As organizations continue to prepare for Cybersecurity Maturity Model Certification (CMMC), we understand that staying up-to-date and informed is critical. On August 15th, 2024, Right Hand Technology Group hosted an Office Hours session with a CMMC assessor to provide clarity, answer questions, and share key updates. If you missed the session, don’t worry—we’ve got you covered with a recap of the main topics discussed.
One of the consistent pieces of advice was to start conversations with assessors early in the process. Establishing a relationship with an assessor and understanding their methodology can help avoid surprises during the official assessment. However, it’s crucial to be cautious when engaging assessors before the official rollout: paying deposits and scheduling assessments should wait until the formal process is in place.
Deciding whether to have one System Security Plan (SSP) or multiple depends on your organization’s environment. While it’s often recommended to maintain a single SSP for systems within the same scope, systems that are genuinely distinct might require separate SSPs. Keep in mind, however, that more SSPs usually mean higher assessment costs, so plan this aspect carefully.
The discussion highlighted recent updates, including new clauses that will be included in DoD contracts specifying the required CMMC level. This clarity is a positive step, ensuring that contracting officers are explicitly indicating which CMMC level is needed, whether it’s self-attestation or full certification. The proposed rule also introduces a DoD Unique Identifier (UID) that will link your certification to the environment where CUI (Controlled Unclassified Information) is stored.
Assessors emphasized the importance of understanding the scope when it comes to remote workers. Generally, individual remote workers are treated similarly to work-from-home employees, focusing on policies and governance. However, if sensitive data or CUI is stored on a server in a remote office location, it could change the assessment scope, making physical inspections necessary. The key is ensuring CUI is securely managed according to the defined scope.
There were multiple questions regarding the role of SaaS providers and third-party solutions in CMMC compliance. The general guidance was clear: if your provider isn’t FedRAMP certified, you may need evidence that their security capabilities are equivalent. For cloud solutions, FedRAMP equivalency is essential, covering not just the 110 controls required by CMMC but also additional FedRAMP moderate baseline controls.
Identifying and marking CUI can be a challenge. The session highlighted that while the responsibility to mark CUI lies with the government and primes, it’s crucial for organizations to maintain open communication with their customers regarding what constitutes CUI. This reduces the risk of over-marking documents unnecessarily, which can complicate your compliance efforts. Internal communications that are proprietary and not derived from CUI sources generally don’t require CUI markings unless shared with the government.
As CMMC evolves, staying proactive is crucial. Right Hand Technology Group is here to guide you every step of the way. Whether you need support understanding scope, preparing for assessments, or selecting the right providers, we’re ready to assist.
If you have questions or want to discuss your CMMC readiness, feel free to reach out. Let’s ensure your journey to CMMC compliance is smooth and stress-free.
Join us for our next session!
We hold Office Hours every month to keep you informed and up-to-date on CMMC developments. Don’t miss out—mark your calendar and join us next month for more valuable insights and guidance.