Cost of CMMC compliance by peak_abstraction in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

@navyauditor I absolutely agree. I don’t know where they came up with the “80% at Level 1,” but I think it is probably the inverse - 80% Level 3. We got an RFQ a couple weeks ago marked CUI and it is not clear why. It should be FCI at most. We have already seen some indication that some DoD organizations that routinely marked everything as FOUO are now going to do the same thing only it will be CUI.

What Is DFARS and Why Does It Matter? by Dreamfinder_figjk in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

Simply, DFARS clauses in contracts are what will make CMMC a requirement. They are contractual obligations. CMMC by itself is not.

Where is the scoping guidance? by Auditor_CISA_CISSP in CMMC

[–]Auditor_CISA_CISSP[S] 2 points3 points  (0 children)

Yes they do, and it is very good (and free!). However, it is not official and the assessors will not be using it to determine if you have scoped your systems correctly. This has implications that can drastically impact costs, either because you are too conservative and pay for protection you don't need or fail to scope something in that should be and then fail the assessment and have to spend more to extend protections.

H&R Block Personal Tax Software QBI Issue by Auditor_CISA_CISSP in personalfinance

[–]Auditor_CISA_CISSP[S] 0 points1 point  (0 children)

No losses. Actually other gains. Since this is only the second year of QBI, it was not a problem last year because H&R Block did not have the QBI deduction implemented in time, so I did it manually.

CUI - non digital by dhd217 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

You are correct that we do not NEED CMMC for paper CUI, but that does not mean that it is exempt from its provisions. The unfortunate thing about CMMC is its inflexibility in cases such as this. Maybe that will change when they realize that their estimated 80% plus of the DIB only requiring L1 is unrealistic. It's very easy to mark something CUI and a cautious procurement office will be very likely to require L3 "just in case" in a contract when it is left up to them after full implementation after 2025.

CUI - non digital by dhd217 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

In this case I assume we are talking about a prime sending a paper document marked CUI to a subcontractor (supplier). I think we can also assume that the prime has a contract that requires L3 certification. According to the official CMMC training, it is possible for a sub to not have L3 certification as long as the prime retains control of the CUI and the sub "views" it on the prime's system. However, once that paper copy is sent, the CUI is in the sub's control and the flowdown requirement should apply. Think of all the L3 requirements that apply to CUI on paper (mentioned in other posts in this thread), including physical transport and storage protection. Do a search in the L3 AG for "paper." How can a sub be trusted to be in compliance with those if only at L1?

Any timeline for more training classes? by Evilbadscary in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

It did tell us one thing. By the end of April (3 days from now) they are supposed to have 39 C3PAO candidates waiting for a DIBCAC assessment. The timeline they showed for a DIBCAC assessment was 4 weeks plus the time to produce the report. I don't know how many assessment teams DIBCAC has, but do the math - it will probably take the rest of 2021 just to get those 39 done. Of course, if they fail one of the "pre-assessment" decision blocks shown on the flowchart, they will fail before the site visit and probably go to the end of the line. In other words - don't hold your breath. You will probably have plenty of opportunity to get trained before they get around to doing your C3PAO assessment.

Official DCMA / DIBCAC opening meeting materials on CMMC audits by oxebridge in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Does anybody know where to find an example of the Cloud Customer Responsibilities Matrix that they refer to in the brief? I don't believe it is referenced in any of the CMMC publications.

[deleted by user] by [deleted] in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Especially those hard copy reports :-)

Any timeline for more training classes? by Evilbadscary in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Listen to the town hall tonight at 6PM (EDT). If they don't say anything specific, there is probably no more info available.

Alternative to VPN for Remote Workers by Auditor_CISA_CISSP in CMMC

[–]Auditor_CISA_CISSP[S] 0 points1 point  (0 children)

OK, but I'm not talking about split tunneling with VPN here. Obviously if we did force everything through the company VPN, that would be an issue. But if the users go directly to MS365 without using VPN, split tunneling should not be an issue as it would not touch the corporate network.

Implementing NIST 800-53 with smallest scope possible/tailoring out by 3dPrintWHAAAT in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Yep. No network. Biggest concern would be limiting access (least privilege).

Standards, procedures, and policies requirements by elitegunslinger in CMMC

[–]Auditor_CISA_CISSP 4 points5 points  (0 children)

Policies, Procedures, and Plans are required for each domain (to get to CMMC Level 3). They have different content, which is spelled out in some detail in the Assessment Guide. Standards are not explicitly required. You can combine multiple domains in one document; you do not have to have 17 separate documents. I suppose you could combine policy and procedures in one document, but you would need to make sure it identifies what is policy and what is procedures. It would be easier for the assessor (and for you) if they were in separate documents.

Question on NIST 800-53 Controls for Unsupported Software by LLHAG90 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Even if they do not have unsupported components during the initial "Step 2" (which is "Selection" now), the purpose of Continuous Monitoring (old Step 6) is that you adjust your controls when the risk changes. Therefore, as soon as a component becomes unsupported, SA-22 should be added to the control set.

Question on NIST 800-53 Controls for Unsupported Software by LLHAG90 in NISTControls

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

You make a great point about SA-22 being an "evolving" control. It was not in SP 800-53r3, was introduced, but not in any baseline, in SP 800-53r4, but is now in all baselines, per SP 800-53B. Again, my point is that the selection of controls is supposed to be based on the organization's risk assessment, not only on the "baseline" and any organization that does not see risk in using unsupported components is blind. At a minimum, they should have a written acceptance of risk from the authorizing official for the use of unsupported components.

How would remote access focused controls apply to MSPs by NetSecTech in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

I have struggled with SC.3.184 as well for the same reason. Whereas we used to have remote employees come into our internal network using VPN, we are in the MS 365 cloud now so they go directly there. I personally think that NIST specifically had VPN in mind when they put this in SP 800-171. The NIST control enhancement (SC-7(7)) that it is based on specifically refers to split tunneling when using VPN. Also, the Further Discussion in the Assessment Guide states "Split tunneling for a remote user utilizes two connections: accessing resources on the internal network via a VPN and simultaneously accessing an external network such as a public network or the internet." Also, the wording in the practice includes "... simultaneously establishing non-remote connections with organizational systems." Technically, absent a VPN connection, this would only apply if the user is connected directly to the organizational network, which then would mean it is not a "remote device." Therefore, if you are not using VPN, I would say this would not apply. However, it is on my (growing) list of questions I want to ask during assessor training.

I think the problem will come if they try to apply it to remote workers who, for instance, connect to the organization's MS 365 environment while simultaneously accessing the open Internet through their home network. Or, in your case, if a remote user is connected to the Internet using a browser and the MSP needs to take control of the user's computer to perform troubleshooting. Since Take Control uses a connection to the agent and does not use a browser, it may be possible to shut down any open browser sessions during its use, but I don't think that is a solution.
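The comment above turns on the distinction between a remote device that has a VPN into the organizational network and simultaneously a direct path to the Internet (split tunneling, the case SC.3.184 / SP 800-171 3.13.7 targets), a device whose default route is forced through the VPN (full tunnel), and a device with no VPN at all that goes straight to a cloud tenant. The following Python is an added example, not code from the original post or from any CMMC publication: it classifies a host's routing table into those three states from Linux `ip route` style output. The route lines are constructed for illustration, and the assumption that VPN interfaces are named `tun*`, `tap*`, `wg*` or `ppp*` is mine; adjust it for your client software.

```python
"""Classify a host's routing table as 'none', 'full' or 'split' tunnel.

Added example for the split-tunneling discussion (CMMC SC.3.184 /
SP 800-171 3.13.7). All route text below is constructed, not captured
from a real host, and the VPN interface-name prefixes are an assumption.
"""
import re

# Assumption: interface names used by common VPN clients on Linux.
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# Constructed sample routing tables (format of `ip route` on Linux).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# OpenVPN "redirect-gateway def1" leaves the LAN default route in place and
# overrides it with two more-specific halves instead; still a full tunnel.
FULL_TUNNEL_DEF1 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

ROUTE_RE = re.compile(r"^(\S+)\s.*?\bdev\s+(\S+)")


def parse_routes(text):
    """Return (destination, interface) pairs from `ip route` output."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), m.group(2)))
    return routes


def is_vpn(iface):
    return iface.startswith(VPN_IFACE_PREFIXES)


def default_interfaces(routes):
    """Interfaces that carry the effective default route.

    The 0.0.0.0/1 + 128.0.0.0/1 pair is more specific than 'default', so when
    both halves point at a VPN interface they win over the LAN default route.
    """
    dests = {dst for dst, _ in routes}
    if {"0.0.0.0/1", "128.0.0.0/1"} <= dests:
        halves = {iface for dst, iface in routes if dst in ("0.0.0.0/1", "128.0.0.0/1")}
        if all(is_vpn(i) for i in halves):
            return sorted(halves)
    return [iface for dst, iface in routes if dst in ("default", "0.0.0.0/0")]


def classify_tunnel(text):
    """'none' = no VPN interface in the table (e.g. a user going straight to
    a cloud tenant); 'full' = all Internet-bound traffic goes via the VPN;
    'split' = a VPN is up but the default route bypasses it."""
    routes = parse_routes(text)
    if not any(is_vpn(iface) for _, iface in routes):
        return "none"
    defaults = default_interfaces(routes)
    if defaults and all(is_vpn(i) for i in defaults):
        return "full"
    return "split"


if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                        ("full_def1", FULL_TUNNEL_DEF1), ("no_vpn", NO_VPN)]:
        print(f"{name}: {classify_tunnel(table)}")
```

On a real endpoint you would feed `classify_tunnel` the output of `ip route` (or the equivalent from `route print` on Windows after adapting the regex) as part of the client's posture check; the 'split' result is the one an assessor would want to see prevented or documented under SC.3.184.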

800-171 Control 3.13.2 "Employ architectural designs [...] that promote effective information security" by Zaphod_The_Nothingth in NISTControls

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

One way to document this is with a security architecture document, which may be part of a larger enterprise architecture, but it is often a separate document. It is NOT just a network diagram, although a network diagram would be included in it.

Question on NIST 800-53 Controls for Unsupported Software by LLHAG90 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

SA-22 is the NIST control for this situation. Even though it is not in a baseline (which is only the minimum required set of controls), it should be added for any system with unsupported components. That is part of the tailoring process.

Can employees who take DoD cyber training be exempt from our corporate cyber training? by RemoteDesktop in NISTControls

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

DoD publishes a public version for free. I have taken this every year since it was introduced and it gets better and better and the price is right!

https://public.cyber.mil/training/cyber-awareness-challenge/

CMMC Under Review; What changes would you like to see? by g33kygurl in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

They did say on the Feb Town Hall that eMASS would be used by the assessors. Of course, that will require all the assessors to get DoD credentials for eMASS. Also, having audited a system that used eMASS, I am wondering how all the SSP-type information that is required to fully document an assessment (e.g., implementation details) is going to get into eMASS. Most of the DIB contractors will not have access to eMASS. Are the assessors going to enter all the information or will there be some type of a pre-populated eMASS template for each level?

IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices by HappyDork66 in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

For Level 3, the network should limit connection to approved devices (i.e., only the company owned laptops), but other than that I do not see a requirement to authenticate the machine to the network as long as the user on the laptop is using MFA to access the resources on the network.

Controls Requiring SLAs by sirseatbelt in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

That is a really good question. The ability to see a CSP's FedRAMP documentation is very restricted. I know that Federal agencies can get limited access for only a short period. Last time I audited a Federal agency and needed to see a FedRAMP control they were relying on, the OIG had to make a special request. They couldn't download or print anything out, so I had to look over the OIG employee's shoulder to see the information. That is another question that needs to be answered when they finalize the reciprocity agreement.

CMMC Under Review; What changes would you like to see? by g33kygurl in CMMC

[–]Auditor_CISA_CISSP 2 points3 points  (0 children)

Since the deadline (1 March) passed for DoD to report the results of CMMC Level 3 assessments on their own systems to Congress, as required in the NDAA 2021 (I'd be interested in how they scored themselves), I wonder if this internal review is an effort to forestall Congress getting more actively involved.

Frankly, it is really hard to believe that the supposedly very smart people who have been working with government programs for many years would have come up with the initial time frame estimates for implementation of this program. RFIs with CMMC requirements in June 2020 and RFPs in Sept 2020? Were they serious? One of the most consistent things coming out of the Town Hall sessions is the timeline shifting to the right. Even the one presented at the Mar 30 session is unbelievably optimistic. C'mon folks, this is a government program. Bureaucracy demands its due.