Six Ways a CMMC Certified Professional Can Help Companies During Assessments

As CMMC classes across the country begin, many people have taken interest in following the Certified CMMC Professional pathway. The CCP provides a person with the skills to start on their CMMC assessor journey, but many consultants, marketing team members, or employees at an Organization Seeking Certification may also want to earn a CCP certificate.

While it makes sense for marketers to understand the CMMC model, so they don’t mix up basics such as classified information and data protected by NIST SP 800-171, we want to focus on helping small manufacturers.

So what can a consultant do with a CCP to help an OSC prepare for and survive a CMMC assessment?

We have identified six core areas where a CCP can help as an implementer and not an assessor:

  1. Establish a Baseline
  2. Help an OSC Understand the Assessment Guide
  3. Help Plan and Prepare an Assessment
  4. Support the OSC During Assessment
  5. Help the OSC Understand Report Ratings
  6. Assist in Remediation of Outstanding Issues

Any of these six steps, guiding an OSC through the CMMC Assessment Process (CAP) lifecycle, can provide opportunity for someone who seeks their Certified CMMC Professional Certificate.

Establish A Baseline

We recommend providing an OSC a self-checklist before engaging them on helping to establish a baseline. This helps you ethically scope out your responsibility. Making an OSC pay for a gap analysis without a System Security Plan would be like taking money to survey the Grand Canyon and writing a report that says, “There is a big hole.”

Instead of pointing out the obvious, provide steps to help an OSC reach a baseline.

As a CCP you will need to know what we require for a minimum baseline, such as the minimum information that must be in the CMMC Policies, Procedures, and Plans, and to know when an OSC has gathered enough records and artifacts to ensure relevance, timeliness, completeness, and sufficient and adequate evidence for each practice and process documentation.

This baseline includes NIST SP 800-171.

You also need to know, however, that the NIST SP 800-172 supplement to 171, which due to timing did not get included in the CMMC model, contains enhanced security requirements that “provide the foundation for a multidimensional, defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1)

Evidence and the *999 Policies

You need to validate that policies exist that address all CMMC domains. You do not need to write a new policy for each domain, as the OSC may have existing policies from ISO 27001 or CMMI assessments. They may have an employee handbook full of policies.

As a CCP you want to ensure that the OSC addressed all of the domains in their policy.

Evidence and the *998 Procedures

When addressing the 998, as a CCP you need to validate all procedures to ensure the OSC's baseline readiness for an assessment. The assessors need to determine which procedure goes with each of the 130 practices of CMMC.

You do not need to make an exhaustive rehash of the system security plan. The marketing department may own the procedures for ensuring nonpublic information stays off the web and the HR department owns the procedures for ensuring credentials get revoked when an employee gets terminated.

You as a CCP help organize these procedures into one document using a tool such as a wiki or a shared document folder. The format for the procedures will differ within an OSC, let alone across the ecosystem. Just work to make the baseline explicit. Connect each procedure to a practice.

If you need to assist the OSC in connecting the dots, turn to the Assessment Guide.

Help an OSC Understand the Assessment Guides

As a CCP you need a good command of the assessment guides. You should know how to find each practice and its assessment objectives. You should know whether a practice comes from 171 or from another cybersecurity framework.

CMMC Practices

As a CCP nobody expects you to know the CMMC practices by heart, but you should know how to use the assessment guide to find each one. You need to familiarize yourself with NIST SP 800-162 to help the OSC prepare, and with NIST SP 800-18 to help the OSC write a System Security Plan that addresses each assessment objective.

If you search the web and see a link to a PDF on a NIST website it may come up such as:

You have to recognize from the warning notice on such a document, which points to the withdrawal date and the superseding publication, that the version you found no longer meets compliance needs.

If you get to the web page of a withdrawn document, you need to know how to show an OSC how to navigate to the current version.

You should know the key reference documents and use them when reviewing the assessment guide with an OSC.

Key References

Regulatory Standard | Primary References | CMMC Related Area
48 FAR 52.204-21 | Basic Safeguarding Requirements; FAR 52.204-21 | Federal Contract Information
32 CFR, Part 2002 | Controlled Unclassified Information (CUI); NARA/ISOO and CUI Registry | Executive Agency, CUI Guidance and Requirements
48 CFR 252.204-7012 | Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019); DFARS 252.204-7012 🡪 Requires Self-Attestation, Deadline 31 DEC, 2017 | Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019)
NIST SP 800-171 R2 | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |
NIST 800-171A | Assessing Security Requirements for Controlled Unclassified Information |

You will need to teach the OSC how the numbering system works in the assessment guide.

You can see how a practice identifier always begins with a domain, followed by a level, followed by a practice number. Recognizing how to read each practice will help the OSC understand how to read the assessment guide page:

Gardner, D., SEI Blog. How to Use the CMMC Assessment Guides. https://insights.sei.cmu.edu/blog/how-to-use-the-cmmc-assessment-guides/

Once an OSC has a grasp on the assessment guide, the CCP can review the types of evidence used to meet each assessment objective in the CMMC Practices.

Types of Evidence used in Assessment Guide

The CMMC methodology relies on three common assessment methods we call touch, talk, and test: an assessor may examine artifacts, interview employees, or observe a test. In the CMMC methodology an assessor will not directly test a system.

As a CCP you need to help an OSC prepare a minimum of one piece of evidence for their SSP, preferably two, for every assessment objective. You use the reference documents to determine the most relevant evidence, the assessment method(s) that would best fit an objective, and when the OSC has collected sufficient and adequate evidence for compliance.

