In last week’s episode, we gave a high level overview of all things CMMC. Dave, Tony, and Robert discussed their CMMC related roles, walked through the different levels of CMMC certification, and touched on how organizations can prepare. This week we deep dive into Redspin’s CMMC Gap Assessment. As a fly on the wall, listen to CynergisTek’s Director of Security Services Dave Bailey walk through a CMMC gap assessment with Redspin’s CMMC Provisional Assessor Tony Buenger and Registered Practitioner Robert Teague. Learn what a gap assessment is, why it’s important, and what you get.
LAUREN FRICKLE, HOST: Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries, including the tech industry, defense industrial base contractors, financial institutions, and more.
Each episode features an inside listen in to the conversations between Redspin thought leaders, subject matter experts, and industry guest speakers who share insights of the latest in cybersecurity.
Subscribe to Cyberspin on Apple, iTunes, Spotify, or your preferred podcast platform. New episodes are released weekly, and a transcript of each episode can be found at www.redspin.com.
LAUREN FRICKLE: Hello and welcome back to Cyberspin. This week we’re back with Dave, Tony, and Robert, our CMMC experts. Dave is Director of Security Services at CynergisTek, Tony is a CMMC Provisional Assessor at Redspin, and Robert is a CMMC Registered Practitioner at Redspin. As promised in last week’s episode, they are here today to talk about the details of a CMMC gap assessment by Redspin, so to kick us off, take it away, Dave!
DAVE BAILEY: Well, hello everyone. I’m Dave Bailey. I’m actually Director of Security Services for CynergisTek, and I’ve got both Anthony (Tony) Buenger. Hi Anthony, how you doing today? How’s everything?
TONY BUENGER: Doing pretty good.
DAVE BAILEY: Outstanding and also have Robert Teague with us as well.
ROBERT TEAGUE: Good to see you, Dave. How are you?
DAVE BAILEY: Doing fantastic, I’m glad we could be back here together. You know we kicked off this series, talking about CMMC, you know what it is, and why do we do it. Well, we said we’d follow up and I think we’ve got a very good topic today.
We know every company that does business with the DoD or is part of that supply chain has to go through this particular process, and I think you’re going to find companies that are in varying degrees of their maturity. Some companies are used to this type of rigor and process when it comes to being able to certify with the framework. You’re going to find folks all throughout the spectrum. One thing that we do know, because the certification process is a rigorous process, and it is something that is definitely more like a true audit: no matter where you are readiness wise, a certifier will come. They will evaluate you against whatever your scope is and against the controls. And it’s really going to be pass or fail, and if you fail, you’re going to have to go through a remediation process. So, I think an important thing everyone that’s going through the process needs to consider is having a company like Redspin come in and do a gap assessment.
So, with what we know today we’re here to talk about what that gap assessment process is like.
First, I’m going to throw it over to Tony and really just ask probably the most simplistic question: In certification, what would Redspin be doing with the gap assessment?
TONY BUENGER: Why, Dave, I’m glad you asked. Hopefully, I can answer a simplistic question in a not overly complex way, ha-ha.
Basically, the difference between an assessment and a gap assessment is that the assessment is the one that you’re going to be graded on for real, as opposed to the gap assessment, which gives you an opportunity to have someone come in independently to look at your level of compliance with CMMC, and it gives you an opportunity to fix those before you actually schedule for the formal assessment.
Now you may have heard that many companies are CMMC C3PAOs and/or are a Registered Provider Organization. So C3PAO is the certified third-party assessment organization. Those are authorized and certified to conduct formal assessments to be certified. The Registered Provider Organizations, the RPOs, those are the folks who are authorized through the CMMC to go ahead and conduct gap assessments or pre-assessments, you know, to help you determine where you are and where you need to fix and then prove.
DAVE BAILEY: Is the process very similar to the overall certification process, and what does the process look like if we were to come and do a gap assessment?
ROBERT TEAGUE: Great question, Dave. So, there is a little bit of a difference, but they’re both seeking the same outcome, if you will. The assessment is actually looking to make sure the organization is doing the controls, the practices that are required for that level certification. The gap assessment, if we come in or you have somebody else come in, is to really identify where they are now, and then where they need to be at the end, and in there is that gap. So, what do you fill in that gap to get to that endpoint? And that’s what that assessment would help you do.
