5 Tips To Prepare for CMMC Assessments

By Heather Bennett

February 7, 2023

Many OSCs (Organizations Seeking Certification) and C3PAOs eagerly await the final CMMC rule. In its CMMC Certification Overview, the Cyber-AB states that “organizations can and should be implementing the CMMC standard.” (https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/DIB-Companies-OSCs) Many OSCs have signed, or are signing, agreements with C3PAOs for their assessments in anticipation of that rule. As an authorized C3PAO, we want to share some insight and advice on getting ready for your CMMC assessment while there is still time to prepare.

Here are five tips to prepare for a CMMC assessment. Considering these tips will help make the assessment process smoother and more likely to succeed.

TIP #1. Documentation Review

Outdated or misaligned documents can lead to confusion and even failure. Your processes and procedures should be living documents that show ongoing development and change. This is especially true for your SSP (System Security Plan). Your SSP should be solidly built upon your supporting documents. All wording in your SSP should match your process and procedure documents. This shows continuity and maturity in your environment, which is paramount to CMMC.

The CAP (CMMC Assessment Process) Version 1.0, section 1.5.6, lists the items the C3PAO will require from the OSC:

  • Results of the most recent OSC self-assessment, or of any pre-assessment conducted by a Registered Practitioner (RP) or Registered Practitioner Organization (RPO)
  • A preliminary list of the anticipated evidence
  • The System Security Plan and other relevant documentation; and
  • A list of all OSC personnel who play a role in the procedures in scope.

The Assessment Team then collaborates and coordinates with the OSC to correlate all of the above information to each CMMC practice. The purpose of this step is a preliminary “triage” of the available evidentiary materials, “mapping” or “cross-walking” each item to its respective CMMC practice to establish a mutual understanding that the OSC has, at a minimum, addressed every CMMC practice with some evidentiary basis. This inventory does not establish that any CMMC practice has been implemented adequately or sufficiently in accordance with the CMMC standard; it establishes only that no practice has been left without evidence, that is, that no practice was neglected, ignored, or dismissed.

Having these key documents polished and ready is vital to obtaining a CMMC certification.

TIP #2. Prepare Evidence and Logs

As you begin the CMMC assessment process, you will be required to provide evidence that you meet the requirements for each practice. This means all supporting artifacts must be ready before the assessment starts, in versions that can be shared safely and securely (for example, screenshots and exports with credentials, keys, and other sensitive data redacted). As mentioned above, these documents and logs should show a history, and a level of maturity, appropriate to their corresponding practice.

Section 1.5.7 of the CAP version 1.0 clearly defines the evidence requirements. “Adequate and sufficient Evidence will be required to determine if the OSC is ready for the assessment.”

Adequate Evidence is the correct artifact, response, demonstration, or test that proves that the organization is implementing the CMMC practice. You should ask the question: Is this the appropriate evidence for this practice?

Sufficient evidence is the correct amount of evidence to verify that the CMMC practice is implemented correctly. This prompts the question: Are we providing enough proper evidence?

Applying these two questions to each piece of evidence will reduce the time lost to supplying additional or corrected evidence after the assessment has begun.

TIP #3. Resolve Existing POAMs

Currently, CMMC 2.0 rules do not allow pre-existing POAMs (unlike the NIST SP 800-171 DoD Assessments at the High confidence level conducted as part of the DIBCAC Joint Surveillance Assessments). If pre-existing POAMs are discovered, the result is an automatic failure, so any pre-existing POAMs must be resolved before your CMMC assessment begins. For more detailed information on POAMs and CMMC, see our blog post at https://provincia.io/poams-and-their-significance-in-cmmc/

The CAP version 1.0 section 2.3.2.1 lists criteria for items that are ineligible for a POAM:

  • Practices that could lead to significant exploitation of the network or exfiltration of CUI, as listed in Appendix K, paragraphs (e) and (f);
  • Any practice(s) listed on the OSC’s Self-Assessment Practice Deficiency Tracker (validated in paragraph 1.4.2);
  • Practices that were not implemented by the OSC prior to the current CMMC Assessment; and
  • Any practice that changes and/or limits the effectiveness of another practice that has been scored as “MET”.

If any of these conditions applies to a practice, that practice is ineligible for a POAM, and the OSC will not qualify for the “Limited Practice Deficiency Correction Program” for it.

TIP #4. Prepare for Interviews

Preparing for interviews may seem daunting, especially for personnel who have never been through an assessment. Prepare in advance so that your assessment is kept on schedule.

To help you do this, here are four things you can practice before your formal interviews.

With a bit of planning, communication and practice, preparing for interviews can significantly influence the outcome of the CMMC Assessment.

TIP #5. Pre-Assessment by an Authorized C3PAO

It is highly recommended that all OSCs undergo a pre-assessment before their CMMC assessment. A pre-assessment can identify areas of potential failure while you still have time to correct them, and it can save time, money, and frustration. During the pre-assessment, your assessor should focus on the critical areas that will prepare you for a successful CMMC certification assessment.

