Have you ever wondered what it's truly like in a CMMC assessment? Maybe you've thought about how to speak to an assessor or who needs to speak during certain controls. During this episode, we talk about Bobby's experience and how he prepared himself. Your SSP is your script, read from it.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Hello Climbers and welcome to another episode of Climbing Mount CMMC. My name is Kaylee and this is Bobby and today we are going to be going over the Assessment Tango. We kind of came up with that name. Don't research it because I don't think you'll find it.
[00:00:31] I sure hope I don't find you dancing anymore either. But what we're going to talk about today is just honestly I feel like if you're one of the people that is preparing for a CMMC assessment, maybe your company is an organization seeking that assessment or maybe you are a new C3PAO or a new assessor or whatnot.
[00:00:58] You're trying to get some experience. You really want to understand the process of an assessment. And Bobby likes to explain it as a little bit of a dance. It's a back and forth, swaying back and forth between if you're doing it right. I would love to hear some theater references about how you can explain. Some theater references. I think in our last podcast or one of our last videos. Oh yeah, the last podcast you were so heavy on sports references and I was like I don't think I can track anymore.
[00:01:27] I've given up, you know. Yeah, I was looking. I was researching it on the side. Yeah, I need to think about some. I'm throwing the gala down. I want to hear some theater references to CMMC tank. Okay, I like it. Yeah, yeah, yeah. So one thing that is for sure is, you know, there's such thing as dialogue when it comes to theater. And I think that there is the same when it comes to your controls and your SSP. There's this dialogue, this back and forth. It needs to flow well, you know.
[00:01:54] And you don't want to be too stuck in one spot. I kind of like that better than my sports analogy to be honest with you. Because I think you're right. Maybe you should let me talk more. I don't know. Yeah. You cut me deep, girl. So, like, yeah, you've got to have that back and forth cadence and process or it just doesn't happen naturally, right? Yeah. And that's what we're talking about here is what does that look like in the audit?
[00:02:19] And, you know, another group that you sort of left out is managed service providers or somebody that's going to help you in a consulting capacity to implementation. And they may be shoulder to shoulder with you or may even try to reduce the burden of your audit. But, like, for us, we expect to be there with the client. And we want to talk a majority of the time, if we can, to help relieve that burden of the client having to be audited that way.
[00:02:44] And if you are going to try to take that tact with your client, you better know that tango so that you can guide them through it. Yes. Because you do not want to go in there. They need to have a script, too. Mm-hmm. And maybe that script is titled an SSP, you know, some may say. Yeah. And, yeah, and that is also very important. Yes. I'm so glad that you said that. So imagine if we ended the episode here. Okay, great. Make sure to dance in the end. No.
[00:03:11] What we really are going to do is give, like, practical ways to dance and what we mean by that. So the first and the biggest one that we talk about, Bobby, is being ready for each and every control and what that ready means for them. So, like, when we're talking about that, can you explain to people listening what you have to have ready for the controls?
[00:03:40] Well, you talked about SSP. Mm-hmm. Right? So when you have your SSP, let me ask you, Kaylee, like, don't you think you would want to use your SSP to help be your model to follow? Yeah. When the auditor is looking at you and says, okay, 311 Alpha, what you got? Tell me what your stance is and how you handle that. Mm-hmm. Well, you don't want to be doing everything.
[00:04:08] I don't see how you could possibly do everything off the cuff. Like, that's the purpose for your SSP is it's literally for you to go to and be like, this is what we do for it. Here is what we have for evidence. Here is the person in charge of that control. And it's all written out perfectly so you can see it and the assessor can also see it.
[00:04:30] And this is why having a well-written SSP is so critical because wouldn't it be great if when your auditor asks you 311 Alpha, you had your SSP written out to where you could say, okay, he's asking, he or she's asking me about 311 Alpha. I'm going to read my SSP. Kaylee, why would you read your SSP versus just going off the cuff and riffing? Well, I would guess you don't want to mess up what you say or say – You want to – that sounds like you're about to start digging yourself into a hole. Right.
