
Requirement Adoption

One of the things we at IntelliGRC focus heavily on, whether it’s in our service engagements or in the way we’ve developed our GRC application, is trying to ensure that the people we’re assisting go beyond just meeting the bare minimums to get by (i.e., through their initial formal assessment). We strive to help our members and peers understand and truly adopt the requirements at hand. It’s one thing to implement a requirement; it’s another thing to adopt the requirement as part of your organization’s processes and not just do it because the DoD or your Prime told you to do so. 

A huge part of adoption is having a solid understanding of the requirements themselves. A cursory look at my own experience, and at the conversations I've had with clients and others in the industry, is sufficient evidence that it is EXTREMELY common for requirements to be misinterpreted. Misinterpretation leads to misunderstanding of the organizational context, which leads to misapplication, which, unfortunately, leads to insufficient implementation, weak adoption, and potential assessment failures. 

When I teach MSPs and OSCs that are trying to become intimate with the CMMC requirements, we spend a lot of time going through the formal documentation that exists for the CMMC Program. This is probably obvious, but there are still significant knowledge gaps within the industry, as well as among outsiders trying to either 1.) become a defense contractor or a member of the supply chain for defense contractors or 2.) support DIB contractors as a service provider like an MSP, MSSP, etc., especially in regard to these documents. 

So, as a refresher for people and organizations currently in the know as part of the DIB or currently supporting organizations in the DIB, and as an introduction/knowledge dump for those who would like to get more familiar with the requirements the DIB must employ as obligated by DoD in the DFARS, I'd like to spend some time focusing on a very important document: one that, if understood and used properly, can help organizations understand, adopt, and truly see the value of the requirements the DIB is facing. 

In this blog, I want to practically address a small portion of the critical information that must be understood to prepare for and maintain a cyber governance program that can be scrutinized by a C3PAO or DIBCAC when necessary and truly be understood and adopted by internal staff and stakeholders: the CMMC Assessment Guide for Level 2. (I'll paste a link to the most updated version in the comments.) The reason I like to use Level 2 is that it shares the same content and structure as the Level 1 Assessment Guide, and Level 2 is the most common CMMC level that the organizations and individuals we engage with are obligated to implement and prepare for, due to the actual or potential storing, processing, or transmission of CUI in the performance of a DoD contract.  

Why focus on the assessment guide in the first place? In my humble opinion, after spending a significant amount of time supporting DIB contractors with DFARS 7012 and 7019 implementation and maintenance, the CMMC Assessment Guide for Level 2 is one of (if not the) most helpful guidance documents that exist, not just for performing assessments (self or C3PAO), but also for implementing and preparing for such assessments! Other documents and resources are also extremely helpful, but this Assessment Guide is something every person working with CMMC, whether as a consultant or as someone internally trying to learn and implement the requirements, should have bookmarked in their browser of choice as a go-to resource at all times when working on CMMC implementation. As I mentioned earlier, the assessment guide can be used as a foundation for successfully establishing a compliance program and thus adopting strong cyber practices. To get the most from the assessment guide as a tool for that purpose, it's important to consider several nuances of the guide itself, such as its structure and flow. So, let's dive in. 

Assessment Guide Structure 

The Assessment Guide's entire structure and content is helpful, from the table of contents all the way through the Acronyms and Abbreviations list in Appendix A at the end of the document. When I teach through the Assessment Guide, I always try to emphasize the practical use of the table of contents. Again, this may seem elementary, but having a hyperlinked list of each section of the document and, more importantly, of each CMMC requirement (Control IDs and their friendly names) provides context and quick access if you don't know the control by memory, and that is incredibly helpful. All the controls/requirements in the table of contents are in order (under the previous CMMC Level 2 Assessment Guide released when CMMC 2.0 was announced, Level 1 and Level 2 requirements were split up and ordered differently).  

After the Table of Contents, the Assessment Guide lays the groundwork for a solid understanding of its purpose and audience and discusses a bevy of concepts and terminology related to the CMMC program. Things like the different types of assessments (self vs. certification), terms that are unique to the CMMC program like Enduring Exceptions and Temporary Deficiencies, and much more are all defined and discussed. A huge benefit of the way these portions of the document are written, especially the CMMC-Custom Terms, is that for many of the unique terms and concepts it addresses, it tells you where in 32 CFR Part 170 the concept and its associated requirements and criteria can be found, or at least where it is defined. 

Next, the guide describes the assessment criteria and methodology for actually performing an assessment in a way that aligns with the CMMC requirements. This methodology depends heavily on documents that have been around for quite a while, such as NIST SP 800-171A, which contains the assessment procedures for NIST SP 800-171, and the DoD Assessment Methodology required by DFARS 252.204-7019. This section is incredibly helpful in guiding an assessor (as well as the OSC preparing to be assessed) to an understanding of what types of items may be assessed (assessment objects) and how they are to be assessed. It also includes the methods by which an assessor reviews these items to come to a determination as to whether the requirement has been implemented sufficiently. This section is riddled with awesome examples and context, and I couldn't encourage people more to really get familiar with the content here, as it regularly proves itself to be priceless to those trying to understand the intent of a requirement. 

