
Certification Assistant Complete CMMC Certification

Once you select Cybersecurity Maturity Model Certification (CMMC) option from the main Certification Assistant Standard or Premium home page, you are redirected to the CMMC dashboard. The toolbar displays tabs for you to walk through the certification process. 

System Description

This tab is used to start the information gathering required for a System Security Plan (SSP) report. To begin, click the Edit button located underneath the tabs.

Instructions:
1. Enter all relevant information in the fields provided.
NOTES:
In general, for the System Categorization field: 
– SC for Security Category
– The information type: example ‘information system’ or ‘contract system’
– A High/Moderate/Low impact rating for confidentiality
– A High/Moderate/Low impact rating for integrity
– A High/Moderate/Low impact rating for availability
– Together in this format: SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
General description of information: Use the link provided under the text box to view a list of CUI information types.

2. Once you enter all desired information, click Save.
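The System Categorization format described above, as an added example that is not part of the Certification Assistant documentation or product: a hypothetical Python helper that builds the SC expression from the three impact ratings and parses one back, rejecting missing, duplicated or misspelled entries before they reach the SSP.

```python
import re
from typing import Dict, Tuple

# Impact ratings allowed for each security objective (High/Moderate/Low).
IMPACT_LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def format_security_category(info_type: str, ratings: Dict[str, str]) -> str:
    """Build 'SC <type> = {(confidentiality, X), (integrity, Y), (availability, Z)}'.

    Hypothetical helper: validates that every objective has exactly one
    valid rating so a malformed entry is caught before it is saved.
    """
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError(f"missing impact rating for: {', '.join(missing)}")
    for objective, level in ratings.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if level not in IMPACT_LEVELS:
            raise ValueError(f"invalid impact rating {level!r} for {objective}")
    pairs = ", ".join(f"({o}, {ratings[o]})" for o in OBJECTIVES)
    return f"SC {info_type} = {{{pairs}}}"


_SC_RE = re.compile(r"^SC\s+(?P<type>.+?)\s*=\s*\{(?P<pairs>.*)\}$")
_PAIR_RE = re.compile(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)")


def parse_security_category(text: str) -> Tuple[str, Dict[str, str]]:
    """Parse an SC expression (case-insensitive) back into (type, ratings)."""
    m = _SC_RE.match(text.strip())
    if not m:
        raise ValueError("not an SC categorization expression")
    ratings: Dict[str, str] = {}
    for objective, level in _PAIR_RE.findall(m.group("pairs")):
        objective, level = objective.lower(), level.capitalize()
        if objective not in OBJECTIVES or level not in IMPACT_LEVELS:
            raise ValueError(f"invalid pair ({objective}, {level})")
        if objective in ratings:
            raise ValueError(f"duplicate objective: {objective}")
        ratings[objective] = level
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError(f"missing impact rating for: {', '.join(missing)}")
    return m.group("type"), ratings
```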

Stakeholders

This tab provides fields to identify the Information Owner, System Owner and System Security Owner for this system. To begin, click the Edit button located underneath the tabs. 

Instructions:
1. Enter all information in the fields provided.
NOTE: If any of the individuals are also users in Certification Assistant, use the drop-down list provided to select their name and enable online electronic signatures in the Approval tab.
2. Click Save when you complete all entries.

System Environment

This tab is for the detailed documentation of the system. To begin, click the Edit button located underneath the tabs.

Instructions:
1. Enter all information in the fields provided.
2. Upload a detailed topology diagram and enter a narrative to support the graphic in the fields provided. 
NOTE: You may upload files or link to externally available files using the Link field.  If a document needs to be replaced, use the delete X to remove the document and upload the revised version.
3. To enter your Hardware Inventory, click on the Add Hardware button. 
4. Enter the Name/Description, Make and Model #.
NOTE: The Asset Category, Asset Value and Impact of Loss relate to Risk Management. Then identify who owns the hardware, who maintains it, and finally the individual responsible for the inventory asset. Asset Category defines how this asset is used relative to CUI: whether it is for the Transmission, Processing, and/or Protection of CUI.
5. Use the Add Software to add software assets to the inventory.
6. Click Save when done.

Policies

This tab is used as a repository for any policy documentation referred to in the controls.  

Instructions:
1. Click the Choose Files button to add files from your local drive.
NOTE: You can upload multiple files at the same time.
2. Alternatively, files available externally can be linked using the Link field.
3. Click the Open Exostar PolicyPro button to access your content and make it available in Certification Assistant.
NOTE: Once your files are uploaded, they can be removed using the delete X. You have the option to confirm the file removal before it is completed.

Self Assessment

This tab is where the CMMC Levels with Practices and Processes are held. Navigate between the level tabs to view each domain in the upper section, and review all open action items in the lower, Task section. The instructions listed below provide management options.

Instructions:
1. Select a Domain Name to display the Practices within that domain.
2. Click the View button or click the content to view control details.
NOTE: On the Control Details screen, the left-side panel shows the CMMC Practice number, and reference documentation regarding this control. 
3. Select Additional References to get more information on the reference documents.
4. Review the center panel for practice content and additional information to assist you in implementing the control.
5. Optionally, add notes in the text field concerning your implementation. 
NOTE: Only the most recent comment is included on the SSP report; beneath it is a running audit trail of all activity on the control.
6. Click a status button, in the right panel, to change the control to that status.
NOTE: Click the Save button or the status buttons. Use the Cancel or the Back to List button to return to the control list.
7. Use the file upload/link tools to attach any documentation or evidence to the control.
8. Use the Action Item form to create a new action for the control. 
NOTE: While a control has an open Action Item, the Status icon on the list displays Action Item. In the control details, the button Pending Action Item, See Below displays. Click the pending action button to snap down to the open actions for the control. Click any of the tasks to display the Action Item Details page. 
9. Any text entered in the Response text box is added to the audit trail for the control, and files can be uploaded or linked.  The files are attached to the control, not the task. 
NOTE: If the action is no longer needed, click the Remove this Task checkbox and Save. You are prompted to confirm.  When the action is complete, select the Close this Task checkbox and Save to close the task and return to the screen you were previously on.
IMPORTANT! Levels 2 and up include Processes where your internal processes are assessed for maturity.

Risk Management

This tab starts with no risks identified. The blue process flow above the risk list is for user reference only; these blue blocks are not linked to the specified process. Once risks are developed, they display in the risk cube to the right. Notes for the risk cube:

  • The vertical axis corresponds to the likelihood a risk will be exploited
    • A higher risk plot, corresponds to a higher likelihood the risk will be exploited
  • The horizontal axis corresponds to the level of impact should the risk be exploited
    • The further to the right corresponds to a higher impact should the risk be exploited
Instructions:
1. Click the CMMC Risk Management Control Requirements button above the risk table. 
NOTE: This matrix contains the CMMC requirements for each level of certification.
2. Select Add Risk.
NOTES:
– Helpful resources and links are listed at the bottom of the page, and open a new tab when clicked.
– The user completes the three sections: Risk Title, Risk Manager and Category.
3. Click SAVE & Next Step to move onto Link assets and CMMC Controls. Notes for linking a risk to Assets or Controls:
NOTE: Helpful resources and links are listed at the bottom of the page, and open a new tab when clicked.
4. Select one or many assets from the linkable assets drop-down.
NOTES:
– The menu will contain a list of all assets identified during the System Environment exercise.
– After each selection, the selected item displays above the drop-down menu selection. 
– An asset can be deleted if it is determined it should no longer be listed as a linked asset to the identified risk.

5. Select one or many Control Domains for linking to risk via the drop-down menu. 
NOTES:
– After each selection, the selected item displays above the drop-down menu selection. 
– A Domain can be deleted if it is determined it should no longer be listed as a linked Domain to the identified risk. 

6. Click Next Step to move to Determining a Threat Assessment.
NOTE: Helpful resources and links are listed at the bottom of the page, and open a new tab when clicked.
7. Select a relevant Threat Level and provide a short narrative as to why. 
NOTE: While this is not a requirement, it is highly recommended.
8. Once complete, select SAVE & Next Step to move to Determining a Vulnerability Assessment.
NOTE: Helpful resources and links are listed at the bottom of the page, and open a new tab when clicked.
9. Select a relevant Vulnerability Level and provide a short narrative as to why.
NOTE: While this is not a requirement, it is highly recommended.
10. Select SAVE & Next Step to move to Determining an Impact Assessment.
NOTE: While this is not a requirement, it is highly recommended.
11. Select the relevant Impact Level and provide a short narrative as to why.
NOTE: While this is not a requirement, it is highly recommended.
12. Select SAVE & Next Step to move on to Determining a Handling Approach: Accept the Risk, Transfer the Risk or Mitigate the Risk.
13. Select SAVE and Next Step.
NOTES:
– Only when choosing Mitigate the Risk does the user proceed to the next step, which is developing a mitigation plan.
– Click New Mitigation Action and describe the mitigation activity that will be performed.
– Select the person responsible for the activity and assign a completion date, then click Save.
– You then have the option to create another mitigation activity or Return to Risk Homepage.


On the Monitor and Report page, all mitigation actions and their status display; these actions also appear on the TASKS list located on the Certification Standard Homepage.

Approval

After all the content has been added to the tabs, the Approval tab can be used to sign the content either online or offline. Online signatures can be completed by a user whose name was linked to the information on the Stakeholders tab. If online signature is available, the blue Sign Online or Offline button is available. If Offline is the only option, then the grey Not Signed/Sign Offline button is available.

Instructions:
1. Click the buttons to enable signing.
2. Select the checkbox for the desired option. 
NOTE: Only one signature at a time will be processed.
When the signature is complete, the name, date and method display.

SSP/POAM

The final tab is used for reporting the System Security Plan and Plan of Action and Milestones. Each report is a snapshot at a moment in time and cannot be revised once generated.

Instructions:
1. Click the Generate SSP button to create a report or the Generate POAM button to create a POAM.
2. To view the generated report, click the View button. 
NOTE: The most recent document always displays at the top of the list.
3. Click the View button to preview the POAM report.
Updated on August 22, 2022