CCP Lesson 7 Flashcards
Evidence
The observable proof that an organization has either met or not met the standard for a particular CMMC practice
Artifacts
Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, or by a person or persons performing a role in that practice, control, or process. Artifacts may be a printed hard copy or a soft (electronic) copy of a document or file embedded in a system or software, but must be a result or an output from the performance of a process within the OSC.
Stakeholder
A person with an interest or concern in the success of a business; interviews with stakeholders provide an excellent opportunity to gain insight and establish context.
Observation
A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and, if applicable, Assessment Team.
Acceptable Evidence
Must be created, provided, or demonstrated by people who implement the practice.
OSC
Organization seeking certification
CAP requirements for evidence
Adequacy - does the information provided meet the intent of the CMMC practice? (Do I have the right data?)
Sufficiency - does the information provided contain enough of the "right data"? (Do I have ENOUGH of that data?)
3 assessment methods used by CCPs and CCAs
Examine - the process of analyzing assessment objects (artifacts). Ex: reading privacy/security policies
Interview - discussing with groups or individuals to facilitate understanding or obtain evidence. Ex: interviewing SysAdmins/DevTeams
Test - exercising assessment objectives under specified conditions to compare actual results with expected results. Ex: observing notification banner warnings
CMMC Assessment Process (CAP) phases
- Plan and prepare the assessment
- Conduct the assessment
- Report recommended assessment results
- CMMC Plan of Action and Milestones (POA&M) close-out assessment
NIST SP 800-171A
Superseding and authoritative guidance for assessing the CUI security requirements in NIST SP 800-171
MET, NOT MET, or N/A
How objectives are scored during a CMMC assessment
Assessment Depth
Addresses the level of detail of the assessment: basic, focused, or comprehensive
Assessment Coverage
Addresses the scope or breadth of the assessment: basic, focused, or comprehensive
CMMC Level 1 & 2 practices are derived from
NIST SP 800-171