CMMC SSP Template | Free Download


TLDR; Similar to my goal for our NIST 800-171 Assessment workbook post, I wanted to provide a brief overview of the newly minted CMMC 2.0 compliance framework and CMMC Assessment Process (CAP). Additionally, I want to provide a high-level process Organizations Seeking Compliance (OSCs) can follow to start moving towards. I also want to highlight what tools Compliance Cloud Solutions offers to help with the process. Once again, if you are only here for the tools, click the button below for access to our free CMMC Level 1 Workbooks, SSP, and POAM templates. If you are interested in CMMC level 2, click here to see a demo on how our cloud platform streamlines the journey to CMMC compliance.

Download our Free Assessment Template

What is the current state of CMMC?

Lucky for you, we already have an extremely robust post on the CMMC program.

As an update to that post for October 2022, here are a few items that have come out since the release of our CMMC post which are relevant:

  • The first official CMMC assessments have begun. This is under the Pentagon’s “joint surveillance voluntary program,” where a C3PAO conducts the assessment and reports results to the Defense Contract Management Agency (DCMA) for final approval.
  • The CMMC Rulemaking process is still underway to officially codify the CMMC program into law. This is expected to be completed in early 2023, with CMMC contract clauses being enforced 60 days after, but this is not confirmed yet.
  • In July, the CyberAB released the CMMC Assessment Process (CAP) in draft form. This will be the process used by all C3PAOs for official assessments.

How can organizations begin preparing?

From our CMMC post:

While voluntary assessments have begun, CMMC compliance is not currently required for any contracts. DFARS 70 series and the interim rule are still the requirements which need to be addressed. This means that no matter what type of data you deal with, NIST 800-171 and an SPRS upload is what you need to be concerned with.

If you want to start preparing for CMMC assessments, which should be contractually required starting next year, you should begin mapping out your road map to CMMC compliance using the assessment methodology outlined in the CAP.

The CMMC Assessment Process (CAP)

As stated above, the CAP was released in draft form in July 2022. The CAP is the playbook that Certified Third-Party Assessment Organizations (C3PAOs) will follow when performing CMMC assessments on behalf of the DoD. I would highly recommend reviewing the entire document, which can be found on the CyberAB’s website (Official Link).

Organizations performing self-assessments, or preparing for official C3PAO-driven assessments, should be especially concerned with the methodology used when documenting compliance with each control. CMMC Level 2 is based directly on NIST 800-171 and will use the same assessment methodology, NIST 800-171A. For those seeking CMMC Level 1 (those with only Federal Contract Information, FCI), the same methodology should be used; however, the 17 controls and their associated assessment objectives should be the focus instead of the entire 110 outlined in NIST 800-171. Check out our NIST 800-171 post for a full breakdown of the methodology.

Using the CMMC Assessment Materials (WARNING)

I want to caveat this next part with a warning. CMMC compliance is not something that can be achieved overnight, and in 99% of cases it cannot be achieved without the help of an expert and the development of an ongoing program. Anyone that is promising “CMMC Compliance in one day!” is either an idiot or a liar. This also goes for any tools or services that are guaranteeing CMMC compliance. The only way to do CMMC right is to do an assessment to analyze the gaps (Plan of Action and Milestones), fix them (this is WAY easier said than done), and then develop an ongoing program which will continue to evaluate and react to changes in the environment (even harder). I WOULD HIGHLY RECOMMEND going to the CyberAB Marketplace and finding a Registered Provider Organization (RPO) to help with the process.

With that being said, the free assessment template we have created can be a valuable tool in beginning to understand your current CMMC status, as well as the depth and breadth of CMMC compliance.


What CMMC Level?

The first step of CMMC compliance is understanding what your CUI exposure is. I talk about this in our CMMC 2.0 state of the union post. Here is a table laying it out.

Level | Data Type                          | Control Framework                                 | Assessment Type
1     | Federal Contract Information (FCI) | FAR 52.201-21 (17 Controls)                       | Self-Assessment
2     | CUI Data                           | NIST SP 800-171 (110 Controls)                    | C3PAO
3     | CUI Data from Critical Programs    | NIST SP 800-171 + NIST SP 800-172 (110+ controls) | DoD Assessment (DIBCAC)

If you are looking at Level 1 or 2, you are in the right place. We are not even going to talk about Level 3. If your organization needs to achieve Level 3, you are more than likely already aware of this information, and free tools are not going to get you anywhere!

Scoping

The first step in any assessment is scoping. CMMC compliance objectives are typically applied to a “system” the organization uses to create, store, process, or transmit CUI data. For this purpose, a “system” is defined as all of the components (computers, servers, network devices, etc.) which contain CUI data, or which support the systems that contain CUI data. Functionally, this means that a system could be a single application with proper segmentation and control, or it could be an organization’s entire network environment without proper segmentation controls. If you have any experience with PCI compliance, you are most likely familiar with the concept. In practice, this means that limiting the scope and footprint of CUI data to a single “system”, and applying the segmentation and access management controls to that system, is often much easier than applying the controls across the enterprise.

