Ace Your CMMC Level 2 Assessment

KLC Consulting’s “Ask the Experts” webinar addressed the most pressing questions surrounding the CMMC Level 2 Assessment process. Our seasoned team, including Kyle Lai CCA, Kelly McDermott, and John Sciandra, speak about critical elements that will determine your certification success.

Key takeaways from the video include:

  • Typical Timelines: Understand the CMMC Level 2 Certification assessment process, from pre-assessment to final certification.
  • Cost Contributors: Gain clarity on factors that can influence the price of your CMMC Level 2 assessment.
  • Essential Artifacts & Documentation: Identify the information you’ll need to provide for a successful CMMC Level 2 evaluation.
  • Behind the Scenes: Get an inside look at what to expect during the actual assessment week, including on-site activities and daily interactions with assessors.
  • Common Challenges & Pitfalls: Hear what organizations often face during their CMMC Level 2 journey, and how to avoid them.
  • Actionable Strategies: Acquire actionable know-how for effectively preparing for and achieving your CMMC Level 2 Certification.

Transcript for: Ace Your CMMC Level 2 Assessment

Introduction

Kelly McDermott 00:01

Hello everyone. Great to see you here. We’re going to just give it one minute to have others come in and join the webinar today. So just hang on for about a minute and we’ll kick things off right at 12. All right, it is top of the hour, and we’re going to kick things off. Welcome everyone to KLCC’s webinar, Ask the Experts: CMMC Level Two Certification. It’s great to have you all with us today. Thank you for joining. My name is Kelly McDermott, and I work with KLC Consulting, and I’ll be the host of this webinar today. Here’s a little bit about KLC Consulting and our webinar. So as you may know, we are a CMMC third party assessment organization, or a C3PAO, authorized by the Cyber AB to assess and certify companies in CMMC. KLC Consulting is also a CMMC compliance consulting firm that helps DIB companies attain US DoD information security requirements. We were incorporated in 2002 and we have offices in Marlboro, Massachusetts and in Houston, Texas, and we work all across the country. So joining me today are our esteemed panelists. We’ve got Kyle Lai, Lead CCA and President and CISO of KLC Consulting, and also John Sciandra, Lead CCA and Principal CMMC Assessor and Advisor to KLC Consulting. So I’d like to welcome both of our panelists, Kyle and John. How you doing today? Thank you. Great. So before we kick things off, I just wanted to let you know that if you have questions, we’re going to get to as many questions as possible. But if you have additional questions, please put them in the Q&A down on your toolbar there, and we’ll be sure to get to those, or we’ll hope to get to as many of those as we can. And also a recording of the webinar will become available shortly after this meeting ends, and you will be sent the webinar recording directly. 
And also, if you would like a copy of the PowerPoint slides that Kyle and John will be sharing, you can email us at CMMC@KLCConsulting.net, and I’ll put that email address in the chat so you can get that, or feel free to email any of us here and we’ll send the slides to you. So now I would like to kick things off and get to our agenda, and I’m going to have Kyle kick things off and walk us through a little bit of things that you need to know. Go ahead. Kyle, Kyle, for some reason, I’m sorry, but your mic is muted. Yeah. Thank you, Kelly, now we’re

Kyle Lai 03:34

going to pick things up. Yes, yep, yeah. Thank you. So we’re going to go through the CMMC certification process, some of the terminologies and also the timeline before we start answering questions, so we can just share some understanding about the process first, because these are common questions that we have got.

Understanding the CMMC Level 2 Assessment Schedule

So okay, so let’s take a look at the CMMC assessment schedule. This is the typical schedule. This is KLCC’s process, right? So, and these processes are based on the Cyber AB’s CMMC Assessment Process, the CAP 2.0, so there is a standard process as defined by Cyber AB. So let’s take a look at this one. The step one, what we do is the pre-assessment, right? And obviously this is all based on the CMMC Level Two certification assessment. And the purpose is that if you are handling CUI, controlled unclassified information, and you have to, by contract, you know, you have to get the CMMC Level Two certification assessment, you’ll contact us, KLC Consulting, and we are one of the C3PAOs, and we will conduct the assessment, John, myself, and also Layla Paul. Paul, hello, hello. So we have three lead CCAs within our organization, and we have been busy conducting the assessment. This year we already conducted four, and we’re going to conduct the fifth one next week. So let’s take a look at the assessment.