The Assessment Guide then provides a very thorough summary of the different types of findings that exist as potential outcomes of assessing a requirement. It discusses the definition of, and the means by which, any given requirement is determined to be either "Met", "Not Met", or "Not Applicable (N/A)". It also provides several paragraphs explaining different scenarios and rules related to making determinations and setting a finding value, such as the rule that all assessment objectives must be "Met" in order for the corresponding requirement to be found "Met". Seeing an example of conditions that have met a requirement is sure to give you confidence in your implementation. 

The Assessment Guide then introduces the reader to the main body of the guide, which includes each of the CMMC Level 2 requirements and an immense amount of helpful content related to each requirement and how it is understood and assessed. More on this in the next section.  

Finally, a helpful appendix lists all the acronyms and abbreviations used throughout the entire document, along with the formal name or title each one represents, in case the reader wasn't familiar with a certain term while reading through. When we assume we know what a word is supposed to mean, it often leads to the kinds of misinterpretations I encounter time and time again. 

Using the Requirement-Related Content 

Working with clients as a consultant, I spend a LOT of time in the "Requirement Descriptions" section of the assessment guide. The content found for each requirement here includes several things to aid in the discipline of understanding, preparing for/implementing, assessing, and, ultimately, adopting the requirement. Here are a couple of tips or reminders for using this part of the document. 

  • Remember the Assessment Objectives – The assessment objectives (sometimes called the "Determine if" statements) are all the required parts of implementing a requirement. If even a single applicable objective is not satisfied, then the entire requirement is "Not Met". Read the assessment objectives and tailor your implementation of the requirement to the assessment objectives themselves. Don't try to just apply the overarching requirement without ensuring the objectives are covered thoroughly for the system. 
  • Don't Overthink the Potential Methods and Objects – The Potential Assessment Methods and Objects portion of each requirement description, though not perfect or always applicable, is just that: only meant to be POTENTIAL assessment methods and objects. They're meant to point the reader in the right direction in identifying what types of artifacts should be examined, who should be interviewed, and what should be demonstrated/tested as part of the assessment. Do not get hung up on assuming they all need to be applied and that you have to have all these things in place in order for the requirement to actually be implemented. This Assessment Guide, as well as NIST SP 800-171A Rev 2, both affirm clearly that not all methods or objects are expected to be employed. Just use wisdom and let this section inspire you on what you might do to implement the requirements and, as an assessor, what types of things you might look for in your evaluation. It's easy to look at all the assessment objects and methods and feel like we're missing something when we've tried our best to implement the requirement in good faith. Don't. Mitigate the risk that the requirement exists to mitigate, cover the objectives, and you should be fine. 
  • Use the Discussions – If you're not sure what a requirement is really getting at, take the time to read through the discussion sections. The first is pulled directly from NIST SP 800-171 (where the requirements come from), and the second, or "Further Discussion", adds further context and helpful perspectives. What's so beneficial about these discussion blocks is that they give you the obvious problem or concern that led to the requirement in the first place! There are also several examples and questions the Assessment Guide poses that you can ask yourself to really understand the requirement and how it may be implemented. Again, these aren't perfect, and sometimes the interpretation of a control can vary slightly from assessor to assessor, but in general, these are super helpful perspectives! 
  • Stay Engaged with Other External Resources – The CMMC Assessment Guide for Level 2, although extremely helpful and insightful, isn't all you need to consider. Another really helpful resource for deciphering a requirement and what an assessor may expect is the Evidence Plan spreadsheet that DIBCAC disseminated to C3PAOs and OSCs under the JSVA and other DIBCAC High Assurance assessments. Reach out if you'd like a copy to peruse! 

Until Next Time…

For many, the CMMC Assessment Guide for Level 2, or for any level for that matter, is already a well-known document. The first iteration was released in 2020 with the announcement of CMMC 1.0 and has been used by many through every iteration since. I'm incredibly grateful for the teams that were involved in putting this document together. Again, I can't encourage readers enough, especially those who are new and trying to learn CMMC, the related requirements, and how they are applied and assessed, to use this guide as much as possible. Of course, there are other documents, like the CMMC Level 2 Scoping Guide and the CMMC Assessment Process (CAP), which are incredibly important to be familiar with, so maybe we'll do some dedicated content on them here soon. If you still have questions or would like to talk more about the assessment guide or other CMMC or general GRC-related topics, please don't hesitate to touch base with us here at IntelliGRC! 

Happy Implementing!