CMMC 2.0 Assessment Objectives

[chemring-daniel]

🚀 Feature Proposal

Expand the question set for CMMC 2.0 to the Assessment Objective level.

Motivation

Feedback from auditors is that they are assessing these individually, rather then the top level control.

Example

AC.L1-3.1.1 is one practice, however has 6 separate assessment objectives. These need to be addressed individually for an assessor to confirm that the practice is fully met.

Pitch

Allows for fine grained detail on what practices are met and what are not. In many cases, some (but not all) of the assessment objectives are met, and the remaining require action. By separating the assessment objectives out, it is easier to highlight the practices that are not met, and thus the POAM.

[cset-writer]

Hi Daniel,
Thanks for your helpful feedback and insight. The CMMC 2.0 is a draft of questions and materials available to us at this time (while the rest of CMMC rulemaking is finalized by DoD) and we are continuously updating and improving it. For now, users will have to refer to the Assessment Objectives to track whether or not they have fully achieved a "Yes" response, and CSET offers a variety of functionality to help with that tracking, note taking, and flagging during the assessment process.

In our initial DRAFT version of CMMC 2.0 (and many of the other assessments that we offer here on CSET) we provide the assessment objectives (sometimes called “criteria for yes”) and extensive supplemental guidance materials for each assessment question in our “Guidance” section. This allows our users to expand the “i” icon for the additional implementation guidance necessary to properly and effectively evaluate and, after considering the assessment objectives, input a response to an assessment question. Users should also utilize the “References” icon for a full collection of links (that open in separate window) for each assessment’s authoritative source docs and additional guidance material to actively consult during an assessment. This information is provided and intended to help the user/assessor evaluate the appropriate criteria for a “yes” response and/or the full/partial implementation of a control, before recording the answer to a question in CSET.

Additionally, we offer the “Observations” and user “Comments” functions to make notes re: POAM-type plans/actions and additional observations/info for each question, along with our “Mark for Review” flag to denote questions that need to be reviewed later. Finally, users can take advantage of our “Documents/Artifacts” function which allows the attaching of evidence, POAM-type info, and other documents helpful for rationale/justification purposes.

As denoted by the title, this is a Draft CMMC 2.0 version which are working hard to improve, so we appreciate your input and will continue to work to improve the working draft through its final release. If you would like a demo of how the various CSET functionality described above works, please check out our YouTube video https://www.youtube.com/watch?v=TCiLJZdv1zA or contact us for a demo. Thanks again for reaching out!