This is the third in our series on the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC). Our previous articles introduced the DoD CMMC model and how to prepare for DoD CMMC audits. This final article covers how a CMMC audit is expected to play out for an assessed organization.
In an American court of justice, you are presumed innocent until proven guilty. This position is reversed in the new Department of Defense (DoD) audit to obtain the Cybersecurity Maturity Model Certification (CMMC), as it is in nearly all cybersecurity audits. Audits begin from a default state of non-compliance, where any system or process that was not tested and verified is considered insecure. This shifts the burden of proof from the auditor to the audited organization, which must prove its compliance. Not only do you need to follow all the rules, but you must be prepared to prove that you did.
Who are the CMMC Auditors?
The goal of CMMC is to verify the security of DoD contractors with third-party independent audits. This means there will be no self-assessment questionnaires or taking organizations at their word. They will need to be tested by trained, specialized individuals. These trained auditors are called “Certified 3rd Party Assessment Organizations,” or C3PAOs for short. It seems someone at the DoD is a Star Wars fan.
The standards and requirements that C3PAOs and their auditors will follow are being defined by a separately organized CMMC Accreditation Body [1], not the U.S. government. This truly makes the auditors an independent third party. The CMMC Accreditation Body will begin training auditors shortly, with 60 initial candidates selected to audit up to CMMC Level 3 [2].
As the C3PAOs will only be working on non-federal unclassified networks, formal U.S. government clearances, such as Secret or Top Secret, will not be needed. There is talk of recruiting U.S. veterans as training candidates. This training program will likely include ensuring auditors learn and adhere to a standardized process for all CMMC audits so that all assessments are uniform and fair.
The C3PAO Assessment Process
To perform an assessment, the C3PAO will need to evaluate the controls protecting the “scoped assets” against the CMMC standard. These scoped assets are the systems, processes, and people that store, process, or transmit DoD data labelled as Controlled Unclassified Information (CUI). Any other data or services will be considered extraneous with respect to the CMMC.
Also extraneous to the audit are obsolete security projects and processes, unless they are still active at the time of the audit. For example, a penetration test performed two years ago will be of limited interest to the C3PAO, who will focus on the security testing currently in operation. Similarly, other security assessments like PCI-DSS, which is scoped to payment card information, are irrelevant to the CMMC unless their environments and controls overlap with CUI systems. Even then, PCI-DSS controls will only have significance if they both protect CUI data and align with CMMC control domains.
So how will an actual CMMC audit likely play out?
Step 1 – Review Security Program and Scope
One of the first things commonly done on a cybersecurity audit is for the auditor to meet with the organization’s security lead. This security lead can be someone as high-ranking as a CISO or someone as humble as the network administrator. Whoever is truly in charge of security at the organization will be the most appropriate, as they should be the most knowledgeable about the current security program.
The C3PAO will work together with that security lead to facilitate the audit process for the organization. In fact, it’s highly likely that the C3PAO will want to review the qualifications and duties of that security role to ensure they are competent and empowered to run the security program. There have been some cases of other types of audits issuing findings because the security lead has conflicts of interest or does not have authority to do their job.
The C3PAO will also do a cursory review of the scope, security program, and controls. This is where it is helpful to provide items like diagrams of the in-scope environment, recent risk assessments, the latest vulnerability scan data, and lists of controls in place. Depending on the CMMC level being assessed, formal security documentation may not be required. However, audits go faster and more cleanly if you can provide up-to-date, relevant documents to the auditor.
There is also the possibility that the C3PAO may challenge what an organization has determined to be in scope, so it is prudent to have clear descriptions of the system architecture available. Since the CMMC follows the path of CUI, wherever that data is stored, processed, or transmitted is considered fair game. If this includes third parties or external platforms, then it is a good idea to perform a security review of that third party and be ready to discuss it with the auditor.
Step 2 – Review Controls Relevant to the Scoped Environment
After confirming scope, the auditors will go through the current controls in use. Many organizations facing audit for the first time have had rude awakenings when an auditor found that users were not actually using all the security controls that management thought were already in place. Why does this happen? Immature security programs are often loose bundles of disparate “security-like” processes with weak ties to a mitigation strategy. When these programs are presented to the auditor, they are found to exist in a patchwork, often with gaps and holes in the defensive perimeters. For example, there may be multi-factor authentication on a fraction of key servers, or some personnel may have missing background checks. To help with this, we suggest reviewing our article on the six most common audit failures, as seen by an auditor with years of field experience.