DAVE BAILEY: Great, and I know for me, having looked at this process and having been dealing with frameworks for a very long time in many industries,
I think one of the most challenging things in this whole entire process is the scoping process.
Normally when folks are looking at something like an enterprise risk assessment, hey, you’re just doing an assessment on the entire organization: complete policies, procedures, and the business as a whole. This particular process does require scoping.
Tony, talk a little bit about what that scoping process is like. You know, what should a company expect from a scope, and how can a gap assessment help with that scoping process?
TONY BUENGER: Yeah, very good question. Scoping is very critical. It is the foundation for what’s going to set the complexity of your CMMC assessments. So basically, what scoping does is ensure that you understand clearly where your CUI and your FCI is being processed, stored, and transmitted or exchanged. You need to understand that so you can know how to segment it. Segmenting is a big portion of scoping. Otherwise, if you don’t do the segmenting and understand your scoping, then your entire company is under the CMMC scope, which means the assessors are going to come in and look at your entire company to ensure that it’s meeting your Level 3 or Level 1 requirements. So, it’s very important to get that right, and if you don’t get that right from the beginning, that’s going to set the stage wrong for your system security plan. Your system security plan is going to be built upon your scoping effort.
ROBERT TEAGUE: Yeah Dave, if I could also add, you know, as Tony said, it’s scoping the entire network itself, so remember that has to include both wired and wireless, if wireless is accessing that information.
DAVE BAILEY: Yeah, and I know companies are going to be familiar, or at least if they’re not already familiar they will have to become familiar with the NIST Special Publication series, and you know those that have worked in and around the federal government understand that there’s a process by which, you know, you can identify, based upon the system, you know, the type of controls that you have to assess.
This is not a process where it’s every control. You have to make a determination based upon that scope, what you are assessing and what level you’re going to as well, so you know, I think that scoping process is really key and it’s the first step, because it’s going to define then all of the documentation, all of the artifacts that come in.
You know, when we look at those controls and look at what we have to identify, you know, hey Rob, what are some of the things that we know an assessor’s going to come in and ask for?
ROBERT TEAGUE: Sure, it’s a great question, Dave. Policies, starting there. First thing we’re going to look at is some of the policies that govern your security in the architecture. And another thing that we’re going to look at is procedures. Do you have the procedures documented for the different solutions and systems that you have operating on the network? The other thing we’re going to look at is playbooks/runbooks, they go by a few different names, but we’re going to take a look at that and make sure not just that you have it, but that the folks that work in and around those types of documents know them and understand them and practice them.
DAVE BAILEY: And Tony, what is the main document that comes out of that scoping process?
TONY BUENGER: Yes, well, the main document out of that scoping process is your system security plan, which will have your architecture network diagrams in it, and it’s going to be very clearly marked on how your environment is scoped. You know, what is in scope, what is not in scope for FCI and/or CUI, so that is going to really help to understand how you apply those practices and processes within CMMC.
DAVE BAILEY: Obviously there’s different levels of CMMC, you know, Levels 1, 2, and 3 and beyond. There is a difference between what’s required at a Level 1 versus Level 2 and 3, and some of that is not just about having the document. But talk a little bit about how an assessor is going to look to see not only do you have that process formalized through that documentation, but that it’s effective. What does that process look like?
TONY BUENGER: Right, the one document that I recommend everyone get very familiar with is the CMMC assessment guide. There’s a Level 1 and there’s a Level 3 assessment guide; that is the guide that the Certified Assessors, or under the provisional program the Provisional Assessors, are going to go through and mark, for each practice and each process, whether the contractor passes or fails each control. It’s available online at the CMMC website, and it is also there for contractors to use as well, so I highly recommend the contractors get a copy of that assessment guide, because it would also help them to understand exactly what the assessors will be looking for. And it’s very prescriptive. For example, the CMMC assessment guide for Level 3 has all 110 NIST 800-171 controls plus 20 more that CMMC has added, plus 3 very important processes. So, I highly recommend that they get a copy of that and get to know it very well, because that is a tool that we would use for our gap assessments as well.
