A Day with CMMC Assessors

May 1, 2024

Image from CPPC24 workshop

Review the nearly final draft in comment-only mode through June 30th. [Full Workshop Report]

Workshop Report composed by:

SEE BELOW FOR RESOURCE-PALOZA

Workshop Report

In the realm of cybersecurity, the Cybersecurity Maturity Model Certification (CMMC) framework can be likened to an apartment complex: each unit's security is managed individually, yet every unit contributes to the safety and integrity of the whole structure. Each entity must tailor its cybersecurity measures to its contract's requirements, maintain ongoing vigilance through scoping, and keep its documentation and access control focused, all under the overarching CMMC governance.

Advertised Workshop Abstract

This full-day workshop builds on the community-created System Security Plan (SSP) responses from the 2023 Advanced System Security Plan (SSP) Workshop. In 2023, community members reached consensus on responses to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls in a hypothetical shared SSP. In this year's advanced skill workshop, attendees will gain a better understanding of the preparation required for the eventual third-party Cybersecurity Maturity Model Certification (CMMC) assessment of research enclave(s) and labs by engaging directly with Certified CMMC Assessors (CCAs).

This workshop will feature presentations and discussions with CCAs, who will share lessons learned and tips not available elsewhere. Content is tailored to the assessment of research activities, recognizing the similarities and differences between large prime contractors and higher education institutions. Attendees should expect to gain or build upon a fundamental grasp of CMMC compliance requirements. That grounding supports organizational preparation for CMMC assessments in higher education and better-prepared engagement with Certified Third-Party Assessment Organizations (C3PAOs), which can help reduce an institution's cost of CMMC compliance.

Expected Outcomes: Participants will walk away with expert knowledge to best position their institution in pursuit of their CMMC assessment certification through presentations and group discussions. 

Agenda: The morning is dedicated to the early foundational work of self-assessing your CMMC enclave. We will then take a deep dive into scoping for your CMMC assessment, since scoping is both the start and the end of the assessment journey. How you categorize each asset determines how closely the assessors are obligated to evaluate it (the CMMC Level 2 scoping guidance defines CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets). Your defined scope drives overall cost: a tight, well-justified scope keeps assessment costs down, while an over-scoped boundary that pulls in unnecessary assets compounds them.

After addressing scoping, we'll move to building your SSP for success. This document should serve as a guide for assessors and the U.S. Department of Defense (DoD); an SSP done well can save time and money. We'll address how to approach cross-referencing security controls and where the effort spent on your SSP yields the greatest return.

After lunch, the focus becomes preparing for the assessment (and operating within these new procedures once you are certified). The Certified CMMC Assessors will discuss the other supporting pieces of documentation and how to know whether you are delivering the proper evidence. We'll cover the different ways you can demonstrate that a control is satisfied. During this topic, you will gain a stronger understanding of how Federal reference documentation and your institution's own documentation connect.

Finally, we'll dive into what the relationship with your C3PAO will look like as you proceed on your CMMC assessment journey. This includes, before committing to a C3PAO, interviewing candidates about their degree of expertise and their fit for assessing a research institution. We'll address how to prepare your institution's team for what can happen during the assessment. Lastly, once you have acquired your CMMC assessment certification, we will discuss the ongoing effort required to maintain compliance as your certified enclave evolves.

Download Presentation Material

Valuable Resources

Microsoft
Amazon Web Services (AWS)
Google
RRCoP Resource Sheet