Why CMMC Related GRC Tools (as far as I know) are missing the target

As a part of Peak InfoSec preparing to be a Cybersecurity Maturity Model Certification (CMMC) 3rd Party Assessing Organization (C3PAO), we have been evaluating cloud-based Software-as-a-Service (SaaS) GRC tools that support CMMC conformity efforts.

In short, we have seen them fail for us for two reasons:

  • They use the underlying Unified Compliance Framework (UCF) as their backend data model
  • They don’t understand the implications of doing a Comprehensive NIST SP 800-171A based Assessment

UCF Dependencies

For those that don’t know, the UCF is a generic Information Security Compliance framework that is used to map NIST, ISO, CMMC, and other Information Security frameworks to one another. From a general perspective, there isn’t anything wrong with this approach, and it makes sense for businesses with a multitude of compliance requirements to use a common baseline. It also makes life easier for the GRC developers.

The problem comes in that the mapping is not a one-to-one mapping of requirements. I know this because, as an example, the Multi-Factor Authentication requirement from NIST SP 800-171 (3.5.3) or CMMC (IA.3.083) does not map fully in the UCF requirements. Should you follow the UCF standard when preparing for a CMMC Assessment, prepare to fail now.

Why does the UCF fail? Simple question and a simple answer. The UCF is not required to comply with the National Archives and Records Administration’s (NARA) Information Security Oversight Office’s (ISOO) policy guidance for assessing CUI compliance. Therefore, they leave it up to you to understand this and “interpret” whether their mapping, as used by a GRC tool, is sufficient. Most people blindly trust the tool and the salesperson.

NIST SP 800-171 Comprehensive Assessments

The UCF doesn’t concern itself with ISOO policy directives, most GRC tools don’t follow them either, and so far none of them grasp the consequences. So let’s talk about that for a minute…

ISOO’s Authority

The ISOO’s authority comes from 32 CFR Part 2002, Controlled Unclassified Information (CUI), which was created in response to President Obama’s Executive Order 13556, Controlled Unclassified Information, dated 4 November 2010. Executive Order 13556 was the catalyst that started the ongoing NIST SP 800-171 and CMMC compliance efforts for the Federal Government.

32 CFR made NARA the responsible Federal Agency for all CUI compliance. NARA, in turn, created and designated the ISOO as the Office Primarily Responsible (OPR) for CUI efforts in the Federal Government.

As such, the ISOO has both Federal Regulatory & Policy authority for the CUI implementations within the Federal government. That means:

  • Policies from the ISOO supersede any other Federal agencies guidance where a contradiction exists
  • Supplemental policies and guidance from other Federal Agencies can only enhance or restrict ISOO guidance

With regards to the DoD & CMMC, the DoD can only enhance or restrict ISOO guidance. In the case of CMMC, it is built on the 110 requirements from NIST SP 800-171 rev 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The CMMC Level 3 additional 20 Practices (a.k.a., “CMMC Delta 20”) and the Process requirements are enhancements.

ISOO CUI Notice 2020-04

On 16 June 2020, ISOO CUI Notice 2020-04: “Assessing Security Requirements for CUI in Non-Federal Information Systems” was published. Amongst other administrivia, the following “bomb” of a policy was dropped:

[Para 6] “When any entity assesses compliance with the security requirements of NIST SP 800-171, they must use the NIST SP 800-171A procedures to evaluate the effectiveness of the tested controls. NIST SP 800-171A is the primary and authoritative guidance on assessing compliance with NIST SP 800-171.”[1]

Let’s break this down…

“Any entity” is literal, regardless of who the entity is affiliated with. Whether it is me, your firm doing a self-assessment, a C3PAO Lead Assessor, or, yes, even a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessor, it is in scope.

“…any entity assesses compliance with the security requirements of NIST SP 800-171…” comes back to the authority of NARA and ISOO, who designated NIST SP 800-171 as the primary authoritative guidance for protecting CUI. Again, the CMMC Model is a derivative and enhancing version of NIST SP 800-171.

“…they must use the NIST SP 800-171A procedures to evaluate the effectiveness of the tested controls.” This part is the directive portion of the policy. If you are going to assess a NIST SP 800-171 requirement, it must be done in accordance with NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.”

“NIST SP 800-171A is the primary and authoritative guidance on assessing compliance with NIST SP 800-171” is the authority statement. NIST SP 800-171A now supersedes any other Federal assessment guidance for CUI-related compliance where there is a conflict.

This latter part caused the DoD’s CMMC Program Management Office to course correct on their Assessment Guide and bring it in line.

NIST SP 800-171A Assessment Procedures

Before we break down the Assessment Procedure, let’s sum it up front…

A NIST SP 800-171 Security Requirement is only compliant if the Assessment Methods and related Assessment Objects indicate all Assessment Objectives are compliant or fulfilled.

When we get to the Comprehensive level, the statement becomes:

A NIST SP 800-171 Security Requirement is only compliant if the Assessment Methods and related Objects indicate all Assessment Objectives are compliant or fulfilled for all systems in scope.

Depth & Coverage

You may have noticed I kept coming back to a “Comprehensive Assessment.” Waaay back in NIST SP 800-171A is Appendix D, “Assessment Methods.”

Appendix D is simply about how rigorously the Assessment is conducted. Based on how deep and wide the Assessment goes, it is one of three levels: “Basic,” which is “high-level” in nature; “Focused,” which is a more in-depth look at a “representational sample”; and “Comprehensive,” which is a “detailed and thorough” look at a “sufficiently large” sample of systems in scope.

Let’s briefly discuss the difference between a “representational sample” and a “sufficiently large” sample. Let’s say you have 10 Windows PCs as one of the systems of type in scope. In a representational sample, an Assessor would look at one, maybe two, of the devices to validate a specific Assessment Objective. In a “sufficiently large” sample, that Assessor would look at an absolute minimum of 2 PCs; three to four would be more appropriate. Remember, the Assessor gets to pick which devices they will use, not your organization.

So here is the bottom line: CMMC will be either a Focused or a Comprehensive Assessment, and it makes no difference from your perspective. Your organization has to be ready for a review of 100% of your systems in scope.

Assessment Objectives

Each NIST SP 800-171 “Security Requirement,” to use the formal title, is actually broken down into one or more Assessment Objectives. As shown in the picture from NIST SP 800-171A below, the MFA requirement, 3.5.3, is broken down into 4 Assessment Objectives.

[Image: NIST SP 800-171A breakdown of Security Requirement 3.5.3 into its four Assessment Objectives]

To be compliant, at a high-level (or Basic per NIST SP 800-171A Appendix D), the Security Requirement is compliant only when all four are compliant.

Let me be blunt here: NIST SP 800-171 Security Requirement compliance is measured first at the Assessment Objective and then rolled up to the Security Requirement level.

When looking at the GRC tools on the market we see:

  • Many GRC tools either never get to that depth or just show these as tasks. The GRC tools must start compliance measurements at this level and roll up to the Security Requirement.
  • To support a Comprehensive assessment, the GRC tools must show that all Assessment Objectives for in-scope system X are also compliant.

Assessment Methods & Objects

When evaluating an Assessment Objective, the Assessor can either Examine, Interview, or Test. These are the Methods. 

Each Security Requirement provides relevant Objects that the Assessor can select from.

[Image: NIST SP 800-171A Assessment Methods and Objects for Assessment Objective 3.5.3[a], “privileged accounts are identified”]

Again, using the MFA requirement 3.5.3, and specifically the Assessment Objective 3.5.3[a] “privileged accounts are identified,” you can see the list of Assessment Objects. Some, like policies, address who in the organization is responsible, and others, like “list of system accounts,” are the end product that can be evaluated.

Back to GRC tools, because they don’t measure compliance at this level, they generally don’t allow you to attach evidence (examine artifacts) at this level. Being honest, a couple do. As far as we have seen, none allow you to associate evidence between an Assessment Objective & System in scope pairing.

CMMC GRC Tooling Needs

So, for all of the CMMC tools we have been looking at, let’s sum up the main shortfalls that need to be addressed:

  • Evaluate compliance for each system (e.g., Microsoft Office 365) or system of type (e.g., Windows 10 PCs) at the distinct Security Requirement Assessment Objective Level
  • Associate Examine evidence objects to each distinct Security Requirement Assessment Objective & system/system of type pairing. This is in line with an enter-once, reference-many paradigm
  • Roll up each distinct Security Requirement Assessment Objective & system/system of type pairing to determine the distinct Security Requirement Assessment Objective compliance
  • Then roll up each distinct Security Requirement Assessment Objective compliance to determine the overall distinct Security Requirement compliance
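The four shortfalls above, together with the compliance rule stated under “NIST SP 800-171A Assessment Procedures,” describe a small data model and a roll-up algorithm. The following is an added example of that model in Python; it is not code from this article or from any of the GRC products named here. The objective text for 3.5.3[a] is from the article and the text for 3.5.3[b] to [d] is paraphrased from NIST SP 800-171A; the two systems in scope, the evidence objects and the recorded findings are constructed sample data. Compliance is recorded per (Assessment Objective, system) pairing, rolled up to the objective, then to the Security Requirement, and a readiness check lists every pairing with no Examine evidence attached.

```python
"""Toy NIST SP 800-171A roll-up: pairing -> objective -> requirement (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


class Status:
    NOT_MET = "not met"
    NOT_ASSESSED = "not assessed"
    MET = "met"


class Method:  # the three NIST SP 800-171A assessment methods
    EXAMINE = "examine"
    INTERVIEW = "interview"
    TEST = "test"


@dataclass
class Evidence:
    evidence_id: str
    method: str
    description: str


@dataclass
class Finding:
    """Result recorded for one (objective, system) pairing."""
    status: str = Status.NOT_ASSESSED
    evidence_ids: List[str] = field(default_factory=list)


@dataclass
class Requirement:
    req_id: str
    objectives: Dict[str, str]  # objective id -> objective text


# Constructed sample: the MFA requirement and its four Assessment Objectives.
REQ_3_5_3 = Requirement("3.5.3", {
    "3.5.3[a]": "privileged accounts are identified",
    "3.5.3[b]": "MFA is implemented for local access to privileged accounts",
    "3.5.3[c]": "MFA is implemented for network access to privileged accounts",
    "3.5.3[d]": "MFA is implemented for network access to non-privileged accounts",
})

# Constructed systems in scope (a system and a system of type, as in the article).
SYSTEMS_IN_SCOPE = ["Microsoft Office 365", "Windows 10 PCs"]

# Constructed evidence objects, entered once and referenced from many pairings.
EVIDENCE: Dict[str, Evidence] = {
    "EV-1": Evidence("EV-1", Method.EXAMINE, "Access control policy naming privileged roles"),
    "EV-2": Evidence("EV-2", Method.EXAMINE, "Exported list of system accounts with privilege flag"),
    "EV-3": Evidence("EV-3", Method.TEST, "Recorded admin login showing the MFA prompt"),
    "EV-4": Evidence("EV-4", Method.EXAMINE, "MFA / conditional access configuration export"),
}

# Constructed findings keyed by (objective id, system). Note that the
# ("3.5.3[c]", "Windows 10 PCs") pairing was never recorded at all.
FINDINGS: Dict[Tuple[str, str], Finding] = {
    ("3.5.3[a]", "Microsoft Office 365"): Finding(Status.MET, ["EV-1", "EV-2"]),
    ("3.5.3[a]", "Windows 10 PCs"): Finding(Status.MET, ["EV-1", "EV-2"]),
    ("3.5.3[b]", "Microsoft Office 365"): Finding(Status.MET, ["EV-4"]),
    ("3.5.3[b]", "Windows 10 PCs"): Finding(Status.MET, ["EV-4"]),
    ("3.5.3[c]", "Microsoft Office 365"): Finding(Status.MET, ["EV-3", "EV-4"]),
    ("3.5.3[d]", "Microsoft Office 365"): Finding(Status.MET, ["EV-4"]),
    ("3.5.3[d]", "Windows 10 PCs"): Finding(Status.MET, ["EV-4"]),
}

# Roll-up precedence: one NOT_MET makes the parent NOT_MET; otherwise one
# NOT_ASSESSED makes it NOT_ASSESSED; only all-MET rolls up to MET.
_RANK = {Status.NOT_MET: 0, Status.NOT_ASSESSED: 1, Status.MET: 2}


def combine(statuses: Iterable[str]) -> str:
    statuses = list(statuses)
    if not statuses:
        return Status.NOT_ASSESSED
    return min(statuses, key=lambda s: _RANK[s])


def pairing_status(findings, objective_id: str, system: str) -> str:
    return findings.get((objective_id, system), Finding()).status


def objective_status(findings, objective_id: str, systems: List[str]) -> str:
    """An objective is met only if it is met for every system in scope."""
    return combine(pairing_status(findings, objective_id, s) for s in systems)


def requirement_status(req: Requirement, findings, systems: List[str]) -> str:
    """A requirement is met only if every one of its objectives is met."""
    return combine(objective_status(findings, o, systems) for o in req.objectives)


def pairings_without_examine_evidence(req, findings, systems, evidence) -> List[Tuple[str, str]]:
    """Readiness check: pairings an Assessor would have no artifact to examine for."""
    gaps = []
    for objective_id in req.objectives:
        for system in systems:
            finding = findings.get((objective_id, system), Finding())
            if not any(evidence[e].method == Method.EXAMINE for e in finding.evidence_ids):
                gaps.append((objective_id, system))
    return gaps


if __name__ == "__main__":
    for o in REQ_3_5_3.objectives:
        print(o, "->", objective_status(FINDINGS, o, SYSTEMS_IN_SCOPE))
    print(REQ_3_5_3.req_id, "->", requirement_status(REQ_3_5_3, FINDINGS, SYSTEMS_IN_SCOPE))
    print("missing examine evidence:", pairings_without_examine_evidence(
        REQ_3_5_3, FINDINGS, SYSTEMS_IN_SCOPE, EVIDENCE))
```

With the sample data, three objectives roll up to “met” but 3.5.3[c] is “not assessed” because the Windows 10 pairing was never recorded, so the whole requirement is “not assessed” and the readiness check names exactly that pairing. That is the traceability the article asks for: the OSC sees the gap before the Assessor does, and a single “not met” pairing for any system in scope takes the requirement down with it.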

Why does this matter?

The short answer is traceability. Prior to the Lead Assessor starting the Assessment process, the Organization Seeking Compliance (OSC) needs to know it is ready. The GRC tools on the market don’t let the OSC know they have dotted all the i’s and crossed all the t’s without additional manual work outside their tools.

The second answer lies in providing the Evidence Objects for each system or system of type. Without being able to align the evidence objects to each distinct Security Requirement Assessment Objective & system/system of type pairing, the OSC will waste the Assessor’s time during the Assessment.

Lastly and most importantly, $$$. Starting and stopping an assessment because your firm isn’t ready wastes your funds and you still have to pay the Assessor for that portion of their work. During the Assessment, the Assessor and their team will bill you for their time while you search for examine artifacts. 

What options does an OSC have then?

Well, as an OSC also, I see the following options for us:

  1. Go completely manual. This is normally done with Excel spreadsheets.
  2. Develop your own tool. We are looking at using Microsoft Office 365 SharePoint Lists to maintain much of the information.
  3. Go off-line. One of our Partners, Imprimis, has a Microsoft Access tool called i2ACT 800 that is addressing the gaps the cloud-based SaaS GRC providers are missing.
  4. Buy one of the cloud-based SaaS GRC tools and hope they fill these gaps. In the interim, manage the gaps manually.

About Matthew Titcombe & Peak InfoSec

Matthew Titcombe is the CEO and the Senior Information Security Consultant for Peak InfoSec. Mr. Titcombe is a certified CMMC Provisional Assessor, volunteers on the CMMC Advisory Board’s Industry Standards Working Group, and also supports two CMMC Advisory Board Licensed Partner Publishers in developing CMMC training materials.

Peak InfoSec is an organization that specializes in Information Security Turn Around efforts supporting federal and commercial sectors. Peak InfoSec has been brought in to consult with organizations across the globe like United Launch Alliance, Sony, ConocoPhillips, Munich Re-Insurance, Nutanix, Toyota Research Institute, and Uber.


[1] https://www.archives.gov/files/cui/documents/20200616-cui-notice-2020-04-assessing-security-requirements-in-non-fed-info-systems.pdf

Matthew Titcombe

CMMC Therapist? || Lead CMMC Certified Assessor || CEO at Peak InfoSec, an Authorized C3PAO

4 years

Update on my article "Why CMMC Related GRC Tools (as far as I know) are missing the target": we met with two firms in the #grc sector who also support #cmmc and #nist800171 conformity/compliance requirements. Both can go down to NIST SP 800-171A Assessment Objective Level. Hyperproof's tool has a workaround that lets an OSC "kinda" track the Assessment Objective to System level mapping and then roll that up to a "System of Systems" report. Craig Unger, CEO of Hyperproof, took my feedback and is looking to add in features to fill the gaps.

Reply
John Weiler, CXO, CoFounder IT-AAC

Agile Master, AI/ML/ZTA Public Private Partnership

4 years

Correct. The CMMC-COE.org has spent the last three months sourcing the best cyber compliance tools from around the globe and found several that blow away the competition. Visit our web site and register for regular updates.

Adam Austin

I physically take the specs from the customer and physically bring them to the software people

4 years

Check out Totem Tech's 800-171A/CMMC specific Totem tool: https://www.totem.tech/cybersecurity-compliance-software/. Cloud-based, and built around 800-171A. We built it for us so we could stop managing a bunch of spreadsheets and docs. We'd love to have you evaluate it.

Reply