1
00:00:00,000 --> 00:00:16,000
Welcome to the Quick 10 Podcast, brought to you by CuickTrac, focusing on all things FedCon and cyber defense from different perspectives and different personalities, all in 10-ish minutes. Here's your host, Derek White.

2
00:00:16,000 --> 00:00:45,000
Alright everybody, thank you. Welcome back to another episode of the Quick 10 Podcast. For those that have followed along for previous episodes, you can find us and subscribe wherever you get your podcasts, and actually catch these on YouTube as well. So today, on episode five, we are titling this one: So You Think You're Ready for a CMMC Assessment?

3
00:00:46,000 --> 00:01:05,000
And today our special guest is Glenda Snodgrass, who is the president and lead consultant at The Net Effect. She is also a certified CMMC assessor and certified professional. So, taking this opportunity to go through some of these details, Glenda, we're excited to have you. How are you doing?

4
00:01:05,000 --> 00:01:08,000
I'm great. I'm happy to be here. Thanks for having me.

5
00:01:08,000 --> 00:01:35,000
You bet. You bet. Well, we go back quite a ways and when we caught up recently, this industry specific to the defense industrial base, CMMC and said requirements that have to go along with that, the things have changed over the last, we'll call it six months to eight months and really over the last few years as things get closer to being in front of people and require. And so they have to do it.

6
00:01:35,000 --> 00:01:57,000
So the topic today is going to focus on the, we'll say the mentality of I'm ready. Right. Well, I think I'm ready. And some people think they're ready. Some people know they're ready. And those are two different things. So we want to make sure that we focus on what we can do in this 10-ish minutes of this topic.

7
00:01:57,000 --> 00:02:09,000
From your perspective on somebody who works hands on closely and has been for years and years on people that are looking to do everything the right way, make sure they're ready. And then what the impacts of that really comes down to.

8
00:02:09,000 --> 00:02:38,000
So the first question that I am, you know, sitting at the edge of my seat to ask you is: I am an organization that needs to be certified to CMMC Level 2, and I feel very confident that I can get there. So I am talking to you, Glenda: where and what is my checklist of things that I can go find right now to validate my confidence?

9
00:02:38,000 --> 00:02:58,000
Number one is your system security plan, your SSP. Right. I have discovered that a lot of people don't even realize that you technically cannot self-assess 171 against the DoD assessment methodology without an SSP that meets the requirements of 3.12.4. Right.

10
00:02:58,000 --> 00:03:15,000
The assessment methodology specifically says that in the absence of a system security plan, an assessment cannot be made. So a lot of times doing an assessment before you have a fully compliant, fully fleshed out SSP is really putting the cart before the horse because the assessment methodology says you can't do that.

11
00:03:15,000 --> 00:03:29,000
So I always look first at the SSP, because that is foundational to your compliance. Right. It's the only way you can self-assess to start with. And also because that's where a lot of people, I think, just fall down. The documentation is the hardest part.

12
00:03:29,000 --> 00:03:48,000
And people try to put that off to the end, and, you know, some of that stuff you can put off to the end. But the SSP is one thing you cannot. It's got to be right up front. Right. So my first question, always, when a potential new client comes to me and says, especially when they say, you know, we're thinking about applying for a joint surveillance assessment.

13
00:03:48,000 --> 00:04:04,000
You know, a JSVA, we think we're ready. And I'm like, OK, how long is your SSP? And frankly, most of the answers I've gotten in the last six months have been between 12 and 41 pages.

14
00:04:04,000 --> 00:04:21,000
That's a problem. If you talk to most assessors, they expect an SSP to be somewhere around 100 to 150 pages. I know one company that passed a DIBCAC High with an 80-page SSP, but it was very succinct and it linked out a lot.

15
00:04:21,000 --> 00:04:34,000
So, you know, the first thing is to look at your SSP: does it meet all the elements, all the requirements of the SSP? So where do we get these? We get these from 3.12.4, right in 171.

16
00:04:34,000 --> 00:04:51,000
It says, develop, document, and periodically update (this is a living document, right?) system security plans that describe the system boundaries. So this is the scope of your CUI environment. The system environments of operation.

17
00:04:51,000 --> 00:05:05,000
This is your facilities. This is perhaps your shop floor related networks, to where the actual CUI is held. How the security requirements are implemented. This is where I find a lot of people mess up.

18
00:05:05,000 --> 00:05:16,000
I talked to a potential new client recently and I said, how long is your SSP? And I think his answer was 12 pages. And I was like, oh, the template's only 11 pages.

