
CMMC On-Site Assessments Are Optional

Tags: CMMC, Compliance, Governance, Risk & Compliance (GRC), NIST 800-171 R2, NIST 800-171 R3
ComplianceForge
September 9, 2025

Too Long; Didn't Read (TL;DR): There is no mandatory on-site requirement in CMMC. The CMMC Assessment Process (CAP) leaves it to the discretion of the Lead CCA / C3PAO to determine the optimal logistical approach for validating the implementation of the specified CMMC requirements.

  • If the Lead CCA / C3PAO determines a remote assessment can be conducted, then that is acceptable.
  • If the Lead CCA / C3PAO determines that assessors must be on-site to properly evaluate those requirements, then that is equally acceptable.

This is where interviewing C3PAOs is critical, so that the OSC and C3PAO agree on how the assessment will be performed before it is scheduled. Getting a C3PAO's on-site vs remote determination confirmed up front can mean a difference of thousands to tens of thousands of dollars in the cost of a CMMC assessment.


This is another case of "the road to hell is paved with good intentions" within Cybersecurity Maturity Model Certification (CMMC), where CMMC Third-Party Assessment Organizations (C3PAOs) read a requirement into the text that is not there, specifically around Section P.11 of the CMMC Assessment Process (CAP).

Official Requirements For On-Site CMMC Assessments

Section P.11 can be found on page 10 of the CAP and states: "Another consideration of framing the assessment involves determining assessment location(s), including what security requirement objectives of the assessment might be assessed virtually or in-person on the OSC premises. The Lead CCA and/or the C3PAO should consider the optimal logistical approach for implementation validation of the following 18 CMMC security requirement objectives to ensure adequate assessment scope and depth:

  • CM.L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
  • MA.L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
  • MP.L2-3.8.1[c]: Paper media containing CUI is securely stored.
  • MP.L2-3.8.1[d]: Digital media containing CUI is securely stored.
  • MP.L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
  • MP.L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
  • PE.L1-3.10.1[b]: Physical access to organization systems is limited to authorized individuals.
  • PE.L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
  • PE.L1-3.10.1[d]: Physical access to operating environments is limited to authorized individuals.
  • PE.L2-3.10.2[a]: The physical facility where organizational systems reside is protected.
  • PE.L2-3.10.2[b]: The support infrastructure for organizational systems is protected.
  • PE.L2-3.10.2[c]: The physical facility where organizational systems reside is monitored.
  • PE.L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
  • PE.L1-3.10.3[a]: Visitors are escorted.
  • PE.L1-3.10.3[b]: Visitor activity is monitored.
  • PE.L1-3.10.5[b]: Physical access devices are controlled.
  • PE.L1-3.10.5[c]: Physical access devices are managed.
  • SC.L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use.

NOTE: For OSC CMMC-scoped environments that DO NOT have physical and/or environmental controls due to a cloud environment or other factors that negate conducting an "on-site" portion of the assessment, the applicability of these requirements should be addressed between the OSC and the C3PAO in Phase 1."

Shall vs Should Clarification

The crucial element in this section is that it is a SHOULD statement: "The Lead CCA and/or the C3PAO should consider the optimal logistical approach for implementation validation..." There is no "shall" or "must" statement, and nothing in P.11 says that any of the 18 objectives has to be assessed in person.

NIST's glossary does not define the terms "must" and "should", but Acquisition.gov does, in the definitions section of the Federal Acquisition Regulation (FAR), Part 2:

  • The terms "must" and "shall" are treated as synonymous and are defined as "denotes the imperative" (note: imperative means the action is mandatory, not permissive or optional).
  • The term "should" is defined as "an expected course of action or policy that is to be followed unless inappropriate for a particular circumstance."

Bottom Line Requirements

There is no mandatory on-site requirement in CMMC. It is at the discretion of the Lead CCA / C3PAO to determine the optimal logistical approach for validating the implementation of the specified CMMC requirements.

  • If the Lead CCA / C3PAO determines a remote assessment can be conducted, then that is acceptable.
  • If the Lead CCA / C3PAO determines that assessors must be on-site to properly evaluate those requirements, then that is equally acceptable.

Why Is This Important?

The travel-related expenses of bringing assessors on-site for several days can add thousands to tens of thousands of dollars to the cost of an assessment.

This is where interviewing C3PAOs is critical, so that the OSC and C3PAO agree on how the assessment will be performed before it is scheduled. Getting a C3PAO's on-site vs remote determination confirmed in writing is a necessary due diligence step in the CMMC assessment process. Picking the wrong C3PAO can be a costly mistake.

How Do You Prove The CMMC Requirements Remotely?

Assuming you pick a C3PAO that is open to remote assessment, the best approach is to thoroughly document your physical security measures in a Physical Security Plan (PSP). The PSP hands the assessor the necessary information "on a silver platter" and makes assessing the controls very efficient: it lets the assessors understand every in-scope facility, the physical security controls implemented at each, and how each of the 18 objectives listed in P.11 is satisfied (or why it does not apply, which is the applicability discussion the CAP says should happen between the OSC and the C3PAO in Phase 1). With that information in hand, the C3PAO may only ask for a virtual walkthrough over FaceTime or a similar video call to validate that, for example, the server room door is locked or the visitor sign-in process exists as documented in the PSP. That is efficiency that leads to enormous savings.