In this episode, Kaleigh Floyd, Bobby Guerra, and Vincent Scott discuss the critical aspects of self-assessments in the context of CMMC compliance. They explore the different types of self-assessments, the importance of having a System Security Plan (SSP), and practical strategies for conducting effective self-assessments. The conversation emphasizes the need for thorough preparation, understanding assessment objectives, and the necessity of collecting evidence to support self-assessment scores. The episode also highlights the importance of continuous monitoring and the use of self-assessment tools to streamline the process.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello, climbers, and welcome back to another episode of Climbing Mount CMMC.
[00:00:09] Today, I'm excited to have Bobby and Vince Scott here again.
[00:00:14] Thank you so much for joining us, Vince. We're excited to have you back.
[00:00:17] Thanks for coming back.
[00:00:18] I really enjoyed the last session. I'm glad to be here, Kaleigh. Thanks for inviting me.
[00:00:22] Awesome. Of course. We love having you.
[00:00:24] Something that we talked about in our last session just for a little bit was self-assessments.
[00:00:30] And we said, hold on a second. We've got to dive into this.
[00:00:34] So we felt like this was going to really help you guys to learn, you know, first, where are you as far as the prerequisites of getting self-assessed yourself as a company?
[00:00:47] And then how do you properly self-assess your business, right?
[00:00:52] So we're going to talk about those two things today. Vince, I'm going to kick it over to you first.
[00:00:56] Just a reminder for everybody, there are two rules, right?
[00:00:59] One establishes the CMMC program. That's out now. Final. Go to the show.
[00:01:04] Certification assessments can start 17 December. All good.
[00:01:10] The contract clause rule that contains this, we've seen as a proposed rule.
[00:01:17] That is now back with comments for the DoD to rework and give us the final one.
[00:01:22] We don't expect that to go final until quarter two next year.
[00:01:25] So I want to differentiate kinds of self-assessments first.
[00:01:31] So when companies today talk about self-assessment, we're talking about submitting a score to the Supplier Performance Risk System under the existing DoD contract clauses that are enforced today and have been since December 1st of 2021, I think.
[00:01:52] Yeah.
[00:01:53] Right?
[00:01:53] For several years, these have been requirements and companies have been quote unquote self-assessing.
[00:01:59] What those clauses, currently active in almost every DoD contract today, say is you must submit a score in order to be eligible for contract award.
[00:02:13] Now, under CMMC, we have a new assessment methodology that's different from the way we've been self-assessing before.
[00:02:25] The CMMC assessment methodology.
[00:02:29] And in that, then we get to Kaleigh, under the CMMC bucket, we get to Kaleigh's two mechanisms, a level one self-assessment, which is for federal contract information.
[00:02:43] I anticipate that everybody in the defense industrial base is going to have to do a level one self-assessment.
[00:02:51] I mean, there's almost no getting away from do I have federal contract information as a part of this.
[00:02:56] I was going to ask if that was even a possibility because it's like they're working in the government space.
[00:03:01] So how is it possible that they wouldn't have one?
[00:03:03] I can't think of one, but maybe, right?
[00:03:08] So just because I can't think of one doesn't mean there isn't one, but pretty much everybody, you're going to have to at least self-assessment level one, right?
[00:03:17] Right.
[00:03:18] In accordance with the CMMC methodology, which means all 17 controls or 15 requirements out of the FAR, they kind of divided up those 15 requirements into 17 requirements in NIST.
[00:03:35] Yeah.
[00:03:37] Those 17 requirements must be 100% implemented.
[00:03:42] There is no POAM.
[00:03:44] There is no partial.
[00:03:45] There is no extra credit.
[00:03:48] You got to have 100 on your quiz for federal contract information.
[00:03:55] That is the only acceptable grade.
[00:03:59] And you must self-assess annually that you're doing all 17 using the CMMC process, which we'll get into a little bit because it's kind of the same process for level one and level two.
[00:04:13] It's very, very similar.
[00:04:16] And you've got to submit that to the DoD.
[00:04:22] Now, no one has done that yet that I'm aware of.