[00:05:00] Because the more you go off script, the more opportunity the assessor has to pick apart what you say. That right there. Yep. Yeah. Okay. Absolutely. Because, you know, if you've ever watched any law movie, which they're incredibly accurate about how real courts go. So, you know, one of the things they say in movies all the time is you don't go on the stand without knowing how you're going to ask the questions and already have the answers to them. And it's the same way with your audit. Okay.
[00:05:30] So let's dive even deeper into this. So we talked about in the controls just a little bit. We said, you know, you should have the definition of like what you do for that control. Then you should have the person who is like primarily in charge of that. Right. And then let's dive into that part of it. Okay.
[00:05:52] That person, does that person always need to be in the assessment or no? Do they need to be prepared to be on the stand just like you're saying, you know, in all the Lincoln lawyer shows that I see on Netflix? I'm so excited. Are you ready for this? I'm ready. I've got a theater reference. You've got to – ain't no way you're pulling that out your butt. Right, so you have a call sheet.
[00:06:19] Like you know who's supposed to be on stage talking at the right time. A call sheet. I would have never thought you knew that that was. So you've got to – I have no idea exactly what a call sheet is. I'm just throwing that because I thought that sounded right. Okay, that's kind of right. Is it right? I don't know. It could be like what you do when you're firing people for all I know. But you're going to have like that list as you go through Alpha. You're going to know who's responsible. So for example, let's take 311 as a perfect example.
[00:06:44] A lot of times the person who's authorizing – so Alpha, Bravo, and Charlie in general in 311 is access control. So that's – someone has to authorize those users. Someone has to say they have permission to be added. Then you pass that to your IT company, and then they pick up the ball. And if they have a level two, which they should, it should be a straight inheritance because they've already passed. They know how to do it. That's another story for another podcast. Sure.
[00:07:10] But the client has to have someone who's responsible for authorizing those users. So for Alpha, Bravo, and Charlie, there's a good chance the client's going to have to talk even if you want to for them because they're going to have to speak to how they do it. Now, if you have policies and procedures written out in such a way that your client can have evidence that validates how they do it, then you could point to that. A lot of time assessors want to have – it's called assessment methodologies.
[00:07:39] So that's examine, test, and – like it's examine, test, and analyze or something. I can't remember the third one. Oh, my gosh. I'll look it up and see. I will fail my CCP and my CCA if I don't have that on my head. But basically it's – you're going to examine the information. You're going to test, and you're going to validate the documentation and other pieces. You don't have to do all three. You might only do one. You might do two.
[00:08:06] It's really up to the auditor about how many of those methodologies they want to utilize. And in those situations, you could go down the path of as the MSP or the consultant, you could speak for them and Alpha, Bravo, and Charlie and say here's the forms that they filled out. But there's still a decent chance they're going to say, well, I want to talk to Harry who's the HR person, and I want to hear from them how they follow that procedure, and they might have to talk.
[00:08:36] So the person that's authoritative, that's the person that is responsible for actually implementing it. It doesn't mean that the auditor won't let other people speak at that point, but it is very possible that they may want to interview those people. So even if you had potential – That's what it is. It's interview, examine, and test. Ah, okay.
[00:09:03] So even if you had – so like you had an assessment objective, let's say you had an assessment objective and you had evidence specifically for that assessment objective, but the person responsible for it is a specific person in your company, and they're not on that call, that the assessor could look at that evidence and still think,
[00:09:29] hmm, that's not enough, and call that person assigned in. Yes. And in theory, that should be defined in phase one because you're going to say how the assessment is – you're going to provide the documentation for them. Yeah. So I would push to have that established in phase one.
[00:09:55] That doesn't necessarily mean that that's how they're going to have that play out, but I would push for that in phase one and say, here's a list of all the assessment objectives, and here's who's going to talk about it, and then get the buy-in of the auditor because you don't want to be in the assessment, and then they go, okay, well, we're going to talk to the HR person now. Yeah. And you're like, what? Yeah. And you might think, well, but they should be able to ask them, and you're right.
