CMMC Unacknowledged Ep. 17 | NIST SP 800-53A Assessment Objects and CMMC

Channel: Etactics Published: 2022-02-01 1,424 words Source: auto_caption
Intelligence Operations & Secrecy

Transcript

Todd: Welcome to CMMC Unacknowledged, where we ask our resident expert some of the unanswered questions that were asked during last month's CMMC-AB town hall meeting. My name is Todd Stanton, I'm the regional sales manager for all things CMMC at Etactics, and I'm joined by the senior information assurance manager at Rain Associates, Ty Wittenberg. Welcome, Ty.

Ty: Hey Todd, thank you so much for having me, and happy new year.

Todd: Thank you, and I'm looking forward to our conversation today. All right, our question for this episode starts with NIST Special Publication 800-53A, which uses the term "assessment objects" to describe items being assessed. So my question to you, Ty, is: is the CMMC assessment scope synonymous with this NIST term, assessment objects?

Ty: So, 800-171, for those practitioners that are utilizing it, realize that you can cross-map to a lot of the NIST 800-53A controls, right? And so the objects really just speak to your ability to be able to identify that information in the system and then provide more granular interrogation, whether that be through testing, observation, or, you know, some form of shoulder surfing, documentation.

Todd: Okay. Now, in the Level 2 scoping guide there's Table 2, which provides three types of Security Protection Assets: people, technology, and facilities. So my question to you is, do these asset types apply to other categories like we've talked about before: CUI Assets, Contractor Risk Managed Assets, Specialized Assets? Are there three types of those categories as well?

Ty: You know, I would say people being tied to CUI is a little bit tough, but look, there's obviously folks that can memorize information and things like that; you could make a reference to that. I would say that, you know, almost in the same genre or vein of HIPAA, you're talking about some forms of the administrative controls, some form of technological safeguards, some form of organizational safeguards, and physical safeguards. And so, read that question back to me again, because I think I was about to go off on the incorrect tangent here.

Todd: Sure. So we've got Table 2 from the Level 2 scoping guide, which talks about three types of Security Protection Assets: people, technology, and facilities. So you were going down the path of, you know, could a person be a CUI Asset, right? We know a person could be a Security Protection Asset, but could a person also be a CUI Asset, or could a person be a Contractor Risk Managed Asset? So can you apply those same three different asset types to the other categories that we've talked about before?

Ty: Yes and no. I think some of it becomes an assumption and a stretch. I think a strong cultural organization will realize some of the vulnerability there, and through those assets understand that, you know, through policy and procedure, through technical controls, logical controls, you manage and log and monitor some of those behaviors, whether it be a person, technology, or facility. I think we were talking about that a little bit earlier on other episodes, around making sure that we monitor access, facility, and stuff like that. It really becomes... while CMMC doesn't require a compliance officer like HIPAA does, sometimes there is clearly some value in having that, because compliance in that particular regard encompasses everything from the technology to the facility to the people, and understands that they're this interwoven and critical part of the system. So I think monitoring and keeping track of your provisioning and de-provisioning of people, yes, that becomes an asset. If you're not very good at off-boarding somebody when they leave the company, and those controls are still in place and they might have some capability to remotely access that you haven't turned off, yeah, they are an asset, and it can potentially put you in a threat position, because that person has the capability to take action and in some cases has more knowledge than an outside threat actor would to expose that critical or controlled unclassified information.

Todd: Okay. So let's look at a particular practice. So we have awareness training, which is a Level 2 practice; the NIST control number is 3.2.1, and it talks about training staff on security risk awareness, organizational policies, and standards. So is it possible on a practice like this to assess any technology assets, or are we strictly focusing on the people assets here?

Ty: So this is really on organizational and administrative, right? Ensuring, more importantly, that managers, that systems administrators and users of the organizational system are aware of the security risks associated with their activities, and tied to those policies that are security-related to the systems. I think what you're talking about is a robust program where, you know, those systems that are CUI might flash a banner when you log into it: this system, you know, contains controlled unclassified information. A regular cadence with your folks that work in that DIB space and have access to that CUI, that might have not only just exposure to security awareness around threats regarding phishing or social engineering, but also around a threat awareness program, that somebody internally is looking at the threats that are out there on a regular basis and bringing folks up to speed so they're cognizant of it each and every day when they log in: that if an email does look suspicious, you don't click on it, open it, even if it is from a trusted email that you recognize; that you do a two-step method of verification. You receive the email and then you call that client or you call that co-worker and you say, "Hey, did you mean to send me this document?" right before you click and open on it, especially if you weren't expecting it. So I think it's a robust approach to security awareness for the role, but also threat awareness too, for what's going on externally outside of the environment.

Todd: And so in several of your answers you've talked about processes and policies, and I'll kind of circle back to the reason why I started with the term assessment objects. You know, when I read that definition from the 800-53A publication, it's kind of an aha moment for me, because you're able to align most of the assets that they talk about in that definition with what the CMMC assessment scope talks about, with one exception, and that is the term "activities," right? And you kind of, you know, use the word processes, and I think that was a realization that yes, we're talking about assets, but you know, an activity or a process is not really an asset, but it is something that certainly would be within the scope of an assessment if we're talking about assessment objects, and how we're evaluating whether these practices are in place. So I think that you're using the term process to really define that activity portion of that definition of assessment objects.

Ty: Yeah.

Todd: And so my last question, and this is probably a more difficult one, but is there a way, is there a mapping at all, that we could know which practice or which assessment objective is focused on which type of asset?

Ty: I think if you're going through the assessment guide and you're utilizing 800-171, there are some tools out there, even on NIST, that will allow you to see the cross-mapping to the different controls that are in place and their families, their families in the controls, I should say, in the NIST 800-53, that are invaluable, whether you be just starting out as a practitioner or you're seasoned, that you have that in your tool belt of things that you go back to, to just confirm it and make sure that you're using a common taxonomy to explain that with clients and to achieve that goal for the assessment.

Todd: Perfect. Well, thank you very much for the insight there, Ty. I think that was very helpful.

Ty: You're welcome.