CMMC Level 2 Assessment: Step-by-Step Process

So step one is the pre-assessment phase. So overall it’s about 12 weeks, but the first three weeks is the step one pre-assessment. So this is the part that we kick things off and say, here is all the information we need, right, including the SSP, system security plan, the scoping diagram, your CUI data flow; provide us that information. We want to make sure that you understand what CUI is, what is the environment, what is the scoping? Make sure that you have the proper scoping and the SSP you provided to us is adequate, so we’re not really conducting too much of the detailed assessment at that time. We just want to make sure that you have a good understanding, and at the end of that three weeks, we’re going to make the determination to see if you are ready for the actual assessment. And if we determine that you are ready to move on to the actual assessment, that’s when we start the step two. And during this assessment, we will send you all the required artifacts, ask you to, you know, send us the artifacts, you know, in terms of putting the files into an agreed-upon repository, so we will be able to collect that information, collect the artifacts, documents, so we can start doing the review of these documents, right, and also work with you about the logistics. If you have any physical presence, physical CUI, then we will need to go on site to conduct the physical inspection, and we’ll work out the logistics with you during this assessment as well. Right? So on the eighth week is usually our week of conducting the assessment. So during this week, we usually start out from 8:30 or nine o’clock, nine to three we conduct the assessment. At the end of each day, we will do a touch point, daily touch points, to give you understanding in terms of if there is anything that we still need for the day, if there is anything that’s trending not met, if there is anything that’s missing, artifacts that are missing, we’ll go through that. 
And at the end of day four, at day five, we usually, day four, usually day three or day four, that’s when we conduct the physical inspection. We will go on site. And day five, we usually will let you know if you are trending. By that time, you will have a good understanding if you are, you know, going to have 110 or if there is still something that’s missing. So we’ll let you know at day five of the assessment week. And if everything is all good, we move on to the step three. That’s when we are all done with, you know, you providing us all the artifacts, the remaining pieces of the artifacts. Then we get everything that we needed. We’ll go through the step three, which is to write up the results, assessment results, and at that point, we’ll generate the report, the assessment report, and out brief, official out brief as well, presented to you within that next four weeks. If everything is all good, we will issue the certificate during our step three. You probably will see that in the CAP, the CMMC assessment process, the phase four. But in our case, we will deal with that within our process; step three will issue that certificate. If you do have any POA&M, the plan of action and milestones, that means if you have any gaps, and if they are, say, if you have any deficiencies, and you’re following the SPRS score below, it’s above 88 but it’s not 110, then you will be in this conditional period, and we will work with you to close out these POA&M. We’ll wait for you to close the POA&M. Then we will assess. We’ll wait for you to contact us when you’re ready. But it has to be within 180 days of completion of the assessment. If you have everything all done within 180 days, then we’ll convert the conditional status to a final status. But if you miss the time period, 180 days, if you miss that time period, then we’ll have to start the certification assessment over again, right? I want to point out there’s a 32 CFR 170.17(c)(2) within this clause. 
If there’s anything that is identified as not met, you will have a 10-day, 10 business day period for us to re-evaluate these items, right, these gaps, deficiencies, providing that three conditions have to be met in order for us to be able to do this. First is just that you have the evidence, you will be able to provide us the additional evidence so you can show it to us and ready to go, so we can determine if these are really met or not, and also the security requirements that we’re assessing cannot impact the other requirements. If there is something that will be impacting the other requirements, then we cannot do a re-evaluation on that, because there will be changing, you know, changing the configuration for your system, for example, it’s going to be impacting the other requirements. So we will not be able to do the re-evaluation in that case, and also providing that we have not issued the CMMC findings report, the out brief,

John Sciandra 11:54

Yep, Kyle, it might also be worth mentioning, these time frames are not ours. These are prescribed by the CMMC program. So you know, if you came close to the 180 days, for example, and you were asking us for some leeway, again, a lot of this stuff is according to the CAP, so just be aware of that.

Kyle Lai 12:24

Yep, yep. Great point. Thank you. Thank you. John.

CMMC Level 2 Assessment Costs

Okay, so this is a very common question, how much does it cost? And I know this is obviously not cheap, and there’s a lot of requirements in terms of how many assessors. We can tell you that each assessment requires three assessors, three certified assessors to be involved, right, at least two assessors to conduct the assessment, and the third assessor is the QA, doing the quality assurance. But these are the, if you are interested in getting a quote, this is the link, and also the QR code you can scan and get a quote, but the price starts from about 43,000 and up, depending on the size, and these are the different factors, right, the size of your organization, and also the system complexity. If you have, you know, how many locations you have, and how many locations we need to go on site to conduct the assessment, right? And if you are doing everything on your own on prem, or if you have cloud based or if you have some things that are handled by MSPs and service providers, you know, those could play a difference in the cost as well, as well as the number of CAGE codes that are going to be in scope, because the more CAGE codes that you have, or the different CAGE codes with different functions, we will take those into consideration, because that may mean that we have to go to more sites to conduct the assessments.

Kelly McDermott 14:19

You can also get that price quote if you didn’t have a chance to do it here, but it’s on our website. Just in case, if you missed it, you can go to our website and get it as well. Get your instant quote.

