Phase 3 of the NIST SP 800-171/CMMC Consulting methodology is Remediation. In this phase, we are working the to remediate all of this issues identified in the Gap Assessment and programmed for in an organization’s POA&M.
Peak InfoSec's NIST SP 800-171 & CMMC Consulting Methodology Phase 3: Remediation

Consulting Phase 3: Remediation

Phase 3 is all about correcting the deficiencies identified in Phase 1 and working the Plan of Action & Milestones (POA&M) from Phase 2 to get all of the NIST SP 800-171 Security Requirements to MET.  It is also where we work with your team to generate the three types of evidence reviewed by an Authorized C3PAO during the formal Conformity Assessment.

Step 1: Remediate

This step is simply executing and implementing the fixes needed to resolve the deficiencies identified in the POA&M.  As we work on correcting the issues, we see Policies, Plans, Procedures, and Organization Defined Parameters (ODP) take shape and get enforced.  For organizations that don’t have existing Policies, Plans, and Procedures, we make our white label versions available free of charge.

Also in the remediation step, we start generating capturing technical configurations that become a part of the configuration baseline and core to evidence needed during the C3PAO Conformity Assessment.

Step 2: Governance

DO NOT underestimate how critical Governance is.  The reason Governance shows up as a cog in the image is simply because it is and without it functioning in this Phase, your organization will flounder and get nothing done.

This is NOT an IT problem.  The corrections needed for 95% of the organizations we deal with will reshape your business culture and processes.

At Peak InfoSec, we require the organizations we work with to stand up a governance board with key executive leadership.  IT is also there.  Organizations that follow our advice succeed in getting this done.

Frankly, Peak InfoSec fires customers who don’t stand up this function.  Dependent upon how much organizations are using us in the Remediation Phase, we range from being a Subject Matter Expert to being the last-to-vote Chair of the governance team.  Companies that work with us during governance efforts also get access to our complete governance slide decks and decision points which we walk your organization through.

Step 3: Pre-Assessment Readiness Review

The Pre-Assessment Readiness Review (PARR) is where we go back through each requirement, our Security Assessment Report, and the related POA&M items to make sure we can mark the deficiency as corrected and the Assessment Objective/Security Requirement as MET.

This is where we finalize all of the evidence and map them as examination evidentiary objects for your SSP.  It is also in the Remediation Phase and really towards the end, that your SSP is finalized.

This Phase repeats until all Security Requirements can be marked as MET and all POA&Ms related to deficiencies are closed.

In this phase we “discover” the “server under the desk” that was not discussed in the Gap Assessment Phase.  This is very normal and is why the diagram shows lines going back to the Design & Plan Phase.

Step 4: Contract C3PAO

Once we have all of this done, and sometimes a bit before everything is finalized, we will pull together the Book of Evidence, which at the center of your SSP, and help you pick anther C3PAO for your Conformity Assessment.

We will recommend you speak with other C3PAOs who are familiar with our consulting approach and how we help you document your SSP and evidence.  This also helps to reduce your risks during a Conformity Assessment.  Because of our relationships with other C3PAOs, we can reach out to their executives in case one of their Assessors brings their bias and starts marking things as NOT MET that should be MET.

Consulting Phase 3: Remediation Deliverables

Deliverables coming out of Phase 3 are:

  • Your Finalized SSP
  • Evidentiary artifacts
  • Your Policies, Plans, & Procedures

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)