CMMC Assessment Spot Checks
"If contractor's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks. The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost. The limited spot check(s) will be within the defined Assessment Scope." – CMMC Scoping Guide for Level 2
What are Spot Checks for? – Verify scoping boundaries
In my opinion, spot checks are meant to be used to confirm that a company’s proposed scoping is accurate.
During planning, the Lead Assessor should identify spot checks (tests) against suspected or common boundary failures (the risks).
A test could include asking users whether they send CUI via email (if email is categorized as a Contractor Risk Managed Asset / Out of Scope).
Another test could be trying to copy data out of a VDI session (if endpoints are categorized as Contractor Risk Managed Assets / Out of Scope).
Spot checks should be performed early in the assessment. If a spot check fails, the Lead Assessor may revise the asset categorization identified during scoping. If asset categorization changes during the assessment, it is a Big Deal, and the C3PAO Quality Manager should be informed as soon as possible.
Other interpretation – Ensure SSP accurate for CRMA
Another possible interpretation is that the assessor would spot check Contractor Risk Managed Assets to ensure that the security described in the System Security Plan is actually being performed for them. If this is correct, then it implies that CRMA are supposed to be fully documented regarding their performance or nonperformance of security controls in the System Security Plan.
I think there is a decent chance this interpretation is what the DoD intended, but I don't see the purpose of doing this, because a failed spot check wouldn't change the assessment result, except maybe a NOT MET on the SSP. The DoD's official guidance says that CRMA aren't required to have any specific security applied.
Other interpretation – Sanity check CRMA controls
I have talked to other people who interpret this scoping guidance as the assessor critiquing the security implementations for Contractor Risk Managed Assets and whether applied controls are appropriate for those assets. For example, the assessor might randomly decide that CRMA need to have storage at rest encryption. Then what?
This interpretation makes the least sense to me.
What do you think?