S3 E46: CMMC Scoping and Self-Assessments
Transcript
Jordan Eisner
Hello, everybody. Here we are. Welcome back, Chris. You are. We had a brief, you know, Thanksgiving hiatus, and we’re back. It seems like forever since we’ve done one of these podcasts. I’m going to see if I can remember how to do it.
Chris Abacon
Yes, Sir.
Right on.
Jordan Eisner
We’re talking about a very timely thing today. So this is, this is good as we move into almost a month right past CMMC Phase 1 officially starting, is that correct?
Chris Abacon
That is absolutely correct. November 10th, right. So it’s also coincidentally the Navy, the Marine Corps birthday, right. So it’s very important to my practice director, right, who’s probably listening in.
Jordan Eisner
Steve, right.
Yeah, at all. I was looking at it. I was thinking the day before Veterans’ Day. But there you go. Maybe that’s more meaningful for Steve. That’s the Marine Corps birthday.
Chris Abacon
Yeah, absolutely. No doubt.
Jordan Eisner
So we’re going to be talking about self-assessments and scoping for organizations seeking certification, or OSCs, around Level 1 and Level 2, I believe. And we’re going to be doing it with you, right, Chris Abacon, AKA Bacon.
Chris Abacon
Yeah.
Jordan Eisner
Senior Security Consultant here at CompliancePoint. So Chris, prior, I have to read some of this with you because you have such a long, impressive background. But yeah, 10 years in the Navy, served in several different IT roles, including Navy Blue Team analyst, tactical network engineer and IT manager.
Chris Abacon
Yeah, no.
Jordan Eisner
Now more on the civilian side, as you like to say, you use your experience to help CompliancePoint clients really manage complex security challenges. And given your background, a lot of that has been tied with NIST, CMMC, FedRAMP, FISMA, GovRAMP and.
Chris Abacon
Yep.
Jordan Eisner
In that realm. So as I alluded to a little bit, we’re talking about CMMC scoping, self-assessments during Phase 1, organizations that are handling CUI, or, or maybe I’m stealing some of your bit here. I should let the expert speak to this part. So what?
Why don’t you kind of open up about, like, what it means now that we’re in phase one, which organizations apply, anything else you want to add, and then I can start the questioning on what good practices for SES are right now.
Chris Abacon
Yeah, absolutely. Yeah, absolutely. So with the start of CMMC Phase 1 officially as of November 10th, applicable contracts, so certain companies are eligible to perform a self-assessment. So what does that mean for Level 1 and Level 2 self-assessments, right? So essentially from.
And from the CMMC/DoD standpoint, that is logging on to SPRS, the Supplier Performance Risk System, and affirming. So an OSC will affirm that they are either meeting Level 1 or Level 2 requirements.
Right. So it’s kind of scary. You’re the CEO, CTO of a company, and you’re saying yes, yes, you’re checking the box for each of the determination statements and whatnot saying that you are in compliance with CMMC. So that’s the self-assessment period. So that’s within this first year.
Jordan Eisner
Yes.
Chris Abacon
Now, while it’s generally accepted that you, you know, during this time you’re going to be able to do this self-assessment, it’s important to note that certain large primes are actually requiring their subcontractors and their subs potentially to go under an actual C3PAO certification, so a CMMC Certification Level 2, right. So some of those include big ones, Northrop Grumman, Lockheed Martin, right. Two of the biggest primes in, in, in the United States, right. So after this first, you know, period, Phase 1, at, you know, that right after that, so 2026 in November, we’re going to start to actually see the CMMC certification requirements in contracts. So that means to get the contract, to, you know, be eligible for that specific contract, you’re going to have to be CMMC certified. There’s no way around it, right. So it’s, to that end, it’s quite a, it’s that phased approach that DoD is taking.
But in in my opinion, I think the the self-affirmation part is very, very, very intensive and scary because you’re not going, you’re not asking anybody to help help you verify that, right? For the most part, there’s no certification. You’re you’re not, you’re not giving that.
Jordan Eisner
Yeah.
Chris Abacon
You’re not giving another opportunity. You’re not giving a certification body to showcase that you are in compliance, rather you’re doing it yourself. So if something happens down the road, yes, you can, right? That’s why you have your friendly RPOs and consultants like CompliancePoint to help assist.
Jordan Eisner
But you can have somebody look over your shoulder, right?
Yeah, shameless plug.
Chris Abacon
Right. Shameless, shameless plug.
