Evaluating Organizations Seeking Certifcation: Document Based Requirements to Start a Conversation
You do not jump out of a plane without first making sure a parachute works. Yet many Organization Seeking Certification (OSC) want to make a leap of bling faith about their compliance to the practices in the Cybersecurity Maturity Model Certification.
When an Organization Seeking Certification (OSC) contacts a Certified Third Party Assessor Organization (C3PAO) they will not immediately accept ytheir business. Having someone pay for an assessment when a five minute phone interview can evaluate readiness, or lack there of, of an organization would lead to unethical profits. Assessments are a tandem jump between the C3PAO and and the OSC. Both parties have a vested interest in knowing the parachute opens and covers all in-scope assets.
A C3PAO evaluates an organization as much as a OSC evaluates the assessment team they hire.
Where should an OSC expect a C3PAO to begin?
Scoping. The C3PAO needs to scope the assessment which means they need to understand how you scope your networks and systems and how CUI flows through the assets, people, technologies, and facilities, that make up your systems.
For example a C3PAO needs to understand the difference between virtual and physical locations of your assets. Do you have servers, “on prem” or do employees connect to an enterprise cloud? Can employees share and hold CUI on mobile devices? Do employees at home store and transmit CUI?
All of these questions impact the annual cost of your engineering and non-engineering costs each year. They determine the cost of a CMMC assessment. In fact no assessment should occur without knowing the difference between the logical and physical locations where in scope and out of scope assets exist.
What documents should I have ready?
As an OSC you must have a system security plan. You can not have an assessment without one. Yet your documentation needs stretch beyond the SSP. In fact to even begin a CMMC scoping conversation an Organization seeking certification should have the following document based specifications:
- Network Diagrams
- Data Flow Diagrams
- Reference architecture
- Asset Inventory
- Access Control Policies
These documents will not only explain the difference between your physical and logical techniques of separation used to protect CUI but also identify the owners and maintainers of the assets. As an OSC you can limit the numbers of assets in scope and reduce the cost of the assessment.
NIST SP 800-171 Rev 2, which states:
those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g.,implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. Basically when considering the logical and physical locations we always want to make sure the separation of assets legally authorized to process CUI. Logical boundaries, "set is physically (wired or tirelessly) connected to another asset or set of assets, but software configuration prevents data from flowing along he physical connection path." Your data flow diagram will demonstrate how Controlled Unclassified Information moves through your system. This will help you understand how to develop a more detailed network diagram. The network diagram would show all the firewalls that route traffic and only allow authorized assets to connect to the system. An access control policy identifies the authorized people with a matrix of role based access or other ways of user separation. We include an asset inventory to identify authorized devices. The asset inventory needs to track the software development life cycle of the device and includes information about the device owner and maintainer.
Why do these documents matter?
These documents prove a state of readiness for a CMMC assessment, but your really need to think of them as part of your life cycle approach to proving you implement the 110 security requirements of NIST-SP-800-171.
Basically you need to develop a systems engineering approach. In fact the most subjective of almost all of the security practices in CMMC revolves around security engineering.
SC.L2-3.13.2 – SECURITY ENGINEERING
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
ASSESSMENT OBJECTIVES NIST SP 800-171A
Determine if:
- a architectural designs that promote effective information security are identified;
- b software development techniques that promote effective information security are identified;
- c systems engineering principles that promote effective information security are identified;
- d identified architectural designs that promote effective information security are employed;
- e identified software development techniques that promote effective information security are employed; and
- f identified systems engineering principles that promote effective information security are employed.
Adjectives and adverbs add a degree of scale to assessment objectives but also subjectivity. What does “effective” mean? How do we demonstrate to an assessor, as an organization seeking certification we identify and deploy “effective information” security, techniques, and principles?
It begins with the document based artifacts that will have specifications proving you identify and deploy effective practices. “Effective information” architecture relies on technical information but also good project management. For example moving your security plan to a six month or annual cycle where you revisit the SSP and POAM while triaging not met practices during monthly meetings helps to support the technical understanding necessary.
So many examples of effective information practices exist. So do many more ineffective examples. Of course you must establish security policies, you may develop layered protections so multiple boundaries protect key architecture. Some organizations place controls as the foundation for their design. Everyone must incorporate security requirements into the system development life cycle. In other words has a devices passed end of life for security patches. Reference architecture contains your network diagrams that delineate physical and logical security boundaries. It will list all the key security assets that protect key boundaries.