Help Plan and Prepare for an Assessment

As a CCP you have a key role in helping the OSC prepare for an assessment. Once a C3PAO receives a request, the OSC has a job to complete and a Certified CMMC Professional can help.

Pre-Assessment

You must:

As a CCP you can help an organization seeking certification with each of these four steps. For scoping you will need to provide high-level scoping during phase one and detailed scoping during the assessment.

Only CCPs with strong backgrounds in network IT should do any more than high-level scoping. During the high-level scoping an OSC may need assistance in separating their corporate data from the data considered controlled unclassified information (CUI) and thus in scope.

Assessment Plan

As a CMMC Certified Professional you should also cover with an OSC what needs to go into the assessment plan. In order for an assessment to occur, a CCP can help an OSC with the following:

Documented SSP

If you do not have a documented System Security Plan (SSP), you cannot get scored against the 171 framework or CMMC.

If you use the NIST templates for 171A self-assessments, your SSP will not include all of the domains, practices, and assessment objectives necessary for CMMC.

Policy, Procedures, and Plans

Do you know how much documentation CMMC takes? A lot. A lot, a lot: like your hand falls off from writing amounts.

At level two you need a policy for every single one of the 17 domains in CMMC (you do not need 17 different documents, but you can have them). At level three you need to document the procedures for implementing these policies AND have a plan to budget and resource for these procedures.

If you miss any of the policies, procedures, and plans, you do not proceed. If any of these three exist only in draft form, you do not proceed. If you confuse procedures and plans, you do not proceed.

Completed Self-Assessment

You need to certify that you have assessed yourself and have no open action items on the 705 assessment objectives of CMMC.

The information owner of the organization seeking certification must validate the completion of the self-assessment.

No Open Plans of Action

CMMC is a binary assessment. You do or do not. Yoda rules. There is no try. If you score 704/705, 99.85% of assessment objectives, you fail.

Customer Responsibilities Matrix

If you use a Managed Service Provider or a Managed Security Service Provider, you need to know which assessment objectives they help you meet, which ones they do not, and which ones you share.

You then have to work these matrices into your procedures to make sure you complete your shared obligations.

If either step goes missing, you do not proceed.

Procedures are Repeatable

You must have written your procedures in a way that an assessor can repeat them and get the same result you get, every time.

If you cannot follow your procedures, you do not proceed.

CMMC Readiness Review

As a Certified CMMC Professional you can also help any OSC who believes they can pass a level three assessment by conducting a readiness review.

An OSC may do a self-assessment readiness review or request one from a C3PAO, who then assigns a Certified Assessor or CCP to conduct the readiness review. This establishes a go or no-go decision on an assessment before getting deep into the process and helps to feed into execution planning.

As a CCP you may have to use a standard self-assessment template or mechanism of the C3PAO, or develop one yourself.

Once the readiness review is completed, an OSC can move on to the assessment.

Support the OSC During Assessment

An organization seeking certification may find a CCP invaluable during phase two of a CMMC assessment, when the assessment itself occurs.

Presenting Phase I Evidence

For each relevant Practice in the CMMC, the Assessment Team will collect Artifacts to demonstrate that the practice is being performed or that the control is effectively implemented. The list of Artifacts to be examined is provided to the Certified Assessor (CA) during Phase I.

Understanding Evidence

As a CCP you know artifacts may not have a one-to-one relationship with CMMC Practices. You will have to work with the OSC to provide multiple pieces of evidence. You therefore need to ensure that each artifact is current and was produced by the individuals who are performing the work. Finally, as a CCP you need to identify artifacts that not only show policies and procedures but also demonstrate deployment and adoption by the affected team members. Work with an OSC on developing these demonstrations.

Explaining the Ratings

The Organization Seeking Certification may have questions about how an assessment team member rates a practice. An assessor will measure each assessment objective as pass, fail, or not applicable and record the evidence as either an interview, an artifact review, or an observed test. While preliminary findings are generated, a CCP may help with daily check-ins that give the OSC an opportunity to provide feedback, additional evidence, or clarity.

Each C3PAO may have a different system for collecting data, and we do not know the final requirements for CMMC eMASS. As a CCP you can help an OSC during an assessment by understanding the data collection tool. This will help when addressing recommendations from the assessment.

This will allow you to connect how the C3PAO developed the final findings and associated information with how they incorporated these findings into the Assessment Report. Helping an OSC with these steps will reduce remediation issues.

Assist in Remediation

Organizations Seeking Certification (OSCs) get to dispute the results of a CMMC Assessment within 14 days of completion of Phase II of an assessment if they believe the certified assessor or the CMMC 3rd Party Assessment Organization made an error or acted incorrectly.

As a CCP you can help an OSC dispute the outcome of an assessment by assisting them in submitting a request for adjudication within 14 days of the completion of Phase II. If allowed, the OSC gets 90 days to resolve all adjudication processes.

All adjudication activities must be completed and resolved within 90 days.

The adjudication process can allow for a preliminary review and a second opinion. As a CCP assisting an OSC, you can help during both of these phases of the adjudication process.

Featured image a remix by jgmac1106 of “Day 71 – Dreidel Die” by slgckgc is licensed under CC BY and

“Turtles all the way down.” by robin_ottawa (I’m on a phone!) is licensed under CC BY-SA
