December 3, 2024
Preparing Assessment Evidence: Adequacy & Sufficiency
While not exactly a "hot topic" in the CMMC ecosystem right now, I believe this is something that many OSCs do not fully understand, so I want to tackle this concept now.
The CMMC Assessment Guides tell us:
Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.
What these guides do not tell us is what exactly that means! What is sufficient? What is adequate? Neither NIST SP 800-171 nor NIST SP 800-171A addresses these terms either. I learned them only in my CCP and CCA classes, where we dug deeply into the assessment process.
The short version is this: Adequacy means the right kind of evidence, and Sufficiency means enough of the right kind of evidence. How do these concepts apply in real life?
Adequacy. You are presenting evidence that correctly answers the question asked. For example, if you are talking about identifying processes acting on behalf of authorized users (AC.L2-3.1.1[b]), don't show the list of users in Active Directory. Show the list of approved processes that is maintained by IT and approved by your Change Management Board.
Sufficiency. You are presenting enough of the right kind of evidence, covering all assets that are in scope for this control. For example, if you have multiple operating systems (Microsoft PCs, Macs, Linux devices) in your environment, you will need to provide evidence of how each control is met on each operating system. Administrative controls will often apply across the board, but technical controls may be implemented differently on different platforms. Be prepared to show evidence of how each assessment objective is met on each platform in your CUI environment. Another example: if you have different configuration baselines and control sets for groups of assets (e.g., laptops that travel vs. PCs that don't), you will need to demonstrate how each assessment objective is met for each group of assets with similar configurations.
It's a lot, I know! Many organizations have the technical controls in place, but lack the administrative procedures and documentation. Even if you have all that covered, providing the right evidence for assessment is a big job. We can help!
PS: If you need help in developing a plan to properly secure and/or document secure configurations for Linux or macOS, let us know. Our VP, Mitch Adair, is a longtime Linux/Unix system administrator, and TNE has always been a Linux/Mac shop.
We have many years of experience available. Don't hesitate to reach out! Email, call, or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107