Finding Reliable CMMC Resources

Kyle Lai 14:27

Great. Yep. Good point. Thank you, Kelly. Yep. And also, there’s a common question, where can I find the reliable CMMC resources, you know, the documentation, and also the consultants, the C3PAOs, CMMC third party assessment organizations like us, right, to conduct the assessment. Where do you find this information? So DoD CIO, DoD CIO office, they have the CMMC site. That’s the official site that lists out the program, and also the assessment guide, scoping guide, hashing guide; all that information is on the DoD CIO office site. Cyber AB, that’s the CMMC accreditation body, and they do have a marketplace where all the registered practitioners, certified professionals, certified assessors, and C3PAOs are listed. This is the official list that’s vetted by Cyber AB. And obviously we have our website providing a lot of information, knowledge and also blogs and the resources that you can go to as well. Okay, and we will provide, like Kelly was saying in the beginning, we will be able to provide this slide to you if you want to send us the email, we can

Kelly McDermott 15:58

do that, and I put our email in the chat for those that want to request the slides.

Kyle Lai 16:04

Okay, great, thank you. Okay.

Understanding Cloud Service Providers (CSPs) in CMMC

And another question that’s pretty common is, is my managed service provider a cloud service provider, right? Or, if the enclave, right, CUI enclave I use, you know, is that a cloud service provider? The cloud service provider, CSP, is defined within the 32 CFR 170.17(c)(2), which means that that is the CMMC program rule. So if you go to this 32 CFR 170.17(c)(2) you will see that the cloud service provider definition is really based on the NIST 800-145, and I provided the link here so you will be able to go look at more detail. But at the high level it really has to be on-demand network access to a shared pool of configurable computing resources, right? But one of the key words I always want to bring up is the on demand. When you say on demand, it means a lot of automation, right? So if you actually have to subscribe and pay with your credit card, and within, you know, a few minutes or very little manual setup, then you will actually have services available to you. That’s what I mean, on demand. If I have a service where I actually have to call them up, pay by credit card, then wait for a week because there is some manual configuration that needs to be done, then that’s not on demand. That’s not qualified as a cloud service provider, but you can actually look at the NIST 800-145 for more definition,

John Sciandra 18:01

Yeah, and just real quick. You know, there’s some finesse in that. For example, if you were trying to set up an environment like either GCC High, AWS GovCloud, you may not use your credit card right away if you have to go through a reseller. But the idea is still the same, that once you’ve made your purchase, you can go in and pretty much configure yourself.

Operational Plan of Action, Enduring Exceptions, and Temporary Deficiencies

Kyle Lai 18:37

Yeah. Great point. Yeah. Thank you, John. Okay, there are three terms I’d like to introduce here, because these are newer terms. And as we are doing the assessment, conducting the certification assessments, we’re starting to use these quote unquote tools, right: operational plan of action, the enduring exceptions, and also temporary deficiencies. I’ll go through each one of them. So operational plan of action, just want to bring up, just want to make sure that these are something that you will be able to work on as a plan of action. Operational plan of action is something where there’s a vulnerability or temporary deficiency that you document, you can work on, and the requirements still get assessed as met. But just want to bring up that this is not the same as plan of action and milestones. This is something that you already implemented, but there are some vulnerabilities or temporary deficiencies that you can address later on, after your implementation. So just want to bring up that this operational plan of action is allowed within the CMMC program, but plan of action and milestones is something you’re missing, something that’s assessed as not met, that you have time to address within 180 days. That’s something that’s different. Okay, anything to add? John, yeah,

John Sciandra 20:21

I was going to say there has been in the past a lot of discussion. I don’t know if it’s contention, but for example, if a FIPS certificate is expiring, and if you’re directed to upgrade to a new FIPS certificate, I think the DoD and the CMMC program has kind of eased a little bit in making this operational plan of action, because you have some ability now to manage that situation, whereas in the past it was thought that even though you have to upgrade, if you do upgrade, you’re no longer compliant, and so this kind of helps that situation. I don’t want to say they’re unique situations. It could also involve upgrading of equipment. Let’s say you’re moving to a new firewall, and you’re in a weird in-between state where you still have your old firewall and you’re installing a new one. That’s where this operational plan of action comes in.