ROBERT TEAGUE: Yeah, so Dave, if I can add on to that. I mean, Tony is absolutely right. What’s amazing about this program is that it’s not like anybody is trying to catch somebody off guard or anything like that. They’re literally giving you the answers to the test. You just have to go out and get ’em. Follow those answers and put them into practice. It’s very simple.
DAVE BAILEY: I happen to believe that a gap assessment will provide the playbook to you, right? It’ll tell you what you do have and what you don’t have, and then what it’s gonna take, or at least identify what those gaps are. It may take some additional work on top of that, then, to close those gaps.
Rob, we’re going to show up on-site, right? Or obviously, with COVID, there’s always opportunities to do things remotely, but let’s just say in this scenario we can show up on-site. What’s the experience like? What is a company going to experience from an assessor?
ROBERT TEAGUE: So, when we come on-site, the first thing we’re going to do obviously is meet your team. We want to establish rapport right away. The more rapport that we can build with you, the easier it is to talk about these procedures and the controls. We’re not here, like I said earlier, to poke anybody in the eye. We’re not here to catch anybody off guard. We’re not here to say we know more than you. We’re here to help you follow the guidelines that the DoD has set in place. More importantly, to assist you in getting that certification level that you seek so that you can win that contract, for those that are competing. For those that already have contracts in place, you have to think of us as an extension of the team. If we’re coming out to assist you as an RPO, we come out to assist you and are there to help you prepare so that you can keep that contract.
Not only that, when we come out on-site and we do something like that, if it’s a pre-assessment, you’re going to get the feel of what the actual certified assessor is going to be like when they come on-site, and you’re going to realize they’re not a machine. They are an individual person like you, and they’re just asking questions, looking for what you’re doing so that they can get you through the process.
DAVE BAILEY: Hey Tony, I have a question for you. I know you know folks that have been in and around the assessment business. You hear a lot of terms about checklist assessments. Do you see the CMMC process as a checklist process?
TONY BUENGER: Yes, that’s a very good question. It may seem like a checklist approach, because the Assessor is going to come in and look at each of those requirements and annotate pass or fail. But keep in mind that for a Level 3 maturity, which means you’re managing your cybersecurity program based on CMMC, means that you have to prove that you have institutionalized processes. And it is a specific process. It’s a Level 3 process that’s called resource a plan. Which means the assessor is going to come in, and for each of the 17 domains, and these domains are from access control, incident response, audit and accountability, and so forth. For each of those domains the company, this is not the IT department, not the security department, the company will have to prove that they’ve institutionalized processes from, kind of like, I would look at this as kind of a governance component here, to ensure that you’ve actually got proactive management for every one of these domains. Meaning, do you have the budget that you need to incorporate security practices? Do you have the budget to ensure that your employees have the proper skill sets, are they trained? And what happens if you do lose some employees? What is your contingency plan to backfill them?
So that is very extensive. It may look like one control, but it’s one that CMMC has added, so that’s outside of 171. That will be looked at to ensure that they have had these processes in place. So, if an Assessor comes in and it looks like the contractor put this in place a month ago, that could be a failure, and that’s something we’ve been talking with the CMMC Board of Directors about, and that’s the intent of this process here: to measure that the contractor’s been doing this all along and didn’t just stand it up.
ROBERT TEAGUE: So, Dave, if I can, I mean Tony hit on a keyword. I’ve been getting a lot of calls from folks that are still trying to understand the CMMC process, and they all ask me, well, we’re a small company, we can’t afford these big solutions to help us control our network. If you notice, Tony never said anything about a system or solution. He said all processes and procedures. Take for example a data loss prevention solution, a DLP. Most people can’t afford that. Our parent company, CynergisTek, does a lot of risk assessments, and a lot of the organizations they work with cannot afford a DLP. Rather, they adopt a DLP strategy, which means they lock down the USB, they control what leaves the environment, they control what comes in the environment; we’re talking ingress and egress. All of these things play into a strategy. You don’t need a big solution; you just need the processes and procedures in place with security in mind.