The takeaway here is that limiting the footprint of CUI data on a network is a VERY effective way to reduce the cost and level of effort when becoming compliant with CMMC. Scoping is a very critical part of the assessment process so make sure to account for all possible locations of CUI and once again refer to the CAP for a full explanation of scoping.

Using the Workbook

Now that you have identified your exposure to be CMMC Level 1, and your scope is defined, it’s time to download the workbook. There are 4 tabs.

  • Usage – Some details on how to use the document.
  • Summary CMMC – Some basic graphs showing the current status of the assessment. These will update based on the status set in “Current Status”
  • Current Status – All the good stuff from NIST to document your compliance with the controls
  • POAM Progress Tracker – The important information from “Current Status” which.

Let’s start with the meat, “Current Status”. This sheet has the following columns:

  • Column A – CMMC Control ID
  • Column B – Control Domain
  • Column C – Official Control Text from NIST SP 800-171/CMMC
  • Column D – Assessment Objectives to be evaluated in order to justify compliance with the control.
  • Column E – Discussion content from the CMMC Assessment Guide.
  • Column F – Explanation of the control from the CMMC Assessment Guide.
  • Column G/H – Control examples 1 and 2 from the CMMC Assessment Guide.
  • Column I – The corresponding NIST 800-171 control ID
  • Column J – Status of the Control – This should be set to “Satisfied” / “Not Satisfied” / “Not Applicable” based on your evaluation of the assessment objectives.
  • Column K – Comments from the assessor on the overall control.
  • Columns L-U – A place to record data/evidence/comments for each of the assessment objectives.

Most of these should be fairly self-explanatory, but let’s take a look at the most important component, the Assessment Objectives.

One of the biggest challenges when starting a review of CMMC controls is that extremely complex cyber security tasks are summed up in extremely short control statements. While the control text might only be a sentence or two, it addresses very complex tasks that require a combination of technology, policies, procedures, and people to properly implement.

How can an organization comfortably decide if they are meeting a control from such a short statement? Fortunately, just like with NIST 800-171, CMMC utilizes the NIST 800-171A methodology. The goal of NIST SP 800-171A is to provide organizations assessment procedures and a formal methodology for conducting NIST 800-171/CMMC assessments. The procedures outlined within the methodology can be used to generate evidence to support the claim that the security requirements have been satisfied.

For each security requirement outlined under NIST SP 800-171, an associated Assessment Procedure has been defined under NIST 800-171A. An Assessment Procedure consists of the following:

  • Assessment Objectives
  • Assessment Objects
  • Assessment Methods

Each Assessment Objective includes a determination statement linked to the CUI security requirement to ensure traceability of the assessment.

Assessment Objects identify the specific item being assessed under the Assessment Objective:

  • Specification – Document based artifacts (policies, procedures, standards, security plans/requirements, functional specification, architectural designs, etc.)
  • Mechanism – hardware, software or firmware safeguards present within a system (e.g., Firewalls, IDS/IPS, SIEM, backups, etc.)
  • Activity – Protection related actions (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic)
  • Individual – People applying specification, mechanisms, or activities

Assessment Methods are the nature and extent of an assessor’s actions when reviewing an Assessment Objective:

  • Examine – The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities) for the purpose of facilitating understanding of the control, achieving clarification on the implementation, or to document evidence of the control.
  • Interview – Holding discussions with individuals or groups for the same purpose.
  • Test – Exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior (i.e., the traditional audit process, including sampling).

Organizations are not required to employ all assessment methods on all assessment objectives, or even address every assessment objective associated with a control. This determination is made based on how the organization can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.

In summary, the Assessment Objective defined for each Assessment Procedure is achieved by applying the designated Assessment Methods to the selected Assessment Objects and compiling/producing the evidence necessary to make the determination associated with each control.

Getting back to the workbook, for each CMMC control text (Column C), the associated assessment objectives are located in Column D. For each control, review the assessment objectives based on the methodology listed above and record the response in Columns J-U. To properly prepare for a formal assessment, this should include links and references to evidence for the C3PAO to review.

Once your review is complete, set the value of Column J to the control status (“Satisfied”, “Not Satisfied”, and “Not Applicable”). This will automatically update the tables on the “Summary CMMC” tab and the “POAM Progress Tracker” tab.

Now, it is time to review the items in the POAM and develop your plan of attack for remediating the gaps. Once again, I HIGHLY RECOMMEND going to the CyberAB Marketplace and finding a Registered Provider Organization (RPO) to help with the process.

Once you have completed remediation and have good evidence for each control, update the SSP template with the high-level results.

Shameless Plug

Does this process sound like a lot? Not something that should be managed with Excel? That’s because it is. Check out the video below to see how Compliance Cloud streamlines the CMMC assessment process and automatically generates your SSP and POAM. Additionally, consider contacting us if you need help. We are here to help and will point you in the right direction, or can help with the whole process!