Are you in the right spot? If you are a CMMC beginner and trying to learn about CMMC Level 1, check this article first.
CMMC Level 1 Assessment Guide
This video is presented by Carnegie-Mellon University, Software Engineering Institute (CMU-SEI). They are the creators of the CMMC model and the CMMC assessment guide. Their explanations are highly authoritative.
The video can be found on YouTube here. For convenience, I’ve embedded the player on this page. This video is the property of CMU-SEI and is streamed directly from YouTube.
The CMMC Level 1 Assessment Guide can be found here:
Review of the CMMC Level 1 Assessment Guide:
Level 1 requires policy, records, processes?
One concern is that multiple Assessment Objectives at level 1 seem to expect policy, records, and processes. While not up to the full standard of “process maturity”, this does require some documentation and record keeping which is contrary to historic descriptions of CMMC level 1 by DoD representatives.
My best guess at why these level 1 Assessment Objectives are expected to have supporting documentation is because they are copied directly from the NIST Special Publication 800-171. 800-171 is roughly equivalent to CMMC Level 3. 800-171 definitely expects policy, records, and a certain level of process maturity.
The end result may be that this Assessment Guide establishes the official DoD stance on CMMC level 1 documentation. The guidance fits best practices for cybersecurity, and many businesses will want to voluntarily perform these actions (especially the inventory and user lists).
Here are some specific call-outs for policy, records, or process maturity:
AC.1.001 “Is a list of authorized users maintained that defines their identities and roles [a]?”
AC.1.003 “Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures.”
AC.1.004 “[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified.” “Does information on externally facing systems (e.g., publicly accessible) have a documented approval chain for public release [c]?”
PE.1.134 “are lists or inventories of physical access devices maintained (e.g., eys, facility badges, key cards) [a]?”
SI.1.210 “Is the time frame (e.g., a set number of days) within which system flaw identification activities (e.g., vulnerability scans, configuration scans, manual review) must be performed defined and documented [a]?” “Is the time frame (e.g. a set number of days dependent on the assessed severity of a flaw) within which system flaws must be corrected defined and documented [e]?”
Response – Process Maturity at Level 1
Andrew Hoover (CMU SEI) sent us the following response / clarification. Thank you Andrew!
No contradictions of NIST SP 800-171 and 800-171A
At CMMC level 1, all practices were already represented in the NIST SP 800-171 and 800-171A (assessment guide) document.
The assessment objectives look like they were copied directly from these sources without modification.
The sources and methods list look very similar (I didn’t scan these too closely)
If you are already compliant with NIST SP 800-171 you should be just fine. But if you are only seeking CMMC level 1, this is probably not your situation.
No scope guidance
The assessment guide does not define scope. It does have a section about scope, and says it will be included in a future version of the document. 800-171 gives about a paragraph worth of guidance on scope, which is the best we’ve got right now.
Federal Contract Information (FCI) for CMMC Level 1
The word “FCI” is all over the CMMC level 1 assessment guide. This appears to be the main target of cybersecurity protections, and probably will define scope in the future.
Page 2 of the Assessment Guide has a copyright statement which assigns ownership to Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC.
Note, I believe it is safe to quote small portions of these documents here under Fair Use Act, Educational. (don’t sue me!)
Why is copyright a concern? When CMMC professionals perform assessments, they will typically have an in-house version of the assessment guide to track their work against. This copyright means that assessment organizations will 1) need to mis-quote the assessment objectives internally, 2) violate copyright, or 3) deal with constant back-and-forth referencing multiple sets of documents during an assessment.
Note: This language also exists on the CMMC Model and Appendices documents.
What do you think?
Is the webinar from CMU-SEI helpful to wanna-be CMMC level 1 organizations or level 1 assessors?
Do you see anything in the Assessment Guide that doesn’t make sense?
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.
Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioners and Certified Assessor candidates on staff. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.