Kyle Lai 21:32

Yep, and we actually just conducted a certification assessment where we identified, you know, FIPS validation was actually an issue, because the firewall that was implemented was okay, but then later on, the vendor actually decided not to support the FIPS validation after the expiration, right? So now they’re in this weird state, but that’s where the temporary deficiency will be able to actually identify as a temporary deficiency, and then the OSC will be able to create an operational plan of action. Say, this is how we are going to address this issue. We are going to upgrade our firewall. In that particular situation, upgrade our firewall to this vendor that actually has the valid FIPS validation, the validation certificate. In that case, yeah, they have an operational plan of action in place to address the temporary deficiency. So in this case, by 32 CFR 170.17(c)(2) we’re allowed to assess the requirements as met, right? So these are the different tools that allow the assessors and also OSCs to address some of these deficiencies. There are some, I’ll go to the temporary deficiency slide, we’ll go through, there are a few more items that need to be met to be considered as a temporary deficiency. Okay, yeah, and enduring exception, this is a newer term in the final 32 CFR 170.17(c)(2) as well. But this is enduring exception. It’s that something, you know, there is a vulnerability, but there’s nothing that you can do, for example, if you have a test equipment or like a test machine that’s been certified by FDA or certified by NIST, right? And saying this equipment, it’s used to validate this, to do specific testing. And this equipment is running on Windows XP, right, for example. But Windows XP, we know, is vulnerable. There’s nothing that we can do to upgrade from XP to Windows 10 or 11, because it has to be certified equipment by NIST or FDA; there’s nothing you can do. 
You can document, say this is the certified equipment, just exactly as an example, right, this is certified equipment, we know there’s a vulnerability, we put them into a separate environment, and there’s nothing we can do, this enduring exception. So that, and if you have the enduring exception filed, in this case the requirements still can be assessed as met, because there’s nothing you can do, so, and you can go to 32 CFR 170.17(c)(2) for more. And this is the temporary deficiency we just talked about. So just need to make sure that when you have a temporary deficiency, that you, you know, actually document this in the operational plan of action, and it is something that you are working on, paying attention to and working towards closing. There is no standard duration in terms of when you must close your temporary deficiency, because it’s different from the plan of action. Anything to add? John,

John Sciandra 25:36

all good. I think you’ve got it. Okay, great.

Kyle Lai 25:40

Okay, so once we go through that, I just want to leave some time for us to go through these questions. And these are questions that we see a lot, and also there are pre-submitted questions. We’ll try to cover as many questions as possible.

Kelly McDermott 25:57

Okay, so we will roll things right along here. I think the bubble above everybody’s head right now is, Will CMMC be impacted by the new Trump administration, with all the changes? Kyle, what do you have to say about that?

CMMC Program Updates and the Trump Administration

Kyle Lai 26:13

I know there’s only a slight delay, because when the Trump administration took over, there is an executive order to hold all the rules that haven’t been finalized, right, hold them for 60 days. So there can be a review, in this case, CMMC 48 CFR, that’s the second part of the CMMC. That’s the CMMC procurement acquisition rule, right? So that’s been reviewed, right? It’s not been finalized. So that’s been put on hold for 60 days. Then you will be moving forward again. Katie Arrington, who actually started the CMMC program during the first Trump administration, she is back as the DoD CISO, so she is kind of a champion for pushing the CMMC forward. So based on her post on LinkedIn and some of the comments she has made, it seems like there is not going to be any impact for the CMMC program going forward. John, is that what you hear as well? Yeah, yeah.

John Sciandra 27:39

So what I understand is whenever a new administration comes in, it’s not unusual to freeze the rule making process and to do this kind of a review. So I don’t believe that the CMMC program was targeted in any way, it just got swept up in the normal course of business. You know, my personal opinion is that this program is so vital to, you know, fixing part of the advanced persistent threat problem, I am doubtful that, especially the Trump administration, would want to stop that. So I think we’re in a good place. Just, you know, there’s been lots of delays. This will be maybe one more delay, but I believe, you know, the ball is rolling now, so I’m fairly confident that I would not delay a decision of an OSC to move forward based on any concerns that the program might be canceled. Yeah, I don’t think so. Yeah, I

Kyle Lai 28:55

don’t think it will be canceled.

CMMC Certification Assessment Timeline

Kelly McDermott 28:58

Yeah, all is green lights looking like here. Um, so another question that comes up a lot, and John, I’m going to pose this one to you. How long does a CMMC certification assessment take?

John Sciandra 29:12

Well, that’s a great question, Kelly, and so we did, on a previous slide, look at kind of the timeline of things, but let me embellish that a little bit. We do have a set structure, and especially by the time we get to the actual week of interviews and doing the actual assessment, there’s a lot of factors that could play in: how well is the OSC prepared, and how well are they presenting the information. We’ve had an assessment where we could not directly find artifacts that we were trying to, you know, match with a specific control, and we would have to go through a traceability matrix. It, you know, slowed us down a little bit because there was more digging around for things. So, you know, the famous answer, it depends; overall, we have a structure and so pretty much the timelines are correct.

Kyle Lai 30:34

Yeah, since John froze up a little bit, yeah, yeah, so I can continue. So based on what we, oh, John is back,

John Sciandra 30:49

Yep, sorry about that. Oh, that’s okay. Rare event here with my FiOS high speed internet. But yeah, I was saying that, you know, the famous answer is, it depends, and a lot of it is how well the OSC can present the information. And, you know, have people available if we need to do interviews. We’ve had situations already where a certain control had to be assessed on another day because that person wasn’t available right away. But generally, you know, it sticks to the timeline, and then the week of the assessment, you know, there can be some variance,

Kyle Lai 31:41

Yeah, and also just the easier that you make your documents, easier to read, easier to be found by the assessor, to be correlated by the assessor, then the faster, the easier that we will be able to assess.