Right. But yeah, that’s where we’re at right now. And you know the purpose of this one is we’re gonna be starting to talk about self-assessments and scoping as it relates to this phase one.
Jordan Eisner
OK.
Sure.
OK, good deal. Well, thanks for that overview. Good to have you on. Did you cut your hair? I know you were growing your hair longer. I know we’re getting back into personal here real quick. You did it. Oh, it’s just, is it back or something? That’s good.
Chris Abacon
You know what? I actually didn’t cut my hair. Believe it or not, I slicked it back. So I actually have curly hair, right? So I use this. Yeah, I use this curling cream. Apparently my Barber introduced it to me. It’s like, hey, you should grow your hair out a little bit and use this.
Jordan Eisner
Yeah, yeah, I can tell.
Chris Abacon
And I just kind of go back and it just curls inside, right? So it’s nice and compact, even though it’s actually like, if you’re looking at the screen here, it’s probably like a good four or five inches long, my hair. So it just curls into like a nice little bulk. So it’s very handy.
Jordan Eisner
Thank you.
There you go. Makes maintenance easier.
Chris Abacon
Makes maintenance easier, but the wind will take it up to like that.
Jordan Eisner
Oh, that’s why we got you locked up inside, right? Working on CMMC all the time. I’m just kidding. So, all right, you talked about self-attestation, self-assessment as a little bit of a daunting task for these organizations going through this for, you know, perhaps the first time or definitely the first time as we enter into phase one.
Chris Abacon
Yeah, no doubt. Absolutely.
Jordan Eisner
And you talk about the implications of what they’re attesting to and if that’s not the case and what that can mean, what the consequences would be. So let’s start with what are good practices for an OSC, an organ, you know, organization seeking certification to undergo self-assessment prior to undergoing.
The C3PAO assessment.
Chris Abacon
Right. So it’s, I mean, going with and doing a self-assessment internally, right, prior to affirming your either, you know, Level 1, Level 2 on SPRS or going through a C3PAO assessment, going through that internal self-assessment is really best practices. One, it allows, it gives you the time, the organization, so you can.
OSC to really identify and address any of the gaps in implementation of the cybersecurity measures. Really ensure that you’re in compliance with the applicable FAR clauses and DFARS clauses, right? And then really before that third party comes in.
It helps you understand and prepare for the full implementation and necessary measures to be able to produce a POA&M if you need to get those timelines in, in place for your organization. That way you can, you know, plan ahead for, you know, potential cybersecurity investments.
And really it saves you time on, on the back end, right, and the front end. So when you’re going through a self-assessment prior to going, prior to doing it with, prior to doing an official assessment with the C3PAO, you can identify those gaps early, mitigate those gaps, right, with an RPO, or, you know, you can do it internally.
Only if you’ve got the skill set and the human capital to do so, but it lets you find those and it reduces the risk of having those not-met findings during this C3PAO assessment. It makes it a smoother process. A self-assessment, internal gap assessment, whatever you wanna call it at your organization, is gonna be really pivotal to your success as an OSC.
Jordan Eisner
OK, all right. Well, easy enough, right? All right, well.
Chris Abacon
Yeah, no doubt.
Jordan Eisner
Scoping. Um, you know.
Why is it so important in the context of CMMC?
Chris Abacon
Right. With scoping, right and with the self-assessments, you as an organization will want to understand the boundaries that you’re working with any of the any of the assets at your organization that process.
Store or transmit FCI and CUI. So any of your computers, any of your phones, you know, even your printers, right? Your Wi-Fi devices at your location, your, your, your, your, your large machine.
Manufacturing devices right that they could be specialized assets, right? They have to be documented and secured to the best of their capabilities, right? You might even have government furnished assets. The government could a government furnished equipment. They could give you a laptop to work with and then that’s where that CUI has. Having that documented, having all that stuff in scope, lets you narrow down what you need to, you know, prepare for, right? And then you can showcase to your assessor or really even like during your self-affirmation, you’re giving yourself the warm and fuzzy that.
That hey, look, this is where my CUI lies. I am fully confident that I’m meeting these requirements, right, in the CMMC-specific SPRS world, right? So you have this unique identifier, right? That UID is essentially the compliance number for your submission.
Into SPRS, right? Like, proper scoping reduces that unnecessary effort down the road and prevents over/under assessment, right? That’s a big one because you don’t, you don’t want to waste resources securing things you don’t, exactly, that you don’t need to, that you don’t really need to.
Jordan Eisner
Sure, don’t do more than you have to.