19
00:05:16,000 --> 00:05:25,000
You don't have a lot of information in there, do you? And he flipped it up on the screen, and all he had done was check either the not met or the met or the implemented.

20
00:05:25,000 --> 00:05:35,000
And that's it. He just checked the boxes. It didn't say anything about how security requirements are implemented. And that's one of the requirements, the required elements of the SSP.

21
00:05:35,000 --> 00:05:51,000
And then finally, it's the relationships with or connections to other systems. That's something that a lot of people leave out. All those cloud services that you use. Maybe you've got a third party that manages your VPN for your remote access.

22
00:05:51,000 --> 00:06:02,000
There are a lot of connections to other systems in most organizations and those need to be documented in your SSP. They need to be in your network diagram. They need to be in your asset list.

23
00:06:02,000 --> 00:06:13,000
Because an assessor is going to be looking at, you know, reading this SSP. And at some point he or she is going to come to a point where he says, oh, how do you do that right there? And you're like, oh, well, that's blah.

24
00:06:13,000 --> 00:06:29,000
And he goes, oh, I don't see that documented anywhere. So that's something that we really need to focus on: having a high quality SSP that meets all the required elements of the SSP, because you literally cannot self-assess without that.

25
00:06:29,000 --> 00:06:48,000
The second problem, in addition to not being complete, is not using the 171A assessment guide. And I'll confess that in the first few years I was consulting with 171, I didn't know about 171A either. Not immediately. It took me a while. Somebody pointed me to it. And I was like, oh, looky there.

26
00:06:48,000 --> 00:07:04,000
So 171A, the assessment guide, is useful for two reasons. Number one, because the assessment methodology says that you have to use it. Right? It says that a control is not met unless all of the assessment objectives for that control have been met.

27
00:07:04,000 --> 00:07:19,000
And a lot of the controls have four or five or six assessment objectives. So that's something else that I find very commonly is someone will have an SSP and they'll have a three or four sentence description of how they meet this control and it looks pretty good.

28
00:07:19,000 --> 00:07:29,000
But then when I look at the AOs, I'll see that there's one and I'm like, but how are you doing that right there? And they're like, I don't know how to do that.

29
00:07:29,000 --> 00:07:36,000
So you need to look at all of those assessment objectives and make sure that you're covering those in your SSP as well.

30
00:07:36,000 --> 00:07:44,000
So basically, those are the problems that I find. 171A is also useful. It has a discussion section.

31
00:07:44,000 --> 00:07:56,000
And sometimes that discussion section in 171 and 171A and the CMMC assessment guides can help you a little bit understand better what those controls are asking for and what they're looking for.

32
00:07:56,000 --> 00:08:00,000
So, you know, the more you read, the better off you are.

33
00:08:00,000 --> 00:08:05,000
Yeah, and I like that. Thank you for highlighting that, the assessment guides.

34
00:08:05,000 --> 00:08:11,000
Personally, I think that makes you look at it differently. It makes you look at it from the assessor's side, which is what this comes down to.

35
00:08:11,000 --> 00:08:18,000
You know, we talk about this all the time. Is it implementation and going through an assessment are two things? I mean, same thing.

36
00:08:18,000 --> 00:08:27,000
I've seen multiple, multiple SSPs that just say this control, this is how we meet it. We meet this by having MFA.

37
00:08:27,000 --> 00:08:39,000
It's like, oh, OK, to who, to what, you know, going back to the people, process, technology. And a good system security plan really becomes the book for what you're doing and how you're doing it.

38
00:08:39,000 --> 00:08:48,000
Right. To the details that need to be in an assessment guide, that are in an assessment guide, so that then the assessor can say, aha, I see what you're saying.

39
00:08:48,000 --> 00:08:54,000
I know how it maps to this. You mentioned linking out, right? I know where I can now find that information.

40
00:08:54,000 --> 00:09:07,000
That's great. That's a portion of the assessment. The assessment now is show me. Right. Right. Show me the evidence that goes with that and then walk me through it so that I know that what you say here and what you show here is being done by that appropriate party.

41
00:09:07,000 --> 00:09:15,000
So you made two really important points right there in what you said. The first one was, you said you can't just say, well, we meet this by having MFA.

42
00:09:15,000 --> 00:09:21,000
That's one of the most common complaints I've heard from the assessors that I've talked to who have started people in there.