[00:10:23] They should, but let's flip it around, right? And let's think about this tango from the perspective of the person being interviewed. Maybe they're not outgoing, and they get very nervous about these types of things, and they are the HR person, and they do a massively – they do an awesome, incredible job, and they do a lot of work, and they're moving a lot of massive amounts of onboarding, offboarding people, and they're crushing it. They do a great job.
[00:10:51] But they are not someone that you would want to put – They're not a speaker. They're not a speaker, and you want to put on the witness stand. So I get it, and you might put them into a lot of a tailspin by saying, you know what? You're going to have to talk to this auditor. They're like, ah, I don't want to do that. That's scary. It's a scary thing. So auditors need to understand that people are human. Yeah. So you have to have some grace and to be able to leeway. If they're obviously trying to stonewall you, and they don't want you to talk with certain people because that's something different.
[00:11:21] But, you know, so you can do yourself some favors there, just understanding how that tango goes, and there's things that you can do because they can examine and see some other aspects to work around that. Interview is not necessarily always the go-to for everything. Yeah. And so I also am curious about – So when you're getting ready for this assessment, basically what you would recommend is have the people
[00:11:48] that actually are listed as, you know, listed on the SSP in some way. If there are people that are listed on the SSP, they should just be prepared just in case. Yeah, absolutely. But if not – And is there like a max amount of people? Like if you – Like they're not going to bring in like – They're not going to bring in all of, you know, your employees kind of thing. So it's like I guess you've seen all the controls. You've seen all the assessment objectives.
[00:12:18] You've gone through them all. Mostly what type of employee is going to be pulled in if they will? Yeah. They're going to probably want to hit your HR person. They're going to want to at least talk with your CISO or CIO or someone who's doing the more technical design and architecture, maybe your chief engineer, you know, some other aspects of that.
[00:12:47] They're going to want to get into those types of conversations at certain times. It could be – it just depends on how large your organization – the larger your company is, the more people that could be pulled into the interview process just because of the way that organizations tend to get so siloed. It really – it varies. It could be anywhere. Like for our assessment, it was just two, me and Adam. And I've heard other companies that they've had 20 or 30 people
[00:13:16] hold departments that they didn't even realize that they were going to have to talk to. And as they started interviewing and talking with other people, they realized other departments were involved and didn't – that wasn't even made clear. And so the auditors are sort of following those rabbit trails. That's where the interview processes can be critical for them just to get a general feel of making sure that kind of stuff isn't happening. But you've – again, like you were saying, you've got to be prepared about that tango
[00:13:44] and understand who might be possibly pulled in. And so let me ask you, Kaylee, do you think you should just bring it on that person that day? Absolutely not. So how could you help them? I would think when you are making your SSP, if you have that person or that category that that user is in charge of listed specifically on the SSP,
[00:14:12] you should start that conversation then. Like, hey, I am listing on the SSP that it says this person is in charge of it. That would be considered to you in our organization. So when time for assessment comes, just know and be prepared for a potential situation where you could be pulled in. And I feel like by the time you're making your SSP versus when you're having your assessment, that should be plenty of time for that person to gather their belongings
[00:14:41] and move away to Canada if they chose not to do that. If they don't want to be involved, right. Yeah, if they don't want to be involved. You absolutely should project how that's going to go, have those people prepared. You even, I would go as far as for each assessment objective, know what they are going to say. They should read the SSP word for word based on how it's going to go, like a script.
[00:15:08] When it comes to the examine piece where you may want to provide additional evidence, walk them through documents, should perhaps show them a screen sharing. The person that's going to be doing that, what they're going to be saying should also be, in my opinion, in general, written out. Yeah. You just don't want to wing it. Unless you've just been crushing them for years and doing those types of things. So especially if it's a client that you're walking through, you want to coach them up.