You also need to consider in scope people when developing a systems engineering plan. For example anyone with privileged access, meaning they control security of assets or perform functions on systems others can not need different training on how to deploy secure software. Other employees may do risk awareness training and perform threat models to mitigate risk.
To provide enough evidence for the depth and breadth for the assessment objectives of this practice you basically need to demonstrate that you have system architecture policy that can act like a guide and explains the architecture. You will include, for example, if you deploy different networks to logically separate in-scope and out of scope assets.
SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
- a publicly accessible system components are identified; and
- b subnetworks for publicly accessible system components are physically or logically separated from internal networks.
Network diagrams will docmument to a CMMC Certified Assessor that an OSC should provide the necessary logical and physical separation of in-scope and out of scope assets.
Controlled Unclassified Information takes an authorized legal need to access, store, or transmit. You can not just give access to the public to the CUI nor to the networks on where it gets transmitted and stored. In fact separating public accessible systems, like a company website or public wifi from the servers storing encrypted Federal Contract Information is a level one control. Remember the practices are cumulative . A CCA will assess all level one and level two practices for a Level 2 assessment.
Often companies will use a cloud enclave for CUI to keep the data stored away from the public. Other companies will create a DMZ, a demilitarized zone, or subnetworks. An OSC may have one subnetwork for employees, one for the public, and one for in-scope employees to transmit and store CUI.
By providing a C3PAO with a network diagram you provide readiness for your assessment. This also provides evidence that would speak to the breadth of your your security requirements. A CCA would add to the depth of the coverage by interviewing the people who protect the boundaries.
CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
- a physical access restrictions associated with changes to the system are defined;
- b physical access restrictions associated with changes to the system are documented;
- c physical access restrictions associated with changes to the system are approved;
- d physical access restrictions associated with changes to the system are enforced;
- e logical access restrictions associated with changes to the system are defined;
- f logical access restrictions associated with changes to the system are documented;
- g logical access restrictions associated with changes to the system are approved; and
- h logical access restrictions associated with changes to the system are enforced.
In fact a CCA will assess how an Organization Seeking Certification restricts access to people who can make critical changes to your system.
Basically in order to have the system engineering in place for an assessment an organization should harden physical security at a uniformed layer. What must any employee or guest do to enter the building. You will need to monitor who comes in and control how they enter. If someone needs access to areas where systems changes can be made you need Follow them while they are there, and document why they are there. These steps must be spelled out in policy and procedures ahead of time. .
So your access control policy, a key document in getting a conversation started with a C3PAO should, “Define, identify, and document qualified individuals authorized to make physical and logical changes.” This could include employees or managed service providers whp have access to the organization’s hardware, software, software libraries, or firmware
Overall before you begin an assessment you need to demonstrate that you implement physical access control that prohibits unauthorized users from gaining physical access to an asset. You may use a key card or key pad entry to enter a server room. Your access controls should not allow regular users to log into security software. Some companies may use software that has automation with management workflow rules that define tasks such as seeking approval to change a server. A common technique is to use multiple boundaries such as only allowing patched from a specific IP management system but still requiring a manager to authorize execution.
The network diagram, asset control policy, and asset inventory will all help a C3PAO understand the difference between the logical and physical controls of an OSC’s location. These documents will demonstrate how separation gets protected with access control.
An Organization seeking certification not only must demonstrate their scope and network to a C3PAO but they should also explain how they perform system maintenance control on a system.
MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]
Determine if:
- a tools used to conduct system maintenance are controlled;
- b techniques used to conduct system maintenance are controlled;
- c mechanisms used to conduct system maintenance are controlled; and
- d personnel used to conduct system maintenance are controlled.
These tools do not store or process CUI assets on a system but do “diagnostic and repair actions on those systems.” Viruses and malware get introduced all the time through bad patching or remote management maintenance tools.
Companies have flexibility in implementing these requirements but this control illustrates how important asset inventory is when starting a conversation with a C3PAO. You can not approve maintenance tools without knowing what maintenance tools you need.
Once you know the tools you need you should include the who is in charge of the maintenance and link to a document tracking the software development life cycle, basically when di you add the software, the version, operating system, controls it meets, business function it plays, when it gets updated, and when the software is no longer supported.
Scoping Matters
The four controls highlighted demonstrate how document based artifacts help to provide the breadth of evidence you utilize to demonstrate you meet the requirements of an objective. Yet these documents also provide a jumping off point for a C3PAO to evaluate an organization seeking certification.
If a company has not documented the differences between the logical and physical locations of their assets than they can not get a CMMC assessment.