[00:04:25] The system, SPRS, is planned to be modified, is my understanding, so that we can submit level one self-assessment scores.
[00:04:40] But I haven't seen that functionality yet.
[00:04:43] As far as I know, that's not in place.
[00:04:46] Then we have level two.
[00:04:48] So if you process, store, or transmit controlled unclassified information, which many contractors will, at least on a contract or two, they will have some interaction with CUI.
[00:04:59] You have to self-assess every three years and affirm every year, with an affirmation being the equivalent of a legal oath: somebody in your company has to be the affirming official who is swearing that you are at the score that you say you are.
[00:05:35] Mm-hmm.
[00:05:37] Then there's the potential for that person to face personal, criminal, federal, fraud charges for making that affirmation when they knew that that was not the case or should have known.
[00:05:51] Mm-hmm.
[00:05:52] So I love that you're saying this because one, like one going into this as a company, you need to know what a self-assessment is and what it means.
[00:06:01] It does not mean the same exact thing that is happening right now as what you have said before.
[00:06:08] Yes.
[00:06:09] It is going to be different.
[00:06:10] So Vince, let's get back to the specific things that you'd like to see.
[00:06:15] Let's talk specifically about the now getting ready.
[00:06:20] Right.
[00:06:20] What are the things that you'd like to see or you think if you're going to try to do a self-assessment of yourself and we're doing it today, it's not the 32, but we're doing it today.
[00:06:29] What type of things would you like to see?
[00:06:32] Well, the number one thing is actually required in the regulation because it's required in today's DoD Assessment Methodology.
[00:06:42] And it's also required in the CMMC methodology explicitly.
[00:06:47] You cannot do an assessment unless you have a system security plan.
[00:06:52] Right.
[00:06:54] So if you do an assessment and you submit a score and then we're talking about doing your certification and you say, well, what's an SSP?
[00:07:05] We might have a problem.
[00:07:07] Failure to launch.
[00:07:08] You might not be ready for CMMC.
[00:07:10] Yeah.
[00:07:11] The system security plan, there is a template posted to the NIST 800-171 revision 2 webpage that is the standard starting point for everyone for a system security plan.
[00:07:26] So you don't have to start from scratch.
[00:07:28] There's a template.
[00:07:31] Everybody uses the template pretty much.
[00:07:33] There are a couple of things I would advise people in the nitty gritty to change about the template to better meet their requirements.
[00:07:41] But everybody starts with that and that's the place to start, right?
[00:07:44] Start with that is the template in the way.
[00:07:47] Let me interject something right here.
[00:07:49] This is a great time to inject a consultant, somebody that knows what they're doing, that has gone through assessments, that can kind of look at your SSP and give you some good insight.
[00:07:58] If you're wanting to kind of maybe perhaps take it on your own, having someone with some good wisdom so that you don't spend a tremendous amount of time creating a document that's absolutely useless.
[00:08:06] So we've talked about, I mean, you can't get this started.
[00:08:12] You can't self-assess without an SSP.
[00:08:15] And if you don't know where to begin and you need some help and some guidance, don't be afraid to ask somebody who has done this before.
[00:08:26] Especially these companies that have never really stepped into cybersecurity or this sort of space.
[00:08:32] Yeah, if you're starting completely cold, I think start with a gap assessment.
[00:08:38] Bobby talked about a qualified consultant, somebody who can come in and go through all 110 controls, all 320 assessment objectives with you.
[00:08:48] What are you doing today?
[00:08:49] What aren't you doing?
[00:08:51] You go through that and come up with a series of things that need to be done.
[00:08:55] And maybe you start with a blank SSP as a part of that process and start filling in your SSP template.
[00:09:02] And for me, the SSP tells the story of your architectural design, right?
[00:09:07] It's got to tell the story of what this scope looks like.
[00:09:11] So I think to me, having a good scoping document and diagram also would be a critical piece of that SSP.
[00:09:19] Because it's, I mean, obviously it's required in the SSP to have that.
[00:09:23] And I think having, again, that consulting conversation with scope, because then you know your scope has been looked at by a professional.
[00:09:30] Then your SSP has been looked at by a professional.