John Sciandra 32:04

There’s a lot of small tips. We’ve seen certain artifacts labeled with the control number, so that you can see right away, oh, there’s the particular artifact we were looking for. It’s things like that.

Kelly McDermott 32:26

Yeah, thank you. Those are great answers. And you know, it speaks to the fact that preparation and organization is key, right? In really getting all of the artifacts labeled, as you said, John, and getting things prepared early in advance. It makes for a smoother assessment. As an OSC, John, this is directed to you: we are using a GRC tool for our CMMC documentation repository. Can the assessor use our GRC for the assessment?

Using GRC Tools for CMMC Assessment

John Sciandra 33:01

So again, I’m going to say this could be a multi-part answer. During the assessment, if we know how to use the GRC tool, then we certainly could do that. There’s going to be an advantage for the OSC to export the artifacts instead, because, you know, towards the end, you will have to do this hashing of the artifacts. I’m not sure how each GRC tool could or does handle that. So the recommendation by us is, if your GRC tool can export artifacts, that would be the preferred way to do it.

Kyle Lai 33:53

Yeah, because we have to make sure what we assessed is what’s been hashed. And when we talk about hash, for people who don’t know what hash is, is that we have to take a copy and to take signature of each file that we reviewed and maintain that integrity. So we, if there’s any audit come up in the future, say, Oh, what did you review? The OSC will bring up. Say, this is what’s reviewed. We’re going to compare the signature. If the signature match, we know that’s the file that we

John Sciandra 34:28

reviewed. Yeah, and just another piece of this, we get asked often, hey, we’re using a GRC tool. Does this lower the cost of the assessment? And what I would say is, if you’re using a GRC tool, that is a great benefit for you, the OSC, but in the end, you know, we get the files exported and have the same process consistently for each engagement, you know. So by all means, use a GRC tool, have an MSP to help you. Using the tool is a lot easier to get ready. But then, you know, we’re going to ask you to do the export and then we will do our process, yeah,

Kyle Lai 35:21

I mean, during the pre-assessment, if you provide that to us, we can take a look. That’s all good, before we start collecting the artifacts, that’s all fine. But just want to add one thing, John, is that if you provide us the access to the GRC tool, we only want to have read only. We don’t want to have any access more than that. Great point, yeah, yeah, we have to touch your systems. Yeah, we don’t want to touch your system.

Kelly McDermott 35:54

Yeah, that’s an important distinction. So we’re talking about artifacts. Let’s continue along those lines. Kyle as an OSC what kind of artifacts do I need to provide?

CMMC Assessment Artifact Requirements

Kyle Lai 36:06

So what we’re looking for is, at least, the system security plan. There are policies and procedures for each requirement and also associated assessment objective, right? And also the screenshots, if you can provide the screenshots, settings that support the controls, the assessment objectives, those are what we’re looking for. I mean, we’re going to still conduct the interviews, and whatever artifacts you provide to us, we are going to take a look at, and if there are any questions, we’ll still ask you for demonstration during the assessment. So but those are the minimum items that we’re looking for, just the artifacts that will be able to demonstrate that you are performing the practices to support meeting the security requirements effectively.

Kelly McDermott 37:08

Okay, great. So let’s do a deeper dive on this. What do the CMMC assessors expect to see when they examine the artifacts? John, I’ll let you take that one.

CMMC Assessor Expectations for Artifacts

John Sciandra 37:21

Sure, and that plays into the previous question. So the CAP has prescribed, what is it, three methods of examining the artifacts, and if you notice how the NIST documents are laid out, so there’s kind of a flow that happens, and you will see there’s usually an A and a B. And so we’re looking to see that you have defined how you handle a requirement. We call them controls as well. A lot of you just know them as requirements, but we’ll see that you have a policy and a procedure in place, and a lot of times we’ll see just the screenshots of those, in the hopes that, you know, that satisfies, but the B part is usually, have you implemented the requirement? So we need to see that you’ve defined it and that you’ve implemented it. And for that, we would do a deeper examination of, and alright, I think I lost my video. I’m just going to switch. Yeah, sorry about that. And so the process, we will look to see if you’ve defined it, that you have the policies, and that you’re doing the implementation. Now, this is where a lot of the OSCs get confused, because, just because you have some controls set up, let’s say, in Azure, and you’re showing a list of users, for example, in Entra, we still need to see a process where HR might request the addition of a new user, and we need to see that you’re also controlling that list. As assessors say in the various forums, just because, you know, it’s in Entra, that’s the reality, that’s not necessarily what you think is your list of authorized users. If an unauthorized user got put on the list, for example, you should have a way that you’re vetting, that you’re doing periodic reviews. So it’s more than just, you know, the SSP, the policy; we need to see the implementation, and that’s a big piece.