[00:15:38] Here's what you're going to say when it's your time to speak. And there are some things that are acceptable are, well, that's a great question. Let me go to the documents that we follow and let me read it to you on how we process it. But you don't have to have it where you pop it off the top of your head. You take them right to the document that you already told them that you follow and just read it. Because then they're like, well, is that what you do? Yeah, I follow this document. Yeah. Okay. Well, that was smart. You know, I'm like, you don't just riff off the top of your head about how you're doing it.
[00:16:08] Read the document and how you're going to do it. Tell them how you're doing it right there. I would think the assessor would appreciate actually that more than anything, because it shows that you know where the documentation is, that you have that documentation, that you know exactly where it is so well that you can get to it at that quick time and be able to read it off. I think that speaks more than if you can just fluff during the time of when they say it to you. No theory should be discussed during that time frame. Yeah. It is known quantities. You speak as little as you have to.
[00:16:38] Yeah. And what do I say about how you want assessors to be inside your environment? You want to get them in and then you want to get them right back. Right on out. Right. Yeah. The least amount of dwell time possible. Yeah. And also, we only deal in certainties here. I think that also applies as well. Absolutely. So the one other thing that I was really curious about, and this is going to be like really technical, like getting down to like the very specifics of it.
[00:17:05] And I'm just curious when you're pulling those people into an assessment, because I've only been to like some mock assessments and whatnot, but I haven't seen this really happen. When you're pulling that HR person in and maybe they're sitting on the sidelines during the assessment day and they do end up needing to get pulled in, is it one of those things where you like bring them into the call right then and then push them out once it's done? It's like, that's how it works? Or like would the assessor be like, we're going to have to come to that another time,
[00:17:34] because you have to pull that person in? Or could you do it quickly like that? That's a great question. So that speaks to the maturity of the auditor. Okay. I have heard a good buddy of mine who was going through his JSVA for his C3PAO journey was teaching. And he talked about when he went through his JSVA, they were so organized. They had two or three people on there.
[00:18:00] As he was answering the respective controls, they were marking off the correlated controls and validating them. And they were able to like get the whole assessment done, I think in a day, I think is what he said. Because they were so organized with how they had it all connected when they were doing the interviews. It was just striking off chunks of things. Yes.
[00:18:24] And also I think what he did well is he had very good test examples that showed multiple control completions as he demoed those. Right. So you could go through and say, I want to show you how we do access control. As you go to do it, you're demoing the multi-factor authentication. It could show the banner login. So they were kind of marking that as evidence for those other controls. Boom, boom, boom. They were so used to it, they were just crushing it, marking them off.
[00:18:55] And so because of that, they were much more efficient with who they interviewed and what discussions they had. And this becomes an art for the C3PAOs just as it is for the organizations being assessed. Wow, that's fascinating. Everybody's going to get better at this. And it will help compress the time, make it more efficient, make the assessments cost less as they get more auditors. Because what you find, some of the challenges for C3PAOs is they're trying to find more seasoned auditors who understand that so they can compress that audit time.
[00:19:24] Because that is an art. It is absolutely an art. And it takes time and experience. And there aren't a ton of those out there yet. But that will change over the next year or two as more people get seasoned and this time starts to shrink. But absolutely, they should have the interviews compressed in such a way that you don't keep recalling people back in an inefficient manner. That to me would indicate a lack of organization by the C3PAO and how they had their assessments scheduled out in my opinion. Yeah.
[00:19:55] Wow, that really does change my perspective on things. Like I didn't really know that – like I didn't think about it from that side. But also like you're bringing clarity of like the C3PAO is paying each one of these assessors in this time as well. They want it to be efficient too, I would believe because of that. They want good ones. They want them to do well but also be efficient. And so that totally makes sense in that regard.
[00:20:23] And I do think that we should be able to see the evolution of their dance as well as ours continue to evolve and get even better. So that's really cool. Are there any other little tips or tricks that you can give before we close? Any other things that you can think of? I think the biggest one in this situation about knowing the dance is you can understand the theory. You can read the book.