43
00:09:21,000 --> 00:09:33,000
You know, so you think you're ready for an assessment, and then in the opening phase of actually signing up for a JSVA, how we've met the requirement simply restates the requirement.

44
00:09:33,000 --> 00:09:47,000
So you can't say I'm meeting MFA by having MFA. You've got to say I'm meeting MFA because I have this service or this dongle or this software application or this box checked.

45
00:09:47,000 --> 00:09:57,000
And it's in our acceptable use policy that MFA cannot be disabled by users. You know, you need to explain specifically how you're meeting that requirement. Don't just restate the requirement.

46
00:09:57,000 --> 00:10:08,000
That's not going to pass. And the second thing you said that I really like is that, you know, you want the SSP to tell the assessor everything that they need to know.

47
00:10:08,000 --> 00:10:21,000
The last thing you want is for the assessor to start asking questions, especially asking questions of your people during the assessment, because you never know what those people are going to say.

48
00:10:21,000 --> 00:10:30,000
So you don't want surprises coming out. You don't want the assessor asking you to explain a whole bunch of things and asking for supplemental documentation.

49
00:10:30,000 --> 00:10:42,000
You want that SSP to be so clear and concise, but complete, that the assessor just reads through it and goes, yep, yep, yep. Good, good, good. That's your goal.

50
00:10:42,000 --> 00:11:03,000
They should know that when you're developing your SSP. Well, and you know, the other huge, I would say this is probably years back, but the requirements say, and this isn't to be a pain in the backside for a customer, but the requirements say you're going to keep this there and you're going to look at it every year.

51
00:11:03,000 --> 00:11:15,000
And so, you know, how many times do you talk to somebody who says, well, we have an SSP and we have our document, we have our policies and procedures, and then they have to blow the dust off it because it's been three years and half the people mentioned in there don't even work there anymore.

52
00:11:15,000 --> 00:11:27,000
Right. It's like, but that's not a good practice in security in general. We know that. Right. But that's the point: you need to get there, and then you need to keep it there.

53
00:11:27,000 --> 00:11:34,000
How do you keep it there and you know, this is something I'm sure you talk about. So maybe for like a minute or two, talk about some of that.

54
00:11:34,000 --> 00:11:49,000
What at least annually means, and maybe the things within the SSP that people kind of glaze over, if there are certain things that need to be performed. And that's another word that gets, I think, twisted around, but define and performed, all that kind of stuff.

55
00:11:49,000 --> 00:11:57,000
Can you talk about that a little bit on some of the things you see don't get the focus but need to be focused every single year so that at least it's being performed?

56
00:11:57,000 --> 00:12:06,000
Well, that periodically thing is something that trips up a lot of people. So there are actually five controls in 171 that use the word periodically.

57
00:12:06,000 --> 00:12:15,000
Periodically do this. Periodically do that. Well, the CMMC model defines the word periodically as at least annually.

58
00:12:15,000 --> 00:12:25,000
So the five controls in 171 that say periodically do this, and I read one to you a minute ago when I read 3.12.4 because it said periodically update, right?

59
00:12:25,000 --> 00:12:34,000
So your SSP is supposed to be updated at least annually. And this is something that a lot of organizations don't do.

60
00:12:34,000 --> 00:12:41,000
Not too long ago, I spoke with an organization that had actually passed a DIBCAC High assessment about three years ago.

61
00:12:41,000 --> 00:12:48,000
And they were looking at going through a JSVA now instead of another DIBCAC High so that they could go ahead and get their CMMC cert.

62
00:12:48,000 --> 00:12:55,000
And they wanted to talk to me about the differences. And I said, so I mentioned right off the bat, you know, the periodically assess.

63
00:12:55,000 --> 00:13:01,000
I said, so you passed the DIBCAC High three years ago. Have you updated your SSP every three years since then?

64
00:13:01,000 --> 00:13:08,000
And they said, oh, no, we haven't looked at it since the assessment. And I'm like, automatic fail. I mean, literally automatic fail.

65
00:13:08,000 --> 00:13:15,000
So you're supposed to do periodic risk assessments. You're supposed to periodically scan for vulnerabilities.

66
00:13:15,000 --> 00:13:23,000
You're supposed to periodically assess the security controls that you have in place to determine if they are effective in their application.

67
00:13:23,000 --> 00:13:31,000
And you're supposed to periodically update your SSP. So those five things at a minimum have to be done at least annually.

