In this blog, I will be recommending something that will take a lot of work upfront but will pay dividends for your organization later. While this blog specifically speaks to CMMC, the same process described here can be used for NIST 800-171 or RMF. I first used a similar process to address DISA CCI items in eMASS for RMF.
What I am calling assessment procedures are the steps that one would take to verify that assessment objectives are satisfied and in line with documented policy and procedures. In other words, these are the steps to show how you are doing what you say you are doing.
Creating custom assessment procedures will benefit your organization in three ways.
First, you can use these assessment procedures to verify and validate that your organization has met all of the assessment objectives for the CMMC Level that you are seeking. This will help in your self-assessment to determine your readiness for assessment by a C3PAO.
Second, you can give your assessment procedures to your C3PAO to show them how you assess yourself, and they can choose to incorporate your own procedures into the scope of their assessment, which could potentially streamline your assessment. Knowing exactly how to show compliance to the C3PAO with documented steps could make for an easier assessment for both you and the C3PAO.
Third, you can use these assessment procedures to perform continuous monitoring. In a continuous monitoring plan you set how often you want to verify that each practice is still in place and operating as expected, and then you execute the plan by performing the assessment procedures at the specified intervals. This would also satisfy CMMC Practice "CA.3.161: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls."
The key to these assessment procedures is that they are repeatable procedures that are documented and are able to be used to ensure coverage and traceability back to requirements.
Now that I've described what assessment procedures are and how they could be used, let's discuss how to create one.
The first step is to select a practice to work with. I randomly selected "SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed."
SI.1.213 is a Level 1 practice, which means formal documentation is not required. Documenting it anyway will make everything easier, so I recommend it even if it is not in a formal policy. If you are pursuing Level 2 or higher, you would need to have formal documentation, so the assessment procedures for this practice will refer to documentation, which, as mentioned, can be informal (L1) or formal (L2+).
SI.1.213 has 3 assessment objectives that need to be met.
[a] the frequency for malicious code scans is defined;
[b] malicious code scans are performed with the defined frequency; and
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
This means you would have a minimum of three assessment procedures, but you could have more. Without complicating things too much, you could create multiple assessment procedures for a single assessment objective if it were warranted, for example when the practice is implemented on several components that use different implementations. In this example, you may have assessment procedures for Windows and separate assessment procedures for Linux if a different anti-virus solution is used on each.
I use the term component to mean an object within the overall information system, so a component could be an application server, a workstation, a domain controller, a router, a person, a policy, or anything else, as long as you view all parts of the system as components that you can allocate requirements against. Allocating requirements to components is an important step that should occur before creating assessment procedures: take each practice and assessment objective and flow it down to the system components. If the practice is applicable to a component, make an additional assessment procedure to verify that you are satisfying the assessment objective on that component.
I went ahead and made a quick and very rudimentary spreadsheet to show what this could look like for SI.1.213.
You will probably have to view the image in another tab to see it. For demonstration purposes it is very generic and not specific to any system. I would recommend being more specific and listing the steps to perform the procedure at a technical level (e.g., describe where to go in the menus), so that a senior system administrator is not always needed to perform the procedure. You can also add or delete columns to fit your needs; these are the columns I like to see and filter on. You can even use formulas to change colors when a procedure is past due for its scheduled frequency, measured from the last time the procedure was executed.
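To show how the spreadsheet's two checks (every objective covered on every applicable component, and past-due procedures flagged) could be automated, here is an added example written for this post; it is my code, not the author's spreadsheet. The component names, procedure steps, intervals and dates are constructed sample data for SI.1.213.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample data for SI.1.213 (component names, steps, intervals and dates are assumptions).
PRACTICE = "SI.1.213"
OBJECTIVES = {
    "a": "the frequency for malicious code scans is defined",
    "b": "malicious code scans are performed with the defined frequency",
    "c": "real-time scans of files from external sources are performed",
}
COMPONENTS = ["Windows workstation", "Linux server"]


@dataclass
class Procedure:
    objective: str                 # assessment objective letter: "a", "b" or "c"
    component: str                 # system component the requirement was allocated to
    steps: str                     # what the assessor does to produce the evidence
    frequency_days: int            # continuous-monitoring interval from the plan
    last_executed: Optional[date]  # None means the procedure has never been run


PROCEDURES = [
    Procedure("a", "Windows workstation", "Confirm scan schedule in the AV policy document", 365, date(2021, 1, 10)),
    Procedure("a", "Linux server", "Confirm scan schedule in the AV policy document", 365, date(2021, 1, 10)),
    Procedure("b", "Windows workstation", "Open AV console; compare last full scan date to policy", 30, date(2021, 3, 1)),
    Procedure("b", "Linux server", "Check the scheduled scan job and the last scan log entry", 30, date(2021, 2, 1)),
    Procedure("c", "Windows workstation", "Confirm real-time protection is enabled in the AV console", 90, None),
    # Note: no objective [c] procedure exists for the Linux server, so coverage_gaps() will report it.
]


def coverage_gaps(procs=PROCEDURES, objectives=OBJECTIVES, components=COMPONENTS) -> List[Tuple[str, str]]:
    """Traceability check: (objective, component) pairs that have no assessment procedure at all."""
    covered = {(p.objective, p.component) for p in procs}
    return sorted((o, c) for o in objectives for c in components if (o, c) not in covered)


def past_due(as_of: date, procs=PROCEDURES) -> List[Procedure]:
    """Continuous-monitoring check: procedures whose interval has elapsed (never run counts as due)."""
    due = []
    for p in procs:
        if p.last_executed is None or as_of - p.last_executed > timedelta(days=p.frequency_days):
            due.append(p)
    return due


if __name__ == "__main__":
    print("Coverage gaps:", coverage_gaps())
    for p in past_due(date(2021, 3, 15)):
        print(f"PAST DUE {PRACTICE}[{p.objective}] on {p.component}: {p.steps}")
```

The same two functions can be pointed at a CSV export of the spreadsheet once the column names are mapped to the Procedure fields.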
To summarize: yes, this is a lot of work, but in my opinion the benefits make it worth the effort. Please let me know if you enjoyed the blog or have any questions. This one may have gone a little into the weeds, but this is how I would approach ensuring that all the assessment objectives are satisfied, and also how I would define the frequency and methods for continuous monitoring.
Please reach out if you have questions or are interested in learning more about this topic or if you would like help building this capability at your organization.
Thank you for reading!
Dr. Jeff Baldwin