CCP Lesson 6 Flashcards

1
Q

Organizational Culture

A

Personality of an organization.

Employees develop an organization’s culture:
-As it becomes more ingrained, it can be difficult to change.

2
Q

Organizational Culture - Values

A

Some values may be written:
-Mission statement

Many values will be unwritten and assumed:
-Learned through observation and informal communication.

3
Q

Cybersecurity Culture

A

Strong cybersecurity culture involves alignment between:
-Organizational elements (e.g., policy, leadership, social norms).
-Individual employee’s attitudes, knowledge, and assumptions about cybersecurity.

4
Q

Cybersecurity Culture: Organization

A

Cybersecurity needs to be a company-wide focus (not just IT).

People make an organization secure, not technology:
-Everyone needs to be trained and conscious of risks.

5
Q

Cybersecurity Culture: Individual

A

Employees must recognize they play a role in protecting critical information from digital attacks.

Employees must participate in regular training.

Employees must actively engage in behaviors and habits outlined by their cybersecurity program.

6
Q

Institutionalization

A

Cybersecurity practices should become ingrained within the company culture.
-Are the correct technology controls implemented?
-Do all employees understand the risks?
-Are senior executives on board?

7
Q

Maturity Stages

A
  1. Focusing on compliance.
  2. Establishing governance.
  3. Implementing cultural change.
  4. Establishing quantitative framework.
  5. Optimizing for long-term sustainment.

As organizations move through the maturity stages, they will institutionalize cybersecurity.

8
Q

Governance

A

Should provide a balance between strategic planning and a day-to-day operationalized approach.
-Allocation of personnel and resources
-Active monitoring of SLAs, KPIs, risk management activities.

Effective communication is paramount.

Internal/external assessments provide objective means to identify and address weaknesses and strengthen controls.

9
Q

Minimum Attributes of a Policy

A

Policies should:
-Clearly state purpose.
-Clearly define scope.
-Identify roles and responsibilities (to include authority and ownership of activities).
-Identify procedures used to meet the intent of the policy.
-Include regulatory guidelines.
-Be endorsed by management and disseminated to stakeholders.
-Be periodically reviewed and updated.

10
Q

Minimum Attributes of a Procedure

A

Procedures should minimally specify:
-Purpose
-Objective
-Description of roles, responsibilities, and authorities.
-Description of inputs/outputs.
-Criteria that must be met in support of procedure.
-Any tools, information, and/or supporting resources.
-Definition of key terminology.
-Detailed steps of how to perform the procedure.

11
Q

Minimum Attributes of a Plan

A

Plans should include:
-Mission and/or vision statement.
-Strategic goals and objectives.
-Relevant standards and procedures.
-Project timelines and plans.
-Resource requirements for people and tools.
-Required training.
-Stakeholders necessary to implement.

12
Q

Governance Establishment

A

As part of governance, in order to retain their efficacy, cybersecurity policies, procedures, and controls must be maintained through a plan.
-Unmanaged assets introduce higher risk.

Plans should include mechanisms for ongoing monitoring of the systems and associated controls to ensure continued effectiveness.
-Are all changes documented?
-Is the plan still functioning as intended?

13
Q

Cultural Change Implementation

A

To ensure a mature culture of cybersecurity, companies need to create a cultural change management plan.
-Secure executive support.
-Connect cybersecurity risks to other operational, financial, and legal risks.
-Establish clear business goals/KPIs.
-Establish a clear systematic culture management plan with a cross-functional team (Management, Info Security, IT, HR, Legal, and Marketing).
-Identify employees’ views/understandings of cybersecurity culture or guidelines.
-Keep policy and procedure communications user-friendly.
-Implement regular hands-on awareness training.
-Implement a relentless and consistent message that helps employees understand exactly how their daily behaviors have the potential to protect or threaten the security of corporate data.

14
Q

Quantitative Framework Establishment

A

Provides for day-to-day measurement and control of the procedures in order to.

Metrics may be qualitative or quantitative.

Measurements examples:
-Actual vs. planned (performance of procedure).
-Identification and evaluation of significant deviations.
-Results of corrective actions.

Reviews with “higher level management” are critical to the success of the organization’s cybersecurity program.

15
Q

Optimization for Long-Term Sustainment

A

Standardization provides for consistency in the implementation of policies, practices, and controls across the organization.

A standardized organizational practice typically provides:
-Ample description of practices and objectives.
-Process flow diagrams.
-Specified performance metrics.
-Procedures for incorporation of lessons learned and improvements.

