In this episode of Climbing Mount CMMC, Kaleigh speaks with Axiom's compliance officer, Adam Evans, to explore the complexities of inheritance in the context of CMMC compliance, cloud service providers, and external service providers. They discuss how inheritance works, common misconceptions, and practical tips for organizations navigating compliance assessments.
Link to the CMMC Assessment Process (CAP): https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:01] Hello Climbers and welcome to Climbing Mount CMMC. Boxing up by 6. Good job. What is it doing? Look at that. Hello Climbers and welcome back to another episode of Climbing Mount CMMC, the podcast. My name is Kaleigh Floyd and this to my, maybe it's my left, maybe it's my right.
[00:00:30] I'm not sure, it depends on what we edit, but it's Adam Evans. Adam is basically the guy that tells us yes or no when it comes to compliance internally with Axiom, also known as our compliance officer. And what I'm excited to talk about today is a little session that we're calling Adam's Hot Takes, which if you don't, if you guys don't know, or you haven't had the privilege of getting to know Adam at maybe some conferences or even some of our other podcast episodes, Adam has some really excellent
[00:00:59] hot takes. And so today we're going to talk about how inheritance isn't real. No, it is real, but we are going to talk about how it's real, but kind of sort of what it means, because I think some people think it's something that it's not. And so, Adam, first, I would love for you to explain to the people that are listening who might not know what inheritance is. Could you kind of set the stage here for those people who might not know?
[00:01:28] Yeah. So in short, inheritance is when you operate portions of a system inside of a larger system where someone else is responsible for security controls and you get to basically reap the rewards of their work. In a simple, more practical example of that, if you're using a Microsoft environment, you're not the one responsible for swapping hard drives on Microsoft servers. They do that for you. You're not responsible for the physical security of a Microsoft data center. They do that for you. So you get to inherit their protections from that. That's one of the benefits
[00:01:57] of cloud service providers and part of the FedRAMP process. Or in a much simpler example, if you rent an apartment, you're inheriting the building maintenance from your landlord. Yeah, that's a good, yeah, that's a good example. And then once you end up buying your own home, you realize how screwed you are at having to figure out all this stuff yourself, because you don't have a landlord that can come in and fix it for you. Yeah, yeah. Going through the home buying process and looking into all that right now,
[00:02:23] I'm just doing a lot of reading. And I don't know what I prefer more, CMMC or all the details of homeownership. No, I love that example. That's great. Talking about inheritance too in a general term, let's dive more into it in the CMMC sense. So I feel like there's two sides of inheritance that you hear thrown out a lot in the CMMC ecosystem. One side is from the CSP, which you already talked
[00:02:53] about cloud service provider perspective, and how inheritance works with cloud service providers and the word FedRAMP, or I guess, you know, the authorization comes up when you're thinking about that. And then the other side of it is external service providers that aren't cloud service providers,
[00:03:13] like maybe an MSP that is CMMC level two certified and trying to inherit things from that perspective. So let's talk about those two perspectives and start with the cloud service provider side. Yep. So to set the stage super quick, when you read through 32 and 48 CFR and the requirements for CMMC, cloud service providers that store, process, transmit CUI must meet a FedRAMP moderate baseline or higher.
[00:03:42] There's a little carve out for FedRAMP equivalent, which is essentially just FedRAMP, but not formally assessed and authorized by the government. So what happens is when a company goes or an organization goes to the FedRAMP process, they have to meet the series of controls under NIST Special Publication 800-53. And then they go through an assessment to determine what, you know, that things are not only met, very similar to CMMC, but there's also a portion of risk management where the government may decide that certain things
[00:04:10] are allowed not to be implemented depending on the risks involved. Government gets to kind of have their say in that. The FedRAMP equivalent side of stuff, however, is you have to meet all of it, still go through a process, but the government's just not signing off on it. In both cases, there's a lot of documentation that comes around with it. And what typically we have to see from the client side of stuff is one major piece of documentation is the customer or shared responsibility
[00:04:37] matrix. And also the implementation statements, usually customer implementation statements, CIS worksheet, something along those lines. What those two documents plainly do is they tell me what does the CSP do under their FedRAMP authorization and what do I have to do? Right. So what often comes around and what I often see is kind of a CMMC myth that floats around is, well, if you just get the FedRAMP solution, you can just inherit it and you're good.
