FAQs based on the experience of completing the first successful assessment
The Joint Surveillance Voluntary Assessment Program (JSVAP) that supports the Cybersecurity Maturity Model Certification (CMMC) initiative is critical for maintaining the security and integrity of the Defense Industrial Base (DIB) cyber-infrastructure. The first successful JSVAP assessment has been a topic of interest for many organizations, cybersecurity professionals, and experts. As with any breakthrough, it’s natural to have questions and curiosity about the details of this achievement.
In this blog, we aim to answer the frequently asked questions (FAQs) about the first successful JSVAP assessment, giving you a more comprehensive understanding of the assessments, and their significance. So, let’s delve into the world of JSVAP and get all your questions answered:
Q: Do you know when NIST 800-171 r3 will be finalized, and will that affect the JSVAP?
A: NIST SP 800-171r3 should be available for public comment around May or June of 2023 and finalized sometime after the 60-day comment period. We anticipate DIBCAC adopting r3 when it is completed, but it should not affect those organizations that have already completed an assessment. It is also anticipated that these changes will be rolled into the joint surveillance assessments and CMMC once r3 is complete.
Q: Must deliverables be approved at each Phase before moving to the next Phase?
A: This question mainly concerns CMMC, once approved. The simple answer is yes. If there are any changes to the assessment plan throughout the assessment process, both the lead assessor and the OSC sponsor must sign the updated document. If there are no updates, a final assessment plan is signed and submitted via eMASS at the completion of the assessment.
Q: Did you inventory all CUI?
A: If by inventory you mean data flow, yes. OSCs must understand their data and how it flows through the environment, so one of the first steps in this process is identifying CUI. As far as actual inventories, those are completed for users, devices, and solutions that live within the environment.
Q: How did you manage the WFH risks (local storage resources, printing, security of the home Wi-Fi, removable media)?
A: The OSC has a hybrid approach, which most engineering and aerospace clients are steering towards. The GCC High cloud is used to store CUI data, while on-premises systems are segmented from the rest of the environment. This approach was chosen because of the graphics-heavy solutions they use: placing these solutions in the cloud environment slows processing down significantly, so a decision was made to keep them on-premises. Printing was controlled and authorized for roughly 5 users. This is acceptable under NIST 800-171 and CMMC, but there has to be a verification process to ensure that those printing remotely are following the physical security practices that protect the printed information. WiFi is not used within the CUI environment. Remote workers and those on-site connect via a Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI), where most of the controls are implemented. Removable media is not authorized in their environment.
Q: What percentage of the practices did you cover with interviews or tests?
A: The interview session, known as phase 2, discussed every practice and all 320 objectives. Of the 110 practices, roughly 40% to 50% were viewed through live demonstrations via screen shares from system administrators.
Q: Did the OSC generate and mark any CUI, in addition to receiving CUI from the Government customer?
A: Yes and yes. While the CUI the OSC creates is very minimal, they do receive CUI from their DoD partners.
Q: For the FIPS issue, were all of your devices current with their FIPS validation, or were you running patched validated versions? If patched, how was that handled?
A: All devices were running updated versions of FIPS 140-2 validated encryption, except for the devices that were filtering email. Those devices ended up being replaced with newer models. As for the firewalls, the vendor has since updated their certificates.
Q: What types of evidence were provided for 3.1.1 processes and device authorization?
A: The OSC provided screenshots of previous logs that were used for formal internal investigations. Live demonstrations were performed with the SIEM to see logs in “real time.” While the OSC did not have any logs that launched a serious investigation, they did provide, and walked us through, the procedures to follow should an investigation be required.
Q: Was DIBCAC in agreement with Redspin about the importance of the printing security issues, and about control of the CUI if printing is allowed?
A: DCMA DIBCAC was in agreement with Redspin about printing capabilities and the security practices for protecting printed CUI data. However, it was not a finding under their DIBCAC High assessment because the OSC addressed it rather quickly. Under Redspin’s assessment, the gap mainly concerned the lack of a process to protect that printed data, as no process was in place for remote workers. Again, the OSC addressed that gap within a few days after the assessment.
Q: Was separation of duties an issue for you?
A: The OSC did say it was a little challenging because they are a small company. They put a lot of thought into who should do what across the organization.
Q: Talk about Commercial O365 vs. GCC High.
A: Commercial O365 does not utilize FIPS 140-2 validated encryption, nor is Microsoft planning to do so with that solution. GCC was mainly developed for those organizations that deal with FCI, or CMMC Level 1 practices, as GCC meets those requirements. However, for organizations seeking CMMC Level 2, the GCC High environment is the only Microsoft solution that meets the requirements.
Q: What is your statement on the rulemaking delay until 2024?
A: The delay in rulemaking is the latest information received from the CIO office and the DoD. Currently, the rule is still in the hands of the DoD and has not been sent to the Office of Information and Regulatory Affairs (OIRA) for processing. In conversations with the DoD and the Cyber AB, this delay is mainly due to the comments that stakeholders within the DoD made on the proposed rule, which must be addressed before sending it to OIRA. Determining when the rule will be final is all speculation and best guesses; there is no doubt that it will shift to 2024, though. While the rulemaking has shifted, there is still a requirement under DFARS 252.204-7012 that all organizations were supposed to comply with back in 2017. The bottom line is: don’t wait for the rule!
Q: One of the SP 800-171 requirements at 3.11 is Risk Assessment. Can you describe the OSC’s risk assessment methodology and frequency?
A: Each organization tackles risk differently, but all have the same goal: reducing or mitigating it. The OSC performs weekly external-facing scans, monthly scans of their website and applications, and quarterly internal scans. Critical and high vulnerabilities are addressed within 3 and 5 business days, respectively. Items are prioritized, addressed, and documented. Annual risk reviews are performed before 4th-quarter budget meetings, and any risks that require resources are submitted at that time.
Q: Did you follow the flow for FCI too, since that is what the Level 1 practices cover?
A: Level 1 practices are addressed during the assessment. Typically, FCI does not reside in the CUI environment, so some scoping of the assessment will look at the environment where FCI data resides. While the technical processes for Level 1 are not as robust as the Level 2 requirements, there is a lot of focus on governance via policies and procedures.
How Redspin can help
If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.