[00:09:33] Then I think at that point you would be possibly ready to start doing looking at a self-assessment.
[00:09:38] That's a great point, Bobby.
[00:09:40] In that, that's a, the definition of scope is way more robust under CMMC than it has been under the existing regulation.
[00:09:53] Right?
[00:09:53] So when we talk about scope, we really mean, where do I have to do all this stuff?
[00:09:59] We have all these controls.
[00:10:00] They all have to be implemented.
[00:10:01] Where do we have to do that?
[00:10:03] Really?
[00:10:04] Right.
[00:10:04] Based on the CMMC assessment scoping guides, which we have one for level one and level two and level three now, right?
[00:10:12] How do I scope?
[00:10:15] And scoping in and of itself in CMMC has now become something that has a, at level two, it's like 14 pages.
[00:10:25] Right, Bobby?
[00:10:25] Something like that.
[00:10:26] Yeah, it's not, it's not too, it's kind of like almost like it wouldn't take you very long to explain chess, right?
[00:10:32] As far as in the principal moves and how things kind of move on the board.
[00:10:36] But it is freaking crazy hard to master.
[00:10:38] Yeah, no, it's the equivalent of saying here are the chess moves.
[00:10:41] Now let's talk about chess strategies, right?
[00:10:43] Yeah, that's a great point, Bobby.
[00:10:44] I love it.
[00:10:45] So let's get into, let's get into a, you know, real life visual example for them of like how you can go through controls and self-assess your business in a good way, right?
[00:11:08] Because this is still just like how we said before, this is, this is going to be on, on you guys as a business to do this properly when it comes to self-assessments.
[00:11:18] And so we want to help you guys and give you some practices that, that you can use along this journey.
[00:11:25] So Vince, I'm going to kick us over to you.
[00:11:27] And as you share your screen and do you want to walk them through some of the key points of this and tips that you want them to, to know throughout?
[00:11:37] Yeah, this is the tool, the self-assessment tool that we've created.
[00:11:43] Really, if you can see, it's an Excel spreadsheet.
[00:11:46] It's been honed over the last four or five years where I'm the chief security officer.
[00:11:52] And then we genericized this for Defense Cybersecurity Group.
[00:11:57] And it's available on my website, www.cybersecguru.com.
[00:12:03] Look for basic self-assessment tool and then, you know, you can download it.
[00:12:11] There are a number of spreadsheets out there.
[00:12:14] There are also a budding number of GRC tools.
[00:12:21] So, for example, we've also partnered with a company called GovSky.
[00:12:27] They've been working with us to essentially make the spreadsheet a more GRC automated tool database and erase.
[00:12:36] Right.
[00:12:37] But the spreadsheet works.
[00:12:40] And if you're certainly if you're starting out, I think this is a great place to start.
[00:12:44] What we have have done is I have an individual line for every assessment objective.
[00:12:54] So, one of the key points about both the current DoD AM process and the CMMC process,
[00:13:01] one of the fundamental big rocks of DOD cybersecurity compliance, CMMC or otherwise,
[00:13:10] is you got to look at this through the assessment objective lens.
[00:13:14] And the way we've set this up drives you to look at it and track by assessment objective, not by control.
[00:13:25] Why is that?
[00:13:26] What are these assessment objectives and who cares?
[00:13:29] Right.
[00:13:29] I have to do 171.
[00:13:31] There's 110, 171 things.
[00:13:33] I don't really assessment objectives are for assessors.
[00:13:36] Why bother?
[00:13:39] Well, and that was honestly the first time I heard about this.
[00:13:43] My thought about assessment objectives was get bent.
[00:13:46] The regulation says I have to do 171.
[00:13:49] So, you can do whatever you want with your assessment objective.
[00:13:52] The first document I looked at was not 171A.
[00:13:55] I can tell you that.
[00:13:55] Yeah, no, exactly right.
[00:13:57] So, I'm guilty of that.
[00:13:58] I read the regulation.
[00:13:59] It said do 171.
[00:14:00] We pulled 171 off the shelf.
[00:14:03] We, you know, blah, blah, blah.
[00:14:04] Well, it's a point that Jacob Horn has said, hey, I really wish those two documents were combined.
