March 27, 2024
Understanding the CMMC Assessment Guides
Many people are intimidated by the "wall of words" that appears when they open one of the CMMC Assessment Guides. They don't understand how to use the Guides -- and this understanding is critical to your CMMC preparation! So let's go over the basics of the Requirements Descriptions, taken from the CMMC Assessment Guide Level One (L1AG):
First, we have the Requirement Number, Name, and Statement:
Notice that in the latest version (2.11) of the L1AG, the numbering scheme has changed. That's because L1 is now aligned with the FAR 52.204-21 Basic Safeguarding Rule, so the requirement numbers come from that document.
Next, we have the Assessment Objectives taken directly from NIST SP 800-171A (with the caveat that for L1, CUI was replaced with FCI):
This may very well be the most important section in the assessment guides. I often find that people don't know about NIST 800-171A, so they have never seen the assessment objectives (AOs), and don't realize that they aren't fully meeting controls that they have marked MET in their self-assessments. You must meet every AO in order for that requirement to be MET.
Next, we have the Potential Assessment Methods and Objects, again taken from NIST SP 800-171A:
This is a list of the types of evidence you might want to provide as proof you have met this requirement. Assessors will be looking for these things.
The Discussion section is taken from NIST SP 800-171 Rev. 2 (with CUI exchanged for FCI):
This may very well be the most useful section, as it gives insight into what the authors intended when they wrote the requirements and AOs (because truthfully, it's not always obvious).
Finally we have the Further Discussion section:
This section was written specifically for the CMMC AGs and did not come from NIST. I'm pointing this out because I have seen many people misuse this section. The explanations and the examples are great for helping get "unstuck," for coming up with ideas on how to meet a requirement. It's important to note, as stated in the AGs: "These examples are intended to provide insight but are not intended to be prescriptive of how the requirement must be implemented, nor are they comprehensive of all assessment objectives necessary to achieve the requirement."
This is important! There are two key points here:
(1) "intended to provide insight but are not intended to be prescriptive": You don't have to do the things in Further Discussion. Nothing said in Further Discussion is required. I've seen people take the examples from Further Discussion and think of them as requirements. Don't expand the scope of requirements! For example, in the Further Discussion section of PE.L1-B.1.IX – MANAGE VISITORS & PHYSICAL ACCESS [FCI DATA], it says "All non-employees should wear special visitor badges and/or are escorted by an employee at all times while on the property." While I am a fan of visitor badges, this is not required! Visitors must be escorted, their activity monitored, and their access logged. Badges are optional.
(2) "nor are they comprehensive of all assessment objectives necessary to achieve the requirement": Doing everything in all the examples will not necessarily mean you have fully met all the AOs of any particular requirement. Using the same example above, the phrase "wear special visitor badges and/or are escorted" seems to imply that if a visitor is wearing a badge, he/she does not need to be escorted. Untrue! Read the requirement again -- "Escort" is literally the first word, and it's the imperative form of the verb.
To reiterate then, while the Further Discussion sections are really good for providing ideas, food for thought, places to start, things to research ... they do not provide definitive answers.
If you still can't deal with the "wall of words" on your own -- you know where to find me!
Upcoming Virtual Workshops
CMMC 101: Getting Started with CMMC (April 10)
CMMC 102: Understanding the Requirements of Level One (April 17)
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!