This article covers the concept of building a RACI/RASCI matrix to demystify control ownership concerns, as well as reviewing any Customer Responsibility Matrix (CRM) that vendors may share with you.
What Are Your Facts & Assumptions With CMMC Controls?
Going back to my days as a military officer, the concept of defining facts and assumptions was hammered home, since assumptions have a proven ability to derail plans. Fast forward to today and I find that sage advice of separating facts from assumptions is still immensely valuable for cybersecurity compliance matters, such as CMMC.
How Do I Avoid Assumptions With CMMC?
One of the most efficient things you can do for your CMMC compliance efforts to avoid assumptions is to take the time to build a RACI/RASCI matrix that identifies the parties involved and maps them to each CMMC Assessment Objective (AO) requirement. Without a RACI/RASCI matrix, you will be working on assumptions, and those tend to leave gaps.
Realistically, the RACI/RASCI matrix needs to be built to the AO level of detail and not to the control level (see the CMMC-COA Awesomeness Spreadsheet for an example). The difference is significant, since the 110 CUI controls from NIST SP 800-171 / CMMC L2 equate to 320 unique AO requirements, and those AOs are what actually need to be assigned via the RACI/RASCI matrix. For each of those AOs, the appropriate stakeholder(s) need to be identified and assigned the appropriate level of involvement to successfully meet the requirement:
Responsible: A person or team that has some form of work deliverable to make the task successful. There may be multiple parties tagged with being responsible, but each task must have at least one “R” assigned.
Accountable: There is only one accountable person. This is the person who has ultimate accountability and authority for the correct and thorough completion of the task. There must be exactly one “A” assigned for each task. Note: An accountable individual can also be the responsible individual.
Supportive: A person or team that supports an “R” may get assigned a Supportive role in making the task successful. This may be technical help or some other form of expertise that is necessary for the task to be conducted successfully and directly supports the person or team that holds the “R” assignment. There can be multiple parties tagged with “S”, but there also may be none, since it depends on the task.
Consulted: A person or team that supports an “R” with pertinent input. This is two-way communication between “R” and “C” to ensure success. A good example of “C” is consulting with legal counsel to review details for considerations that could impact the project. There can be multiple parties tagged with “C”, but there also may be none, since it depends on the task.
Informed: This is one-way communication to a person or team for situational awareness purposes only. There is no expectation of feedback, since “I” parties are not involved in the decision-making process. There can be multiple parties tagged with “I”, but there also may be none, since it depends on the task.
Note: Your RACI/RASCI is going to be specific to your organization, so do not expect that you can copy a template or use what a buddy made for their organization and assume everything is applicable to your business model. That isn't how a RACI/RASCI works, so you have to put in the work to customize it for your specific needs.
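The assignment rules above (exactly one “A” per AO, at least one “R”, and the OSC rather than a vendor holding the “A”) are easy to break in a 320-row spreadsheet. The following is an added example, not code from the original article or from CMMC-COA, that checks those rules over a RACI/RASCI exported as CSV. The column names, the AO identifiers in the sample rows, the set of parties treated as OSC-internal, and the “A/R” convention for one party holding both roles are all assumptions made for the illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample matrix (hypothetical AO rows and stakeholder columns).
# Several rows deliberately violate one rule each so the checker has work to do.
SAMPLE_CSV = """ao_id,OSC Leadership,OSC IT,MSSP,Legal
3.3.2[a],A,R,S,
3.3.2[b],A,R,S,I
3.1.1[a],,R,S,
3.1.1[b],A,A,R,
3.11.1[a],A,,,C
3.12.1[a],A/R,,,C
3.14.1[a],I,,A/R,
"""

# Assumption: which columns belong to the OSC itself (everything else is external).
OSC_STAKEHOLDERS = {"OSC Leadership", "OSC IT"}
VALID_CODES = {"R", "A", "S", "C", "I"}


@dataclass
class Finding:
    ao_id: str
    problem: str


def parse_codes(cell):
    """Turn a cell like 'A/R' or ' s ' into a set of upper-case role codes."""
    return {c.strip().upper() for c in (cell or "").split("/") if c.strip()}


def validate_row(row, osc_stakeholders=OSC_STAKEHOLDERS):
    """Apply the RASCI assignment rules to one AO row; return a list of findings."""
    ao = row["ao_id"]
    findings = []
    assignments = {party: parse_codes(cell) for party, cell in row.items() if party != "ao_id"}

    # Rule 0: only the five RASCI codes are meaningful.
    for party, codes in assignments.items():
        for code in codes - VALID_CODES:
            findings.append(Finding(ao, f"unknown code {code!r} for {party}"))

    accountable = [p for p, codes in assignments.items() if "A" in codes]
    responsible = [p for p, codes in assignments.items() if "R" in codes]

    # Rule 1: exactly one accountable party per AO.
    if len(accountable) != 1:
        findings.append(Finding(ao, f"expected exactly one A, found {len(accountable)}"))

    # Rule 2: at least one responsible party per AO (the A may also be the R).
    if not responsible:
        findings.append(Finding(ao, "no R assigned"))

    # Rule 3: accountability stays with the OSC, never with a vendor.
    for party in accountable:
        if party not in osc_stakeholders:
            findings.append(Finding(ao, f"A assigned to external party {party}"))

    return findings


def validate_matrix(csv_text, osc_stakeholders=OSC_STAKEHOLDERS):
    """Validate every AO row of a CSV-exported RASCI matrix."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.extend(validate_row(row, osc_stakeholders))
    return findings


if __name__ == "__main__":
    for f in validate_matrix(SAMPLE_CSV):
        print(f"{f.ao_id}: {f.problem}")
```

Run against a real export, the output is the list of AOs you still have to argue about with your stakeholders; an empty list does not mean the assignments are right, only that the matrix is structurally complete.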
Can I Just Outsource It All?
There are quite a few Managed Service Providers (MSP), Managed Security Services Providers (MSSP) and virtual Chief Information Security Officers (vCISO) that would have Organizations Seeking Certification (OSC) happily believe their headaches with CMMC can be outsourced with virtually no OSC involvement. Unfortunately, that is not how compliance with CMMC works (or any other compliance obligation, for that matter).
As you can see from the graphic below, while there are a lot of technology-related controls, there are quite a few practices that are specific to the OSC. Additionally, the tasks the MSP/MSSP/vCISO performs cannot be done in a vacuum; they require some level of oversight and risk management decisions by the OSC.
With compliance, it goes back to the old question, “What are you able to prove?” With an MSP/MSSP/vCISO, the contract, Statement of Work (SOW) or Service Level Agreement (SLA) will dictate what work the vendor is going to perform. Those are often written in the vendor’s favor, so it is important to explicitly include the assigned responsibilities that the vendor is obligated to perform. From a RACI/RASCI matrix perspective: the MSP/MSSP/vCISO may be responsible for controls, but the OSC will always be accountable.
What Can I Legitimately Outsource?
This is a loaded question and heavily depends on your budget.
Common CMMC requirements that cannot be outsourced include, but are not limited to:
Risk management decisions. The OSC cannot legitimately contract a third party to make its cybersecurity risk decisions, since those must be made by the OSC’s leadership team.
Assessment day responsibilities. The OSC cannot contract a third party to stand as a proxy for its assessment. It is understandable for an external subject matter expert to be available to answer detailed questions an assessor may have, but the OSC cannot outsource the entire assessor interface.
Common CMMC requirements that can be outsourced include, but are not limited to:
Gap assessments, including controls oversight. The assessments can be performed by a third party, but the decisions on what to do with those findings must be made by the OSC.
Policy development. Third parties can be contracted to assist the OSC in the development of CMMC-specific documentation. However, authorization of documents and verification of their contents remain the responsibility of the OSC, since the OSC ultimately has to take ownership of the ongoing governance of those policies, standards and procedures.
Incident response / Security Operations Center (SOC) “as a service” (IRaaS/SOCaaS) solutions. Most small-to-medium OSCs are in the market to fill needs surrounding incident detection, management and response to some degree. However, the OSC retains internal responsibilities for handling, reporting and recovery, so this is a shared set of responsibilities.
Case Study: NeQter Labs (SIEM & Vulnerability Scanning)
NeQter Labs offers a solution for Security Information and Event Management (SIEM), vulnerability scanning, and selective asset identification and management capabilities. Under CMMC’s new scoping guidance, NeQter Labs’ solution would be classified as a Security Protection Asset (SPA), since it provides “security functions and capabilities to CUI assets” within the OSC’s assessment scope. As a result, the SPA designation requires the OSC to demonstrate how NeQter Labs fulfills its responsibilities. This solution, or any other for that matter, WILL NOT absolve the OSC of its responsibility to govern the controls. The key takeaway is that the OSC, not its vendors, will be held accountable for any compliance deficiencies and the associated negative consequences.
In the case of NeQter Labs, an OSC purchasing its technology to satisfy practices within the CMMC standard is a step in the right direction, but purchasing technology alone is not enough, since no technology is “fire and forget.” As with any technology, there is more to it than purchasing a license and clicking install. When you look at the requirements within CMMC, technology solutions are just a few of the puzzle pieces required to become compliant. Specifically, around technology solutions, OSCs are responsible for creating the processes that operationalize the technology and for demonstrating that all of the control’s Assessment Objectives (AO) are adequately addressed.
OSCs are expected to perform their due diligence when deciding on the appropriate technology to meet CMMC controls. This process includes reviewing a vendor-produced Customer Responsibility Matrix (CRM) that details the supported controls included in the service agreement. This CRM needs to drill down to the AO level. For example, NeQter Labs provides OSCs with a CRM that contains AO-level details for the 42 specific CMMC controls where its solution provides coverage.
To better understand OSC responsibility, let’s take a deeper look at CMMC control AU.L2-3.3.2 (User Accountability) compared to the information provided in the NeQter Labs CRM:
On the surface, this control would lead you to believe the OSC just needs to deploy a SIEM and track users’ actions. However, the AOs reveal that although the SIEM plays a vital role in satisfying the technical control requirements, the OSC cannot transfer its responsibilities to the vendor. This is demonstrated in the table below:
Please note that what is shown in the CRM is not a product weakness – this is the reality with any SIEM solution. NeQter Labs’ CRM accurately shows the responsibilities the OSC has for the “ongoing care and feeding” of its log review process, regardless of the technology it uses to operate that control.
This case study helps demonstrate that, just as in life, nothing in CMMC compliance efforts is simply handed to you. If the OSC lacks awareness of its responsibilities as defined within the AOs, then it is destined to fail. “Solutions” or “tools” are just mechanisms that (if implemented properly) help OSCs implement a control more efficiently, but that does not mean the responsibility is removed from the OSC.
At the end of the day, CMMC is best approached from an “eyes wide open” perspective where facts and assumptions are known to all pertinent stakeholders. This avoids unpleasant surprises and can even help identify process improvements, which can save time and money. A cup of coffee and an Excel spreadsheet can be your friends as you go down the list of AOs to identify the “usual suspects” and how they fit into the broader CMMC compliance efforts for your organization. There is a good chance that you won’t get it right the first time, but with a little discussion among stakeholders it is generally very straightforward to achieve agreement on assigned roles and responsibilities for CMMC.