Who Owns CMMC Evidence Collection in a Small Business?

The Cybersecurity Maturity Model Certification, CMMC, is a critical part of ensuring robust and consistent information security from top to bottom throughout the Department of Defense’s supply chain.
A common misconception about CMMC, stemming from previous pre-CMMC security, is that it primarily applies to prime contractors and big businesses. The truth is that it applies to any business that handles Covered Defense Information (CDI), Federal Contract Information (FCI), or Controlled Unclassified Information (CUI).
This is both better and worse for some businesses, depending on where they sit in the supply chain. Some small businesses read articles like this and learn that they’re supposed to comply with CMMC, only to see the significant burden it imposes while they don’t handle any of the information it protects. Fortunately for those businesses, the Final Program Rule issued late last year clarifies that the CMMC requirements only flow down alongside the information they protect.
On the other hand, some businesses are quite small but do handle one of those types of information; these small businesses often thought they were exempt from the burden but now find they have to comply with CMMC the same as their much larger counterparts.
This leads to a lot of questions for businesses that are often not used to addressing the steep and specific concerns found in a governmental cybersecurity framework like CMMC. Among them is who, exactly, is responsible for different parts of CMMC like evidence collection?
There’s not necessarily a single answer here, so let’s go through the details.

BLUF – Bottom Line Up Front
The Cybersecurity Maturity Model Certification (CMMC) is key for solid information security in the Department of Defense’s supply chain. It affects any business dealing with Covered Defense Information, Federal Contract Information, or Controlled Unclassified Information. Compliance can be complex for small businesses, which must collect evidence to meet CMMC standards. Options for managing compliance include appointing a compliance manager, hiring a consultant, or working with a Certified Third-Party Assessment Organization (C3PAO). Automatic evidence collection tools can ease some tasks but not all.
What is Evidence in CMMC?
As always, the best place to start this kind of discussion is at the foundational level. So, what is evidence?
Evidence is proof, in some fashion, that a particular policy or security control has been implemented. With 110 security controls – some of which require more than one piece of evidence to prove – this means a very significant package of documents, artifacts, attestations, and other proof. In fact, there are 320 assessment objectives, each of which requires evidence.
One common roadblock is that there are broadly two kinds of evidence: subjective and objective.
Subjective evidence is evidence that looks good on paper but doesn’t actually provide proof beyond a statement. Since many of the security controls involved in CMMC are related to employee behavior, you’re expected to have company policies in place. Providing copies of those policies is good and an important part of your documentation package, but it’s not evidence.
For this kind of attestation, subjective evidence would be a statement from a department head or C-level that employees are aware of the policy and follow it. Unfortunately, “taking someone’s word for it” is not objective proof. Objective evidence would be something like:
- Test results for training modules your employees complete.
- Attendance records for training classes for your employees.
- Signed acknowledgment forms of the training for your policies.
This is also why auditors frequently ask to see processes demonstrated according to policy; they will often be checking to see if employee behavior is actually following policy or if the requirements have slipped out of focus.
Subjective evidence isn’t bad to have, but it falls under the old adage: trust, but verify.
Not all evidence relates to employee behavior, of course. Many of the CMMC security controls and assessment objectives relate to technical configurations. Additionally, sometimes, several assessment objectives can be proven using the same piece of evidence.
For example, the Password Complexity control – 3.5.7 in NIST SP 800-171A – reads:
- Enforce a minimum password complexity and change of characters when new passwords are created.
The assessment objectives for this one security control are:
- Determine if password complexity requirements are defined.
- Determine if password change of character requirements are defined.
- Determine if minimum password complexity requirements as defined (in a previous security control) are enforced when new passwords are created.
- Determine if minimum password change of character requirements as defined are enforced when new passwords are created.
That’s one security control with four assessment objectives. However, something as simple as a screenshot of (or link to) the configuration settings for password management, which can specify and stipulate these requirements, can prove all four at once.
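The same idea in code, as an added example that is not part of the original article: one automatically collected artifact (here a constructed pam_pwquality configuration in the style of /etc/security/pwquality.conf) is hashed, time-stamped, and mapped to the four 3.5.7 assessment objectives, using the [a] to [d] labels NIST SP 800-171A gives them. The keys minlen, minclass and difok are real pam_pwquality settings; the values and the definition/enforcement rule are assumptions for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample of a pwquality.conf; not taken from any real host.
SAMPLE_CONF = """\
# constructed sample configuration
minlen = 14      # minimum acceptable password length
minclass = 3     # minimum number of character classes
difok = 5        # characters that must differ from the old password
"""


def parse_pwquality(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def evaluate_3_5_7(text):
    """Build an evidence record tying one artifact to all four 3.5.7 objectives.

    Rule assumed here: a requirement is 'defined' when its key is present and
    'enforced' when the configured value is greater than zero.
    """
    s = parse_pwquality(text)
    minlen = int(s.get("minlen", 0))
    minclass = int(s.get("minclass", 0))
    difok = int(s.get("difok", 0))
    objectives = {
        "3.5.7[a]": "minlen" in s or "minclass" in s,   # complexity defined
        "3.5.7[b]": "difok" in s,                        # change of character defined
        "3.5.7[c]": minlen > 0 or minclass > 0,          # complexity enforced
        "3.5.7[d]": difok > 0,                           # change of character enforced
    }
    return {
        # Hash of the raw artifact so an assessor can verify it was not altered.
        "artifact_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "settings": s,
        "objectives": objectives,
        "all_met": all(objectives.values()),
    }


if __name__ == "__main__":
    print(evaluate_3_5_7(SAMPLE_CONF))
```

A record like this still needs the human side of the package: who collected it, from which system, and whether that file is the one PAM actually loads.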
For deeper reading:
These PDFs provided by the DoD go through each of the important security controls for each of the CMMC levels and outline the control, the assessment objectives, and the methods and objects for assessing those objectives through direct examination, personnel interviews, and testing. They also contain discussion to answer questions you might have about each section.
What is the Evidence Collection Process?
Even just reading the above, you might find yourself starting to withdraw or glaze over sections, and we’re just providing a very brief summary of the CMMC evidence system. It’s no wonder that small businesses, faced with the daunting task of going through these hundreds of details, are confused.
CMMC compliance is very complex, even for small businesses, even for Level 1. This complexity is one of the heaviest burdens for small businesses that want to work with the Department of Defense in the Defense Industrial Base. The reward – the federal contracts – is worth it, but the time, money, and labor involved in achieving that compliance in the first place is steep.
The process for evidence collection is just one step along the overall process of compliance.
- Begin with a thorough analysis of your own business, your contracts, the information you handle, and the requirements set out by CMMC. This, at a bare minimum, informs you what level of CMMC you need to achieve.
- Perform a gap analysis to identify the difference between your current security implementation and the implementation you need.
- Go through each security control and implement it according to the requirements laid out in your relevant level of CMMC.
- Collect evidence as you go. If you’ve already achieved an adequate level, document it. If you’re only now implementing it, document it when you finish. Compile this evidence in a central location for use by the auditor, who will review it later.
- Undergo the auditing process to identify your standing according to objective markers. If necessary, develop and implement POA&Ms to improve areas where you fell short.
- Establish continuous monitoring to ensure that your security standards are kept up to date, gaps don’t appear (or are addressed when they do), and incidents are detected and reported if and when they occur.
Collecting evidence amounts to documenting the work you’ve done and the state of your security to prove you’re doing what you need to do to achieve compliance.
Are Automatic Evidence Collection Apps Viable?
Many small businesses, especially in tech where automation, outsourcing, and even AI tools are commonplace shortcuts to achieve end results, look to automatic apps for anything that requires a lot of work.
Indeed, there are some apps, modules for platforms like Azure, or stand-alone tools that help with automatic evidence gathering for CMMC. Some are designed to be framework-agnostic, while others are specifically designed for CMMC itself, often Level 2.
Do these work, and are they viable?
The answer is a tentative, qualified “yes”.
Yes, they work, but:
Depending on how the tool works, the tool itself may need to be certified, and not all of them are. After all, by working with you and accessing systems that handle covered information, it becomes part of the DIB.
The tool needs deep access to a lot of different systems, and the more bespoke or cobbled-together your business’s operations are, the harder it is for a tool to easily link in and gather information. In some cases, getting it to work is more effort than simply harvesting the evidence directly.
There are many security controls and assessment artifacts that cannot be collected automatically. Some, like signed employee attestations, can be aggregated in a location that can be reached; others, like personnel interviews and more direct and observational evidence, can’t be gathered automatically.
In the end, often, these automatic platforms can only do half or less of the actual work of gathering evidence and have a steep cost in money and effort of their own. Whether or not they save you time or effort depends a lot on your specific environment.
Who “Owns” Evidence Collection in CMMC?
All of this brings us back to one major question: who is responsible for all of this?
Actual evidence collection can often be done by the people who are actually implementing the policies and security, when it’s done. That can be as simple as the engineer setting the firewall configuration taking a screenshot when they’re done, or it can be more complex.
That does not, however, mean that the engineer in question “owns” that system or that evidence. At some point, there needs to be a stakeholder who bears the overall responsibility of evidence collection itself.
For larger businesses and the standard CMMC process, the business appoints a compliance manager to oversee everything. This individual coordinates with internal and external stakeholders, develops policies that work for the business, and oversees the complete checklist of everything necessary to achieve CMMC compliance. That includes evidence collection.
What happens, though, if your business is small? An owner, a couple of directors, a few engineers, a sales rep, a customer service agent; if you only have a dozen or so employees, all of whom have a lot on their plates (especially when you’re adding the burden of implementing CMMC in the first place), it can be tough to find someone who can take on the overall burden of guiding CMMC implementation.
Generally speaking, you have a few options.
Option 1: Appoint someone as compliance manager and do your best.
When budgets are tight, sometimes the only option available to you is to appoint the most likely person – an IT director or similar managerial role – to the CMMC compliance officer role and have them do their best.
The good news is that there is ample guidance available, from checklists to the DoD-provided PDFs linked above, which can help educate your newly-appointed stakeholder and help them through the process.
The bad news is, since CMMC is so individualized to the company, there’s no one-size-fits-all solution, and there are certainly bound to be issues along the way. Whether those delay implementation, cause conflicts, lead to POA&Ms, or lead to a failed audit, depends on what they are.
The burden of an entirely new educational requirement, just learning the ins and outs of CMMC and the underlying NIST SP 800-171, is itself significant as well. Still, if you don’t have the budget to do otherwise, it may be your best choice.
Option 2: Hire a consultant to handle the task of being a compliance manager.
Another option many small businesses take is to hire someone who has CMMC experience and can help a company through the process. There are many consultants available, though finding them can be the hard part. The CyberAB has a marketplace of accredited service providers, and there are various third-party marketplaces as well, such as this one.
While this can be a good option, you do need to make sure to vet the consultant you hire and ensure they can work with your business. You may also still need a designated stakeholder in your business who communicates with your consultant and guides the work, so you are back where you started.
Option 3: Work with a C3PAO to handle compliance guidance tasks.
For Level 1 CMMC, a Certified Third-Party Assessment Organization is allowed to help guide self-assessments and even assist with implementation. For levels 2 and 3, the C3PAO is only allowed to provide guidance, and the final audit has to be conducted by a different C3PAO to avoid conflict of interest.
This is where we come in. At Ignyte, we have several ways to help.
First, the Ignyte Platform. Our platform was designed in conjunction with the Air Force to be a framework-agnostic, centralized, non-siloed hub for gathering information and evidence for security and compliance. While it’s not going to do everything for you, it definitely helps streamline the evidence-gathering process through communication, centralization, workflow automation, and insights, as well as monitoring tools. You can see it in action by booking a demo here.
Another way we help with CMMC is by being a resource. Our blog is packed with useful information, our podcast goes through the trickiest aspects of security compliance, and we’re always open to emails if you have questions.
Finally, another way we can help is as a service provider. We’ve been accredited with the CyberAB to provide our services within the United States to DIB contractors seeking certification. You can find our listing here, and of course, reach out and contact us directly.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.