[00:14:09] Because it leads to this miss in many cases.
[00:14:14] I have a really good sea story.
[00:14:16] Did a mock assessment on a large defense ACAT-1 contractor.
[00:14:22] They were ready.
[00:14:24] Hit me with your best shot.
[00:14:25] I want a mock assessment.
[00:14:27] We're down to just tweaking it.
[00:14:29] I want to make sure we're ready.
[00:14:31] Okay.
[00:14:33] They ended up with a negative score.
[00:14:36] Not even a little bit negative, but a lot negative.
[00:14:42] And about halfway through, I realized that the consultant that they had hired didn't know that they needed to look at assessment objectives.
[00:14:50] And what happens from a scoring perspective, if you follow the methodology, you have to get, so like for this first control, 3.1.1.
[00:14:59] Right?
[00:15:00] Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
[00:15:06] And people look at that and go, yeah, I have, I use a username and password.
[00:15:11] We're good.
[00:15:12] Met.
[00:15:12] Next.
[00:15:13] Next.
[00:15:14] Whoa, whoa, whoa, whoa, whoa, whoa.
[00:15:16] Wait a minute.
[00:15:16] There are six assessment objectives for this one control.
[00:15:23] All six of those assessment objectives must be met for me to get the points that they're met.
[00:15:32] And you start looking at things like authorized users are identified.
[00:15:39] So, looking at this through the assessment objective lens, now it's more complicated, right?
[00:15:44] Because there's six boxes I got to check instead of just one.
[00:15:47] Yep.
[00:15:47] And they systematically broke out everything, every conjunction in the sentence that was the control.
[00:15:58] And it said you had to do all of those things.
[00:16:02] So, authorized users are identified may not be a gimme.
[00:16:08] Right.
[00:16:09] Because are identified to me says is written down, authoritatively recorded in some way.
[00:16:16] Not your Active Directory database that you add to.
[00:16:19] Yeah.
[00:16:20] Oh, well, I put them in Active Directory.
[00:16:22] This is an argument I have all the time, right?
[00:16:25] Particularly people who've done government work.
[00:16:27] Oh, Active Directory.
[00:16:30] That's not identifying.
[00:16:32] Active Directory says who has access.
[00:16:34] It doesn't tell me who's supposed to.
[00:16:36] It doesn't tell me who are authorized users.
[00:16:38] It just tells me who are users.
[00:16:40] How do I know that those people are authorized?
[00:16:42] I made that mistake, all right?
[00:16:44] It's not that I'm pointing the finger.
[00:16:45] Like, I went down that path and said, oh, well, we'll use a dynamic system to be the authorized users.
[00:16:52] And that doesn't work.
[00:16:54] You have to have a process of proving that person.
[00:16:56] Those users have been identified.
[00:16:58] Yep.
[00:16:58] And they're listed.
[00:17:00] And that's where you get caught.
[00:17:01] And it's people doing what they believe is the right thing.
[00:17:04] They're not trying to be nefarious.
[00:17:05] It's just a misunderstanding conceptually what's going on.
[00:17:07] And that's why talking with someone like Vince is super helpful because that can kind of turn your brain a little bit to look at things that kind of help.
[00:17:14] I interrupted you.
[00:17:15] Keep going.
[00:17:15] Sorry.
[00:17:16] Yeah, no.
[00:17:16] So this is a great example of real technical detail one.
[00:17:20] I think this is one.
[00:17:21] And this is level one control.
[00:17:23] Right?
[00:17:24] So even on FCI, we're going to have to do this one.
[00:17:27] And it's not a gimme.
[00:17:29] No.
[00:17:30] Right?
[00:17:31] Okay.
[00:17:32] So authorized users are identified.
[00:17:34] So how do I know, particularly at level two, who the people are who are supposed to have access to CUI and that we're limiting access to just those people?
[00:17:47] And like I had a multinational company that said, oh, we do this in AD and we just have an AD group.
[00:17:53] And I was like, so you have system administrators in Malaysia that can add and subtract people from groups.
[00:18:01] So how do you know that the people that are in your group are the right people?
[00:18:09] It must be okay.