68
00:13:31,000 --> 00:13:41,000
And an assessor will be looking to see that you've done those annually. If the date on your SSP is four years ago, you've got a problem.

69
00:13:41,000 --> 00:13:51,000
You know, if version one is four years ago, but you've got a version two that's three years ago and a version three that's two years ago and the current version is version four, then you're in good shape.

70
00:13:51,000 --> 00:14:06,000
But if you don't have one, and if you can't prove that you have been doing that, and you don't want to just change the date on your old one every year, you need to have different versions to show that you've made changes.

71
00:14:06,000 --> 00:14:14,000
You know, another thing that I heard this organization say was, you know, we really do need to update it because we've actually changed a lot of the tools that we use.

72
00:14:14,000 --> 00:14:25,000
And I'm like, you should have updated it when you changed the tools, you know. Don't get caught playing, you know, catch-up all the time.

73
00:14:25,000 --> 00:14:36,000
Do things along the way so that you're staying current, not to mention, even if you've passed a DIBCAC High three years ago, they can still, anytime they want to, call you for a DIBCAC Medium.

74
00:14:36,000 --> 00:14:47,000
Right. They call you up on Monday morning and say, hey, we'd like to have your SSP and all your company documentation by five o'clock on Friday. You know, send it to this email address or upload it, whatever it is that they do.

75
00:14:47,000 --> 00:14:54,000
I got a call once, a few months ago, on a Tuesday morning from a colleague of mine who's an ISO 27001 auditor.

76
00:14:54,000 --> 00:15:06,000
And she said, hey, we got this call from this guy, and he had gotten the call the previous morning for a DIBCAC Medium assessment, and he didn't even have an SSP.

77
00:15:06,000 --> 00:15:12,000
Somebody who used to work for him had put a 110 in SPRS and left the company.

78
00:15:12,000 --> 00:15:17,000
So don't get caught there. Right. You don't want to get caught by DIBCAC.

79
00:15:17,000 --> 00:15:33,000
Number one. And number two, you don't want to waste your money talking to a C3PAO if you're nowhere near ready to pass an assessment because you haven't done some of these very basic things, which is not putting stuff into place in the first place, you know, but periodically updating.

80
00:15:33,000 --> 00:15:35,000
Review your documentation.

81
00:15:35,000 --> 00:15:43,000
Check your tools, you know, and when you review that documentation, make sure that it matches what you're actually doing in real life.

82
00:15:43,000 --> 00:16:04,000
Right. Say what you do. Do what you say. When DIBCAC gave a webinar sometime last year, I think, they had their top 10 problems in assessments, and like the first three problems that they identified were: the SSP doesn't match the written procedures, the written procedures don't match the policy, the policy doesn't match the SSP.

83
00:16:04,000 --> 00:16:14,000
So it was this big, you know, circular problem of, you know, the policy said we do this thing, but the written procedure said, you know, we do it every six months.

84
00:16:14,000 --> 00:16:20,000
The policy says we never ever three years or, you know, they both say we do it every three months.

85
00:16:20,000 --> 00:16:25,000
But then when they interview somebody, they go, you know, I can't remember the last time we did that.

86
00:16:25,000 --> 00:16:34,000
That's why I said you don't want your assessors asking questions of your people if they don't have to, but make certain that your documentation matches. Okay.

87
00:16:34,000 --> 00:16:43,000
You don't have to do something every two weeks or every 30 days or every 90 days. It might not even make sense in your organization to do it that way.

88
00:16:43,000 --> 00:16:55,000
If there's nothing defined, then your default is at least annually. So at least annually, if your documentation says at least annually and you can prove that you have done it at least annually, then you're good.

89
00:16:55,000 --> 00:17:03,000
Now, some things I would like to see done more often than that, vulnerability scanning, for example. But no matter how much I would like to see it done more often than that,

90
00:17:03,000 --> 00:17:13,000
the control says periodically, and CMMC says periodically means annually. So as an assessor, I cannot ding you if you only do it annually, even if I'd like to see it done more often.

91
00:17:13,000 --> 00:17:22,000
Well, in some of the language says as defined by organization, right? There are, you know, periodically as defined by frequency and how often.

92
00:17:22,000 --> 00:17:37,000
But then that's not the old standard ones, because there are NIST requirements that aren't within 171, but are referenced, that do also mention at least annually as the NIST standard for something that needs to be performed frequently and periodically.

93
00:17:37,000 --> 00:17:52,000
And yes, that is, you know, you mentioned another massive point there, too, is the controls are not prescribed. Like, not everybody has to do everything the same way with the same things.