[00:05:05] It's the easy mode. It's the get out of jail free card, basically. And that's not the case. That's like me walking into the local Planet Fitness and just solely by walking into the lobby saying that I'm now a bodybuilder. Spoiler alert, I'm not. You still have to put forth work, not nearly as much work as you would if you had to go through the entire process yourself, but companies still have to go through that responsibility matrix, understand what they have to do, document appropriately in their SSP, and also make sure it aligns to their policies too. And if it doesn't, deal with that.
[00:05:33] Well, you have real world examples of this in assessments that you've been a part of. Let's say we're talking about the, you use the example of Microsoft and you're, let's say you're in a GCC high tenant and that's where your company uses their cloud services and lives in that environment. When you get to that part of the assessment and you're supposed to, you know, talk about that,
[00:06:01] do you say it's inheritable and then it's done? Like, how does that work for somebody who doesn't understand that? Yeah. So, so, you know, we, we initially in our first run through, we basically tried to do the, oh, it's inherited per Microsoft's FedRAMP ATO. And our assessor said, cool, which controls? So in terms of the documentation, you know, we, like I said, we, we tried to go through the process where we just said, yes, inherited per Microsoft. The assessor said, which control? So, but, so going through the responsibility matrix,
[00:06:27] we can start to see what exactly does Microsoft do or what exactly does the CSP do and what exactly my responsibility is. Yeah. Depending on the provider, some will map those to the 800-53 controls, others to the 800-171 controls. It may vary depending on the provider. Microsoft, if you can find the documentation, that's your first challenge, but if you can find the documentation, you can get ahold of Microsoft's
[00:06:53] SSP and other documents, which will align to the 800-53 controls. So you can say, this is inherited per, you know, Microsoft's FedRAMP ATO for AC-7 or whatever the number is. I really hope AC-7 is actually an inheritable control because it'd look really cool if it was, but for anyone listening, I'm making the number up right now, but that also takes you down the path of the documentation to figure out exactly what does Microsoft do so you can document appropriately.
[00:07:19] And then again, what do you have to do? An excellent example of that in practice is FIPS validated cryptography. For certain systems Microsoft has it handled, there's nothing that I can do to modify, change in any way, shape or form, just Microsoft does it. But if we look at some of the communications and stuff in Windows, there's actually a setting that needs to be toggled on. And it's my responsibility as the customer to make sure that setting is toggled on for that inheritance statement to be true. Hmm. Hmm.
[00:07:45] So that's where this really comes full circle to tell you what to do so you can inherit those protections or in some cases understand where your responsibilities lie, exactly how to navigate that. Another example, Microsoft will provide all the password requirements built into Entra, but those password policy requirements still have to align to your company policies. Microsoft's not writing your company policies for you. Well, they could if you asked Copilot, but I wouldn't, I wouldn't use that.
[00:08:14] Wouldn't fully rely on that one. Right. But anyway, so the general gist of that is you still have to go through and understand that. And that way you're just, no one's making assumptions. Because what happens is if you want to assume, we all know the old saying about assuming, and you don't want to run into that situation during an assessment where you think, because I do X, Y, and Z, that Microsoft has my back on this one. There are documentations out there and they might, they might not, but you need to know that before you get into the assessment.