[00:18:10] No, NOT MET.
[00:18:13] Oh, I can't believe you gave us NOT MET for the first.
[00:18:16] We didn't get past 3.1.1[a] and we got a NOT MET.
[00:18:19] Yeah.
[00:18:19] Well, but I think this case just shows real quickly that something we didn't touch on as a requirement, but I think it's starting to become a little bit more painfully obvious is the knowledge of what they're trying to say.
[00:18:30] NIST speak isn't necessarily English speak.
[00:18:33] And so you can go through this.
[00:18:35] And I've seen people, Amir even said this in one of our podcasts, is like a lot of people write the system security plan.
[00:18:41] And they'll say, we're going to do this thing.
[00:18:43] We're going to do this thing.
[00:18:44] We're going to do that.
[00:18:45] You didn't tell me how you do the thing.
[00:18:46] You just said you're going to do it.
[00:18:48] Basically, your whole SSP and your argument is a promise that you're going to do those things.
[00:18:52] You haven't really told us how you do it.
[00:18:55] And I understand you could reference that to policy, but that's not the same.
[00:18:59] So you really have to understand this documentation.
[00:19:02] So as you're going through this assessment, really think, am I really getting this?
[00:19:07] And don't trust that you're human and that you could be interpreting this wrong.
[00:19:14] Right.
[00:19:14] That your first interpretation could be wrong.
[00:19:18] And this is one of the things that I love about having Adam on staff with me.
[00:19:23] His perspective on a lot of these things are different than mine.
[00:19:26] And it creates this non-echo chambered environment for us to go back and forth and really try to have a better understanding as we're working through these AOs.
[00:19:34] Yeah.
[00:19:35] Yeah, absolutely.
[00:19:36] Every time I have gone through this process for what I would call a gap assessment, so not really a self-assessment per se, but somebody who is just trying to build this thing and say, hey, let's go through and identify all the things we're not doing that we need to do.
[00:19:52] Every time I've done that, I have found them answering the wrong question.
[00:19:58] And I love that you're bringing this up because I think you guys have so far told like a beautiful story so far of you said three things that I think are critical when self-assessing your organization.
[00:20:12] One, assessment objectives.
[00:20:14] Look at the assessment objectives or you will not pass.
[00:20:18] Two, understand the lingo.
[00:20:20] Understand the language of what you are reading.
[00:20:24] And three, know how to properly write these things, right, onto this document.
[00:20:32] And you can't just say will, you know, or will do soon, maybe tomorrow, you know, in your descriptions of things, right?
[00:20:40] So I think those are three critical points that I love that you guys talked about because it's like, that's like a foundation of this.
[00:20:48] Can we walk through just quickly what you would want to fill in these fields here, Vince, just to help them kind of?
[00:20:53] So this is all very stock, right?
[00:20:56] It's the ID, the CMMC ID.
[00:21:00] Here's the control practice.
[00:21:05] You will hear for this column of this list of 110 things that comes out of 171, there are three different terms.
[00:21:15] In government land, in 800-53 parlance, that's a control.
[00:21:22] And that's the one I generally use because I think it resonates with CFOs, honestly, because they understand control.
[00:21:29] The CMMC term is practice.
[00:21:32] And the 171 term is security requirement.
[00:21:36] I really hate that.
[00:21:37] We have three different names for the exact same thing.
[00:21:40] Just be aware of that.
[00:21:42] It's the list of 110 things you got to do.
[00:21:44] Assessment objectives is assessment objectives across the board.
[00:21:47] Now, what we do in here is met, not met, not applicable, right?
[00:21:51] That's your criteria.
[00:21:52] Those are the options.
[00:21:55] POC.
[00:21:56] This one, I think, is really important.
[00:21:58] I'm a huge believer.
[00:22:00] In fact, in my own version of this, I run it as a RACI matrix, right?
[00:22:06] Responsible, accountable, coordinated, informed.
[00:22:08] So there's actually four columns.
[00:22:11] I found that to be too complicated for a lot of people.
[00:22:15] And so I've boiled it down to I got to have a person I can point to who is the POC for this.