Kelly McDermott 40:22

Okay. Great.

Kyle Lai 40:25

Yeah, what I’m showing here is that we have on our website, and then you can use the QR code to get to this playbook. This is a playbook that we as the C3PAO, the assessors, use to conduct the assessments. So you will see the artifacts, what we’re looking for, screenshots, interviews, or, you know, looking for some demonstration, screen sharing session, and also what’s the expectation for each control and assessment objective. So feel free to download; this is something that you’ll be able to see what we’re looking for.

Kelly McDermott 41:11

Yeah, that’s a great resource too, because it breaks it all out for you. It makes it really easy to follow. Yes, so we’re moving on to number six here, and what are the factors that you as an assessor, John, consider as a smooth assessment? And you’ve alluded to this with the previous question, but can you clarify a little bit more about what makes for a smooth assessment?

Factors for a Smooth CMMC Assessment

John Sciandra 41:39

Yes, so when we get the list of artifacts, and that will be before the actual assessment week, we do spend an amount of time going through those artifacts. We have some sheets that will be uploaded, some spreadsheets that go into eMASS, and we’re already making notes on there and developing questions of things that we are not seeing necessarily in the artifacts. So again, it goes back to having a good layout of the artifacts. We’ve had an assessment where the OSC actually had a screenshot for every objective level. So if it was, you know, 3.1.1, there were a, b, c, d, and so on screenshots. And so you are kind of guided very quickly to work your way through what the OSC is trying to present to you. We’ve had, on the other hand, artifacts that were labeled at the requirement level, and it was up to us to dig through the SSP and try to line up, you know, the requirements being met, and so again, you know, this goes a lot to not only preparation, but presentation of the artifacts. That’s one thing. Can you think of some other things, Kyle?

Kyle Lai 43:20

No, I think those are the good points, the most important things: make sure that you provide us something that we can easily find, and the relevant things.

John Sciandra 43:32

Yeah, there is another. I don’t know if we’re going to get to some tips and things that we see, but we’ve had, you know, the OSC frantically scrambling around. They’re trying to get ready at the last minute. They’re still updating things, and we’ve seen version numbers get out of sequence. So, you know, just taking your time, dotting the i’s, crossing the t’s, that kind of thing.

Kyle Lai 43:59

Yeah. And obviously, when there are changes that need to be made, we’re going to ask, show us the changes, and make sure that the changes follow your own change management process, right? So make sure that your change management process is effective. So those are the things that we are going to be looking for during the assessment. Yeah, right.

Kelly McDermott 44:27

So Kyle, I think a lot of people wonder this, question number seven: what does an assessor do when they’re actually on site? Walk us through what happens.

What CMMC Assessors Do On-Site

Kyle Lai 44:38

Yep. So when we are on site, we are looking at 18 controls, and these 18 controls are defined in the CMMC assessment process that’s created by the Cyber AB and approved and blessed by DoD. So these are the 18 controls. A lot of them, obviously, are going to be on physical security. Some of them are in media protection. We’re going to see, if you are using USB, are they protected? How do you label things, right? Shredders, if you have them, how do you shred these documents? So some of these things we will look at when we are on site. And I brought up the playbook that we use as an assessor. This playbook actually has the 18 controls color coded, so you will be able to see these are the 18 controls that we as the assessor will assess when we’re on site.

Kelly McDermott 45:47

Excellent. That’ll be super helpful. And what are some of the common issues that we see in some of these assessments? John, maybe you can touch upon a few of those common issues that you see. Yeah,

Common Issues in CMMC Assessments

John Sciandra 46:07

so, and I did mention one, version numbers being out of sync. We’ve seen architectural changes that were not caught up within the network diagrams or the SSP. So this kind of goes to the configuration management process. And you know, when we see things like this, and then we realize you’re not really following your configuration management process, that might be something that we have to look at further: are you really following your configuration management? So, you know, when you’re making these changes, just follow the process. I know the temptation is, oh, I just did this, I’m going to go over here and, you know, fix it in the SSP and change the documentation, and then you wind up skipping a step. I’m not saying that’s necessarily bad, you know, practicality. There are some things that could be minor, but you have to pay attention to versioning and things like that. So that’s one thing. We have seen things with, you know, making sure the systems are all on the same NTP server, time sources. Time sources, you know, when you have an enclave, you’re juggling a lot of things, and you just have to make sure things are in sync the way they should be. What else have we seen, Kyle? We’ve seen a number of things.