[00:08:41] Mm-hmm. Mm-hmm. Yeah, that's huge. I mean, you said it there too, even talking about toggling something on or off, like still during the CMMC level two assessment that's done by a C3PAO and an assessor, they're going to come in. And when you say that it, that it is inherited by, you know, let's say Microsoft or something like that, if, if it does point to, well, that toggle
[00:09:06] needs to be on or will that, you know, that permission needs to be turned off or whatnot, you have to still prove that in the assessment, right? It's not just, oh yeah, that's that. And, and now let's go on to the next control, right? So the other thing I wanted to say too about assessments, Adam, and I, I want you to just, before we switch over to the ESPs, not CSPs side, I want you to kind of share just from your personal experience of us as an MSP going into an
[00:09:35] assessment. What would you say was the most shocking part of like the, maybe the cloud service provider side and something that you assumed maybe would be a little bit easier when it comes to inheritance, but it was actually harder when you got into the assessment itself. Like, do you have any examples of that for somebody who is maybe not done an assessment before and is a little bit nervous about it? Yeah. So, I mean, the, the big guiding documents, like I said, are those implementations,
[00:10:02] statements, and the responsibility matrix. I've seen some really good ones for better or worse. Microsoft's documentation is incredibly thorough. It's nearly impossible to find, but once you find it, it is very thorough and it has so much information that makes my job a lot easier to document because I can specifically say Microsoft does X, Y, and Z in this way per these
[00:10:24] documents. Look at me, I'm done. I've also seen some that have been pretty horrendous. I've had to reach out to the vendor because I've looked at a statement that says it's my responsibility to control cryptographic modules in their platform or something. And I've, and I've literally had to look at that with our engineers and say, call me delusional, fellas, but we can't actually do this, right? And you know, they'll come back to me and say like, yeah, no, there's no way we can do this.
[00:10:52] So I have to take that, had to take that back to them and say, guys, your responsibility matrix says it's my responsibility to do something. I don't have any ability to actually do this. I think your, your matrix is wrong. And they actually had to update their matrix. Wow. Repeat for 320 assessment objectives where I had to apply the context of the tool and have the technical understanding of it to validate that their statements were in fact accurate. Because if I had
[00:11:19] made the assumption that their documentation was correct, I would have said, it's my responsibility to do this. And assessor would have said, show me how, and I couldn't. So the vendor documentation trail gets really complicated. And one other thing that's useful for people to know, if you have more than one cloud service provider, you may have to have and go through multiple matrices and document multiple products. Even in the Microsoft ecosystem, you have different documents for Azure and Microsoft
[00:11:46] 365. And you still have to be able to navigate them both. Yeah. What if you add in a FedRAMP authorized password manager? You have to figure out those ones relevant to that as a security protection asset. Are you doing software development and using the FedRAMP version of GitHub to store CUI code? If that's the case, you have to understand GitHub's documentation or a FedRAMP RMM as an MSP. So you can actually be having multiple cloud systems with multiple different versions of those
[00:12:15] matrices to go through with a whole bunch of documentation to do. Even if you're inheriting the same control across all of them, they may have it handled slightly differently. But we still have to go through and understand that. Going back to the fitness example, and I recognize the irony of this because I'm definitely not physically fit. But it's like having those different physical trainers for different muscle groups and stuff like that. You're still working out, getting your muscle groups in good order. But someone that's really good for like, you know,
[00:12:42] your abs and stuff like that might not be the best for like legs and arms. You know, there's the whole memes about skipping leg day for a reason. If you skip leg day, aka looking over your responsibility matrix for your password manager, you could find yourself in some problems as the assessor assesses that as a security protection asset. I love this. I love these examples. I feel like Bobby's here with us right now with all of your analogies. That's great.
[00:13:07] I feel like a lot of I'm hoping that MSPs too that are listening to this that are taking their clients through or maybe even themselves through as well through this process are hearing what you're saying because the documentation and the I don't know how to how to describe this to somebody. But like when we're talking about the assessment tango, you know, like what it's like to go through these
[00:13:33] things and be ready actually to show evidence during an assessment, you know, is just a whole nother ballgame. Like it's it's a totally different thing to be ready for that. And I feel like the cleanliness of your documentation or the order of it is is so important to be able to successfully do the assessment tango and have these things prepared. And what you're describing already shows this huge
[00:13:59] complexity when it comes to bringing cloud service providers in and the different CRMs in in documentation that come with it, because like not only are you saying you have to guide through sometimes depending on the vendor different types of documentation that they give you, you also which I think should not be understated that you said some of them are based upon NIST 800-53 and not NIST 800-171A,
[00:14:27] you know, and so that that is like the mother document to NIST 800-171, but it's not the same. Like the numbers are not the same in there. And you have to, you know, kind of guide yourself through of where they where they connect. And there is a cheat sheet for that. But still, you have to know your way around it. Oh, what were you saying? I got to throw one more curveball at you on that. Oh, boy. Which version of 800-53 was the documentation authored around at the time of their assessment?