[00:22:23] And I think that's really important.
[00:22:26] Fill that out.
[00:22:27] No, really, who is responsible for this?
[00:22:29] Who does this?
[00:22:31] Who is the assessor going to talk to when they come to your site about this one?
[00:22:39] That's such a good point.
[00:22:40] That's because that's one of the things that we really learned.
[00:22:42] And Kaleigh, we have a video I think you can put on the screen where we talk about how we went through that experience.
[00:22:47] And it made us have to change our thought process because there are certain components from a compliance perspective where Adam would talk about it.
[00:22:56] But because I did a lot of the design architecture when it's talking about the technical implementations, I was more authoritative about that.
[00:23:03] So it would switch to me.
[00:23:04] And then knowing who's on the hook to talk about it, you need to be ready to defend that position.
[00:23:11] Yes.
[00:23:11] And having that person responsible, it's not just about like, oh, let me just feel this feel out.
[00:23:15] It's really you've got to think about that's the person who's going to be talking in front of the auditor.
[00:23:20] So you've got to make sure that you're ready for that.
[00:23:21] We just had, and that's particularly useful, the larger the organization is.
[00:23:28] Right?
[00:23:29] So where it gets more complex of who is really responsible for talking on this, we utilize this approach with a 3,000 person company that did a JSVA last week.
[00:23:40] They got a 110.
[00:23:42] Awesome.
[00:23:42] But we actually practiced with the POCs in the couple, because we've been working with them for years and they're really good.
[00:23:55] And they got a really smart guy leading their program and they were in good shape.
[00:23:58] Right?
[00:23:58] But, you know, in that final move towards I'm going to have assessors on site, we actually brought the various pieces of IT and legal and HR and risk.
[00:24:10] Right?
[00:24:11] We had little sessions with all of them.
[00:24:13] Here are the ones you're responsible for.
[00:24:15] Here's what we expect you to have to talk to.
[00:24:18] Here's your documentation.
[00:24:20] You know, you've got your policies and procedures on this.
[00:24:23] It's an open book test.
[00:24:26] Use your policies and procedures.
[00:24:28] Don't make stuff up.
[00:24:29] Right?
[00:24:30] We've worked really hard to make sure this all flows and works together.
[00:24:34] Don't go wandering off.
[00:24:36] Absolutely.
[00:24:37] Right?
[00:24:38] Open book test.
[00:24:39] Please read the SSP.
[00:24:41] Right.
[00:24:41] Well, and I think because they also need to know about these fields and be able to speak to them.
[00:24:46] Right.
[00:24:47] And then they're not surprised when the assessor says, hey, three... like I often have HR as the responsible POC for "authorized users are identified,"
[00:24:56] not a technical person at all.
[00:24:59] Where I'm the chief security officer.
[00:25:01] That's the director of HR.
[00:25:02] Hmm.
[00:25:04] And it's her because she nominates people for addition to the system to IT.
[00:25:09] And she's got to talk about the process by which we do background checks and blah, blah, blah.
[00:25:13] She owns this authorized users are identified.
[00:25:18] Can I ask something specific about that?
[00:25:21] Sure.
[00:25:22] I just am curious, when you're saying a specific person, you're going to type the role of the person.
[00:25:29] Am I correct?
[00:25:30] Not the name of somebody specifically.
[00:25:32] I generally do the role.
[00:25:35] Yeah.
[00:25:35] But I push back on Bobby because I don't want it to be so generic that you can't identify the person.
[00:25:42] Absolutely.
[00:25:42] I get that.
[00:25:43] Yeah.
[00:25:43] I just was like, you know, I don't, I just would, I would fear if, you know, if somebody left or there was a transition or whatever,
[00:25:49] you'd have to rewrite this thing every time you change the name of that person.
[00:25:52] My RACI matrix says director of HR for that.
[00:25:55] Yeah.
[00:25:55] But I would, you know, if you're a company and you're small and it makes sense to put Fred Smith down in there.
[00:26:02] Okay.
[00:26:03] Put Fred Smith down.
[00:26:04] Fred's on the hook.
[00:26:04] You know, I, I, I think that would work.
