
CMMC Assessment Process (CAP) Document


Walking the Fine Line Between Consistency and Efficacy

Summit 7 - Business Sensitive


Welcome!
Joy Beland, CISM | SSAP | CMMC-AB PA & PI
Edwards Performance Solutions
Senior Cybersecurity Consultant
CMMC Training Program Manager
jbeland@edwps.com (310) 590-9288

Reach out on LinkedIn!



Agenda
• Background
• Challenges
• Your Voice



What’s The Big Deal?
• What is the CAP?
  ❑ Assessment process guidelines broken into four phases
  ❑ Templates for C3PAO use
  ❑ Role assignments
  ❑ Criteria for scoring
  ❑ Outputs at each phase
  ❑ Criteria and flexibility for (some) unmet practices—POA&M
• Is it required?
  ✓ Hell YES; stringent requirement for adherence to exact process
  ✓ OSC and C3PAO both have mandatory roles
  ✓ No flexibility in scoring criteria
  ✓ Must generate required outputs



Playing with a Full Deck of Cards



The Ecosystem: Who’s Even Seen It?
• 2022: 16 Authorized C3PAOs; others who received a copy from those who broke their NDA; LTPs who teach the CCP 2.0 classes (V5.4)
• 2021: CCP candidates (students who have taken the class but not passed the CCP exam); LTPs who teach the CCP classes (V3.1); LPPs who author the CCP classes, including PIs who contribute content (v1.2?)
• 2020: PA Training; Original Board Members and Working Groups
But Who Will Rely on It?

“The CAP, developed and maintained by the CMMC Accreditation Body and reviewed and endorsed by DoD, is an element of official CMMC canon and adherence to its procedures is required by C3PAOs and their Assessors. While tailored for specific use by C3PAOs, Certified CMMC Assessors (CCAs), and Certified CMMC Professionals (CCPs), it is intended as a resource for the entire CMMC Ecosystem.”



Agenda
• Background
• Challenges
• Your Voice



Why You Gotta Be So Difficult?
• The Cyber AB has one customer: The CMMC Ecosystem / The DoD
• Stakeholders include:
  • OSCs in the DIB
  • C3PAOs
  • RPOs and consulting firms
  • MSPs, MSSPs, and CSPs
  • Vendors for CMMC Tools and Services
  • LPPs and LTPs



Challenge of Consistency
• Consistency in official assessments is required for success:
  • Contracts
  • Timeline
  • Process
  • Roles and responsibilities
  • Reporting
  • Criteria
  • Milestones
  • Templates

But the DIBCAC is not assessing C3PAOs using the CAP.



You Say Critical Path, I Say Agile
• DIBCAC assessments are much more streamlined and agile; The Cyber AB expects the CAP to be followed
• Whose assessment process will be used for the Joint Surveillance program? Matt: “Intention is that DIBCAC will use the CAP as a procedural guide”
• C3PAOs will have to redesign project management for assessments
• PMPs will likely commit suicide or homicide



The Phases
1. Readiness: “Plan and Prepare the Assessment” (+/- 35% of the specified activities)
   A. How will C3PAOs price the resources to handle the discovery process and contract negotiations required before anyone shakes hands to proceed?
2. “Conduct the Assessment”
   A. Resources – CCP role undecided; if only PAs can participate …
3. Report Recommended Assessment Results
4. Close Out POA&Ms (if applicable) and the Assessment



Hello, “External Cloud Service Providers”
For additional information on the definition of External Cloud Service Providers, see NIST SP 500-292, “NIST Cloud Computing Reference Architecture,” section 2.3.

Sept 2011: “A cloud provider is a person, an organization; it is the entity responsible for making a service available to interested parties. A Cloud Provider acquires and manages the computing infrastructure required for providing the services, runs the cloud software that provides the services, and makes arrangement to deliver the cloud services to the Cloud Consumers through network access.”



Hello, “External Cloud Service Providers”

Note: External Cloud Service Providers who only store, process, and transmit FCI must implement the safeguarding requirements for CMMC Level 1. However, those with an external connection to the CUI/FCI environment under AC.L1-3.1.20 must also meet all the practices for CMMC Level 2.



Just to be Clear … Readiness Phase
1.5.4.1 Ascertain the Use of External Cloud Service Providers
Does the external connection entity process, store or transmit CUI (AC.L1-3.1.20, “External Connections: Verify and control/limit connections to and use of external information systems”)?

If the OSC’s External Cloud Service Provider does not possess a valid FedRAMP Moderate certification, then the C3PAO Assessment Team will need to determine if the External Cloud Services Provider’s security practices are equivalent to those of the FedRAMP Moderate baseline.



But Wait, There’s More!
2.2.4 Determine FedRAMP Moderate Equivalency for Cloud Computing Providers

“To be clear, the C3PAO Assessment Team is not conducting a quasi-FedRAMP certification audit of the External Cloud Service Provider, for which it is neither authorized nor certified. Rather, the C3PAO is applying the two criteria established by DoD to determine if FedRAMP Moderate “equivalency” has been attained and can be recognized.”

1. The OSC or the External Cloud Service Provider has provided a body of evidence documenting how the External Cloud Service Provider’s security controls are equivalent to those provided by the FedRAMP Moderate baseline standard; and
2. Said body of evidence has been attested to by an independent, credible, professional source.

“A FedRAMP Third-Party Assessment Organization (3PAO), however, retained by the OSC, may serve in this role to attest to the credibility of the body of evidence.”

Examples of items that could be included in such a BOE are an SSP that describes the system environment, system responsibilities, and the current status of the FedRAMP Moderate baseline controls required for the system, as well as a Customer Implementation Summary/Customer Responsibility Matrix that summarizes how each control is met and which party is responsible for maintaining that control.



Just to be Clear … Readiness Phase
1.5.4.1 Ascertain the Use of External Cloud Service Providers
Does the external connection entity process, store or transmit FCI/CUI?
“…If the External Cloud Service Provider does not store, process, or transmit CUI, but contributes to the OSC in meeting CMMC requirements (i.e., providing protection) for the OSC’s environment containing CUI and FCI, then the External Cloud Service Provider must only meet NIST SP 800-171 requirements and attain CMMC certification for CUI/FCI (or only meet CMMC Level 1 requirements when only FCI is present and the flow of CUI is restricted from the access through the external connection). The phrases “provides protection” or “provides security protection” mean the External Cloud Service Provider contributes to the OSC meeting at least one or more of CMMC practice requirements or other specified CUI security requirements.”
SPA’s



Another Unknown

• Non-Duplication (Reciprocity)
• “Right now, with the CMMC AB, I don’t know if we’ve broached this particular topic. We certainly have with the DIBCAC, and we’re giving them credit. But we probably need to have that conversation with the AB as well, just to make sure that they know that we do endorse reciprocity.” ~ David McKeown, July 6, Federal News Network
• What I’m hearing: “Dept not clear with one voice re: FedRAMP non-duplication”



Physical Inspection Requirements
“…validation of the following 15 CMMC practice objectives must be observed by the C3PAO Assessment Team in-person and on the premises of the OSC…”
▪ CM.L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
▪ MA.L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
▪ MP.L2-3.8.1[c]: Paper media containing CUI is securely stored.
▪ MP.L2-3.8.1[d]: Digital media containing CUI is securely stored.
▪ MP.L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
▪ MP.L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
▪ PE.L1-3.10.1[b]: Physical access to organization systems is limited to authorized individuals.
▪ PE.L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
▪ PE.L2-3.10.2[a]: The physical facility where organizational systems reside is monitored.
▪ PE.L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
▪ PE.L1-3.10.3[a]: Visitors are escorted.
▪ PE.L1-3.10.3[b]: Visitor activity is monitored.
▪ PE.L1-3.10.5[b]: Physical access devices are controlled.
▪ PE.L1-3.10.5[c]: Physical access devices are managed.
▪ SC.L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use.



Physical Inspection Requirements
“Note: the above CMMC practices may be exempted from mandatory on-site assessment if the OSC employs a cloud services provider to manage them and the cloud services provider holds FedRAMP Moderate certification or a valid determination of its equivalency.”

Laptops or cell phones only?
Home offices?



The Phases and the Limited Deficiency Program

1. Plan and Prepare the Assessment
2. Conduct the Assessment
3. Report Recommended Assessment Results
4. Close Out POA&Ms (if applicable) and Assessment

Limited Deficiency Program: max six (6) months



Limited Deficiency Controls
One-point controls found during the Phase 2 assessment not to be fully implemented:

1. A practice that was implemented, but missing minor updates (e.g. updates to
policy signatures, procedural documentation that exists but is outdated, etc.), but
where the practice Evidence demonstrates the implementation has been in place
for a period of time; and
2. Consensus among the C3PAO Assessment Team that the practice in question does
not change and/or limit the effectiveness of another practice that has been scored
as “MET.”



Limited Deficiency Controls
CMMC practices should not be placed on the limited practice deficiency correction program if:
• The practice changes and/or limits the effectiveness of another practice that has been scored “MET”
• The practice(s) is listed on the OSC’s Self-Assessment Practice Deficiency Tracker
• The practices could lead to significant exploitation of the network or exfiltration of CUI
• Practices were not implemented prior to the CMMC Assessment



Limited Deficiency Controls (52)
22 total is the maximum allowed.
• AC: AC.L1-3.1.20, AC.L1-3.1.22, AC.L2-3.1.3, AC.L2-3.1.4, AC.L2-3.1.6, AC.L2-3.1.7, AC.L2-3.1.8, AC.L2-3.1.9, AC.L2-3.1.10, AC.L2-3.1.11, AC.L2-3.1.14, AC.L2-3.1.15, AC.L2-3.1.21
• AT: AT.L2-3.2.3
• AU: AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.6, AU.L2-3.3.7, AU.L2-3.3.8, AU.L2-3.3.9
• CM: CM.L2-3.4.3, CM.L2-3.4.4, CM.L2-3.4.9
• IA: IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.11
• IR: IR.L2-3.6.3
• MA: MA.L2-3.7, MA.L2-3.7.6
• MP: MP.L2-3.8.4, MP.L2-3.8.5, MP.L2-3.8.6, MP.L2-3.8.9
• PE: PE.L1-3.10.3, PE.L1-3.10.4, PE.L1-3.10.5, PE.L2-3.10.6
• RA: RA.L2-3.11.3
• CA: CA.L2-3.12.4
• SC: SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.7, SC.L2-3.13.9, SC.L2-3.13.10, SC.L2-3.13.12, SC.L2-3.13.13, SC.L2-3.13.14, SC.L2-3.13.16



The POA&M
• If any practices on the Limited Practice Deficiency Correction Program FAIL to result in a score of “MET” within five (5) calendar days prior to submission of the Final Findings report into eMASS, the Lead Assessor will recommend moving the OSC’s practice deficiencies to a POA&M.
• Maximum 22 that can qualify
• Stacy Bostjanik: SC.L2-3.13.11 FIPS-Validated Cryptography at a 3 (not 5) can be POA&M’d; this is the only practice with two possible scores (not in writing anywhere)
• 88 / 110: ✓ Conditional CMMC Level 2 Certification



Who Gets to Say “N/A”?

DRAFT CAP V5.4 – Do not subtract points (5) if practice not permitted:
AC.L2-3.1.12 Monitor and control remote access sessions
AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
AC.L2-3.1.16 Authorize wireless access prior to allowing such connections
AC.L2-3.1.17 Protect wireless access using authentication and encryption
AC.L2-3.1.18 Control connection of mobile devices
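To make the scoring rules on the last three slides (the 52 one-point Limited Deficiency controls, the POA&M maximum of 22 with the 88/110 conditional threshold, and the five practices that may be scored N/A) concrete, here is an added checker; it is constructed for this page and is not the CAP’s or Summit 7’s tooling. It assumes every practice outside the 52-item list is worth 5 points, that only SC.L2-3.13.11 can take the partial score of 3, and that ids are copied exactly as printed on the slides (including the truncated “MA.L2-3.7”).

```python
# Constructed example (not the CAP's or Summit 7's tooling): CMMC Level 2
# scoring and POA&M eligibility as this deck states it. Assumptions: practices
# outside the 52-item list are worth 5 points, only SC.L2-3.13.11 can score 3,
# only the five listed practices may be N/A, and ids are copied as printed.
MAX_SCORE, CONDITIONAL_MIN, MAX_POAM = 110, 88, 22

ONE_POINT = {  # the "Limited Deficiency Controls (52)" slide
    "AC.L1-3.1.20", "AC.L1-3.1.22", "AC.L2-3.1.3", "AC.L2-3.1.4", "AC.L2-3.1.6", "AC.L2-3.1.7",
    "AC.L2-3.1.8", "AC.L2-3.1.9", "AC.L2-3.1.10", "AC.L2-3.1.11", "AC.L2-3.1.14", "AC.L2-3.1.15",
    "AC.L2-3.1.21", "AT.L2-3.2.3", "AU.L2-3.3.3", "AU.L2-3.3.4", "AU.L2-3.3.6", "AU.L2-3.3.7",
    "AU.L2-3.3.8", "AU.L2-3.3.9", "CM.L2-3.4.3", "CM.L2-3.4.4", "CM.L2-3.4.9", "IA.L2-3.5.4",
    "IA.L2-3.5.5", "IA.L2-3.5.6", "IA.L2-3.5.7", "IA.L2-3.5.8", "IA.L2-3.5.9", "IA.L2-3.5.11",
    "IR.L2-3.6.3", "MA.L2-3.7", "MA.L2-3.7.6", "MP.L2-3.8.4", "MP.L2-3.8.5", "MP.L2-3.8.6",
    "MP.L2-3.8.9", "PE.L1-3.10.3", "PE.L1-3.10.4", "PE.L1-3.10.5", "PE.L2-3.10.6", "RA.L2-3.11.3",
    "CA.L2-3.12.4", "SC.L2-3.13.3", "SC.L2-3.13.4", "SC.L2-3.13.7", "SC.L2-3.13.9", "SC.L2-3.13.10",
    "SC.L2-3.13.12", "SC.L2-3.13.13", "SC.L2-3.13.14", "SC.L2-3.13.16",
}
NA_ALLOWED = {"AC.L2-3.1.12", "AC.L2-3.1.13", "AC.L2-3.1.16",
              "AC.L2-3.1.17", "AC.L2-3.1.18"}  # "Who Gets to Say N/A" slide
PARTIAL_3 = "SC.L2-3.13.11"  # FIPS-validated crypto may be scored 3 of 5


def assess(results):
    """results: {practice id: "MET" | "NOT MET" | "N/A" | "PARTIAL"}.
    Returns (verdict, score, poam); verdict is CERTIFIED, CONDITIONAL or FAIL."""
    score, poam, blockers = MAX_SCORE, [], []
    for pid, status in results.items():
        if status == "MET":
            continue
        if status == "N/A":
            if pid not in NA_ALLOWED:
                raise ValueError(f"{pid} may not be scored N/A")
            continue  # practice not permitted: no points subtracted
        if status == "PARTIAL":
            if pid != PARTIAL_3:
                raise ValueError(f"{pid} has no partial score")
            score -= 3
            poam.append(pid)
        elif status != "NOT MET":
            raise ValueError(f"unknown status {status!r} for {pid}")
        elif pid in ONE_POINT:  # NOT MET one-point practice: POA&M-eligible
            score -= 1
            poam.append(pid)
        else:  # NOT MET five-point practice: cannot be POA&M'd
            score -= 5
            blockers.append(pid)
    if not poam and not blockers:
        return "CERTIFIED", score, []
    if blockers or len(poam) > MAX_POAM or score < CONDITIONAL_MIN:
        return "FAIL", score, poam + blockers
    return "CONDITIONAL", score, poam
```

Note that 21 one-point misses plus SC.L2-3.13.11 at 3 stays within the 22-item cap but lands at 86, below the 88 threshold, which is why both checks are needed.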



Agenda
• Background
• Challenges
• Your Voice



The Ecosystem: Who’s Even Seen It?
• 2022: 16 Authorized C3PAOs; others who received a copy from those who broke their NDA; LTPs who teach the CCP classes (V5.4)
• 2021: CCP candidates (students who have taken the class but not passed the CCP exam); LTPs who teach the CCP classes (V3.1); LPPs who author the CCP and CCA classes, including PIs who contribute content
• 2020: Original Board Members and Working Groups
Public Comment: 30 days – Aug 23-25
Next Town Hall: August 30