[00:14:56] Oh, God. Because there is a notable difference between the current revision and a previous one. That's a good point. And CMMC and 800-171 Rev 2 points more to the previous one. So in some cases, we have to go back and loop around. I think a good control relevant to that is control and monitor the use of VoIP technologies. Weird, right? Yeah, that's a weird one. I'm going to spill a smidge of secret sauce here. We don't consider Microsoft Teams to
[00:15:23] be VoIP in a traditional sense, because it does not really conform to the definition of VoIP at the context and time that 800-171 Rev 2 was written. Kind of your collaborative meeting software came along much later down the road. That's true. Yeah. So we still have to speak to that, because we can't just, you know, our other stances, we don't really go down the, you know, non-applicable control route, because that's a whole other challenge for a whole other day. Yeah.
[00:15:49] But that all being said, I still needed something to write. I couldn't just say, I don't think this applies to me. And this also, for context, for anyone that's paying attention, this also assumes the Teams ecosystem is not set up with the ability to do call forwarding or anything like that. Just your native Teams desktop app, you know, where you just jump on a meeting and that's about all you can do. No dial-in options, none of that fun stuff. Mm-hmm. So we still had our statement saying, yeah, we consider it this way, blah, blah, blah. You
[00:16:17] know, what if an assessor disagrees and says, nope, I still think it's VoIP because I'm going to define VoIP differently than you define VoIP and I'm your assessor and I get to do that. So I had to try to route through and say, Microsoft does do some stuff around this. What exactly do they do? So I had to kind of wrapper that through, write a bunch of documentation around that to tie those FedRAMP statements together to present that compelling argument. And at least I think that worked out really well. We've got some, you know, plenty of successful assessments that would agree with that statement.
[00:16:46] But someone out there probably listening, and I'm sure we'll find out in the comments below at some point, might disagree and have a really compelling argument telling me that I'm wrong. But that's where the, you know, again, our default answer for CMMC is everything always depends. It depends, yeah. But that gets to a whole separate topic about assessor variability. And that's probably another hot take for another day. Another thing. So I think you've touched really well on this, the CSP side.
[00:17:12] But there is another side that I did, you know, mention earlier, which is ESPs that are not CSPs. So that could be somebody like a managed service provider, managed security service provider, or somebody of that nature. There are requirements for CMMC when it comes, when it comes to them. You have to have a customer responsibility matrix, which like you described, cloud service providers that you're trying to inherit stuff from. You also have to have,
[00:17:38] you know, a CRM from them and the agreement between them. Another thing I wanted to mention is this idea of inheritance through an ESPs, or even specifically a lot of the time, more managed service providers like us, inheritance through their CMMC level two certification. That's another way that you'll hear the word inheritance come up. And do you want to speak a little bit to that perspective? Yeah.
[00:18:07] And what you can inherit when it comes to that? Yeah. So that's a tricky one. And we've seen it kind of go around. And I know even like our stance on it has kind of evolved a bit over the years as more and more information has come out. You know, if we rewind a couple years ago to before, you know, 32 and 48 CFR went through the final rulemaking process was adopted, there was a lot of thought about, well, if an MSP or an ESP has a level two, what is stuff inheritable? Yeah. That's a pretty, you know, now that time's gone by,
[00:18:35] that's a pretty flat. No, you just can't inherit from that because if you're likely going down that inheritance route, you're probably a CSP and not an ESP. So what does that look like though, when I'm going through this process and I'm responsible for doing system maintenance and defining those system baselines and all that other stuff on behalf of the client? They can't inherit that from me. I'm not providing them the system. If I was, I'd be a CSP, but my responsibility matrix and agreement will point back and say, oh, Axiom is responsible for performing system maintenance
[00:19:05] and maintaining baseline configurations and all this other stuff. So that speaks to is the delegation of responsibility and the performance of the control. So it's not the inheritance, it's the performance. Going back to my gym analogy from earlier, if, you know, under the CSP approach, you know, I can't just walk into the gym and, you know, inherit being a bodybuilder, but I can send Kaleigh to go to the gym on my behalf to be a bodybuilder. No, thank you. I decline. Is that not in your responsibility matrix?