Some of these areas include:

  • Document review
  • POAM resolution
  • Evidence verification
  • Evidence preparation
  • Environment analysis

Summary

Preparing for a CMMC assessment can feel like a monumental task. With the help of the right professionals, navigating your assessment can be smooth sailing. Contact us today to discuss how Provincia Government Solutions can help you successfully achieve CMMC certification.

Here at Provincia Government Solutions, we believe knowledge is power. We make sure to stay informed regarding all things CMMC and pass this expertise on to you. We are here to help you earn your CMMC 2.0 certification. Your success is our success.

Upcoming Blog

We will continue our CMMC theme with “Am I Ready for CMMC?”, in which we will discuss the most important things to consider before diving into a CMMC assessment.

Be sure to subscribe to our blog and check out our podcast for more in-depth discussion of all things cybersecurity.

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville-based, HUBZone-certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements, including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!


ABOUT US

Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.

POAMs and Their Significance in CMMC Assessments

POAMs and CMMC

By Sese Bennett

December 19, 2022

The use of POAMs is ubiquitous in the world of cybersecurity. As we get closer to the release of CMMC 2.0, many are wondering about POAMs and their significance in CMMC assessments. A clear answer is difficult to give, but in this article we will attempt to shed some light on the expected standards for POAMs under CMMC.

The National Institute of Standards and Technology (NIST) defines a Plan of Action and Milestones (POA&M, commonly written POAM) as “A document for a system that ‘identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.’”

POAMs are used across many different groups in an organization, including IT, risk management, and governance, risk, and compliance (GRC). They also apply within the CMMC ecosystem, including to Organizations Seeking Certification (OSCs). As OSCs prepare for a CMMC certification assessment, they must consider any existing POAMs they currently have, understand how CMMC 2.0 defines acceptable POAM criteria, and understand how POAMs impact certification efforts.

How Does CMMC Define POAM?

CMMC defines a POAM as a document that records the deficiencies to be remediated and the timeframe for doing so. “The POAM’s purpose is to identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in an organization’s programs and systems.” (CAP)

The legitimacy and validity of a prospective POAM will be decided by the Lead Assessor at assessment closeout. The CAP provides a list of criteria that a credible and effective POA&M must include.

Why Are POAMs So Important to CMMC?

POA&Ms can make or break an assessment. Understanding a few key requirements will help you navigate the use of POA&Ms during your CMMC assessment. CMMC 2.0 was revised to make certification attainable in situations where certain POA&Ms may be necessary. However, keep in mind that not all practices will be eligible for a POA&M. According to the CMMC Assessment Process (CAP) version 1.0 (https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf), the following points must be considered when discussing POA&Ms:

  • CMMC will allow conditional use of Plans of Action and Milestones (POA&M) to remediate practices that are not fully or successfully implemented.
  • POA&Ms will be strictly time-bound, with a validity period of no more than 180 days from the Assessment Final Recommended Findings Briefing (Phase 3).
  • POA&Ms will not be allowed for the highest-weighted CMMC requirements (currently understood to be the 5-point requirements under the DoD Assessment Scoring Methodology).
  • The Department of Defense has established a minimum-score requirement to support Certification.
  • The Certified CMMC Assessor will validate the following criteria for an OSC to satisfy the requirements for receiving a CMMC Level 2 Conditional Certification:
      • 80% of all CMMC Level 2 practices scored “MET” (with 110 Level 2 practices, at least 88 must be found “MET”). In addition to that minimum score, “If any practices on the POA&M Review fail to result in a score of ‘MET’, the Lead Assessor will recommend the OSC NOT be recommended for a CMMC Level 2 Final Certification”.
      • All POA&M items must meet the criteria in Appendix K, “CMMC Scoring with DoD Assessment Scoring Methodology” (Appendix K - TBD).

Summary

Cybersecurity is an ever-evolving organism, and POA&Ms can be expected as new procedures and tools are implemented. CMMC will allow POA&Ms on a conditional basis; however, they will not be allowed for the highest-weighted CMMC requirements. Also, to qualify for the POA&M process, a minimum score must be met (88 of 110 practices, or 80%), and all qualifying POA&Ms require remediation within 180 days.

The CMMC 2.0 POAM process makes CMMC certification far more attainable than the previous model. It allows OSCs to remediate less severe issues within their CMMC environment while continuing their certification journey.

Other aspects of POAMs are still being finalized. PGS will keep you up to date as they are, but it is safe to say that minor updates and enhancements should be expected until CMMC’s final rulemaking is complete.

5 C3PAO Red Flags

By Sese Bennett

November 14, 2022

In this blog, we discuss 5 C3PAO Red Flags that you should look for when interviewing a prospective C3PAO to perform your CMMC assessment.

Choosing the right CMMC Third-Party Assessment Organization (C3PAO) for your CMMC assessment takes effort and time. That time and effort is well spent if you find the right match and avoid companies that do not have your best interest in mind.

The Good, The Bad, and The Ugly C3PAO?

