The Security Assessment (CA) domain requires you to assess your organization's security controls, reassess them periodically, monitor them continuously, and maintain a System Security Plan.
Under CMMC 2.0, there are no Security Assessment practices at CMMC Level 1. There are four CA practices at CMMC Level 2 (CA.L2-3.12.1 through CA.L2-3.12.4, corresponding to NIST SP 800-171 requirements 3.12.1 through 3.12.4). At the time of writing, the CA practices for CMMC Level 3 are yet to be determined.
Let us dive into each of these practices to get a better understanding of them:
The first practice (CA.L2-3.12.1) requires you to periodically assess the security controls in your organizational systems to determine whether they are effective in their application.
A security control is any safeguard or countermeasure your organization has implemented to protect its systems and to meet its security requirements. Assessing these controls tells you whether they operate as intended and surfaces weaknesses or vulnerabilities before they become an incident.
Your organization may choose how often assessments are conducted, but the results must be current, relevant, and directly tied to the effectiveness of the controls being assessed.
The second practice (CA.L2-3.12.2) builds directly on the first. When an assessment identifies a weakness, deficiency, or vulnerability, you must develop and implement a plan of action to correct it and to reduce or eliminate the vulnerability in your systems.
A plan of action (commonly a Plan of Action and Milestones, or POA&M) is a document that records each security requirement not yet implemented, how and when that requirement will be met, and the mitigations planned to reduce the associated vulnerabilities in the meantime. Define clear objectives, milestones, and ownership for each item so the plan is comprehensive and can actually be tracked to closure.
The third practice (CA.L2-3.12.3) requires that the security controls you have in place be monitored on an ongoing basis, not just assessed at intervals, to ensure they remain effective.
Continuous monitoring gives you ongoing awareness of threats, potential vulnerabilities, and changes to your environment, so you can adjust control requirements and respond appropriately as conditions change.
Your organization can determine the monitoring frequency, but it must be frequent enough to support confident, risk-based decisions. The results of monitoring should feed directly into your response actions and, where a control is found deficient, into your plan of action.
The fourth practice (CA.L2-3.12.4) requires a System Security Plan (SSP): a document that describes system boundaries, the environments in which the systems operate, how the security requirements are implemented, any gaps in that implementation, and the relationships with or connections to other systems.
A System Security Plan need not be a single document; it can be a collection of documents that together explain your security measures and how each security requirement maps to the controls that satisfy it.
The SSP is not only relevant to this domain but is central to the entire CMMC process, since assessors use it to understand what is in scope and how each practice is implemented. There is a minimum expectation of what an SSP should include, which can be found on the ACQ website (https://www.acq.osd.mil/cmmc/documentation.html).
In summary, this domain covers how you assess your security controls, monitor those controls on an ongoing basis, and develop plans of action to address identified gaps or vulnerabilities. It also covers the SSP, a foundational document for your CMMC journey toward certification.
At CMMC Level 1, your organization has no obligations in this domain. At CMMC Level 2, your organization must implement and document the four practices described above. Here is some guidance on where you can start or what to look for:
Security Assessment is an important domain within CMMC, and its practices must be implemented by your organization. Both a self-assessment of a CMMC practice and an assessment performed by a Certified Assessor result in one of three findings: 'MET,' 'NOT MET,' or 'NOT APPLICABLE.'
To demonstrate CMMC Level 1 compliance, the contractor performs a self-assessment based on the CMMC 2.0 Level 1 Self-Assessment Guide and needs a finding of 'MET' or 'NOT APPLICABLE' on all 17 Level 1 practices. Security Assessment is not one of the Level 1 domains, so its practices do not apply there.
To demonstrate CMMC Level 2 compliance, the contractor must achieve a finding of 'MET' or 'NOT APPLICABLE' on all 110 Level 2 practices, verified by a C3PAO assessment (or, where the contract permits, a self-assessment). Level 3 builds on Level 2 and is assessed by the Government. A contractor can achieve CMMC certification for an entire enterprise network, for particular segments, or for a specific enclave, depending on the scope of the CMMC assessment.
At any CMMC level, a 'NOT MET' finding on a required practice means your organization is not compliant with that practice and must remediate it.