[00:19:35] It's not. It says I'm not responsible. Exactly. So, so all that being said, just to wrap that around, you know, we can inherit from CSPs. We still have to go through the work, but from the ESP perspective, ESPs can be responsible for the performance of controls and duties based on the agreement and the matrix. Right. And from the OSC's perspective, so if you're an end client out there paying attention to this, you need to understand all of this and be able to have that paperwork available,
[00:20:05] ready to present that during an assessment and understand what exactly your responsibility is. Simple example. We author and work with our clients on our policy work. That aligns to what Microsoft does, the vendors that we recommend, how we operate, reflected in our responsibility matrix, rapid through our SSP. And that allows our clients to basically get the easy option. However, in our matrix, it still says the client must review these policies and work with us to tailor them to their business.
[00:20:34] Right. There's no get out of jail free card here. They still have to do some work. We try to cut down as much work as possible. But companies that just want to sign off on those documents and say, yeah, we're good. We're ready to go. Let's get CMMC certified next week. You're going to have a bad time. Yep. Yeah. And it's so funny to me because I feel like the word, I'm going to use an analogy. Here I go. Let's see if this is a good one.
[00:21:04] When I hear people saying the word inheritance and trying to describe that as they can use it in a sense of like with an external service provider of any kind, whether that's a CSP or MSP or whatnot, I feel like they're describing a like group project, you know, where they're the ones that say, hey, you got this right. And then like, you know, there's always the one person in the group project that does all
[00:21:30] the work and brings the actual project to its full capability. And then the other people are just standing there and they kind of assume that it's going to be something like that. But when it comes to being an OSC, like the actual organization that's going to be assessed, you still have to know all of these things and there's still work to be put in. Like you cannot just show up and the other people did the work for you, you know, and
[00:21:57] especially when it comes to when you're talking about cloud service providers and the craziness that can sometimes happen with trying to find the evidence of their documentation and their CRM and being able to define it when it comes to your SSP. It's very much showing me that the OSC still has to do a lot of work. It is not just a, you know, wash your hands clean and you're good to go. You know what I mean? Yeah, exactly. Because at the end of the day, CMMC isn't an IT department problem.
[00:22:27] It's not a security department problem. It's certainly not just an MSP problem. It's something that impacts the entire organization. We can get cute and adorable in how we scope that, but it still is a business function. And the business needs to take that on because using your analogy from earlier, I'm not getting graded on it. Microsoft's not getting graded on it. Any of your other vendors aren't getting graded on it. You're getting graded on it. So, and that grade is either a pass or fail. Yeah.
[00:22:54] So there's no C students slipping through there as you're getting an A or you're getting an F. Yeah. Yeah. And now is not the time to phone it in because of that reason that you said right there. Yeah. Any other things that you want to know before I close it out that you feel like is important to share about inheritance? I mean, I think that's mostly it. I mean, it's not the get out of jail free card that we all hope it is, but companies that
[00:23:21] have gone through the FedRAMP process generally have their stuff together. Their documentation can always use improvement. So can ours. So can everybody else's. So can Microsoft's. No one's documentation is ever going to be completely perfect. But navigating through that process, it's just a lot of reading and just understanding how things just map together. Yeah. And the nice thing is when you look through 800-171A, you see the FedRAMP, you know, the 800-53 controls cited there, which makes it easier to do those mappings back and forth.
[00:23:49] So it's really just a lot of just reading, understanding, and just making sure all the dots connect and then writing it down. And for ESPs listening, be smart. Know what your clients are likely going to have. Propose solutions that are standard to your operations and think about that and work to build how they operate into your processes to make your job infinitely easier. And just take a step back and put a little bit of planning behind it so we're not having
[00:24:14] those extra conversations and challenges because the client will inevitably throw one at you when it's the 11th hour and they say, oh, by the way, we need to have this solution spun up and it's going to, you know, but hey, it's FedRAMP. It'll be easy, right? Because you've already done the exercise. You're better equipped to handle those situations. And because you've standardized and thought ahead, you have less work to do for the assessment. And then it just becomes a matter of just documenting the differences and being ready to speak to it and show the evidence. Yes. Could not have said it better myself.
