CMMC 2.0 Assessment Objectives #2604
Comments
|
Hi Daniel, In our initial DRAFT version of CMMC 2.0 (and many of the other assessments that we offer here on CSET) we provide the assessment objectives (sometimes called “criteria for yes”) and extensive supplemental guidance materials for each assessment question in our “Guidance” section. This allows our users to expand the “i” icon for the additional implementation guidance necessary to properly and effectively evaluate and, after considering the assessment objectives, input a response to an assessment question. Users should also utilize the “References” icon for a full collection of links (that open in separate window) for each assessment’s authoritative source docs and additional guidance material to actively consult during an assessment. This information is provided and intended to help the user/assessor evaluate the appropriate criteria for a “yes” response and/or the full/partial implementation of a control, before recording the answer to a question in CSET. Additionally, we offer the “Observations” and user “Comments” functions to make notes re: POAM-type plans/actions and additional observations/info for each question, along with our “Mark for Review” flag to denote questions that need to be reviewed later. Finally, users can take advantage of our “Documents/Artifacts” function which allows the attaching of evidence, POAM-type info, and other documents helpful for rationale/justification purposes. As denoted by the title, this is a Draft CMMC 2.0 version which are working hard to improve, so we appreciate your input and will continue to work to improve the working draft through its final release. If you would like a demo of how the various CSET functionality described above works, please check out our YouTube video https://www.youtube.com/watch?v=TCiLJZdv1zA or contact us for a demo. Thanks again for reaching out! |
|
CMMC 32 CFR Part 170 was published in the Federal Register on October 15th, 2024 and will be effective December 16th, 2024. The Final Rule is available for review at: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program Please update the CSET Tool to the Final CMMC 2.0 Rule. Please advise if there is anything we, as the CMMC community, can do to assist in updating the tool. |
🚀 Feature Proposal
Expand the question set for CMMC 2.0 to the Assessment Objective level.
Motivation
Feedback from auditors is that they are assessing these individually, rather then the top level control.
Example
AC.L1-3.1.1 is one practice, however has 6 separate assessment objectives. These need to be addressed individually for an assessor to confirm that the practice is fully met.
Pitch
Allows for fine grained detail on what practices are met and what are not. In many cases, some (but not all) of the assessment objectives are met, and the remaining require action. By separating the assessment objectives out, it is easier to highlight the practices that are not met, and thus the POAM.
The text was updated successfully, but these errors were encountered: