What are Spot Checks for?

๐‚๐Œ๐Œ๐‚ ๐€๐ฌ๐ฌ๐ž๐ฌ๐ฌ๐ฆ๐ž๐ง๐ญ ๐’๐ฉ๐จ๐ญ ๐‚๐ก๐ž๐œ๐ค๐ฌ

“If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks. The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost. The limited spot check(s) will be within the defined Assessment Scope.” – CMMC Scoping Guide for Level 2

๐–๐ก๐š๐ญ ๐š๐ซ๐ž ๐’๐ฉ๐จ๐ญ ๐‚๐ก๐ž๐œ๐ค๐ฌ ๐Ÿ๐จ๐ซ? – ๐•๐ž๐ซ๐ข๐Ÿ๐ฒ ๐ฌ๐œ๐จ๐ฉ๐ข๐ง๐  ๐›๐จ๐ฎ๐ง๐๐š๐ซ๐ข๐ž๐ฌ
In my opinion, spot checks are meant to be used to confirm that a company’s proposed scoping is accurate.

During planning, the Lead Assessor should identify spot checks (tests) against suspected or common boundary failures (the risks).

A test could include asking users whether they send CUI via email (if email is categorized as a Contractor Risk Managed Asset or Out of Scope).
Another test could be attempting to copy data out of a VDI session (if the endpoints are categorized as Contractor Risk Managed Assets or Out of Scope).

Spot checks should be performed early in the assessment. If a spot check fails, the Lead Assessor may need to revise the asset categorization established during scoping. If asset categorization changes during an assessment, it is a Big Deal, and the C3PAO Quality Manager should be informed as soon as possible.

๐Ž๐ญ๐ก๐ž๐ซ ๐ข๐ง๐ญ๐ž๐ซ๐ฉ๐ซ๐ž๐ญ๐š๐ญ๐ข๐จ๐ง – ๐„๐ง๐ฌ๐ฎ๐ซ๐ž ๐’๐’๐ ๐š๐œ๐œ๐ฎ๐ซ๐š๐ญ๐ž ๐Ÿ๐จ๐ซ ๐‚๐‘๐Œ๐€
Another possible interpretation is that the assessor would spot check Contractor Risk Managed Assets to ensure that the security described in the System Security Plan is actually being performed for them. If this is correct, then it implies that CRMA are supposed to be fully documented regarding their performance or nonperformance of security controls in the System Security Plan.

I think there is a decent chance this interpretation is what the DoD intended, but I don’t see the purpose of doing this, because a failed spot check wouldn’t change the assessment result, except maybe a NOT MET on the SSP requirement? The DoD’s official guidance says that CRMA aren’t required to have any specific security applied.

๐Ž๐ญ๐ก๐ž๐ซ ๐ข๐ง๐ญ๐ž๐ซ๐ฉ๐ซ๐ž๐ญ๐š๐ญ๐ข๐จ๐ง – ๐’๐š๐ง๐ข๐ญ๐ฒ ๐œ๐ก๐ž๐œ๐ค ๐‚๐‘๐Œ๐€ ๐œ๐จ๐ง๐ญ๐ซ๐จ๐ฅ๐ฌ
I have talked to other people who interpret this scoping guidance as the assessor critiquing the security implementations for Contractor Risk Managed Assets and whether applied controls are appropriate for those assets. For example, the assessor might randomly decide that CRMA need to have storage at rest encryption. Then what?

This interpretation makes the least sense to me.

What do you think?