[00:24:44] I really, truly hope that the external service providers that are listening to this hear what you are saying. I also hope that the OSCs kind of got a little bit of a punch in the face of how difficult some of these things can be and you cannot just phone it in. So please make sure to have these things in order. Have the documentation in order for all of your cloud service providers that are in your system.
[00:25:10] Might I say, I say all of them because there probably is multiple, just like what Adam was saying earlier. There could be multiple external service providers. So having all of that documentation in order. Please make sure to comment below if you think of any other, you know, things that have to do with this subject, maybe that you wanted to point out. We're trying to keep a community going here. So, uh-oh. Wait, hold on. Adam is holding his finger to his mouth like he forgot something. And that's always a scary sign.
[00:25:40] It's a scary sign. Yes. And I'll try to keep it nice and quick. Remember that one of the M's in CMMC is maturity. That implies that things will change over time and improve. Oh, boy. Keep in mind, how many times does Microsoft update stuff? Oh, they've never done it. I've never seen an update from Microsoft. Right, yeah. That's satire. I was kidding. I just thought patching was broken in your system or something. I was kidding.
[00:26:10] Would you like us to contact your IT department? I think Teams just updated for me today, actually. Yes. But anyway, so speaking of other things that Microsoft does that updates, they update their documentation. Yeah. And as they add services, remove services, rename services, because they never knew that. So keep in mind, documentation from your vendors will evolve as well and will change over time. So make sure as you're looking through these processes, when it comes time for your self
[00:26:36] assessment or whatever your maintenance checklist suggests, double check that those documents that you have on file that you need for your assessment are, in fact, up to date. The last thing you want to do is run into your assessment. You know, you've gone through the process. You've got your level two. Everyone's happy. You come out three years down the road with the responsibility matrix from Microsoft dated four years ago. Because an assessor is going to look at that and go, I'm pretty sure Microsoft made an update or two since then.
[00:27:03] And then you have to go through the whole rigmarole of finding the right document all over again, pulling your hair out, trying to find the right location, figuring out how many of those links are broken now. All under a time crunch for an assessment for something that a little bit of proactivity would have solved. Yep. Yep. And that's exactly why we say that your SSP and your documentation is a living, breathing organism, right? It's like it's a living document. It changes. It evolves. Well, it needs to.
[00:27:32] It should if you're doing it right. And so, yeah, that is a great point. A whole nother level of maturity that an organization has to have to keep tracking that. And if you're new to the CMMC ecosystem and you don't know, you do have to get, if you're trying to go for a level two certification, you have to be reassessed every three years by a C3PAO. And you have to self-attest once a year. So you should be doing these things consistently.
[00:28:02] So like what you're saying, Adam, if that documentation updates, you should be updating that every single time you're doing that. Or if your SSP says something sooner, you should be doing it at that cadence, right? So, yeah, no joke. I'm glad you said that. Thank you for saying that because that's a really big part of this. Okay, good deal. Well, guys, you heard it here. It's super, super easy to do all this documentation stuff. I don't even know why, Adam, you know, took so long for all this.
[00:28:30] So make sure, I'm just kidding, it is very complex and should not be taken lightly. Like I said before, comment down below if you think of any other things that maybe we didn't mention that it would be important to note for somebody who is new and starting their documentation journey. Also, please make sure to tune in and subscribe to our podcast episodes for more hot takes when it comes to Adam's hot takes specials.
[00:28:55] We are going to be trying to do more of these as we can and make sure that if you're a MSP that's going through this or even an OSC that's going through this, that you have good resources of things that can help you along your journey. So please make sure to follow along in every Thursday. We have a new episode, so stay tuned next Thursday for another episode of Climbing Mount CMMC. But until then, guys, as always, keep on climbing. See ya.