[00:20:48] But unless you go through – just to take your theater stuff, if you don't go through some practices of the actual play of what you're trying to execute there. Right. You're just not going to have the proper cadence. Just reality does not kick in from theory. Everybody knows that's how it works. So how do you get around that? Find some trusted friends.
[00:21:14] This is where you phone a friend, and that friend hopefully is a CCA or someone who's been on JSV assessments. Cash cab. Could win you a lot of money. Yeah, cash cab on that baby. You want to talk with somebody who's trusted, reach out to a C3PAO. It might cost you $5,000, and you don't have to have them do all of your controls. Only do a couple. And then you'll learn the cadence of how that works. So to kind of practice it – and we did this too.
[00:21:42] What we did is we gave them – we picked like three controls. We took the policies, trimmed them down to what's relevant to how that might go. We had the SSP trimmed down to those things so that you're not giving to this person all your SSPs, all your policies. They're like, dude, seriously, we're doing three controls. Just help me out here. Do the work for me. You know, trim it down. Yeah. So that way I can just read the relevant things and be – as a mock auditor, they can be prepared about what they're trying to do. Yeah.
[00:22:11] And they can kind of look at that and go kind of look at the SSP pieces. It's referring to these policies. They – the policies that's referred specifically in the SSP. I have these sections here I can look at. Okay, now I see the connective tissue here. I'm ready to do the interview. And then that auditor should be able to say A, B, C, D. Okay, we've finished this one. I like how that is. I'm going to say that's met. All right, now let's go to 312. Go for alpha. And then they go through and they're doing it.
[00:22:38] And that way you can sort of start to have that feel of how it goes. And it will be so invaluable for your assessment because if you've never done one – I've never heard of anyone just go into it for the first time that they were wishing that they would have had some more practice about doing it from a realistic rehearsal. Yeah. Because it just usually doesn't go very well. Yeah, I was about to – I was about to correct you, but you corrected yourself at the end. It's called a rehearsal. Rehearsal. Not a practice. Practice is sports again.
[00:23:08] You're going back to sports. We're staying in theater for this one. It's called a rehearsal. So I – and I genuinely – you're absolutely like – I mean hit the nail with the hammer. Is that what it says? Wow. I forgot what that – hit the nail on the – Hit the nail on the head with the hammer. Why am I just – No, you messed me up. Yeah, I messed – no. You really – Hit the nail on the head. You really got that. That's what I'm going to say.
[00:23:34] You really got that exactly right because I could not imagine reading a script and practicing on my own and never doing a single rehearsal and just going out for a live show. That would be absolutely insane and I would be peeing my pants. So I couldn't imagine doing that with something like this as well. So you're hands down totally correct. I completely agree. And I hope that this episode was really helpful to you guys that just wanted a little bit more insight about an assessment,
[00:24:04] what it looks like when you're in it, how you can do it better, how you can help yourself prepare as far as the tango and the dance of it. We've talked a lot and I'll link it in the description below about like specifically SSPs and CRMs and how to prepare like the documentation side of it. We've talked about that a lot. Yeah, because when you're trying to do that practice one that we were at a rehearsal – sorry. Yeah, the rehearsal. A rehearsal.
[00:24:30] It forces you to have to think about what kind of evidence do I want to get together to present to that person. So you start to think about evidence gathering and all of that stuff. And you really want to build that muscle memory in that process. Yeah. So that will even help you with your documentation as well, which is – yeah, that's huge. So if you guys have any questions though about this, comments or even other recommendations too that has to do with this tango of the assessment,
[00:24:57] make sure to comment either on Spotify or YouTube or you can reach us on LinkedIn. And I'll keep all those links below so you have them. But I hope you guys enjoyed this episode and tune in next Thursday for another episode of Climbing Mount CMMC. But until then, guys, as always, keep on climbing. See ya. See ya. See ya. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:25:24] We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.