As the first C3PAO to have undergone its own Level 3 assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and as the only C3PAO to have conducted two of the first successful JSVAP assessments, our team here at Redspin has gained unique insights into the CMMC ecosystem, which we believe are valuable to all organizations seeking CMMC certification.
In this blog we will highlight two areas of significance within the assessment process: documentation and training.
The documentation of practices enables individuals to perform them in a repeatable manner
While often overlooked, policy and procedural documentation is vital to achieving CMMC compliance. CMMC adds an additional layer to its compliance framework called Processes. Processes are designed to ensure that the organization has implemented practices (security controls) and supporting processes that are repeatable and lasting. Documented processes that the operators do not know about cannot be performed at all, let alone performed consistently. Within most organizations, there is an understanding of the roles within the team as well as of the processes and procedures that take place regularly within the network and the organization. To achieve compliance with CMMC Level 2, an organization must demonstrate maturity in its security controls, and its policy documentation must reflect this. This includes documenting each of the 110 practices within Level 2 to clearly define roles, responsibilities, and oversight. These processes extend to areas of an organization outside of the traditional IT team, including human resources, management, and potentially production teams. This makes CMMC more than just the responsibility of IT; it becomes an organizational responsibility.
Ensure staff is properly trained and understands how to securely handle CUI
Staff training is also a key element, not only for key stakeholders but for all users with access to Controlled Unclassified Information (CUI) and to the CUI enclave, which is designed to isolate CUI from the rest of the organization that does not require access to it.
Users need to be aware of their responsibilities in how CUI is accessed, as well as how it is securely handled and stored. Specific procedures must be followed when labeling CUI data, and these must also be accounted for in training. Additionally, mishandling of CUI, or storing CUI outside of the segmented CUI enclave within the network, can potentially cause additional areas of the network to fall into scope for CMMC.
As part of the certification process, the assessor team will interview users within the organization to ensure that they are following the proper designated procedures. A lack of understanding shown during these interviews can lead to a failed certification. This makes training team members on proper CUI data handling a vital component for any organization seeking certification. Staff training can be performed internally or by an outside party through a variety of methods. Whichever method is selected, the key is to ensure staff participation and understanding.
How Redspin can help
If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.