A Day with CMMC Assessors
May 1, 2024
Workshop Report composed by:
Louis Daher, University of Michigan
Erik Deumens, University of Florida
Cynthia Grigorescu, University of Illinois
William Haskell, Buffalo University
Jesus Olmedo, Midland University
Tina Rimbeck, Buffalo University
Christian Sousa, Colorado University
SEE BELOW FOR RESOURCE-PALOZA
Workshop Report
In the realm of cybersecurity, the Cybersecurity Maturity Model Certification (CMMC) framework can be likened to an apartment complex, where each unit’s security is managed individually yet contributes to the overall safety and integrity of the entire structure. Each entity must customize its cybersecurity measures to its contract’s requirements, maintain ongoing vigilance through scoping, and ensure focused documentation and access control, all under the guidance of the overarching CMMC governance.
No One-Size-Fits-All: Just as every apartment reflects its inhabitants' different needs and preferences, the CMMC framework must be customized to fit the unique requirements of each contract.
Ongoing Scoping Process: Scoping is akin to the continuous maintenance and updates needed in an apartment building. It begins before the assessment (or ‘move-in’) and is a constant process to ensure security measures are up to date.
Building Blocks for Foundation: The CMMC program provides the foundational ‘building blocks’ much like the infrastructure of an apartment building. Each contract, or ‘apartment’, then builds upon this to create a secure environment tailored to its specific needs.
Controlled Access: The flow of people in and out of the apartment building represents data and network traffic. It’s essential to ensure that only authorized individuals (owners and their guests) have access to any given ‘apartment’ (contract).
Varied Sizes and Features: Apartments come in different sizes and with various features, paralleling the diverse nature of contracts within the CMMC framework. Each requires a different approach to security, reflecting its unique characteristics.
Focused Documentation: In the same way that residents wouldn’t provide a stranger a detailed tour of their home, it’s important to avoid volunteering unnecessary information to assessors. Stick to what is required by the controls and point to the exact sections of policy that apply.
Efficient Scoping/Documentation: Effective scoping and documentation are like having an organized apartment; the better they are, the more time you save, which translates to saving money.
Advertised Workshop Abstract
This full-day workshop builds on the community-created System Security Plan (SSP) responses from the 2023 Advanced System Security Plan (SSP) Workshop. In 2023, community members reached consensus on developing responses to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls in a hypothetical shared SSP. In this year’s advanced skill workshop, attendees will gain a better understanding of the preparation required for the eventual third-party Cybersecurity Maturity Model Certification (CMMC) assessment of research enclaves and labs by engaging with Certified CMMC Assessors (CCAs).
This workshop will feature presentations and discussions with CCAs who will share exclusive lessons learned and tips. Content for this workshop is tailored to assess research activities by recognizing the similarities and differences between large prime contractors and higher education institutions. Those attending should expect to gain or build upon their fundamental grasp of cybersecurity compliance requirements for CMMC. This can enable organizational preparation for CMMC assessments in higher education and better preparedness to engage with Certified Third-Party Assessment Organizations (C3PAOs), which can help reduce an institution’s cost to CMMC compliance. Through presentations and group discussions, participants will walk away with expert knowledge of how to best position their institutions in pursuit of CMMC assessment certification.
Expected Outcomes: Participants will walk away with expert knowledge to best position their institution in pursuit of their CMMC assessment certification through presentations and group discussions.
Agenda: The morning is dedicated to the early foundational work of self-assessing your CMMC enclave. We will then take a deep dive into scoping for your CMMC assessment, as it is the start and end of your assessment journey. How you define each of the asset categories also determines how closely the assessors are obligated to evaluate each asset. Your defined scope will affect overall costs: a well-defined scope keeps assessment costs down, while over-scoped security assets compound them.
After addressing scoping, we’ll move to building your SSP for success. This document should serve as a guide for assessors and the U.S. Department of Defense (DoD); an SSP done well can save time and money. We’ll address how to approach cross-referencing security controls and where to get the biggest bang for the effort within your SSP.
After lunch, the focus becomes preparing for the assessment (and operating within these new procedures once you become certified). The Certified CMMC Assessors will discuss the other supporting pieces of documentation and how you know you are delivering the proper evidence. We’ll discuss the different ways you could prove you are satisfying the controls. During this topic, you will gain a stronger understanding of how Federal resource documentation and your institution’s documentation connect.
Finally, we’ll dive into what the relationship with your C3PAO will look like as you proceed in your CMMC assessment journey. This includes, before committing to a C3PAO, interviewing them about their degree of expertise and their fit for assessing a research institution. We’ll address how to prepare your institution’s team for what can happen during your assessment. And once you have acquired your CMMC assessment certification, we will discuss the ongoing effort to maintain compliance as your certified enclave evolves.
Valuable Resources
Acquisition.gov – FAR Part 52, Section 204: https://www.acquisition.gov/far/52.204
Acquisition.gov – DFARS Part 252, Section 204: https://www.acquisition.gov/dfars/252.204-reserved
CUI FAQs: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf
Cyber AB: https://cyberab.org/
DIB Cybersecurity Services: https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/
DISA STIGs: https://public.cyber.mil/stigs/
DoD CIO CMMC: https://dodcio.defense.gov/CMMC/
NIST Cybersecurity and Privacy Reference Tool (CPRT): https://csrc.nist.gov/projects/cprt/catalog#/cprt/home
Project Spectrum: https://www.projectspectrum.io/#/
DIBCAC Asset Inventory Spreadsheet created by presenter Michael Snyder
800-171r2 Self-Assessment Remediation Worksheet - created by presenter Wendy Epley
No Cost CMMC Services assembled by presenter Derrich Phillips
CyberMD Series - Understanding CUI References in your Contracts assembled by presenter Michael Snyder
OSC Objective Evidence List created by presenter Michael Snyder
Microsoft
Amazon Web Services (AWS)
RRCoP Resource Sheet
RRCoP: www.regulatedresearch.org
Monthly Webinar Recordings: https://www.regulatedresearch.org/monthly-webinars/rrcop-recordings-and-presentations or attend webinars https://www.regulatedresearch.org/monthly-webinars
Advocating – Share your Use Cases: https://www.regulatedresearch.org/advocacy/perspectives
Purdue End-To-End CUI Workflow deliverables: https://www.regulatedresearch.org/resources/peer-practices/purdues-end-to-end-cui-workflows
Join the Mailing List: https://www.regulatedresearch.org/join
HigherEdCUI Slack Community (~1000 members and growing) – please name yourself with your institution FIRST LAST (Institution) https://join.slack.com/t/higheredcui/shared_invite/zt-5f81k2he-76Prue4J_P8TunGAeySQfg
Regulated Research Workshop Series output: Higher Education Regulated Research: A Collective Perspective. Learn about the 6 major pillars of each of our regulated research programs and how to leverage existing resources for moving each of those forward.
Advanced System Security Plan writing workshop deliverable (if not an EDUCAUSE member, please email info@regulatedresearch.org): 43 of the 110 controls, created as a baseline for the depth of information contained in your own System Security Plans.
Cyber-AB Academic Advisory Council - https://cyberab.org/About-Us/Advisory-Groups
EDUCAUSE 800-171 Community Group https://www.educause.edu/community/heisc-800-171-community-group