[00:26:06] There is a... it wouldn't kill you in an assessment.
[00:26:13] But saying the IT department, or let's say network engineering is a group of 20 people in my large organization.
[00:26:22] Don't put down network engineering.
[00:26:24] Right.
[00:26:25] I get it.
[00:26:25] Yeah.
[00:26:25] Yeah.
[00:26:26] I get what you're saying.
[00:26:27] Right.
[00:26:28] I need to put it.
[00:26:29] We need to get this to a lot of people, the larger the organization, the harder that can be.
[00:26:38] Right.
[00:26:39] Right.
[00:26:40] This is a very people aspect of this, but we, we want to drive it to who's going to be answering the assessor for this.
[00:26:47] And me, the head of the CMMC program or the director of compliance, I'm not doing it for everything.
[00:26:54] Right.
[00:26:55] Right.
[00:26:56] Hey, Vince, can you slide to the right?
[00:26:57] Let's see more of those columns and kind of go through.
[00:26:59] So once you've identified that POC, you have in there the description, some artifacts.
[00:27:07] There's some really good stuff in here.
[00:27:09] Yep.
[00:27:09] You know, we're kind of short on time.
[00:27:11] So I do want to kind of touch on it, but, so description of implementation, to me on the spreadsheet, this is very similar to what's in my SSP.
[00:27:21] I just have some general words down there about how we do that. Artifacts or objective evidence.
[00:27:28] So this is one of the things we really wanted to hit on this for a self-assessment under CMMC.
[00:27:38] They have now mandated that evidence is maintained for both self-assessments and certification assessments, both for six years.
[00:27:52] At the request of the Department of Justice, they, they put those words in the rule.
[00:28:00] So when you're doing a self-assessment now, you must collect evidence that supports what you, you're scoring yourself, right?
[00:28:11] So what is that artifact or objective evidence?
[00:28:15] Now we do this in two ways, but we're pretty advanced, right?
[00:28:21] One is documentation often is the evidence, like where you have something that needs to be written down.
[00:28:28] And then you point to the documentation that it is written down.
[00:28:31] The documentation is the evidence.
[00:28:32] And I usually just point to that evidence, whatever that is.
[00:28:35] It's the SSP or it's the, uh, access control procedure or whatever that evidence is, right?
[00:28:41] From a written down perspective.
[00:28:43] If it is not the documentation, we generally take snapshots of something that supports it, that we put in our evidence locker.
[00:28:57] And I like to say we have one piece of evidence for every assessment objective, where the documentation ones are just the pointer to the documentation.
[00:29:05] That way we have something for everything, but you need to collect evidence.
[00:29:12] And that's why your first run through this could take time, because maybe you don't have that evidence locker, right?
[00:29:18] And you could, your first run through could be collecting all of that and proving in your brain how you're going to do that and prepare to have that conversation.
[00:29:27] So, generally from a gap assessment perspective, we try to make it through without collecting evidence on sort of our first pass with a company starting from scratch.
[00:29:39] We just go through and write stuff down and try to get through it all.
[00:29:43] And then you start a second pass, you know, you have other passes that you take.
[00:29:48] And in fact, I would recommend to all companies that this is also the way you do continuous monitoring.
[00:29:55] Right.
[00:29:56] So there's a, so continuous monitoring is a requirement in the standard.
[00:30:01] You must continuously monitor that the security controls are operating effectively.
[00:30:07] Right.
[00:30:07] How do we do continuous?
[00:30:09] How do I do that?
[00:30:10] Well, the way I have approached that is to say that I take an hour a week with my team and we start at the top and we go through as many assessment objectives as we can get through.
[00:30:23] In an hour, collecting evidence, looking at the procedure, looking at the SSP, you know, really deep diving up.
[00:30:33] No constraint on how, how deep we go because there's always next week.
[00:30:39] And, and normally it takes us about five months to get through the whole 110 at an hour a week.
[00:30:46] Wow.
[00:30:47] With me.
[00:30:47] And so we have three or four people on those, you know, calls.
[00:30:52] So four man hours a week in continuous monitoring from a, from a corporate perspective.
[00:30:58] It takes us about five months to make a complete lap.