Kyle Lai 48:00

Yeah, the configuration, the baseline. There are different systems. So when we’re looking at the baselines, we want to see the configuration baseline for all types of systems that are within scope, right? If you identify Windows, Mac and Linux workstations, we want to see the baseline for all three, not just for Windows, right? So these are the things that a lot of companies... they may only have Windows, with only one or two Mac and one or two Linux, but when we’re looking for the baseline, we’re going to look for all types of systems.

John Sciandra 48:46

I might throw in this thought as well. On the training piece, the requirement is that the OSC knows the risks to their organization, and that, you know, from top-down management through employees, they know the risk, and they’re trained on the risk. And a lot of times we’ve seen the use of a training company or a training resource, and that that should suffice to cover this requirement. But really we need to know that if you’re just using a training source, and you’re not specifically, you know, selecting training to the risk, that those risks are covered in that course material. So in a lot of cases, we see overlap between controls, where part of the training requirements actually are involved with the risk assessment requirements. And so those are just little things to be aware of. Don’t just say, oh, we use this company and that’s it. We want to know, okay, the content that you’re using lines up with the risks that you’ve identified to your organization.

Kelly McDermott 50:16

Excellent. All right, so we can... did you

Kyle Lai 50:21

want to... there’s one more thing. We talked about the assessment. At the end, when you complete the assessment, you get your certificate. Say, hey, we’re done, we’ve completed the final status, so we are good, we’re good for three years. But just want to make sure that you know that you have to do the annual affirmation every year, right, and then you have to do it before the anniversary date, you know, that one year mark, because if you’re not doing the annual affirmation, or if you actually go beyond the expiration or the anniversary date, then your certificate might be considered as lapsed. So, yeah, just be careful and make sure that you do the annual affirmation and do the certification assessment every three years.

Kelly McDermott 51:20

Okay, that’s good to know. So in the 10 minutes that we have remaining, we have some pre-submitted questions, and thank you to all of those that submitted your questions in advance. And we also have a bunch of questions in the Q and A, so we’re going to try to get to as many as we can. So the first question that was pre-submitted here is: some people state that if it’s FIPS encrypted, then it’s not CUI anymore, and then it can be in any cloud storage. Which is it? Because it can’t be both. Kyle, do you want to take that one?

CMMC and FIPS Encryption

Kyle Lai 51:59

Yep. So, yeah, this actually shows us the question too. It’s okay. I think, in terms of CUI, if the CUI is encrypted, you know, FIPS encrypted, it is still CUI, right? If CUI is encrypted, it is still categorized as CUI. So, and where do you find that information? If you’re familiar, if you go to the Cyber AB, every month there’s a Cyber AB town hall. So there is a Cyber AB Town Hall from November 2024 where one of the representatives from DoD actually clarified this exact point at about the 45 minute mark. So yeah, you can get that clarification directly from DoD. But yep, encrypted CUI is still CUI.

Kelly McDermott 53:02

Excellent. All right, we’ve got a question here. Can any assessment objective, 5 point, 3 point, or single point, be fixed for re-evaluation during the 10 business days? Or is the OSC limited to providing new evidence? Who would like to take that one?

CMMC Re-evaluation of Assessment Objectives

Kyle Lai 53:25

I think it’s going to be both. Feel free to jump in, John, but I think it’s going to be both. But to the point that we actually covered, right? So you have to meet some conditions. The three point or five pointers, the controls cannot... I mean, obviously you need to be able to provide the evidence within that 10 days to allow us to reevaluate, and also, whatever that control is, it cannot be impacting other controls, right? So if you are changing one configuration and it’s going to change the system, how the system is performing, then we’re not going to allow that, because that’s what the CMMC assessment process and 32 CFR 170.17(c)(2) specify. So other than that, yeah, a 3 or 5 pointer, if it’s not impacting the other controls, then we’ll be able to reevaluate within that 10 day period. Yeah.

Kelly McDermott 54:35

Okay, another question here: is it a blanket enduring exception for the asset/network in question, or must one complete all the practices feasible, and then state an enduring exception for the number that cannot be met?

CMMC Enduring Exceptions

Kyle Lai 54:53

I think it’s going to be a case by case basis, and we’re going to take a look at what is actually in scope for your enduring exception. Because obviously, it has to be something that you don’t have control over, yeah. But if you don’t have control over it, or if you just, like, have some machine that’s really old that you have to put into another environment that’s locked down, a secure subnet or something, then we’ll look at the exact situation, and we’ll be able to evaluate at that time. John, anything?

John Sciandra 55:34

Yeah, that’s correct. I don’t have anything else on that one. Yeah.

Kelly McDermott 55:39

Great question. Is it required to have evidence time stamped, or only advised?

Time Stamping CMMC Evidence

Kyle Lai 55:49

Can anyone repeat that question?

Kelly McDermott 55:50

Sure. Is it required to have evidence time stamped, or only advised?