Step 3 – Gather Evidence of Control Implementation
Diving deeper into the controls, the auditor will need evidence of each control’s use within the scoped environment. At CMMC Level 1, organizations won’t need to produce reports or documentation detailing running controls. However, auditors have other ways to gather sufficient evidence. A common low-level method is simply “attestation,” where the person in charge of a control process formally testifies that the control is being performed. Here, misrepresentation or dishonesty obviously has severe legal consequences, but there is another audit pitfall: misinterpretation. A good example is the auditor asking if there is a security policy. The auditee may confirm there is with a simple “yes,” without realizing that the three sentences about using better passwords sent in an email to the IT staff over two years ago isn’t really a security policy. This is why auditors often ask auditees to “show me the security policy.”
If the control is a process, then the auditor may ask someone to walk them through it. In some cases, an auditor may want to observe the process as it is performed. Good examples of processes commonly observed in cybersecurity audits include adding or disabling users, changing firewall rules, and setting up new servers. Lastly, auditors may want to directly inspect a randomly chosen instance of a control in use to see how it functions. For example, they may verify that doors are locked, password-protected screensavers are running, and authentication settings are configured for user accounts.
There have been cases where organizations have not fully cooperated with an audit due to a lack of resources or even fear of failure. When it comes to an audit, an “incomplete” is the same as a failure. If a control activity cannot be confirmed by the auditor, they will have no choice but to issue an audit finding for that control.
Step 4 – Evaluate and Report
As the auditor reviews controls, they may uncover evidence of control failures or deficiencies. This does not necessarily mean the organization will fail the audit and miss certification. No organization is expected to have perfect security all the time. The C3PAO standards will likely include some threshold for acceptable control failure. If CMMC follows common cybersecurity audit practice, that threshold will hinge on two factors. The first is whether the failed control was a key risk control, meaning a threat could now reach CUI unimpeded. This is why it pays to use overlapping controls in a defense-in-depth strategy. The second factor is whether the control failure was a singular event or just one of many. This is why, when an auditor finds a failure, they will scrutinize more instances of that control to determine whether the problem was a fluke or a pervasive flaw.
Step 5 – Receive the Audit Findings
Once they have completed their onsite work, it is unlikely that a C3PAO will issue an official finding on the spot. Many audit reports require internal review by the auditing organization before issuance, so finalizing them can take days or weeks. However, the audited organization will likely have a good idea of where they stand based on their interactions with the auditor.
The audited organization should expect to receive a detailed report on their CMMC capability with notes on the tested scoped environment, listings of what evidence was collected, and how controls were assessed. Only an organization’s certification level will be made public, with the details about specific findings kept confidential.
How Many Times Do You Need to Get Audited?
The first round of CMMC audits will likely be a snapshot, or point-in-time audit, of the current state of security within an organization. However, it is reasonable to expect that in order to maintain a CMMC certification, the C3PAOs will need to return year after year to review. As such, future audits will examine the controls as they have been running since the previous audit. For example, if you passed the audit in January 2021, C3PAOs will review the compliance of your security program throughout 2021 and 2022. Keep this in mind when designing control processes, as they will need to be manageable and affordable over the long haul.
The Future Convergence Possibilities of CMMC
The DoD has said that CMMC will evolve based on changes in threats and technology, so we can expect new controls to be added to the various levels of CMMC compliance. This evolution is critical to the CMMC’s ongoing viability and usefulness. Mårten Mickos, CEO of HackerOne, told F5 Labs, “We are following CMMC closely because they have been thinking of including Vulnerability Disclosure Programs in the requirements.”
At the beginning of this series, we asked if the DoD CMMC would be the model for all future compliance standards. The size, depth, and coverage of CMMC have indeed attracted a lot of attention in the compliance world. F5 Labs has been told that other countries as well as international professional audit associations have expressed interest in adopting CMMC into their compliance standards. We could see a day where standards like COBIT, NIST, PCI-DSS, and ISO 27000 all converge into a single framework.
No matter what, remember the value of an audit is two-fold. First, you gain an impartial outsider’s appraisal of your security before the attackers try their luck. Second, you can use an audit certification as tangible proof of your organization’s good security practices, which can help drive new business. We know that the CMMC will definitely improve new business opportunities for DoD suppliers.