[00:31:01] Wow.
[00:31:02] Now I have seen another highly respected C3PAO.
[00:31:06] They have actually prioritized these by risk and have some that they hit every week and some that they hit every month and some that they hit every quarter.
[00:31:16] And so their continuous monitoring is they do that same hour or so a week, but they, they just have it set up differently so that they're, they're getting the higher risk controls more frequently.
[00:31:30] Which I think is really brilliant, but I just haven't gotten there.
[00:31:33] So let's see gaps.
[00:31:38] That is a description of gaps.
[00:31:40] So if I go back here and I say not met, I might say, here's what I think is wrong.
[00:31:45] Required action to implement.
[00:31:47] So what do I need to do to, to, to correct this, to make this right?
[00:31:55] Any comments?
[00:31:57] Does this have a shared responsibility?
[00:31:59] Responsibility.
[00:32:00] So like Bobby is my MSP really the one that does this?
[00:32:03] Yeah.
[00:32:04] Is somebody, somebody else supposed to do that?
[00:32:06] This column, everybody in the, the ecosystem may find this column of interest.
[00:32:15] DIBCAC, because they always ask what kind of evidence are they looking for?
[00:32:19] Yeah.
[00:32:20] That's a, when you really get into this and you start gathering evidence, you go, what the heck are they looking for here?
[00:32:25] Well, DIBCAC published an Access database that they used.
[00:32:33] And in there, they listed the type of evidence generally not required.
[00:32:38] This isn't, these are guidelines, not rules that they look for to meet this particular control.
[00:32:45] We downloaded the Access database, got it to run, extracted that piece of information from all the controls and put it into our spreadsheet.
[00:32:51] That's gold right there.
[00:32:52] That's a big deal.
[00:32:53] Cause that really helps you to kind of get a general idea of where you should be looking for that type.
[00:32:56] Exactly right.
[00:32:57] And it's just, it is just general, but that's what this column is, right?
[00:33:00] It is just the thing.
[00:33:04] And then over here, I've got this, a couple of columns that help it.
[00:33:08] So if you sort this, you can get it back to the right order because the way Excel sorts things.
[00:33:14] This is so helpful.
[00:33:16] Yeah.
[00:33:16] So I had said that every assessment objective has to be met in order for control to be met and for you to get the points.
[00:33:24] The way we have set this up is I actually have a separate tab.
[00:33:28] When, when you mark all the assessment objectives met in that other tab.
[00:33:34] Yeah.
[00:33:34] It does it.
[00:33:36] It cross references it.
[00:33:37] It updates it here.
[00:33:38] It updates the controls and it gives you a score, right?
[00:33:43] If you go through all the way through it, right?
[00:33:46] It will give you a score in accordance with the DOD scoring methodology.
[00:33:52] So in CMMC, controls are scored differently.
[00:33:58] They're one point or three point or five point.
[00:34:01] And you actually start from 110 and you subtract the number of points.
[00:34:05] If it's not met, it's kind of an odd way to do it.
[00:34:07] And that's why we end up with negative numbers.
[00:34:09] This tab is just a spreadsheet set up to make the score work more easily.
[00:34:16] Yeah.
[00:34:16] If you have filled out this page properly.
[00:34:21] Right.
[00:34:22] This is great.
[00:34:23] Well, guys, I'm going to have this again.
[00:34:25] If you haven't already looked, make sure to look in the description.
[00:34:28] I will have the link to this from Vince in the, in the description so that you guys can check this out for your own business.
[00:34:35] Thank you again to Vince for hopping on here and sharing that because that, I mean, I, I really enjoyed this episode and I hope you guys that are listening to this and watching even on YouTube do as well.
[00:34:48] Again, make sure to tune in next Thursday to our next podcast episode.
[00:34:52] And don't forget to follow Vince and all that he's doing on his LinkedIn and on his website.
[00:34:58] But until next time, guys, keep on climbing.
[00:35:01] See ya.
[00:35:02] See you guys.
[00:35:03] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:35:08] We hope you guys enjoyed today's episode and listen out for the next one.
[00:35:12] But until then, keep on climbing.