As the cybersecurity world gears up for CMMC, a client reminded me not too long ago that not all companies are the same. This includes how they approach CMMC assessments and what “style” of C3PAO works best for them. While it is true that most companies will perform the assessment correctly, the way they assess can feel like anything from a walk in the park to a root canal. Yes, compatibility between the two companies can make a huge difference. Although a company may have stellar recommendations, its approach and personalities may clash with the established culture of your organization.

But what about the bad eggs? As with any project or initiative your organization takes on, diligence is required when selecting a compatible C3PAO. Differences of opinion on implementation and requirements are common and normally not showstoppers. Poor business ethics and ineptness, however, are signals of future problems that could become major issues if you are not careful.

So how do you identify these bad eggs before they impact the success of your assessment? Awareness is key. Recognizing these 5 C3PAO red flags will help you avoid C3PAOs (or any other organization, for that matter) whose actions put the success of your CMMC certification efforts at risk.

5 C3PAO RED FLAGS

The missing puzzle piece means they are not complete and not a C3PAO.

Red Flag #1 Almost Certified

In the world of CMMC C3PAOs there are only two states: authorized and not authorized. C3PAOs that have not officially completed the Cyber-AB authorization process cannot solicit business as authorized C3PAOs. “As good as authorized” or “almost authorized” means only one thing – not authorized! Many things could delay or even prevent them from becoming authorized. If you make a “gentleman’s agreement” based on the expectation that they will someday be authorized, you could be left high and dry and placed at the back of the assessment queue.

Hiring a C3PAO with no Action plan feels like being lost in a maze.

Red Flag #2 No Action Plan

If your interview with a potential C3PAO leaves you with more questions than answers, that C3PAO may not have an adequate plan to execute your assessment. Coming up with a plan on the spot is not reassuring and could delay your assessment. Experienced C3PAOs should be confident about what needs to be done. Although we are still in the early stages of rolling out CMMC, most experienced C3PAOs have already allocated resources and created plans for executing successful CMMC assessments. You should leave any preliminary discussion with a C3PAO feeling confident that they can handle the assessment and are the right fit for your organization.

Some CMMC questions are more important than others.

Red Flag #3 Not Asking the Right Questions

An interview with a C3PAO should be filled with questions from both sides of the table. The C3PAO most certainly should be asking questions about the size and scope of the assessment. They should be asking about your System Security Plan and the maturity of your documentation process. How can anyone give a fair proposal without knowing how much work is involved? If they are underbidding, they may become frustrated, and the quality and integrity of the assessment could suffer. If they are overbidding, you are eating the cost of their poor calculations. Neither of these possibilities is a win for your organization.

Having a C3PAO you can trust is key to a successful CMMC assessment.

Red Flag #4 Promises, Promises, Promises

C3PAOs should always be realistic about what they can deliver. Statements that over-promise and under-deliver will cause friction and frustration during an assessment. Promises such as “We will have you done in 10 days” or “We guarantee that you will be at the front of the early assessment queue” sound great but are empty, because C3PAOs cannot guarantee what they do not control, such as how long an assessment takes or the order in which the Department of Defense selects applicant organizations to be assessed.

Capable C3PAOs present realistic, documented expectations up front so that everyone is aware of engagement deliverables, activities, and timelines. If you start to hear promises that sound too good to be true, ask your C3PAO to back them up with facts and document them in your contract. If they cannot (or will not), run for the door!

Having little or no experience equates to more mistakes with your CMMC assessment.

Red Flag #5 Little or No Cybersecurity Assessment Experience

When hiring a C3PAO, it can be hard to gauge experience, since CMMC 2.0 is relatively new for C3PAOs performing assessments. However, CMMC 2.0 is based on NIST SP 800-171, whose security requirements map directly to the CMMC practices. That fact comes in handy when assessing the experience level of a potential C3PAO partner.

Basic questions you can ask to gauge the level of experience include:

  • What type of assessments have they done in the past?
  • Do these assessments include NIST based assessments such as 800-171, 800-53, FISMA, or similar?
  • What size organizations have they worked with in the past?
  • How many years have they been in the cybersecurity assessment field?

The last question is a very important one. Managing cybersecurity and assessing cybersecurity are two very different skill sets. Just because an organization is experienced in supporting cybersecurity does not mean it knows how to assess cybersecurity. Experience in assessment work is invaluable when it comes to CMMC assessments because it gives the experienced assessor the advantage of knowing what to look for and what to ask.

Summary

As an authorized C3PAO, Provincia Government Solutions prides itself on the straightforward, honest approach we take with each and every client. We welcome vetting questions and want you to feel confident in selecting us to participate in your CMMC journey. Feel free to reach out to us and ask any questions that will help you make the best decision.

In our next article, we will address POAMs and the role they play in the CMMC ecosystem. Be sure to subscribe to this blog so you do not miss any of the great articles coming up!

Upcoming Blog

We will discuss the significance of POAMs in the next article, which will help you navigate this precarious aspect of CMMC.

Be sure to subscribe to our blog and check out our podcast for more in-depth discussion of all things cybersecurity.