From a compliance standpoint, from a security standpoint, but yeah, yeah.
Chris Abacon
From a compliance standpoint, there’s best practices and compliance, right? We know that. We know that definitely, right. But one thing also to consider. So in in the latest FAQ, right, published in November, was it December or it was recently right, the DoD actually considered gave clarity on virtual desktop interfaces, right? Virtual desktop infrastructure, right? So VDI, if you’re familiar with VDI, it’s just you’re remoting into a virtual desktop that where the processing is happening somewhere else, right? So in this case, let’s just say for example it’s happening on the.
Jordan Eisner
OK.
Chris Abacon
Microsoft GCC High cloud, right? It’s happening somewhere else other than your computer, right? So those can be, so the assets processing. So you’ve got these thin clients, your monitors and your keyboard, whatever. Those can be considered out of scope if and only if.
Only keyboard, video, and mouse data is being processed, right? Because if you think about it right, if you have a thing, if you’re doing a VDI through your desktop or rather or you or like a laptop, you could still do a print screen, right? You can definitely.
Do a screenshot right of that CUI and store it locally, right? There are all these like little nuances about VDI that you know you as an organization just need to understand and really go through these, these, these, these little efforts just to make sure that you’re covering yourself on that regard because you don’t want it to say, hey, all of a sudden.
Your assets are in scope when you’ve previously attested or affirmed that it’s not right. So that’s just one big example where scoping is extremely important and that’s why you know you should go talk to your friendly RPO organization for support.
Jordan Eisner
Yeah, sure.
I was about to say, right, you know.
There could be a lot of financial consequences of getting the scope wrong. Yeah, whether you under scope and then come out of time, it’s determined that it should have been in scope and then fail and all the costs associated with that.
Chris Abacon
Absolutely, no doubt.
Jordan Eisner
Or you’re over-scoping. You spend more time and effort certifying and complying with something that you may not need to.
Chris Abacon
Absolutely, no doubt.
Jordan Eisner
Yeah. All right. So we’ve covered some pretty good ground here. You know, I think what to expect for level one, level 2, some scrutiny they need to place on a few certain things like self-assessment, the scoping.
What about, you know, if you had to sum up a few other things or I I would say maybe even in closing for this for this podcast, what are some key recommendations that that you have for somebody starting this journey and doing their self-assessment to look for to do to make sure they cover and maybe it’s some reiteration?
Of what we already talked about, or maybe some other things that you make sure you want to cover or that they know about.
Chris Abacon
Yeah, absolutely. So for any organization that’s, you know, starting this journey, right, with CMMC, I know everybody’s saying you’re late in the game, but that’s not the case. We’re looking towards future state. We’re looking, you know, to work with your OSCs, right. But as an OSC, first things first is identify those contract clauses.
In your contract, right. So you’ll, you, it’s generally the, if you have this capability, speak to a representative from your prime or your sub that has, that owns the contract, right. Or, you know, if you have a representative in the DIB, even better.
But generally for you know our audiences, if you have that representative from the prime that can you know showcase the contract clauses and what you know your statements of work and all that, all that stuff right, all that contractual language can help you dictate and determine what is you know what you’re processing is could be.
You potentially, CUI or FCI, right? So that’s first things first, look at the contractual language, then really identify. Then the second, I would go into an asset inventory. Inventory everything that you have from, it depends on how deep you want to go into this. You can go as deep as monitors.
At your office locations, you can the desks, right? You can do all of your laptops if you’re remote, right? Inventory everything, right? Because general best practices as an organization is you need to have an asset inventory. It’s one of the first things any consultant will ask you, hey, do you have an asset inventory?
And a network diagram, that’s another one, right? Make sure you have that network diagram and an asset inventory. That covers a lot of bases and it gives, it gives a consultant or a C3PAO the warm and fuzzy that you know what you’re doing, right? So understand that. So having those two things first, exactly, so.
Jordan Eisner
Oh, you got your ducks in a row, right? And.
Chris Abacon
So with the network diagram, also a data flow diagram, you know it might be simple depending on your organization, right? It might just be one building right into this specific room that processes CUI. Or it could be complex where you have your multinational that has multiple locations that process CUI. There’s all of that, right?
But generally understand where your data is flowing, specifically FCI and CUI. Then we can get into like the technical implementation of it, like the whole the nitty-gritty system security plans, right? System security plans. Everybody’s heard about a system security plan. It’s the first thing an assessor looks at. It’s their blueprint.
