
CMMC Level 2 Documentation: What Auditors Want to See – Source: securityboulevard.com


Source: securityboulevard.com – Author: Max Aulakh

If you’re part of the defense industrial base and you’re seeking CMMC certification, there’s a very good chance you’re aiming for Level 2. Level 1 is mostly meant for businesses with a focus on federal contract information but not CUI, while Level 3 is meant for businesses handling the most sensitive kinds of CUI; since most businesses fall somewhere in the middle, Level 2 is the most common.

So, if you’re going through the process of evaluating the CMMC Level 2 requirements and you’re preparing for an upcoming audit, you likely feel the anxiety: are you ready? Do you have everything you need to pass?

Sometimes, it can help to think of things from the point of view of the auditor. What do they need to see to give you a passing grade? Let’s run down the list.


Documentation

The biggest part of the audit preparation process is compiling your documentation. Documentation is a large packet of all of the information and proof required to validate your implementation of each of the 110 security controls across the 14 domains of CMMC.

Alongside all of this specific evidence, you will also need overarching documentation, like your self-assessment results and your system security plan.

Each control will have a specific kind of documentation you need to provide. This spreadsheet from StrikeGraph is a good list; below, we’ve provided a selection of examples to give you an idea of what you’ll need to compile.

  • Acceptable Use Policy. You will need to have and provide a copy of your business’s Acceptable Use Policy.
  • Backup Access. You will need a system-generated list of who has access to backups for various systems. Manually uploaded lists need date and time stamps.
  • Badge Assignment List. You will need a system-generated list of all badges in your business, with the unique badge identifier number and the name of the individual assigned the badge.
  • Data Center Access List. When you operate a data center, you need to provide a system-generated list of all people with access to that data center.
  • Data Deletion Scripts. Data has an expiration and must be automatically deleted via script. You will need to provide evidence that your scripts are in place and operating properly.
  • Inactivity. You will need to provide evidence of the configuration settings that automatically log users off of systems when they are idle.
  • New Hire Training. You will need evidence of completed IT security training modules for your most recent new hire. Certificates, a management sign-off, or a system report can all work.
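Several of the artifacts above are system-generated records, and the "Data Deletion Scripts" item asks for proof that the script exists and actually runs. The following is an added example, not code from the original post or from Ignyte: a retention-enforcement script that removes files past their retention period and appends one JSON line per deletion to a log, so the log itself is the time-stamped evidence an auditor can review. The 90-day retention period, the file layout, and the log format are assumptions for the example; substitute the values your own retention policy sets.

```python
"""Retention enforcement with an audit trail.

Added example, not code from the original post or from Ignyte: it deletes
files older than a retention period and appends one JSON line per deletion
to a log, so the log doubles as evidence that the deletion script is in
place and operating. The 90-day period and file layout are assumed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

RETENTION_DAYS = 90  # assumed policy value; use the period your retention policy sets


def _mtime_utc(path: Path) -> datetime:
    """Modification time of a file as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)


def expired_files(root: Path, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Files under root whose modification time is older than the retention cutoff."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(p for p in root.rglob("*") if p.is_file() and _mtime_utc(p) < cutoff)


def purge_expired(root: Path, log_path: Path, now: Optional[datetime] = None,
                  retention_days: int = RETENTION_DAYS) -> list:
    """Delete expired files and record each deletion as a JSON line in log_path.

    Each entry carries the deletion timestamp, the relative path, the file's
    original modification time and the SHA-256 of its content before removal,
    so an auditor can verify what was removed and when. Returns the entries."""
    now = now or datetime.now(timezone.utc)
    entries = []
    with log_path.open("a", encoding="utf-8") as log:
        for path in expired_files(root, now, retention_days):
            entry = {
                "deleted_at": now.isoformat(),
                "path": str(path.relative_to(root)),
                "mtime": _mtime_utc(path).isoformat(),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "retention_days": retention_days,
            }
            path.unlink()
            log.write(json.dumps(entry) + "\n")
            entries.append(entry)
    return entries


def make_demo_tree(root: Path, now: datetime) -> None:
    """Constructed sample data: one current file and one file backdated 200 days."""
    (root / "report-current.txt").write_text("current quarter")
    stale = root / "report-old.txt"
    stale.write_text("last year")
    backdated = (now - timedelta(days=200)).timestamp()
    os.utime(stale, (backdated, backdated))


def run_demo() -> tuple:
    """Build the constructed tree in a temp dir, run the purge, and return
    (log entries written, names of files still present)."""
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        root.mkdir()
        make_demo_tree(root, now)
        log_path = Path(tmp) / "deletion-log.jsonl"  # kept outside the purged tree
        entries = purge_expired(root, log_path, now)
        remaining = sorted(p.name for p in root.iterdir())
        # The log must read back as exactly the entries we recorded.
        logged = [json.loads(line) for line in log_path.read_text().splitlines()]
        assert logged == entries
    return entries, remaining


if __name__ == "__main__":
    deleted, kept = run_demo()
    for e in deleted:
        print("deleted", e["path"], "sha256", e["sha256"][:12], "at", e["deleted_at"])
    print("remaining:", kept)
```

Keeping the log outside the tree being purged matters: a log written inside it would itself become eligible for deletion once it aged past the retention period, and the evidence would disappear with the data.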

All of these various artifacts are specific to their security controls. Some of them are simply uploads of documentation you already have as part of doing business, like the acceptable use policy. Most of the rest are system-generated log files and assessment reports for specific aspects of your security configuration. The remainder are human elements, or physical evidence that is easier for auditors to inspect in person.

Physical evidence to be observed in person includes things like:

  • Door locks.
  • Security cameras.
  • Alarm systems.
  • Your visitor access process.
  • Your HVAC systems.
  • Your fire suppression systems.
  • Your badging system.

Ideally, most of the work of the audit is done via paperwork, and the on-site visit is checking a handful of boxes that can’t be done remotely. Nevertheless, it’s thorough and needs to be handled appropriately, so be prepared.

Generally, as you work to implement your security according to the NIST SP 800-171 security controls relevant to CMMC, you will find it easy to implement a reporting system that generates these results. Most of the common platforms you can use to help you with CMMC compliance also have automatic artifact generation and reporting options.

One option you can use is the Ignyte Assurance Platform. While it’s not specifically a CMMC platform, we designed it to suit nearly any security framework, including CMMC, FedRAMP, StateRAMP, HIPAA, DFARS, and much more. As you gather and generate your artifacts, they can be stored in the Ignyte Platform for easy access by collaborators and easy review by auditors. Reach out to us with questions or book a demo to see how it can help with your attestation and auditing process.

Personnel Interviews

A big part of CMMC is the awareness that cybersecurity is no longer purely technical. The weakest link in any organization’s security is, more often than not, the people. This is why spear phishing and social engineering are so commonplace; they are simply more effective than the stereotypical hacker attempting to attack a hardened digital system without being detected and stopped.

By the numbers, most of the security controls in CMMC are focused on technical elements. However, in terms of pure work, a huge proportion of CMMC compliance is centered around employee training. After all, changing a setting in a server to log people out after 15 minutes of inactivity and recording the logs is a lot easier than getting every employee to pass a phishing awareness test.


Part of the audit process for CMMC involves the auditor coming to your business and selecting various employees to interview. These employees will be asked questions about the business, its policies, and their training to assess what they believe is true about your security.

If there’s a significant disconnect between what policies state and what your employees believe they state, or if there’s a disconnect between what your policies and employees state and what CMMC requires, it can be grounds for failing the audit.

Validation Testing

Another element of the audit is testing to make sure the things you say are implemented are actually implemented.

This may or may not be on the scale of a full red-team-style penetration test. More often, it’s simply things like using monitoring systems to check for data encryption, attempting to log into a system and being locked out, or checking other elements of configuration.


It’s unlikely, for example, that your auditors are going to simulate a fire to see if your sprinklers come on in the server room. They may, however, request power to be temporarily cut to see if your backup generators kick on and your UPSs work.

They won’t go through every security control – such a thorough audit would take way too long – but they will spot-check common points of failure. You also won’t know specifically what they are going to test until they’re testing it, so you can’t game the audit system with partial implementation.

Developing a Final Report

Your auditor will go through all of the 110 security controls that you’re required to meet for CMMC level 2 certification. They will review the documentation you provide and, if relevant, the testing or observation results from their audit. They will assign each control one of three statuses.

  • Met. This means you have satisfactorily met the requirements for the security control.
  • Unmet. This means you have failed to meet the requirements for the security control in some way.
  • Not Applicable. This means the security control does not apply to your business.

For the purposes of the audit results, a security control that is not applicable is counted as successfully fulfilled, so that it does not distort the tally.

Once this process is done, they will tally up the number of met and unmet controls to give you a final result.


If you have under 80% implementation, or if any of the six critical controls are unmet, you will fail your audit. Your C3PAO will give you the results of your audit and some advice on where to focus your efforts if you want to seek compliance again. This is the failure state; if you’ve been implementing CMMC properly, you should not be at risk of this status, but it’s not entirely uncommon if you aren’t really sure of what you’re doing along the way.

If you have more than 80% but less than 100% of controls implemented, and all six critical controls are met, you will be given a conditional certification.

A conditional certification is a temporary certification. It lasts for 180 days, during which you can use a Plan of Action & Milestones (POA&M) document to outline the controls you have not met, the steps you plan to take to meet them, and the timeline for meeting them.

For a deeper dive into POA&Ms and how to manage them, read our guide here.

POA&Ms need to be addressed proactively and completed within 180 days, at which point their implementation is validated. If you successfully complete all of your POA&Ms, you can be issued a final certification and granted full level 2 status. If you fail to implement all of the POA&Ms by the deadline, you will fail and be denied your certification. If you had used the temporary, conditional certification to start a government contract, you would lose that contract and potentially face penalties depending on the contract and the work you did in the meantime.

If you have 100% controls implemented, you will be granted final CMMC level 2 certification status.
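The tally described above (N/A counted as met, fail below 80% or on any unmet critical control, conditional between 80% and 100%, final at 100%) is simple enough to encode, and doing so makes the edge cases explicit. The block below is an added example, not from the original post or from any assessor's tooling. Two assumptions are labelled in the code: the post does not name the six critical controls, so placeholder ids are used, and the post only says that "under 80%" fails, so exactly 80% is treated as conditional.

```python
"""Tally CMMC Level 2 assessment results into an outcome.

Added example, not from the original post or any assessor's tooling. It
encodes the decision rules the post describes: a not-applicable control
counts as met, any unmet critical control or under 80% implementation
fails, 100% earns final certification, and anything in between earns a
conditional certification. Assumptions: the six critical control ids are
placeholders (the post does not name them), and exactly 80% is treated as
conditional, since the post only says 'under 80%' fails.
"""
from enum import Enum

TOTAL_CONTROLS = 110
PASS_THRESHOLD_PERCENT = 80.0


class Status(Enum):
    MET = "met"
    UNMET = "unmet"
    NOT_APPLICABLE = "not_applicable"


# Placeholder identifiers for the six critical controls; replace with the
# real ones from your assessment guide.
CRITICAL_CONTROLS = frozenset(f"CRIT-{i}" for i in range(1, 7))


def assess(results: dict, critical=CRITICAL_CONTROLS) -> dict:
    """Compute the tally and outcome for a complete set of control results."""
    if len(results) != TOTAL_CONTROLS:
        raise ValueError(f"expected {TOTAL_CONTROLS} controls, got {len(results)}")
    missing = sorted(c for c in critical if c not in results)
    if missing:
        raise ValueError(f"critical controls not in results: {missing}")
    # N/A is counted as fulfilled so it does not drag the percentage down.
    fulfilled = sum(1 for s in results.values() if s is not Status.UNMET)
    percent = 100.0 * fulfilled / TOTAL_CONTROLS
    critical_unmet = sorted(c for c in critical if results[c] is Status.UNMET)
    if critical_unmet or percent < PASS_THRESHOLD_PERCENT:
        outcome = "fail"
    elif fulfilled == TOTAL_CONTROLS:
        outcome = "final"
    else:
        outcome = "conditional"  # 180-day window to close the POA&M items
    return {
        "fulfilled": fulfilled,
        "unmet": TOTAL_CONTROLS - fulfilled,
        "percent": round(percent, 2),
        "critical_unmet": critical_unmet,
        "outcome": outcome,
    }


def build_results(unmet=(), not_applicable=()) -> dict:
    """Constructed result set: the six placeholder critical controls plus
    CTRL-7..CTRL-110, all met except those listed."""
    ids = sorted(CRITICAL_CONTROLS) + [f"CTRL-{i}" for i in range(7, TOTAL_CONTROLS + 1)]
    results = {c: Status.MET for c in ids}
    for c in unmet:
        results[c] = Status.UNMET
    for c in not_applicable:
        results[c] = Status.NOT_APPLICABLE
    return results


if __name__ == "__main__":
    print(assess(build_results()))
    print(assess(build_results(unmet=[f"CTRL-{i}" for i in range(7, 27)])))
    print(assess(build_results(unmet=["CRIT-1"])))
```

The third call in the usage section shows the rule that surprises people most: 109 of 110 controls met is still a fail when the one unmet control is critical, so the critical list deserves attention before the percentage does.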

Once you have achieved full CMMC status, you will be able to work on your government contracts on an ongoing basis. Your CMMC certification is valid for three years, during which you must maintain continuous monitoring and keep upgrading your security as the cybersecurity landscape changes. Each year you will need an annual affirmation of your continued status, and every three years a full audit, in perpetuity (until you either choose to stop working with the government, lose your contracts, or the CMMC program changes).

Potential Additional Investigations

One thing that can be worth knowing is that the DoD reserves the right to perform its own additional assessment of your organization. If they have some reason to suspect fault in your documentation, in your choice of C3PAO, or in your overall implementation of CMMC requirements, they can perform their own review.


Passing this review should be no problem if you successfully passed a standard CMMC audit. However, if the DoD finds fault in your implementation of the CMMC security controls, their assessment takes precedence.

Depending on what faults they find, if any, you may need to upgrade or update certain elements of your implementation, or you may have your certification revoked and face penalties.

The Key to Success with a CMMC Level 2 Audit

To give yourself the best possible chance of passing a CMMC level 2 audit, there are a few things you can do.

The first, which happens at a business level and often before you even start implementing security controls, is evaluating and limiting scope.

CMMC is concerned with the systems and employees that handle or have access to CUI, FCI, and other sensitive government information. Unless handling that information is the sole function of your business, chances are you have private-sector customers and employees who don’t handle CUI.

Thus, you can proactively set yourself up for success by limiting which systems and people handle CUI at all. Even something as simple as running two separate, unconnected servers, one that handles CUI and one that does not, reduces the scope of your implementation. Ensuring that as few people as possible have access to systems and information relevant to the government is also key.

Essentially, you set yourself up to have as little as possible that needs review and implementation.


Obviously, it doesn’t hurt to secure your secondary systems as well. Your business customers will appreciate it. But, limiting the number of systems that need to be examined directly helps cut down on the room for error that could jeopardize your certification.

Beyond that, it’s a matter of just getting all of the security in place properly, documenting it all in an accessible way, and making sure you have the information ready for the auditors to review. Platforms like our Ignyte Assurance Platform can help with the last part, and our expert blog and other resources can assist with answering any questions you may have. If you’re interested, be sure to drop us a line!

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-level-2-documentation/

Original Post URL: https://securityboulevard.com/2025/04/cmmc-level-2-documentation-what-auditors-want-to-see/?utm_source=rss&utm_medium=rss&utm_campaign=cmmc-level-2-documentation-what-auditors-want-to-see

Category & Tags: Security Bloggers Network,CMMC – Security Bloggers Network,CMMC
