Many companies today are working to update their SPRS (Supplier Performance Risk System) score for NIST SP 800-171. The standard model is to conduct an assessment, assign a score, upload the score, and move on.
However, for companies building a CMMC compliance program (which is the vast majority of them) the process is different. They start from their current score and then track the rising score as a metric for the executives. The pattern I have been observing in companies working towards compliance looks like this: do a gap assessment, we are a -53; do a project, we are at -40; do another project, we are at -10; and so on.
This is actually a pretty good process. What do you know? We’re putting things on a POAM and then actually working them off over time? Huzzah. That was the plan.
Using this methodology, the question becomes: when am I done with a POAM item, and when can I take credit and add the points? The executives only want to hear the score, and when they hear that you are at 110, that sounds good. We are done, right? No more work to do? Wait another three years before we look at this again?
Anyone working in this space realizes this is not the case. However, that last point about waiting three years is interesting. I have run across a number of companies who gave themselves an initial score four years ago, when DFARS 252.204-7019/7020 were first published, and then forgot about it until someone pointed out that their score had not been updated in over three years, as required. The "get the score in and fuhgeddaboudit" model (said in your best Al Pacino voice) has been common. With CMMC on the horizon, many of those companies know the rigor they used in their scoring was not high, and in many cases was downright wishful thinking. As a result, they are doing new gap assessments, receiving a more realistic score, and then starting to remediate.
So in this new era, when do we give points? I think there are three things that must be true for someone to “get the points” under a running score scenario. Call this continuous monitoring rather than a new self-assessment.
First, the control must be fully implemented. "We will have it implemented soon," "we have a good plan to implement it," or "I can see how it will be implemented" is no good. It must actually be implemented everywhere it needs to be, or it gets no points. (The DoD Assessment Methodology allows partial credit for exactly two requirements, 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography; for everything else, partial implementation scores the same as not implemented.)
Second, it must be documented. I am seeing a number of organizations who want to take credit for implementation and then say, "We will document it later. That is the easy part." Wrong. Documentation is not the easy part. This is probably one of the biggest fallacies of CMMC implementation. Documentation requirements are mandatory and voluminous. In fact, I would argue that CMMC is roughly 70% documentation and 30% implementation. You cannot skip 70% of the work. To get the points, the supporting documentation must be approved, signed, and published, not drafted and aspirational.
Third, you must collect evidence. To collect evidence you must answer the question, "What is adequate and sufficient evidence that we are doing this?" That is a very useful question. For some of the CMMC controls, it is wise to build a mechanism for generating evidence into the process itself, because evidence does not just show up magically. You must also do this at the assessment objective level. Points are awarded at the control level, but every assessment objective under a control must be Met for the control as a whole to be Met; one Not Met objective fails the control. By gathering evidence for each assessment objective, you become genuinely prepared for a CMMC assessment.
To recap: to take the points, you should have fully implemented, documented, and collected evidence for each assessment objective associated with the practice/control/security requirement. Sounds easy? It is not, but having discipline about when you take the points can really help keep your CMMC implementation program moving forward.