94
00:17:52,000 --> 00:18:02,000
But this is still a risk based world and that we're talking about here. So you know, you're 100% in right you.

95
00:18:02,000 --> 00:18:15,000
And I know that the minority in compliance or different things, and you know, it truly is. But the scenario that is so frequent over the last couple of years is exactly that: I have it all, I have my documentation.

96
00:18:15,000 --> 00:18:31,000
This is how we do it. When we do it, who does it. You know, people leave, people go somewhere else. We had the flurry of people entering scores into SPRS and wiping the, you know, sweat off their brow. But, you know, you mentioned, you're talking about

97
00:18:31,000 --> 00:18:46,000
the requirements and some other things that happen and then every three years well that's how the CMMC requirement reads is the CMMC requirement of being certified is active for three years but the requirements that you're being certified for that are in place,

98
00:18:46,000 --> 00:18:58,000
have periodic annual requirements and other things and weird. If you have a system security plan that's has all the details and you are performing things annually and you said it, you want to make a change.

99
00:18:58,000 --> 00:19:09,000
But don't make the change and then go back through everything and play catch-up, like you said. I think that's a huge point. It's assess why you're making the change, and that could be 100 different reasons why you have to make a change to your scope, your

100
00:19:09,000 --> 00:19:14,000
infrastructure your people your locations, new projects, assess that.

101
00:19:14,000 --> 00:19:21,000
See how it impacts and they're okay with that. They want to see that you identify that you're going to have some gaps as you make a transition here.

102
00:19:21,000 --> 00:19:30,000
But how did you get that risk down how did you implement the gaps and then redo which weird, if you're looking at that annually or even you are required.

103
00:19:30,000 --> 00:19:41,000
It says within the NIST general 171 controls, when you make a significant change to your, right, your program or your infrastructure or whatever, you have to reassess that. You don't have to reassess the whole thing necessarily

104
00:19:41,000 --> 00:19:54,000
within the controls and so I think that's really really big, really really big point is that if you look at this and you're planning you're doing it right then you don't have to sweat as much about what happens if we change providers or infrastructure or open a

105
00:19:54,000 --> 00:20:01,000
location across the country where our scope is now going to be over there as well so I think that's really good.

106
00:20:01,000 --> 00:20:18,000
I know I know it's so easy to just blow through time here when we talk about topics like this because it's but that's the point and it's a place to start. If you are somebody who has found this conversation, very much hitting home for you.

107
00:20:18,000 --> 00:20:33,000
Reach out to Glenda, we will have her information below. And for those of you that think you're ready and those of you that want to know if you're ready, have the conversation, start to understand what that means what that evidence some of this stuff was

108
00:20:33,000 --> 00:20:43,000
a little bit like hitting home but you're not sure. That's the point here is that you need to know that you're ready before you start lining up to get on the ride right you have to know that you're ready.

109
00:20:43,000 --> 00:20:55,000
Before you reach the line that I'm tall enough to ride all that kind of stuff matters before you get to go have have the quote unquote fun within the CMMC space so thank you Glenda again.

110
00:20:55,000 --> 00:21:10,000
Really appreciate the time. The Net Effect, great resource, somebody we've put a lot of time and effort into over the last couple years. It's been super, super nice to get this clarity and see these people within the DIB trying to figure this out, come up with

111
00:21:10,000 --> 00:21:19,000
some ideas. So, thanks again, and for those. Yes, and again we've anywhere you find your podcasts.

112
00:21:19,000 --> 00:21:29,000
Check us out, look at the past ones. We'll have Glenda on again in the future, because we'll probably revisit the same conversation as things continue to come out, and it'll be fun to see where it was, where it's going.

113
00:21:29,000 --> 00:21:41,000
Yeah, things change, that is right, and that's why you should look at stuff every year, because things change, you know, at least, anyway. Anyway, thank you again, Glenda, appreciate it, and we'll see you all next time on the next episode of the Quick 10 Podcast.

114
00:21:41,000 --> 00:21:46,000
Right. Thank you, Derek and everyone else.

115
00:21:46,000 --> 00:21:56,000
Thank you for listening to this episode, and make sure to subscribe to the Quick 10 Podcast wherever you get your podcasts, and check us out on YouTube as well.

116
00:21:56,000 --> 00:22:08,000
For more information about CuickTrac, visit our website at www.cuicktrac.com. That's C U I C K T R A C dot com.