System security plan is the blueprint to your to your security program, right? And it lets you, it lets you identify those specific items that you need to point towards and say, hey look check this policy out. Here’s an accompanying access control policy. You can see all of our specific procedures there. You can use a create an SSP that goes line item by line item right for the CMMC requirements and if you you know if you don’t have the capabilities or internal resources to.
Do that yourself. Definitely. We absolutely recommend seeking out an external consultant like CompliancePoint, right? No doubt. And then with that as well, like this goes hand in hand. It’s understanding the level one and level 2 requirements.
Jordan Eisner
Right, right.
Chris Abacon
Right specific, especially for you know the level 2 self-assessments even right. You need to understand not just 110 controls, but the 320 determination statements that go with those 110 controls.
Right. And if you’ve read those, they all kind of flow in a certain way. You identify something, you document something, and then you implement something, right? You have to be able to show for it, like a three-tier way to that. You can’t just have something documented, right? Certain things assessors will look for and want to see.
Jordan Eisner
Yeah.
Chris Abacon
See over the shoulder, right? I want to see you lock out your computer with your passwords. Is it really five times or however many times you defined right? So be prepared to showcase your procedures, right? Be able to showcase that you’re doing what you’re saying you’re doing.
Jordan Eisner
Yeah.
Chris Abacon
And then really one last thing as well, right, there are, there’s an abundance of, you know, resources available for you, right. So first thing actually is to go look at some of the Cyber AB documentation and the official DoD documentation.
You’ll see the official FAQ, frequently asked questions. You’ll see the actual models. You’ll see the assessment guides, right? So the assessment guides are what the assessors use right for assessment. You can get the answers to the test right there.
Go, go to the official documentation, get the assessment guides. Now there are, you know, obviously the assessment guides, they can be daunting, right? That’s why we always recommend going with a consultant, right? But they will give get you that first head start, right?
There’s also if you’re having issues with for or if you’re looking at training resources, for example, there are free training resources out there for CUI. You can incorporate them into your training programs. Just add another little certification for those.
For those users, alongside your general security awareness training, document them. Anybody that’s using CUI and you know has to be aware of it. Take this training, print out or save the certificates and have HR or somebody or training manager save the certificates and there it is, right? You can showcase.
You’re meeting a domain in CMMC, which is awareness and training, right? And also lastly, there’s also the business support, small business support programs like the NIST MEP, which stands for Manufacturing Extension Partnership. So each state and maybe perhaps region has one.
I know Georgia’s got one and the New England region’s got one, but there you can, you know, maybe network with your fellow manufacturing organizations in within the state or region and then you can kind of help share that knowledge when it comes to scoping.
Right. Because, you know, ultimately this is a team effort, right? This is a national security thing, right? Cybersecurity is national security. And I believe that if we, you know, we share those resources specifically, you know, on the OSC side, it just makes things a lot easier moving forward, right?
Jordan Eisner
Well said. Yeah, no, that’s a lot, but, but good. No, I think important, vital information for a lot. And I’d encourage our listeners and people coming back to the source of it, CompliancePoint. Not to say that it’s near the breadth of resources in Cyber AB and those other sites, but we’ve done.
Chris Abacon
Those are my big steps.
Jordan Eisner
We’ve done a few podcasts on this, Chris. I know, you know, blog posts, there’s other resources we also have available on our website that I’d encourage anybody to check out. And then I’d go a step further as Chris identified in inside this session or inside this podcast. You know, we are an RPO.
We have CMMC expertise. We work with organizations to prepare for and get ready for a C3PAO, C3PAO audit. And so if you have questions, you have inquiries, if you want to talk with somebody and figure out your journey, what it’s going to take, where it might make sense for consultative support, where it makes sense for you to just handle it on your own.
You know, we like to think of ourselves as a trusted advisor and would be very, very keen on having those conversations with anybody that’s listening to this today and is interested in that. So reach out to us at compliancepoint.com. There’s an e-mail there. In fact, you can e-mail at connect@compliancepoint.com and get in touch with us or.
LinkedIn or many, many different channels. It shouldn’t be too hard to find us. And if it is, let me know because it’s kind of my responsibility here. But until next time, Chris, thank you for your time, and for everybody else, I think we got probably another one of these or two before the holidays are lined up. As you can see in Chris’s background, we’re getting.
Chris Abacon
Thank you.
Jordan Eisner
So happy holidays to everybody listening and now we’re looking forward to 2026.
Chris Abacon
Absolutely.
Jordan Eisner
All right, see ya.