John Sciandra 55:57

Yeah, I’m going to say advised, meaning just presented within the context of what the artifact references. That’s fine. We don’t look for a time stamp. It just needs to be current. If you’re giving an artifact that’s outdated, then you should, obviously, you know, let’s say it’s a screenshot, redo the screenshot with updated information. But when we’re doing the assessment, we’re not going through looking for when this screenshot was taken. The OSC is presenting, this is the state of affairs of that current state. Yeah, yeah. So now we don’t look for time stamps. We look for current artifacts, yeah, even if it was taken, you know, a while back.

Kyle Lai 57:04

Mm hmm. And obviously, for the policies and procedures, we want to have the version number, and usually there are approval authorities and authorized approval dates for those. Yeah, we’ll look for those. But yeah, like John was saying, if there are just screenshots, we’ll just want to confirm those are the state at the point in time when we’re doing the assessment.

John Sciandra 57:36

And, of course, you know, if the requirement is something that has to be revisited a minimum of annually, you know, if you’re presenting something from two years ago, and I think we actually had one of those, that’s not good enough. You know, make sure your artifacts... We’ve had a tabletop exercise that was way out of date, but that got corrected. So in that regard, there’s time stamping, but not for the actual physical artifact itself.

Kelly McDermott 58:20

Okay. Another question here is, what portion of the assessment do you perform from your certified DIBCAC enclave? So what portion of the assessment do you perform? So, 100%? Yeah.

C3PAO Assessment Environment

John Sciandra 58:39

Yeah. Go ahead, Kyle. Yeah,

Kyle Lai 58:43

I think if the question is talking about, from KLCC or the C3PAO, how do we conduct our environment? So during the assessment, we are going to conduct the assessment from our own certified, approved, authorized environment, and all C3PAOs, I think, are required to do that.

John Sciandra 59:11

Okay, yeah, the only thing we might do on the low side is in the very beginning, when you’re working with our contracting, when we’re, you know, just building the relationship. That would be done on our low side emails, but once we start engaging, things are moved over to the high side. That’s where they stay,

Kyle Lai 59:31

and the high side means our authorized environment,

John Sciandra 59:35

yeah, the secure environment. Yep.

Kelly McDermott 59:41

Alright. According to our viewer here, this is a sticky question for OSCs who’ve received DoD contracts prior to 2024: what False Claims Act risk do they take when telling prime contractors that they have implemented 100 or more of the Level Two controls when they actually have not? This is when they answer the prime CMMC questionnaires.

CMMC, False Claims Act, and SPRS Submissions

Kyle Lai 1:00:10

I’m not a lawyer, so I cannot really tell what the risk is. But I mean, for companies, I think they can go back into SPRS and adjust their score, but what we usually tell our consulting clients is to just state the facts, right, state where you are right now, and just don’t, you know, don’t give a score that’s not verified, right, even with a self assessment. Just put down the score that you are comfortable that you can show, yeah, we’re at the score. I know one of our consulting clients put down 110; luckily, they’re really 110, and DIBCAC actually called them two weeks after they updated their score. It’s like, hey, we want to do a DIBCAC High assessment. So yeah, DIBCAC, they are watching.

Kelly McDermott 1:01:16

All right, I’ll get through these quickly. There are just a couple more here. How detailed should procedures be documented? I think it’s: how detailed should procedures be documented, and be detailed in a separate document than the policy?

Detailing CMMC Policies and Procedures

Kyle Lai 1:01:34

John, you want to take this? Yeah, so in terms of the documentation, we don’t dictate, and I don’t think NIST 800-171 or the CMMC documentation specify how you should document your policies or procedures. The guidance is that you create your own policies and procedures to make sure that you cover the security requirements and assessment objectives. Obviously, the more you can cover and show how you meet the requirements, that’s going to be important, just to make sure that you demonstrate how your policies and procedures meet the security requirements. That’s what we’re looking for. And I know we’re at the top of the hour. We

Kelly McDermott 1:02:34

are at the top. Just so that everybody knows, the recording will be sent to you automatically. So I know there was a question about that, if the recording will be made available, and the answer to that is yes. And I just want to quickly thank you all for joining us today. And I also want you to know that as your C3PAO, we’re hoping you pass. We are here to help you, and we want you to pass. We’re not a firm that has a gotcha mentality, where we’re trying to trip you up and catch you. We’re on your side, and we want to help you. As Kyle and John both mentioned in the webinar, we’re looking to see that you’ve shown us the evidence and have implemented the security practices, and you can demonstrate it, and we exercise professional discretion within the constraints of the requirements, and we want to see the evidence that you’ve implemented the requirements, and then you pass. So that’s really the goal here. Please go to the website, download the materials, and request the PowerPoint of the slides, also, if you’d like. And I just want to thank you on behalf of Kyle and John; thank you for joining us today, and we look forward to seeing you again soon.

Kyle Lai 1:03:56

All right, thank you.