Optimization is contingent upon practice stability.

16
Q

Identify the Desired CMMC Level

A

CUI information not found or expected – CMMC Level 1 is likely sufficient.

CUI information is found or expected – CMMC Level 2 is required.

17
Q

Identify the Scope

A

Scoping is information driven.

Understand organizational context and requirements.

Identify people, technology, facilities, and external service providers.

Identify assets involved in creating and receiving FCI/CUI.

Determine context and categorization of FCI/CUI.

Determine system functionality.

Determine connectivity to FCI/CUI environments.

18
Q

Gap Analysis

A

Helps to guide initial understanding of current OSC capabilities and controls.

Helps to identify insufficiencies in the implementation of critical controls and practices.

Encourages engagement of OSC stakeholders earlier in the Assessment process.

Gap analysis is conducted by the OSC or optionally by an RP or CCP as a consultant, or by a provider outside of the CMMC ecosystem.

19
Q

Closing Gaps

A

When gaps in implementation are identified, it’s critical to not only understand the present issue, but also to create a meaningful plan for resolution of these issues.

20
Q

Closing Gaps (As a CCP working as a consultant)

A

-Describe the nature and impact of the issues (current state).
-Propose actions to help resolve gaps (future state).
-Identify changes to existing policies, plans, practices, resources, and artifacts.
-Develop a resourced plan to address approved gap action items.
-Verify that gaps are properly closed, and that corresponding implementation demonstrates that the control/objective is met.
-Articulate any issues in a timely manner with leadership and POCs.
-Communicate preliminary readiness with OSC.

21
Q

Evidence Validation

A

Means for OSC to engage in preparatory steps for formal Level 2 Assessment.

Goal is to create a set of evidence as preparation for formal assessment.

This may include creating and/or developing:
-An inventory report of all evidence for the target CMMC level.
-A list of all policies and related plans in scope for the target CMMC level.
-A list of all personnel who will need to participate in the assessment.
-All the above mapped to in-scope CMMC practices and levels.

22
Q

Benefits of Evidence Validation

A

Earlier validation of scope and evidence sufficiency.

Increased identification and understanding of implementation and compliance issues.

Earlier detection and resolution of issues that can impact the assessment and assessment timing.

Proactive engagement of project teams, supporting staff, and external stakeholders.

23
Q

Assessment Methods - Forms of Evidence

A

Examine: The process of reviewing, inspecting, observing, studying, or analyzing assessment objects.

Interview: The process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.

Test: The process of exercising assessment objects under specified conditions to compare actual with expected behavior.

24
Q

Evidence Validation Preparation Guidelines

A

The number and type of evidence collected is up to the lead assessor’s discretion.

Plan to have two pieces of evidence from two different assessment methods for thoroughness.
-Examine and Interview.
-Examine and Test.
-Interview and Test.

Multiple pieces of evidence can be used within an assessment method.

Comprehensiveness will be determined by OSC.

25
Q

Exam Preparation

A

Collect all documentation for the CMMC Level 1 and Level 2 practices.

Documents need to be in their final form.

Common types of documents that can be used as evidence include:
-Policy, process, and procedure documentation.
-Training materials.
-Plans.
-System-level, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive.

26
Q

Interview Preparation

A

Identify individuals likely to be interviewed.
-Staff who perform the tasks that will be assessed in a Level 2 Assessment.
-Staff might be at different organization levels.

Verify that staff have adequate resourcing, training, and planning to perform the practices.

27
Q

Test Preparation

A

Identify potential tests.
-Determined by lead assessor.

Some practices may be best assessed by checking that safeguards are in place.
-Observing staff following a process.

Testing is an important part of the Assessment process.
-Interviews tell the lead assessor and CCAs what the OSC staff believe to be true.
-Documentation artifacts provide evidence of intent.
-Testing demonstrates what has or has not been done.

For example, for IA.L1-3.5.1:
-OSC staff may talk about how users are identified.
-Documentation may provide details on how users are identified.
-Seeing a demonstration of identifying users provides evidence that the practice is met.

28
Q

Guidelines for Evaluating Readiness

A

Seek first to understand, then continuously validate this understanding.

Ensure alignment of preparation activities to the CMMC Assessment Guides.

Engage the expertise of those directly responsible for performance of the control/practice.

Utilize applicable standards and guidelines.

Identify and record opportunities for improvement.

Encourage preparation as a means to build a shared understanding of the Assessment process.