milestones (POA&M)
- Asset Inventories (hardware & software)
- Network & Data Flow Diagrams
- Incident Response Plan (IRP)
Assessments Are Team Activities
Assessments are rarely “single player” activities. Stakeholders need to be involved in both preparing for and participating in the assessment, and that includes your third-party service providers.
- Policies & Standards – It is feasible for one individual or team to address policies & standards.
- Procedures – Due to the decentralized nature of procedures, various stakeholders will likely be interviewed.
- SSP – Someone needs to “own” the story of the SSP and be a subject matter expert on what it contains.
CMMC Kill Chain - It Can Help Tell Your CMMC Compliance Story
Directly tied to the concept of dependencies is the CMMC Kill Chain. This free resource can help tell the story from how you started your CMMC journey all the way through sitting in front of the C3PAO team for the CMMC assessment, and it can help explain a Plan, Do, Check & Act (PDCA) approach to your compliance efforts. If you are not familiar with the CMMC Kill Chain, it was created as a proof of concept for an efficient way to plan a roadmap to successfully pass a CMMC assessment. The end result is a viable approach anyone can use to create a prioritized project plan for CMMC pre-assessment activities. The bottom line is that this model breaks CMMC down into 24 major steps, which can then be translated into a project plan.
Compliance Is Not The Same Thing As Security - That Is OK In This Context
It is important to educate stakeholders that focusing on the minimum number of controls needed for compliance generally leads to poor security. However, being “compliant” simply means your organization can demonstrate it has successfully addressed a minimum level of security practices. DO NOT try to impress the assessor with how secure your organization is! That has nothing to do with the assessment - the assessor only cares how compliant your organization is. Remember your mission: pass the CMMC assessment by presenting evidence of compliance, and do not get sidetracked on irrelevant matters. It ruins the story you are trying to tell, which is specific to passing a CMMC assessment.
Take The Initiative - CMMC Kick Off Meeting
- WRONG APPROACH: Waiting for the assessor to tell you what they want to see and reacting to it. This approach is a golden opportunity for an assessor to set up camp and rack up endless hours asking you question after question.
- CORRECT APPROACH: Take the initiative and set the battlefield. Not only have your documentation readily available, but open by telling the story of your compliance efforts, serve up the documentation that supports that story on a silver platter, and have subject-matter experts/stakeholders ready to coherently back it up. Keep in mind that these assessors temporarily work for you - tell them to sit, listen and learn. Take the initiative and control the conversation!
Understand What Controls Are & How To Explain Their Function
In practical terms, a control is the power to influence or direct behaviors and the course of events. Controls are technical, administrative or physical safeguards. They are the mechanism used to manage risk by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. CMMC “practices” and “processes” are controls.
If you are not familiar with the Common Criteria model, it is well worth evaluating as a way to help explain how your controls work. The premise is that if the controls are sufficient, threats to assets & data will be countered. The assumptions in this model are:
- The controls are correct and do what they claim to do; and
- Assets and data are properly categorized so that the appropriate level of control is implemented, neither overdoing nor underdoing it.
Understand The Difference Between Due Care & Due Diligence
Think of being “assessment ready” as a two-sided coin with due diligence on one side and due care on the other - both sides must exist. Due diligence is the research and planning (understanding the requirements and writing the policies, standards and procedures), while due care is actually doing what you said you would do (implementing and operating the controls).
Evidence of both due diligence and due care is needed to demonstrate compliance in a CMMC assessment. To be compliant, an organization has to actually implement and manage its controls, not just have high-level policies and standards written down (i.e., "shelfware"). Without documented evidence of both, you will fail the assessment. That is the reality of documentation needs.
A free resource to help understand how to create evidence of due care and due diligence is the Operationalizing Cybersecurity Planning Model from ComplianceForge. This high-level concept paints the picture of how individual contributors will actually operationalize your business plan, as well as how to prove it.
You Need To Tell The Story of Control Dependencies – That Will Be A Requirement
It is a common problem for people to forget about control dependencies, so don’t fall into that trap. Address control dependencies as part of your storytelling so that you are up-front and honest with the C3PAO. You don't want your assessor to feel you are hiding information from them; otherwise they will dig deeper, and that won't be in your favor.
Keep in mind that CMMC controls need to address the systems, applications and services that directly or indirectly impact CUI wherever it is stored, processed and/or transmitted.
- Clear & concise documentation is half the battle
- Stay calm and focus on the fundamentals
- Check out the CMMC Center of Awesomeness (CMMC-COA) for useful guides