I just completed the CMMC Certified Professional (CCP) training (big shout out to Koren Wise – exceptional instructor with years of experience – highly recommend her classes). The most important thing I realized from this class was the level of detail that is going to be required to “pass” a CMMC third-party certification. As a long-time veteran of DoD Cybersecurity with years of experience with the Risk Management Framework (RMF) and implementing NIST SP 800-53, I can say that the DoD itself does not have nearly the level of documentation that will be required for CMMC.
What do I mean? If you think that having a third-party assessment means that you will invite a Certified Third Party Assessment Organization (C3PAO) into your organization so they can review what you do and tell you whether it is acceptable – you are in for quite a shock. Assessors will not start by evaluating your processes and procedures – they will be evaluating what you tell them you do, as documented in the System Security Plan (SSP). Only if they agree that what you describe meets the expectations for adequacy and sufficiency (see definitions below) will they check your processes and procedures, and then only the specific processes and procedures you identified as evidence that the SSP’s description meets the requirement for a given control.
Effectively, that means you as an Organization Seeking Certification (OSC) have to already know that what you are doing meets the requirements, document what you are doing in the SSP, identify and provide evidence that you are doing what you say you are doing, and ensure that it is adequate and sufficient for every component that makes up your CMMC/CUI boundary. The amount of detail that is going to be required is nothing short of “enormous”. So, if you are planning to wait until the CMMC rule becomes effective on December 16th and then call a C3PAO to have them tell you that what you are doing is acceptable, with little or no preparation work – you are in for a rude awakening (not to mention that it will probably be months before you can actually get one to work with you). If you are at all unclear on what is needed to prepare for your assessment – I HIGHLY recommend you reach out to an experienced and trained consultant to review where you are and provide recommendations on preparing the mountain of paperwork that is going to be required to be successfully assessed.
From the draft CMMC Assessment Process (CAP)