CMMC Assessment Solution
Central to the effectiveness of this CMMC Assessment solution and console is that the data GUICE2 feeds into it comes directly from the authoritative data sources, which are updated 24/7, so the data never stagnates and is always the most accurate available.
USER's overarching goals for the CMMC program are:
- To clearly understand CMMC requirements from related laws, regulations, and industry best practices and apply them as desired to USER’s overall cybersecurity program.
- USER’s cybersecurity personnel will gain experience in performing CMMC assessments and advise partners on CMMC Compliance.
- Align USER’s existing cybersecurity policy with CMMC policy requirements and identify any gaps between them.
USER requires the capability to help position their company and partner community to comply with CMMC mandates and continue to compete for DoD IT contracts.
AATD will deliver an assessment capability, CMMC Console, powered by a GUICE2 CMMC Data Landscape with comprehensive CMMC program requirements from related authoritative source documents. The CMMC solution is fully integrated and consists of three components.
GUICE2 CMMC Data Landscape (DL).
The DL is the heart of the CMMC Solution. It contains related laws, regulations, and other guidance documents that collectively define the requirements of the CMMC program.
- The DL is dynamic and updated continuously, 24/7, as the CMMC program changes and evolves.
- Accurate requirements from the DL drive the CMMC Console assessment business processes.
- Alerts are generated when changes in the DL impact CMMC assessments.
GV is a web-based application that provides visibility into the DL.
- GV provides a detailed understanding of CMMC information and of the relationships between USER's policies and the authoritative source documents in the DL.
- GV is used in conjunction with the Console to reduce the time and effort required to complete assessments by providing, within a few clicks, access to supplemental information useful in completing an assessment.
CMMC Console (CC).
The CC is a web-based application driven by the CMMC requirements, business rules, and best practices contained within the DL.
- The CC and DL are seamlessly integrated, and the CC pulls in an up-to-date set of CMMC requirements each time it is refreshed.
- CC assessment processes are directly linked back to the authoritative source documents in the DL.
- Interactive questionnaires and practice-specific checklists guide users through performing an assessment.
- The CC provides assessment reports and an auditable solution to prove CMMC compliance.
The CMMC Solution is delivered on a subscription basis. USER will receive a one-year solution subscription for up to 10 user licenses.
The subscription includes:
- Initial customer on-board and user training
- Continuous updates to the data in the DL
- Software maintenance and updates
As a USER vendor partner, we see mutual value in purposeful collaboration as we tailor the CMMC Solution to meet USER’s needs and those of your vendor partners in preparing for the impending mandate. We ask that USER provide feedback during the subscription period to improve and ensure the best possible CMMC Solution for you and your vendor partners.
The CMMC program's authority has recently been codified in DFARS Interim Rule 7019-D041, effective 1 Dec 2020. Applicable FAR and DFARS clauses from the new rule shall be incorporated into the DL and delivered by 15 Dec 2020.
The GUICE2 CMMC Solution delivered and customized for USER will provide USER personnel with a clear understanding of CMMC compliance requirements so they can:
- Understand CMMC program requirements
- Improve cybersecurity and CUI compliance
- Perform internal assessments and assist partners with CMMC compliance
- Align existing USER policies with CMMC program requirements
The DL and GV will provide a capability that contains, maintains, and provides visibility into the full complement of CMMC program methodologies, policies, compliance standards, industry best practices, etc., as defined in:
- Cybersecurity Maturity Model Certification (CMMC) Version 1.02 | March 18, 2020
- CMMC Appendices Version 1.02 | March 18, 2020
The DL shall contain comprehensive CMMC requirements data mapped to authoritative source documents. The DL is a central repository and maintains CMMC compliance data that defines and describes the processes required to perform compliant CMMC assessments.
GV provides DL visibility in tabular and graphic form.
- GV provides the ability to search and view CMMC requirements in tabular form by maturity level, domain, capability, practice, and other CMMC related categories like policy and program authority.
- GV's graphical view shows the relationships between authoritative data sources for the portions of the CMMC program relevant to USER's assessment goals.
- The graphical view shows the impact that new, changed, or deleted documents have on other documents in the DL. Change alerting and visibility allow cybersecurity personnel to make the CMMC program adjustments required to maintain compliance.
The GUICE2 CMMC Solution shall provide USER the capability to perform a comprehensive self-assessment of CMMC compliance.
CC will provide a capability to assess any portion of the organization and the 171 CMMC Practices in maturity levels 1-5. The CC offers an effective capability for USER personnel to gain broad experience in performing CMMC assessments.
- An intuitive graphical dashboard reflects current assessment status by domain and maturity level for individual systems and for the organization.
- An automated interactive questionnaire and practice checklists guide the user through the assessment process. USER personnel perform the data collection and entry required for the assessment.
- Cybersecurity personnel are automatically alerted to changes in the DL. These alerts show precisely which assessment requirements have changed, so that appropriate actions can be taken to bring USER back into compliance and maintain that compliance over time.
The CC will generate the following reports:
- System Security Plan (SSP). The SSP documents how each assessed CMMC practice is met and how the organization plans to meet the requirements and address known and anticipated threats.
- Plan of Action & Milestones (POA&M). The POA&M is a description of mitigation measures and action plans for unimplemented security requirements.
- Security Assessment Report (SAR). The SAR documents assessment results in sufficient detail as deemed necessary by organizations.
Assessment results and reports are all linked back to authoritative source documents in the DL, forming a chain of compliance that will allow USER to prove compliance despite the constant regulatory change.
CMMC Policy Integration Service.
The CMMC Policy Integration Service will align USER's existing cybersecurity policies with CMMC policy requirements and identify gaps between them. AATD provides policy support to customize the DL by integrating USER's policies and procedures. Specifically:
- The policy templates provided encompass the 17 CMMC domains and consist of the CMMC maturity level 3 policy requirements for each domain.
- USER will map existing USER policies to the CMMC policy template requirements and perform a gap analysis between existing policies and CMMC policy requirements. Each policy template will be filled in by USER to the extent desired.
- AATD will ingest USER's completed policy templates into the DL, and will update and re-ingest USER policies whenever regulatory changes in the DL affect USER's compliance status.
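The policy-to-practice gap analysis described above, together with the DL change alerting described under the GV and CC sections, reduced to a small worked example. This is added illustration, not GUICE2 or CMMC Console code: the practice rows and the policy mapping are constructed sample data (the ids follow the CMMC v1.02 numbering scheme, but the DL would hold all 171 practices), and the `version` field standing in for the DL's tracked revision of each authoritative source is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Practice:
    pid: str      # CMMC practice id, e.g. "AC.1.001"
    domain: str   # two-letter CMMC domain abbreviation
    level: int    # maturity level 1-5
    version: str  # assumed: DL revision of the authoritative source


# Constructed sample slice of the practice catalogue (not the full 171).
PRACTICES = [
    Practice("AC.1.001", "AC", 1, "v1.02"),
    Practice("AC.2.007", "AC", 2, "v1.02"),
    Practice("AC.3.017", "AC", 3, "v1.02"),
    Practice("AU.2.041", "AU", 2, "v1.02"),
    Practice("AU.3.045", "AU", 3, "v1.02"),
    Practice("IR.2.092", "IR", 2, "v1.02"),
    Practice("SC.4.197", "SC", 4, "v1.02"),
]

# Constructed USER policy mapping: policy name -> {practice id: version mapped against}.
# "Logging Standard" was mapped against an older revision of AU.2.041 on purpose.
POLICY_MAP = {
    "Access Control Policy": {"AC.1.001": "v1.02", "AC.2.007": "v1.02", "AC.3.017": "v1.02"},
    "Logging Standard": {"AU.2.041": "v1.01"},
}


def gap_analysis(practices, policy_map, target_level=3):
    """Practices at or below target_level that no mapped policy covers, grouped by domain."""
    covered = {pid for mapping in policy_map.values() for pid in mapping}
    gaps = defaultdict(list)
    for p in practices:
        if p.level <= target_level and p.pid not in covered:
            gaps[p.domain].append(p.pid)
    return dict(gaps)


def change_alerts(practices, policy_map):
    """(policy, practice) pairs whose mapping predates the DL's current revision."""
    current = {p.pid: p.version for p in practices}
    return sorted((policy, pid) for policy, mapping in policy_map.items()
                  for pid, ver in mapping.items() if current.get(pid) != ver)


if __name__ == "__main__":
    print("Level-3 gaps by domain:", gap_analysis(PRACTICES, POLICY_MAP))
    print("Policies to re-review:", change_alerts(PRACTICES, POLICY_MAP))
```

Level-4 practices such as SC.4.197 are outside the level-3 target and are not reported as gaps; raise `target_level` to include them.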