Closed jehsd1234 closed 2 years ago
Hello! Thanks so much for your comment. As an open source team aiming to keep cybersecurity accessible and affordable for all, we appreciate your feedback and we are always looking for ways to improve the CSET experience for our users.
As you note, ISOO CUI Notice 2020-04 provides that an assessment (800-171 for example, and by default a CMMC assessment, as in this case) is a process of which inputting the answers for a score determination is just a part:
“The assessment process is an information-gathering and evidence-producing activity to determine the effectiveness of safeguards used to meet the security requirements specified in NIST SP 800-171. Organizations can use information and evidence from the assessment process to: a. Identify potential problems or shortfalls in the organization’s security and risk management programs; b. Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate; c. Prioritize risk mitigation decisions and activities; d. Confirm that identified security weaknesses and deficiencies in the system and in the operation environment have been addressed; and e. Support risk-based decision-making and provide information security situational awareness.”
In our initial DRAFT version of CMMC 2.0 (and many of the other assessments that we offer here on CSET) we provide the assessment objectives (sometimes called “criteria for yes”) and extensive supplemental guidance materials for each assessment question in our “Guidance” section. This allows our users to expand the “i” icon for the additional implementation guidance necessary to properly and effectively evaluate and, after considering the assessment objectives, input a response to an assessment question. Users should also utilize the “References” icon for a full collection of links (that open in a separate window) for each assessment’s authoritative source docs and additional guidance material to actively consult during an assessment. This information is provided and intended to help the user/assessor evaluate the appropriate criteria for a “yes” response and/or the full/partial implementation of a control, before recording the answer to a question in CSET.
The guidance, references, comments, observations, evidence/artifacts, and flag functions are the working components/material required to effectively evaluate, determine, and record your responses for a useful CSET experience.
For CMMC 2.0, we provide the following materials to help guide the user in answering each question:
Assessment Guidance: (the "i" icon in CSET)
Source Material and References: For Draft CMMC 2.0, we link (and highly recommend) our users consult the following materials while taking an assessment:
Additionally, we offer the “Observations” and user “Comments” functions to make notes re: POAM-type plans/actions and additional observations/info for each question, along with our “Mark for Review” flag to denote questions that need to be reviewed later. Finally, users can take advantage of our “Documents/Artifacts” function which allows the attaching of evidence, POAM-type info, and other documents helpful for rationale/justification purposes.
As denoted by the title, this is a Draft CMMC 2.0 version which we are working hard to improve, so we appreciate your input and will continue to work to improve the working draft through its final release. If you would like a demo of how the various CSET functionality described above works, please check out our YouTube video https://www.youtube.com/watch?v=TCiLJZdv1zA or contact us for a demo. Thanks again for reaching out!
See CSET-Writer's Response.
🚀 Feature Proposal
Update NIST SP 800-171 assessment to calculate implementation scores by NIST SP 800-171A.
Update CMMC assessment to calculate implementation scores by the CMMC Assessment Guide (just 800-171A under the hood).
Motivation
CSET does not currently calculate implementation scores for NIST SP 800-171 via the assessment objectives in NIST SP 800-171A. The only way for a NIST SP 800-171 control to be considered fully "implemented" is if all of the corresponding determination statements in NIST SP 800-171A are satisfied.
As a result, the CSET method of calculating SPRS scores is misleading since results are tallied for the 110 requirements in 800-171 rather than the 320 corresponding items in 800-171A.
By extension, CMMC evaluations and scores work the same way and should also be updated.
Although the determination statements are listed in the details section, there is no ability to select them individually.
Example
See DoD's Project Spectrum Cyber Readiness Check for an example of calculating scores by 800-171A:
Pitch
Failure to properly calculate control implementation is misleading and a violation of ISOO CUI Notice 2020-04.
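The objective-level rule the proposal asks for (a requirement counts as implemented only when every one of its 800-171A determination statements is satisfied), shown as an added example that is not part of this issue or of CSET's own code. The requirement ids are real 800-171 numbers, but the objective lists, point weights and recorded answers are constructed placeholders, and the 110-point starting score with a per-requirement deduction is an assumption about the SPRS method, not something the issue states.

```python
from dataclasses import dataclass

MAX_SPRS_SCORE = 110  # assumed: one point per 800-171 requirement before deductions


@dataclass
class Requirement:
    """One NIST SP 800-171 requirement with its 800-171A determination statements."""
    req_id: str
    objectives: dict[str, bool]   # objective id -> determination statement satisfied
    weight: int                   # points deducted if not implemented (assumed scheme)
    control_level_answer: bool    # the single yes/no recorded at the requirement level


def implemented_per_171a(req: Requirement) -> bool:
    """800-171A rule: implemented only if every determination statement is satisfied."""
    return all(req.objectives.values())


def tally(reqs: list[Requirement], is_implemented) -> dict:
    """Count implemented requirements and compute the score under a given rule."""
    deduction = sum(r.weight for r in reqs if not is_implemented(r))
    return {
        "implemented": sum(1 for r in reqs if is_implemented(r)),
        "score": MAX_SPRS_SCORE - deduction,
    }


def score_by_requirement_answer(reqs: list[Requirement]) -> dict:
    """Requirement-level tally: trusts the single yes/no per control."""
    return tally(reqs, lambda r: r.control_level_answer)


def score_by_objectives(reqs: list[Requirement]) -> dict:
    """Objective-level tally: a partially satisfied control counts as not implemented."""
    return tally(reqs, implemented_per_171a)


def unmet_objectives(reqs: list[Requirement]) -> list[str]:
    """Objective ids that block a requirement from being implemented (POAM candidates)."""
    return [f"{r.req_id}{o}" for r in reqs for o, ok in r.objectives.items() if not ok]


# Constructed sample: objective lists are shortened placeholders, not real 800-171A text.
SAMPLE = [
    Requirement("3.1.1", {"[a]": True, "[b]": True, "[c]": False}, 5, True),
    Requirement("3.1.2", {"[a]": True, "[b]": True}, 5, True),
    Requirement("3.5.3", {"[a]": False, "[b]": False}, 5, False),
]

if __name__ == "__main__":
    print(score_by_requirement_answer(SAMPLE))  # {'implemented': 2, 'score': 105}
    print(score_by_objectives(SAMPLE))          # {'implemented': 1, 'score': 100}
    print(unmet_objectives(SAMPLE))             # ['3.1.1[c]', '3.5.3[a]', '3.5.3[b]']
```

The first requirement is the case the proposal is about: a "yes" recorded at the control level hides an unsatisfied objective, so the two tallies disagree on both the implemented count and the score.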