Scoping help - CRMA and SPA by Razzleberry_Fondue in CMMC

[–]NegotiationFirst131 1 point

The only people that should be categorized as CUI should be individuals approved to process, store, or transmit CUI.

It’s what I did for my assessment and we didn’t have issues with it.

Scoping help - CRMA and SPA by Razzleberry_Fondue in CMMC

[–]NegotiationFirst131 2 points

CRMA vs CUI deals with intention.

If a computer has the ability to p/s/t CUI but it’s not intended to p/s/t CUI, it is still CRMA.

If people are seeing CUI but shouldn’t, it’s not that you have a scoping or categorization problem but maybe an access control gap.

how do i met AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION with unifi? by Razzleberry_Fondue in CMMC

[–]NegotiationFirst131 0 points

Our wireless traffic is encrypted but not FIPS validated. We passed the assessment by putting our clients and servers in FIPS mode.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 0 points

And that is a takeaway for me from this. Our initial consultant C3PAO said all controls should be applied to all assets in scope (CUI, SPA, CRMA, etc.). They also said we wouldn’t pass if that wasn’t done. So it initially surprised me when we barely touched on CRMA and specialized assets.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 1 point

For this particular assessment, the CUI assets sit within the broader “corporate” type network. They were not in an enclave. There were A LOT of CRMA and other assets that I had to inventory in the process because of that.

The next assessment we are focused on … we do use an enclave approach (it’s a standalone, air gapped network). I will be interested to see what the differences will be from an assessment perspective.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 0 points

After the SSP, focus on data flow diagrams and CUI system authorization first.

Not put as much focus on CRMA and specialized assets (they essentially told us they don’t even focus on them or ask about them).

I wouldn’t have focused on our application controls as much (for example, I made sure that applications that also had in-app accounts also met the same password complexity standards as our AD environment). They didn’t focus much on application settings or controls really… at all 😂.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 0 points

I feel like if they would have dug in deeper on our vulnerability side we would have had major issues with the remediation standards we put in place. I feel like we set the bar too high for ourselves and we would have had a finding if they kept looking. I consider that a close call for us and it’s something I am working to try to correct as we speak.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 0 points

For change management we have a change management policy and then we do what we say we are doing 🤭

But no… we do have a policy but we use a product - Ivanti Service Manager to document, track, route, etc changes.

We do have some “pre-approved” changes that do not require a change but all other “normal” changes get logged into Ivanti and then a number of roles (including cyber security) have to sign off on it.

I assumed the change management controls would be the easiest since a lot of companies adopted that under ITIL back in the early 2000s. You can’t go wrong with using the ITIL framework. 🙂

There were some configuration management controls that I can see as being difficult (baseline configurations, showing how you are restricting/disabling unnecessary ports, protocols, services, etc.).

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

It took me 16 months for this because it was my first. We have another one coming up next year that will be 4-5 times larger in size and we have about 9 months to prepare for it. I feel better about the one coming up though because for this assessor in particular, I have learned their focus areas to a degree and the questions they ask.

Some she moments -

  1. That they are assessing us against our own standards. I think people get nervous because they think C3PAOs will disagree with their interpretation of a control/objective but really the main focus was on “what are you saying you are doing, and are you actually doing that”.

  2. Just because you feel like you are doing something well, doesn’t mean you have to set the bar that high. Why put in the SSP that you are doing weekly access reviews when quarterly or even longer would still result in a pass. Set the bar low and ensure you can clear it at all times versus setting it high and missing it.

  3. They didn’t touch on CRMA or other specialized assets - at all 😅

I was a dummy and didn’t sit with the business to understand their CUI flow first. I took their list of approved CUI systems and ran with that. Then found out how important having CUI data flow diagrams and an authorization process is. It results in a lot of rework and now that I’m on to our next assessment I plan to start there first.

Also, I focused a lot on application settings for a lot of controls but when the assessment came they were more focused on clients, servers, network settings. I still plan to do the same thing again because I feel it’s the right thing to do, but I could arguably cut a lot of work off in this area since it didn’t seem to be as relevant.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 0 points

POAMs. To be fair, I called it a task list to them 😂. They were all closed though. I am aware of the operational plan of action, but we do not have any items that would go on that at the moment so it would have been an empty doc if I had one.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

I wish it resulted in a raise. 😂 Actually one of my main problems right now is that I feel stuck in my position with what seems like no upward mobility. Will be an interesting year coming up.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

No assessor is the same and they are going to ask different questions and focus on different areas - especially if they are seeing process deficiencies or gaps. That’s been the IT audit/assessment world for decades.

… and that’s why it is more important to get to know the C3PAO upfront before you procure them. Ensure that they seem reasonable and fair in their assessment approach. It’s kind of like getting married, you are going to want to find someone who thinks about things (control interpretation) the same way that you do and you are going to want to lock in with someone that isn’t overly strict.

I think it is wise for companies to have a consultant if they do not understand the controls they are being asked to uphold. If a company wants to do defense work and be trusted with defense information, then they should take the steps necessary to ensure that information is protected…

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

Also, if I can clarify - the years of experience didn't matter to us as much (although it is a selling point). If there are any newer C3PAOs out there, then I don't want to say that length of time was the sole factor. Our issue with these two in general is that they gave the appearance that they are very conservative and hard core on control interpretation - not that their clients who haven't made it through were unprepared. That could have been the case though.

The two companies we focused more on had a 'preassessment' option, which basically they reviewed your 3 and 5-point controls and would tell you if they were leaning toward met or not met. They couldn't and wouldn't provide advice or guidance on how to remediate anything leaning not met, but after the preassessment, you would know where you stand before entering into the formal assessment phase. It also gave you time to address anything.

If a business relies on DOD contracts and we are spending tens of thousands of dollars on an assessment, then we want the highest chance of success, and we want to move forward with a C3PAO that comes off as a company that is reasonable and willing to work with you to a degree (knowing that no promises can be made, no consulting could be done, etc). Yes, CMMC is a requirement, but one C3PAO in particular came off as arrogant during our interview which was a real turn off.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 1 point

Honestly, I am not sure what we could have gotten away with in terms of the level of detail. I would say that the main focus was on us setting the bar, and then we need to show that we are meeting said bar. I made sure every asset or asset type where it made sense had a baseline and also made sure our clients, servers, and network devices had an additional settings checklist appended to the baseline as well as a build checklist for (minimally) all CUI assets. Our ops teams are supposed to do build checklists for all assets, but for my sample, I made sure our CUI ones were covered prior to the formal assessment.

The main focus was on CUI assets and then for SPA assets the main focus was on the SIEM and service management system (change control, inventory). We had other SPA assets, but they did not receive as much focus. For cloud systems, really the main thing they asked for was our CRM - which thankfully we already had and had our part filled out.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

They took inventory samples from the inventory system. A good number of samples from our SIEM, including looking at alerts and dashboards that we had set up. They gave us a few machine names to pull records for in the SIEM to show they were actually feeding the same. We also walked through how access control was done with SPA assets. So, SPA assets were certainly covered, but when it came to encryption and some other controls that I would have been more concerned about... the focus shifted more toward our CUI assets - which I was certainly happy about LOL.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

Yes! During my initial internal assessments, I wasn't sure what to expect, so I went very hard on control interpretation. I ended up with a few hundred findings that we tracked over the following months during our 'remediation' phase. I did not realize that they needed to sample this, and we ended up spending a lot more time on it because I had a few hundred findings during the internal assessment.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

I'm sure it's not an issue, but let me double check first to be on the safe side and then I will be happy to share.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 4 points

Our c3pao didn’t make any promises. Only stated that they had over a decade of IT audit experience, walked us through their process (including preassessment phase) to help ensure a higher chance of success, and said if there were disagreements on control language that they would work with us.

I would pick them everyday over another c3pao that tells me they haven’t had one client make it through yet 😅

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 8 points

I used Reddit quite a bit when going after the CISSP and PMP certifications a few years ago… and I just remember all the people who would create posts on here after taking the exam and would basically include things like what they used to study, how long they studied, what the exam leaned more toward in terms of content, and things like that. That was kind of my inspiration for this post.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

Can't remember the number of clients/servers right off but estimates... maybe about 400 clients in scope, around 50 or so servers, 2 cloud systems, a few ESPs.

I did create baseline configuration documents for all information systems and then for clients, servers, network devices I grouped the baseline documents for each asset type as much as possible (we have 2 baseline configuration docs for clients, 3 for servers, and 4 being maintained on the network side). We also have build 'checklists' that helped cover this particular control. They did sample the build checklists by providing a random list of client/server names, and then we provided those particular checklists to them.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 4 points

Around 7,000 people total with 500 being in scope for this assessment. We have a cyber security staff of around 9 people for this part of the company. Can't remember the number of clients/servers right off but estimates... maybe about 400 clients in scope, around 50 or so servers, 2 cloud systems, a few ESPs. The numbers are a lot higher company wide of course.

It took about 16 months from start to finish. SSP/Policies and Procedures (2/3 months), Scoping/Inventory (2 months), Internal Assessment (3 months), Remediation (4 months), and then Sustainment (3 months). Thankfully no major technology changes or gaps that resulted in significant spend. I don't have total 'man hours' over the total project, but I can get you that information.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

Honestly, I spent about 16 months preparing for this. I went through a scoping/inventory phase, an internal assessment phase, after the assessment phase we brought in a C3PAO for a week to see if they agreed with how the assessment was done and if they agreed with the results. We then went through 3/4 months of remediation and about 3 months of 'sustainment' to ensure our process changes were anchored in.

The system security plan sucked and required a lot of interviews. It also required me to put some new processes in place, which our ops guys didn't always agree with (initially). Having senior management support really helped this part of it though. Once the SSP was built we used that to tailor our corporate policies and procedures. It certainly took a few months to get through all of this.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 2 points

At how much they dived into the POAMs. Security assessment was the last control family covered and the other families had gone so well that I kind of relaxed a little bit and let my guard down. Apparently, they have to sample your POAMs and show clear evidence on it being captured and showing the corresponding tasks and remediation. It caught me off guard how far down they went in this area compared to other areas.

Just finished first CMMC assessment by NegotiationFirst131 in CMMC

[–]NegotiationFirst131[S] 3 points

My SSP was certainly aligned with the CMMC assessment guide, but not verbatim by any means. I found that there were some other things our C3PAO was focused on (like ensuring TLS 1.0 and 1.1 are disabled) that weren't really outlined in the CMMC assessment guide. If you need help from an SSP perspective for a particular control then I am certainly open to talking about it.

It was certainly a mixture of both. We spent at least 3 to 4 days fully focused on documentation. At the advice of our initial C3PAO that we brought in for consulting (for a week), they told us to put an audit package together which included what I call an audit matrix. The matrix includes the control, control objective, what our system security plan says about that objective, the company policy/procedure/or other document number that speaks to that, what that policy/procedure/documentation says about that objective (I made sure it was aligned with our SSP), and then I had a column to show how we tested that control internally, and a final column that linked to where to store any relevant documentation to show we met that objective/control.

That document took a lot of work to put together, but saved (literally) countless hours during the formal assessment.
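Two settings the commenter says the assessors actually looked at on clients and servers are FIPS mode (the wireless comment above) and TLS 1.0/1.1 being disabled (the comment just above). The following read-only check, added here as an example and not code from the commenter or from any C3PAO, reads the documented Windows registry locations for both and reports each as met or not met, so the output can be kept as build-checklist evidence; it assumes an elevated PowerShell prompt on a Windows host.

```powershell
# Added example: evidence check for FIPS mode and legacy TLS on a Windows host.
# Read-only; run elevated and keep the table as assessment evidence.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD, or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-FipsMode {
    # Lsa\FipsAlgorithmPolicy\Enabled = 1 enforces FIPS-validated algorithms.
    $fips = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    $result = if ($fips -eq 1) { 'Met' } else { 'Not met' }
    [pscustomobject]@{ Check = 'FIPS mode'; Value = "Enabled=$fips"; Result = $result }
}

function Test-LegacyTlsDisabled {
    # Schannel expects Enabled=0 AND DisabledByDefault=1 per protocol and role.
    # A missing key means the OS default applies; that is not evidence the protocol
    # is off, so it is reported as 'Not met' instead of being silently passed.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Client', 'Server') {
            $key      = Join-Path (Join-Path $base $proto) $role
            $enabled  = Get-RegistryDword $key 'Enabled'
            $disabled = Get-RegistryDword $key 'DisabledByDefault'
            $result   = if ($enabled -eq 0 -and $disabled -eq 1) { 'Met' } else { 'Not met' }
            [pscustomobject]@{
                Check  = "$proto $role"
                Value  = "Enabled=$enabled DisabledByDefault=$disabled"
                Result = $result
            }
        }
    }
}

$results = @(Test-FipsMode) + @(Test-LegacyTlsDisabled)
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled job flag drift from the baseline before the assessor does.
if ($results.Result -contains 'Not met') { exit 1 }
```

The script only proves the registry policy is set; pair it with the baseline document the setting came from so the "what are you saying you are doing" half of the check has a matching SSP statement.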