Our Thoughts on CMMC Level 3 Assessments

May 27, 2021 Redspin, Inc.

As a candidate C3PAO undergoing our own Level 3 assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), this experience has provided our team here at Redspin with insights into the CMMC assessment process, which we believe are valuable to all organizations seeking CMMC certification.

We have created CMMC-Spin, a newsletter that focuses on all things CMMC. In this first installment of CMMC-Spin we will highlight two areas of significance within the assessment process: documentation and training.

Documentation >>

The documentation of practices enables individuals to perform them in a repeatable manner

While often overlooked, policy and procedural documentation is vital to achieving CMMC Level 3 compliance. CMMC adds an additional layer to its compliance framework called Processes. Processes are designed to ensure that the organization has implemented practices (security controls) and processes that are repeatable and lasting. Documented processes that are not known to operators cannot be performed or performed consistently. Within most organizations, there is an understanding of the roles within the team as well as the processes and procedures, which take place regularly within the network and the organization. To achieve compliance with CMMC Level 3, an organization must demonstrate maturity in its security controls and the policy documentation must reflect this. This includes documenting each of the 130 processes within Level 3 to clearly define roles, responsibilities, and oversight. These processes include areas of an organization outside of the traditional IT team to include human resources, management and potentially production teams. This makes CMMC more than just the responsibility of IT, rather it becomes an organizational responsibility.

CMMC Level 3 Assessment

A breakdown of FCI & CUI CMMC Practices & Processes for CMMC Assessment Levels 1-3

Training >>

Ensure staff is properly trained and understands how to securely handle CUI

Staff training is also a key element for not only key stakeholders but all users with access to Controlled Unclassified Information (CUI) and the CUI enclave, which is designed to isolate CUI from the rest of the organization that does not require access to CUI.

Users need to be aware of their responsibilities in how CUI is accessed, as well as how it is securely handled and stored. There are specific procedures that need to be followed in labeling CUI data, which also need to be accounted for. Additionally, mishandling of CUI or storage of CUI outside of the segmented CUI enclave within the network can potentially lead to additional areas of the network falling into scope for CMMC.

As part of the certification process, the assessor team will be interviewing users within the organization to ensure that they are following the proper designated procedures. A lack of understanding within these interviews can lead to a failure of the certification. This makes training team members on proper CUI data handling a vital component for any organization seeking Level 3 certification. Staff training can be performed internally or by an outside party through a variety of methods. Whichever method is selected, the key is to ensure staff participation and understanding.

How we can help >>

These are just two CMMC topics we are touching on from a very high level. Additional CMMC resources can be found on our website.

If you have questions on any related aspects of CMMC Level 3 compliance or would like to have a more detailed conversation with a CMMC assessor on documentation or training, click the button below to schedule a call.


About the Author

Redspin, Inc.

Redspin is a leading provider of risk assessments using various frameworks including NIST CSF, CMMC-AB, ISO 27001, PCI DSS, and healthcare cybersecurity consulting. We’ve helped many Fortune 500 and leading growth companies in highly regulated industries including government, financial, technology, and manufacturing improve their cyber readiness and resiliency through a strategic and proven approach to reduce cyber risks and safeguard sensitive information.

Follow on Twitter Follow on Linkedin Visit Website More Content by Redspin, Inc.
Previous Article
How GCC-High and a VDI Environment Can Help Clarify your Scope for Meeting CMMC Requirements
How GCC-High and a VDI Environment Can Help Clarify your Scope for Meeting CMMC Requirements

When preparing for a CMMC assessment, whether it be Level 1 or Level 3, we at Redspin advise organizations ...

Next Article
Introduction to Redspin, a Cybersecurity Maturity Model Certification (CMMC) Third Party Assessment Organization (C3PAO)
Introduction to Redspin, a Cybersecurity Maturity Model Certification (CMMC) Third Party Assessment Organization (C3PAO)

Dave Bailey sits down with CMMC Provisional Assessor Tony Buenger and Registered Practitioner Robert Teague...