Identifying a Certified Third Party Assessing Organization (C3PAO)
It is worth taking some time to find the right C3PAO for an organization.
The community is invited to use the guide and matrix released by the ND-ISAC (the C3PAO Shopping Guide) and is encouraged to ask a potential assessor questions such as the following to find the right fit for their environment:
SPA Categorization
- Some assessors believe that a Security Protection Asset (SPA) includes any system component that is used in an organization's System Security Plan (SSP) as supporting evidence. Other assessors only identify an SPA as a system that provides protection to components, as stated in the NIST 800-171 publication. Talk to your assessor about what they will expect to see from you in an environment like yours.
- Ask your C3PAO whether they consider a system mentioned in the SSP solely for the purpose of providing evidence toward an assessment objective to be an example of an SPA, or whether they believe an SPA has to provide a security function, such as a SIEM or EDR. The answer will affect the level of effort needed to provide evidence for an assessment. NIST 800-171 states that "The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components".
- You may simply ask: "Which controls will you assess for SPAs?"
Browser used to Access CUI
- Many organizations access and modify CUI documents through a web browser while restricting the ability to download and print. Some DoD components also use the browser for accessing Government information; one example is the Navy's use of "Flank Speed." When a document is opened in a browser, information is still processed on the endpoint. If that endpoint is not part of the organization's information system and is not controlled, it could be a finding. Some assessors will fail an organization for using a browser on an asset that is not controlled; others will not. As an alternative, there are solutions such as VDI, or technologies that deliver only a pixel representation of a browser, that would pass assessment. If you are using a VDI browser application to access CUI, ask your assessor whether they would fail the organization for it.
CUI at Alternate Worksites - Work From Home (WFH)
- When CUI physically exists at alternate work sites, the CUI must be physically protected. The physical protections may include locked filing cabinets, safes, or locked briefcases, for example. Some organizations even allow WFH users to print to corporate-issued printers in their homes. At some level, the physical security of a user's home is providing safeguarding for that CUI. Some assessors will assess the WFH environment remotely, relying on policy and training, a user interview, or even a demonstration on camera by a WFH user. Other assessors will require an in-person site visit to a representative WFH environment. Still others won't assess you at all if you have CUI at home. If you allow physical CUI at your users' homes, ask your assessor how they plan to assess your WFH environment, or whether they will assess it at all.
Other more specific questions to consider, depending on your environment:
- Do you believe that Security Protection Data (SPD) is CUI?
- Is it acceptable to store FIPS 140-2 encrypted CUI in a cloud that is not FRME (FedRAMP Moderate Equivalent)?
- What do you consider to be a Cloud Service Provider that requires FedRAMP?
- How do you define logical separation?
- Is OneDrive in scope if local CUI folders are excluded?
- Which controls do you believe need to be applied to Contractor Risk Managed Assets (CRMA)?
- Would you accept N/A for a control without a waiver from DoD?
- What are the risk management practices considered minimum for Specialized Assets (like CNC machines, lab equipment, test equipment)? Do they need to be segmented?
C3PAO Stakeholders Forum
Many assessors are involved in a voluntary, informal group that is not associated with the AB. They post position papers that may also provide insight into how assessments may be run in your environment. Not all assessors are part of the group, but the community is well respected and very active in the industry.