Aaron is a commercial risk management leader by trade and a Commander in the U.S. Navy Reserves. He joined the Ignyte Assurance Platform team to help us raise the awareness and readiness of the emerging Cybersecurity Maturity Model Certification, as well as NIST 800-171, NIST 800-72, NIST 800-53, and soon FedRAMP, for organizations involved in dealing with sensitive information.
Level 1 (L1) & Level 2 (L2) Self-Assessment Guidance
The focus of an L1/L2 CMMC Self-Assessment is solely on the protection of Federal Contract Information or FCI, which essentially is “government contract information, that is not intended for public release” for L1; and Controlled Unclassified Information or CUI for L2 which is defined by the National Archives and Record Administration (NARA) as “information that requires safeguarding or dissemination controls, excluding information that is classified under Executive Order (EO) 13526 – Classified Security Information”.
An annual Self-Assessment is required along with a Senior Company official’s affirmation of Compliance in the Supplier Performance Risk Systems (SPRS) which:
- Can apply to an entire enterprise network, or specifically to an enclave
- Is based on the proper scope of FCI in how it’s processed, stored, and transmitted
Organizations seeking compliance should be aware of the CMMC specific terminology as it relates to the CMMC practices required for either L1 or L2 compliance.
Assessment Criteria and Methodology:
– Self-Assessments, at either level: leverage the assessment procedures found in NIST SP 800-171A Section 2.1. Self-assessment objectives are provided for each practice of either level and are based on the criteria found in the 171A.
– Each Assessment Procedure will contain: (1) an assessment objective and (2) a set of potential assessment methods and objects that can be used to conduct the assessment.
– Each objective contains a determination statement linked to the content of the specific practice being assessed. Assessment objects can contain:
- specifications – documented artifacts like policies & procedures,
- mechanisms – specific hardware, software, or firmware safeguards within a system,
- activities – protection-related processes or activities that your employees carry out, e.g., backups, monitoring network traffic, etc.,
- individuals – those individuals, or groups of people, responsible for performing the specifications, mechanisms, and activities.
– The Assessment Methods define the nature and extent of your self-assessment actions. These methods include:
- Examine – the process of reviewing, inspecting, observing, studying, analyzing, etc., the assessment objects (e.g., policy, procedures, training materials, system, and network diagrams, etc.). The goal is to gain an understanding of the assessment object, clarify anything that needs clarifying about the object or obtain evidence.
- Interview – holding discussions with the individuals or group of individuals responsible for the assessment objects of your FCI in-scope systems and controls.
- Test – actually executing specifications and mechanisms, under specific conditions, to see if they perform according to the expected behavior.
Note: Organizations have the flexibility to determine which assessment objects and methods they will employ for their self-assessment, based on level of effort (LOE), efficiency, and cost-effectiveness.
Primary Outcome of an L1/L2 Self-Assessment:
– The creation of a Self-Assessment Report – containing the findings associated with the self-assessment
– Captures the results of each practice assessed:
- Met – you’ve successfully met the practice.
- Not Met – self-explanatory. Include statements that explain why it is not met.
- Not Applicable – this practice does not apply to your in-scope environment and L1 or L2 assessment.
- Document – evidence to support your findings (Met, Not-Met, N/A).
L2 Assessment Guidance – Nuance
L2 is a bifurcated level, meaning, that if your organization is deemed to handle sensitive CUI as it relates to National Security, then you will be required to have a C3PAO perform your assessment as opposed to performing a self-assessment.
To recap, L1 & L2 self-assessment procedures are based on NIST 800-171A. Both are annual, and self-assessments require a signature from a senior company official. Organization Seeking Certification (OSC) has the flexibility in choosing assessment objects and methods based on LOE and Cost-Effectiveness. The primary result is to produce a report capturing assessment findings (i.e., Met, Not-Met, and N/A). And L2 is bifurcated, meaning you may not be able to do a self-assessment, but instead, have one performed independently by a C3PAO.
If you have comments or questions about the new CMMC 2.0 assessment guidance, please reach out to us at info@Ignyteplatform.com.
Download your copy of the slides used in this video at our SlideShare.