DAVE BAILEY: So, one of the things that I did hear out of this right now, certainly, is that if you’re a company that knows they’ve got some work to do, or they need an understanding with the gap assessment, you really can’t take the motto that I used to have back when I was in college that “if you wait till the last minute it only takes a minute”. So probably you need to get ahead and really start this process now.
I think one of the key things that Tony and Rob have said during this time is that this process isn’t a checklist process. There is structure to it, that’s what’s great about it. You know, there is a structure to the CMMC assessment process, but it’s far beyond just being able to demonstrate a document or, you know, some diagram. You know, you’re going to have to be able to demonstrate that you have these controls in place and that you’re safeguarding the information in the processes and your people are trained.
Tony, if Redspin were to come in, you know, The Tony and Rob Consulting Show walks in and they do a gap assessment, what can you do with the output? What is the output going to show that company?
TONY BUENGER: The output is going to be as close as possible to what they would see from the actual formal CMMC assessment. So, we would provide them with tools that they would expect to see for their assessment. So, when we provide them with the product after this gap assessment is done, it’s going to be in the same type of formats that we as a C3PAO would send to the CMMC accreditation body. You know, the results, so the final product will be that package that we would actually send to the CMMC accreditation body.
DAVE BAILEY: And then if there were any gaps, what kind of insight is provided on those gaps?
TONY BUENGER: Yeah, that’s a very good question. You know, during a formal assessment to be certified, the C3PAO and the Certified Assessor, or during this provisional program the Provisional Assessor, as I am, cannot provide any remediation or recommendations. It’s just pass/fail; if you fail, they are just going to say you did not meet this requirement. But with the gap assessment, we have the flexibility, of course, to let them know “well, you did not meet this control, here’s why you didn’t meet it, and here’s what we recommend you do to remediate this so you can pass this requirement”.
ROBERT TEAGUE: Yeah Dave, and if I can, CynergisTek assessors that go out with that organization and do assessments are very knowledgeable, so when they give recommendations, there’s stuff like what we call “low hanging fruit”, you know, add this to the policy; there’s stuff like, well, if you can afford this solution, get this solution. If you can’t afford the solution, try these two or three different things. Those are the kind of responses that we’ll be able to give these organizations in the gap assessment that will help them.
DAVE BAILEY: Then I would assume, based upon that gap assessment or those recommendations, that, you know, the key thing is to be able to take that information and develop a plan. You can take all of those recommendations and really codify that into a plan of action. The good thing about the plan of action from the gap assessment is, once you start working that plan, it’s really demonstrating that you’re actively mitigating risk and that you’re working an overall security program from that. So, it’s a big part of an overall maturing security program.
I think one of the things that, if companies aren’t used to this process, is extremely important is that it is a journey. This process is a journey. It doesn’t stop. You don’t get certified and then it’s like, thanks, we’ll see you 20 years from now, you can go back to not doing what you just said you did. No, it’s a process that you have to demonstrate. You really want to be able to demonstrate to the government that you’re capable of managing, safeguarding all of the data that’s entrusted to that company, or, you know, how you do work within the federal government.
Well, thank you Tony and Robert for talking about the gap assessment. I know here at Redspin we’re excited about the overall CMMC program and really having two folks as passionate as you two about this process, and we’re motivated and ready as a company to be able to go and assist.
I think some of the biggest things that we want to be able to help companies with is to say, hey, if there’s things out there that you’re not comfortable with or you really don’t know yet, this gap assessment process is the way to go. It’s going to tell you where you’re at, it’s going to give you exactly where you’re at, and it’s going to give you the roadmap to what gaps you may have. And I think what we’d like to do in the next conversation that we have is to say, OK, now that you have those gaps, what’s the remediation process like? You know, what are things that you can expect from the remediation process, and how can you turn that plan into action to get you to certification?
So, thanks again, Tony and Rob. Really appreciate the opportunity. I enjoyed the conversation today!
LAUREN FRICKLE: So, there you have it, from playbooks to workbooks to roadmaps. Redspin can help you with a CMMC gap assessment. Please reach out to us if you’re interested or just to have a conversation at www.redspin.com.
Thanks for listening.