CMMC Assessment Module Quick Start Guide

RapidFire Tools, Inc.


Compliance Manager CMMC Quick Start
QUICK START GUIDE
Compliance Manager for CMMC (Cybersecurity Maturity Model Certification)
Instructions to Perform a CMMC Assessment
9/21/2021 10:27 AM

Compliance Manager

Compliance Manager for CMMC -- Quick Start Guide

Contents

Performing a CMMC Assessment ... 4
Compliance Manager for CMMC ... 4
Compliance Manager for CMMC Assessment Overview ... 5
Network Prerequisites for Assessment Scans ... 6
Pre-Scan Network Configuration Checklist ... 7
Checklist for Domain Environments ... 7
Checklist for Workgroup Environments ... 9
Step 1 -- Add Organizations ... 12
Add an Organization ... 12
Step 2 -- Create a New Site ... 14
Step 3 -- Use the To Do List to Complete Tasks ... 21
Re-run or Modify To Do Items ... 21
Assessment Progress Bar ... 23
Step 4 -- Set Up the CMMC Assessment Project ... 25
Step 5 -- Install and Configure the Compliance Manager Server ... 31
Configure Scan Settings for Active Directory Domain ... 32
Configure Scan Settings for Workgroup ... 40
Step 6 -- Start Assessment and Perform Pre-Scan Analysis ... 47
Step 7 -- Collect CMMC Assessment Data ... 51
Attach Supporting Documents ... 54
Select Multiple Fields ... 56
Copy and Paste Responses ... 57
Which CMMC Level Should I Choose? ... 64
Change Assessment Level ... 64
Step 8A -- Complete Level 1 CMMC Worksheets ... 66
Note Regarding Worksheet Cross References to NIST SP 800-171 ... 66
Step 8B -- Complete Level 2 CMMC Worksheets ... 73
Note Regarding Worksheet Cross References to NIST SP 800-171 ... 73

© 2021 RapidFire Tools, Inc. All rights reserved. 2

Step 8C -- Complete Level 3 CMMC Worksheets ... 91
Note Regarding Worksheet Cross References to NIST SP 800-171 ... 91
Step 9 -- Document Compensating Controls ... 107
Step 10 -- Generate CMMC Assessment Reports ... 109
Optional Task: Export Issues to Kaseya BMS ... 110
Step 1 -- Gather Credentials and Set Up Kaseya BMS ... 110
Step 2 -- Set Up a Connection to your Kaseya BMS ... 111
Step 3 -- Map your Compliance Manager's Site to a Kaseya BMS ... 116
Step 4 -- Export Issues to Kaseya BMS ... 117
Step 11 -- Complete and Archive your CMMC Assessment ... 119
Archiving Assessments ... 119
Step 12 -- Start a New CMMC after Completing a Previous Assessment ... 120
CMMC Assessment Reports ... 121
CMMC Compliance Reports ... 121
Supporting Documentation ... 124
Worksheets by Assessment Level ... 125
CMMC Risk Update Assessment Reports ... 130
Appendices ... 131
Pre-Scan Network Configuration Checklist ... 132
Checklist for Domain Environments ... 132
Checklist for Workgroup Environments ... 134
Compliance Manager Cyber Insurance Add On ... 137
CMMC To Do Task Complete List ... 143


Performing a CMMC Assessment
Compliance Manager for CMMC
The Cybersecurity Maturity Model Certification (CMMC) presents a standard for achieving cybersecurity for companies that comprise the defense industrial base (DIB). The United States Department of Defense (DoD) formulated the CMMC to improve the cyber-security posture of the DIB supply-chain.
Compliance Manager for CMMC combines automated data collection with a structured framework for collecting supplemental assessment information not available through automated tools.
It is the first solution to allow for the automatic generation of the key documents that are necessary to demonstrate compliance with the CMMC framework. More than just documents to satisfy a compliance requirement, Compliance Manager provides factual evidence, expert advice, and direction to minimize or eliminate the risk of a data breach.
You can compare Compliance Manager for CMMC to getting a medical exam. Compliance Manager automates the `lab tests' for the technology environment. It includes interview and survey features to gather information manually. In addition, it provides a recommended treatment plan.
You can learn more about the CMMC model at: https://www.acq.osd.mil/cmmc/index.html.


Compliance Manager for CMMC Assessment Overview
Compliance Manager for CMMC combines 1) automated data collection with 2) a structured framework for collecting supplemental assessment information through surveys and worksheets. To perform a CMMC Assessment, you will:
· Access and log in to the RapidFire Tools Portal
· Create a site and set up a project
· Install the Compliance Manager server on the target network
· Collect data from the target network using the Portal's guided To Do List
· Generate CMMC Assessment reports and documentation


Network Prerequisites for Assessment Scans
For a successful network scan:
1. ENSURE ALL NETWORK ENDPOINTS ARE TURNED ON THROUGHOUT THE DURATION OF THE SCAN. This includes PCs and servers. The scan can last several hours.
2. CONFIGURE THE TARGET NETWORK TO ALLOW FOR SUCCESSFUL SCANS ON ALL NETWORK ENDPOINTS. See "Pre-Scan Network Configuration Checklist" on the next page for configuration guidance for both Windows Active Directory and Workgroup environments.
3. GATHER THE INFORMATION BELOW TO CONFIGURE YOUR SCANS FOR THE CLIENT SITE. Work with the project Technician and/or your IT admin on site to collect the following:
· Admin network credentials that have rights to use WMI, ADMIN$, and File and Printer Sharing on the target network.
· Internal IP range information to be used when performing internal scans.
  Note: Compliance Manager will automatically suggest an IP range to scan on the network. However, you may wish to override this or exclude certain IP addresses.
· External IP addresses for the organization to be used when setting up External Vulnerability Scans.
· RapidFire Tools Portal User Credentials.
· For Windows Active Directory environments, you will need admin credentials to connect to the Domain Controller, as well as the name/IP address of the domain controller.
· For Windows Workgroup network environments, a list of the Computers to be included in the Assessment and the Local Admin Credentials for each computer.


Pre-Scan Network Configuration Checklist
RapidFire Tools products can gather a great deal of information from the target network with little advance preparation, and with very little footprint! However, if you are having trouble with scans, or you have the ability to configure the target network in advance, we recommend the settings below.
These checklists detail the recommended network configurations for both Windows Domain and Workgroup environments.
Note: You must have the .NET 3.5 framework installed on machines in order to use all data collector and server/appliance tools.

Checklist for Domain Environments
Share this checklist with your IT Administrator and ask them to configure your network's Domain Controller as follows (check off each item as it is completed):

Domain Configuration

GPO Configuration for Windows Firewall (Inbound Rules)
· Allow the Windows Management Instrumentation (WMI) service to operate through Windows Firewall. This includes the following rules:
  · Windows Management Instrumentation (ASync-In)
  · Windows Management Instrumentation (WMI-In)
  · Windows Management Instrumentation (DCOM-In)
· Allow File and Printer Sharing to operate through Windows Firewall. This includes the following rules:
  · File and Printer Sharing (NB-Name-In)
  · File and Printer Sharing (SMB-In)
  · File and Printer Sharing (NB-Session-In)
· Enable Remote Registry "read only" access on computers targeted for scanning.
  Note: Remote Registry access should be restricted to the user account credentials that will be used during the network and local computer scans.
· Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.
  Windows firewall rules on Windows computers may need to be created/enabled to allow a computer:
  · operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to Windows computers and network devices
  · to send ICMP echo reply messages in response to an ICMP echo request
  Note: ICMP requests are used to detect active Windows computers and network devices to scan.

GPO Configuration for Windows Services
· Windows Management Instrumentation (WMI) · Startup Type: Automatic
· Windows Update Service · Startup Type: Automatic
· Remote Registry · Startup Type: Automatic
· Remote Procedure Call · Startup Type: Automatic

Network Shares
· Admin$ must be present and accessible using the supplied credentials (usually a local admin or a user in the local computer's Administrators security group).

3rd Party Firewalls
· Ensure that 3rd party firewalls are configured similarly to the Windows Firewall rules described within this checklist.
  Note: This is a requirement for both Active Directory and Workgroup networks.

Checklist for Workgroup Environments
Before you perform a workgroup assessment, run the following commands from an elevated PowerShell window on the computers in the target network and on the machine that will perform the scan. These three configurations should help you avoid most issues in a workgroup environment. Each command is followed by an explanation and a link to Microsoft documentation.
1. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
   By default, UAC only allows remote administration tasks to be performed by the built-in Administrator account. To work around this, this command sets the LocalAccountTokenFilterPolicy registry value to 1. This allows any local admin to perform remote administrative tasks (i.e. access to system shares such as C$ and Admin$).
   https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
2. netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
   This command enables the Inbound firewall rule group that allows access to the WMI service and namespaces.
   https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
3. netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
   This command enables the Inbound firewall rule group for File and Printer Sharing on the machine. File and printer sharing is required in order to access the Admin$ share on remote machines.
   https://answers.microsoft.com/en-us/windows/forum/all/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354

You can also share this checklist with your IT Administrator and ask them to configure each computer in your workgroup as follows (check off each item as it is completed):

Workgroup Configuration

Network Settings
· Admin$ must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan.
· File and printer sharing must be enabled on the computers you wish to scan.
· Ensure the Windows Services below are running and allowed to communicate through Windows Firewall:
  · Windows Management Instrumentation (WMI)
  · Windows Update Service
  · Remote Registry
  · Remote Desktop
  · Remote Procedure Call
· Workgroup computer administrator user account credentials.
  Note: Before configuring scan settings for workgroups, prepare a list of the administrator user account credentials for each workgroup computer for entry into the scan settings wizard.
· Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.
  Windows firewall rules on Windows computers may need to be created/enabled to allow a computer:
  · operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to Windows computers and network devices
  · to send ICMP echo reply messages in response to an ICMP echo request
  Note: ICMP requests are used to detect active Windows computers and network devices to scan.
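The script below is an added example and is not part of the RapidFire Tools guide or product. It audits, on the local computer, the three settings changed by the workgroup commands above plus the services in the workgroup checklist, and with the (hypothetical) -Revert switch puts the Windows defaults back once the scan is finished, since LocalAccountTokenFilterPolicy=1 lifts UAC's remote restriction for every local administrator account, not only the scanning account. It assumes Windows 8 / Server 2012 or later (NetSecurity cmdlets), an elevated session, and that both firewall rule groups were disabled before the assessment.

```powershell
# Added example, not from the RapidFire Tools guide. Audits the workgroup pre-scan
# settings (LocalAccountTokenFilterPolicy, the WMI and File and Printer Sharing
# inbound rule groups, and the checklist services); -Revert restores the defaults.
# Assumes: Windows 8 / Server 2012 or later (NetSecurity module), an elevated
# PowerShell session, and that the two rule groups were disabled before the scan.
[CmdletBinding()]
param(
    [switch]$Revert   # hypothetical switch name chosen for this example
)

$RegPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RuleGroups = @('Windows Management Instrumentation (WMI)', 'File and Printer Sharing')
# Service names behind the checklist entries: WMI, Windows Update, Remote Registry,
# Remote Desktop, Remote Procedure Call.
$Services   = @('Winmgmt', 'wuauserv', 'RemoteRegistry', 'TermService', 'RpcSs')

function Get-PreScanState {
    $policy = (Get-ItemProperty -Path $RegPath -Name LocalAccountTokenFilterPolicy `
               -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    # Absent or 0: remote logons by local admins other than the built-in Administrator
    # get a filtered (non-elevated) token. 1: the weaker setting the scan relies on.
    $policyText = if ($null -eq $policy) { 'not set (default: remote UAC filtering on)' } else { $policy }
    $state = [ordered]@{ 'LocalAccountTokenFilterPolicy' = $policyText }

    foreach ($group in $RuleGroups) {
        $rules   = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
        $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        $state["Inbound rules enabled ($group)"] = "$enabled of $($rules.Count)"
    }

    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state["Service $name"] = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
    }
    [pscustomobject]$state
}

function Undo-PreScanChanges {
    # Deleting the value is equivalent to the default of 0, so the guide's reg add is
    # reversed rather than overwritten and no stray policy value is left behind.
    Remove-ItemProperty -Path $RegPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    foreach ($group in $RuleGroups) {
        Disable-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    }
}

Write-Host 'Pre-scan settings as currently configured:'
Get-PreScanState | Format-List
if ($Revert) {
    Undo-PreScanChanges
    Write-Host 'Settings after reverting to the Windows defaults:'
    Get-PreScanState | Format-List
}
```

Run it once before the scan to confirm the three changes took effect, and again with -Revert after the assessment so the relaxed UAC and firewall settings do not outlive the engagement.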


To complete a CMMC Assessment, follow these steps:
Step 1 -- Add Organizations
Before you begin your first IT or compliance assessment, you can optionally create an organization. Think of an organization as a folder in which you can store assessment projects for a particular client. For example, if a client has multiple sites or distinct networks that you want to assess individually, use an organization to keep these client sites in one neat container. Much like folders in Windows Explorer, you can create multiple organizations and can move your sites between them.
Add an Organization
To add an organization:
1. Access the RapidFire Tools Portal at https://www.youritportal.com and log in with your credentials.

2. Access the Organizations page from the top-menu. Select All Organizations from the side menu.

3. Then click Add Organization.
4. Enter an organization name. For example, this might be the name of a large client or company for whom you want to create multiple sites and types of IT and compliance assessments. Then click Confirm.
5. You can see each organization you've created from the left-side menu.


6. From the button you can rename or delete the organization. You can also see the number of sites grouped under the organization.

Step 2 -- Create a New Site
Tip: We recommend you get started by making a "practice site" and running your first assessment in-house. Use this to familiarize yourself with Compliance Manager and the installation and configuration process.
The first step in performing a CMMC Assessment is creating a "Site". Sites help you organize your assessments. This task is performed by the Site Administrator. To create a site:

1. Access the RapidFire Tools Portal at https://www.youritportal.com and log in with your credentials.

2. From the Sites page, click Add Site.
3. Enter a Site Name. This can be the name of the client for whom the assessment is being performed, for example.
4. Under Site Type, select Compliance Manager and your assessment type.
   · If you wish to perform a GDPR assessment, select GDPR.
   · If you wish to perform a HIPAA assessment, select HIPAA.
   · If you wish to perform a Cyber Insurance assessment, select Cyber Insurance.
   · If you wish to perform a NIST CSF assessment, select NIST.
   · If you wish to perform a CMMC/NIST 800-171 assessment, select CMMC/NIST 800-171.

Note:
· If you are a direct-to-customer or SMB user, you will not need to provision a license for your Site. Click Confirm and proceed to "The Site Home page will appear. Click the Compliance Manager tab." on page 20.
· If you are an MSP user, you will need to select a license to use with each of your Sites. This license determines how many endpoints you can manage at the Site. Proceed to "Click Next. Select an Organization Folder for the new site." below.

5. Click Next. Select an Organization Folder for the new site.

6. Select a subscription option (MSP only). You can choose to:
a. Use an Existing License you have purchased previously. Select the existing license from the drop-down menu and click Next.

b. Create a New Subscription. Select the subscription option from the dropdown menu and click Next.

Note: You have 10 FREE Site licenses as part of your initial Compliance Manager subscription. Each of these licenses can cover a site with up to 250 computers. Select one of these free licenses for use with your first 10 new Sites. We suggest that you use 1 of the 10 licenses for your own internal use, such as familiarizing yourself with the product and assessment processes.
If you wish to purchase additional licenses or upgrade to a higher license (500 and above), you will be billed extra. Contact your Sales Representative for more details.

7. The Site Home page will appear. Click the Compliance Manager tab.

The Site To Do page will appear.


Step 3 -- Use the To Do List to Complete Tasks
The To Do List will guide you through the CMMC Assessment process. It presents the tasks you need to complete for the assessment. To use the To Do List:
1. From the [Your Site] > Compliance Manager tab, click To Do.

The Site's To Do list will appear.

2. Click on a To Do item to open more detailed information and instructions about each step in the assessment process.
Tip: The Task steps in this quick start guide walk you through each To Do task. Note that the tasks may appear in a different order depending on which tasks you complete first.
Re-run or Modify To Do Items
Some To Do items can be re-run or modified after they have been completed.
· Automated Scans can be re-run directly from the To Do item. Re-running a scan will reset whatever forms were generated from that scan. Any data entered into those forms during the current assessment will be lost. The worksheets will reappear as new To Do items.
· Worksheets and forms can be modified directly from the To Do item.
To re-run or modify a To Do item:
1. Open a completed To Do item from the To Do list.

2. Depending on the type of To Do item (scan or worksheet), select Re-run or Modify:
   · If the To Do item is an automated scan, click Re-run.
   · If the To Do item is a Worksheet or Survey, click Modify.

3. A list of related To Do items that will be reset will appear. Confirm that you wish to proceed.

Note: For example, if you reset an automated scan, 1) any worksheets that contain data from that scan will also be reset and 2) any data previously entered in that form during the current assessment will be lost.

4. Once you reset or modify the To Do item, the regenerated item will appear in the To Do list.
Assessment Progress Bar
From the Site Dashboard, you can view a progress bar for your assessment. This progress bar is advanced when you complete assessment tasks.

If you hover over the progress bar, you can see the number of To Do items remaining in the assessment. This number is based on the total steps in the assessment, rather than the current To Do list. Once all To Do items are completed, the Progress Bar will be removed from the Current Assessment panel in the Compliance Manager Dashboard.


Step 4 -- Set Up the CMMC Assessment Project
I. Task Set Up Report Preferences.
Compliance Manager generates assessment reports and proof of compliance documents to help you complete your CMMC Assessment. You can also customize these reports to align with your company or organization branding guidelines and information. This task is performed by an Administrator.
To configure Report Preferences:
1. From your Site Home Page, go to Compliance Manager > Settings.

Next, click Report Preferences to access the customization settings. This includes company information, images, and design elements for this site's reports.

2. Customize your reports. This includes company information, images, and design elements for this site's reports.

3. Once you finish configuring Report Preferences, return to the item in the To Do list and click Mark Complete. Do this each time you complete a task in the To Do list.

II. Recommended: Set Time Zone. You can set your time zone from Global Settings > General. Set your time zone to schedule automated scans at your preferred local time. To configure time zones:
1. Go to Global Settings > General.

2. Select your time zone from the drop down menu.
3. Click Save.
Note that the time zone setting is relatively narrow in scope. For example, To Do task creation time is shown based on your browser's local time, not the time zone setting in Global Settings. The time zone setting affects only a few items, including:
· start time for scans when using the limit scan start time feature for a site
· last modified date of risk update reports
· last sync date and time for Kaseya BMS billing integration

III. Task Create additional users and assign to roles.
Your CMMC Assessment has several roles: these include Site Administrator, Technician, Internal Auditor, and (optional) Subject Matter Expert (SME). Each role performs different tasks within the assessment.

Tip: Before you begin the assessment, you will need to assign users to each role except the optional SME role. This allows users to be assigned assessment tasks within their To Do list and email notifications.
This task is performed by the Site Administrator. To assign users to project roles:
1. From the Home page for your Site, click Users.

2. Click Add User.
i. Add Existing Users(s) by searching for their user name within the dropdown menu.

ii. Alternatively, you can create a New User account to provide individuals access to the Portal and assessment process. You will need to enter an email address, first and last name, and password for each user. The email address you enter is where the user will receive To Do Notifications from Compliance Manager. Important: Send new users their login credentials after you add them to the site.
iii. Click Add to add the user to the site.
Next you will associate these new users with your CMMC Assessment Site. To do this:
3. From the Home tab side menu, click Roles.
4. Next to each role, click Add User to assign users to the Technician, Internal Auditor, and (optional) Subject Matter Expert (SME) roles. The users assigned to these roles will receive assessment task notifications for that role.

5. Select each user you wish to assign to the role. Then click Add.
Note: Before you can assign a user a Role, you must first create that user and/or associate them with your Site.
Important: Do not assign the SME role to users with other role assignments. Doing so will limit their access to the portal.
6. When you have finished adding users to your site and assigning roles, click Mark Complete on the task To Do page.
Important: Be sure to send the users their login credentials in order to access the RapidFire Tools Portal and begin working on assessment tasks.

Step 5 -- Install and Configure the Compliance Manager Server
I. Task Install Compliance Manager Server.
Install the Compliance Manager Server on the target network. This task is performed by the Technician. The Server collects data and performs automated scans within the assessment environment.

Click Download Server Installer to visit https://www.rapidfiretools.com/cm. Refer to the separate Compliance Manager Server Installation Guide for more detailed instructions.


Important: You can only install one RapidFire Tools server/appliance on a PC or endpoint at a time. If you need to install multiple server(s)/appliance(s), install each one on a separate endpoint on the network.
Note: Once you install the Server, this To Do item will automatically be marked complete. This may take several minutes.
II. Task Configure Server Scan settings.
Before you configure scan settings, first determine if the target network is an Active Directory Domain OR a Workgroup. Then refer to the instructions below.
· Look here to "Configure Scan Settings for Active Directory Domain" below
· Look here to "Configure Scan Settings for Workgroup" on page 40
Tip: For best results, be sure to follow "Pre-Scan Network Configuration Checklist" on page 132
Configure Scan Settings for Active Directory Domain
Set the Scan Settings from the [Your Site] > Compliance Manager > Settings > Scan Settings page. Complete all required prompts. This task is performed by the Technician.

Follow the steps below to configure the Scan Settings for the Compliance Manager Server:

1. Select the Scan Type: Active Directory Domain. Click Next Page.

2. The Merge Options page will appear. Configure how you wish to treat computers that are not associated with Active Directory. You can choose to:

   a. Treat them as part of the primary domain
   b. Treat them as part of a specific workgroup by entering a workgroup name
   Tip: Use this feature to tell Compliance Manager how to handle computers that are not connected to the domain. This will help those computers appear where you want them when you generate reports at the end of the assessment.
   Select a merge option and click Next Page.
3. Enter a username and password with administrative rights to connect to the local Domain Controller and Active Directory.

Note: Be sure to enter the Fully Qualified Domain Name (FQDN) before the username. Example: corp.myco.com\username.
4. Also enter the name or IP address of the Domain Controller. Click Next Page to test a connection to the local Domain Controller and Active Directory to verify your credentials.

5. The Local Domains window will appear. If you wish to scan only specific domains or OUs, select those here. Click Next Page.


6. The Additional Credentials screen will appear. Enter any additional credentials to be used during the scan. Click Next.


7. The IP Ranges screen will then appear. The Compliance Manager server will automatically suggest an IP Range for the scan. If you do not wish to scan the default IP Range, select it and click Clear All Entries. Use this screen to enter additional IP Addresses or IP Ranges and click Add.

From this screen you can also:
· Click Reset to Auto-detected to reset to the automatically suggested IP Range.
· Exclude IPs or IP ranges from the scan.
Note: Key network component IP addresses should be excluded to prevent the scan from impacting the performance of a device while it is being scanned. For example, a company might want to exclude the IP Address range for their voice over IP telephone system if they are performing a scan during business hours.
Click Next Page once you have configured the IP ranges for the scan.

8. The SNMP Information window will appear. Enter any additional SNMP community strings used on the network. Click Next Page.

9. Enter the IP addresses for the external vulnerability scan. Click Next Page.
Important: You must ensure that no other Network Detective or Compliance Manager products are being used to perform an External Vulnerability Scan on the same external IP Address range at the same time. Allow at least several hours between repeat external vulnerability scans. Scheduling external scans at the same time will result in reports with missing or incomplete data.
Note: IP ranges for the external vulnerability scan are not supported at this time. Please enter individual IPs for the external scan.

10. Your scan settings will then be complete. Return to the To Do list and continue assessment tasks.
Note: Stepping through the prompts creates the Scan Settings. Once the settings are saved, the Start CMMC Assessment To Do item is what is used to trigger the scans. When you have finished entering the scan settings, return to the To Do item and click Mark Complete.

Configure Scan Settings for Workgroup
Set the Scan Settings from the [Your Site] > Compliance Manager > Settings > Scan Settings page. Complete all required prompts. This task is performed by the Technician.

Follow the steps below to configure the Scan Settings for the Compliance Manager Server:
1. From the Scan Settings screen, select the Scan Type: Workgroup. Click Next Page.
2. The Merge Options page will appear. Configure how you wish to treat computers that are not associated with Active Directory. You can choose to:

   a. Treat them as part of the primary domain
   b. Treat them as part of a specific workgroup by entering a workgroup name
   Select a merge option and click Next Page.
3. Enter scan credentials with administrative rights to connect to the local computers in the workgroup.

Note: For Workgroups, you have two options for how to enter the username. First, you can enter the characters ".\" (without quotation marks) immediately before the username, for example ".\username". Second, you can use the format "computername\localuseraccountname", for example "WGWINX\user".
If you have trouble connecting when using one username format, use the other format presented here.
Click Next Page to test the connection and verify your credentials.
4. The Additional Credentials screen will appear. Enter any additional credentials to be used during the scan. Click Next.
Important: If each workgroup PC has its own unique Admin username and password credentials, you will need to enter each set of credentials here in order to scan these PCs.


5. The IP Ranges screen will then appear. The Compliance Manager server will automatically suggest an IP Range for the scan. If you do not wish to scan the default IP Range, select it and click Clear All Entries. Use this screen to enter additional IP Addresses or IP Ranges and click Add.

From this screen you can also:
- Click Reset to Auto-detected to reset to the automatically suggested IP Range.
- Exclude IPs or IP ranges from the scan.
Note: Key network component IP addresses should be excluded in order to prevent the scan from impacting the performance of a device while it is being scanned. For example, a company might want to exclude the IP Address range for its voice over IP telephone system if it is performing a scan during business hours.
Click Next Page once you have configured the IP ranges for the scan.

6. The SNMP Information window will appear. Enter any additional SNMP community strings used on the network. Click Next Page.

7. Enter the IP addresses for the external vulnerability scan. Click Next Page.
Important: You must ensure that no other Network Detective or Compliance Manager products are being used to perform an External Vulnerability Scan on the same external IP Address range at the same time. Allow at least several hours between repeat external vulnerability scans. Scheduling external scans at the same time will result in reports with missing or incomplete data.
Note: IP ranges for the external vulnerability scan are not supported at this time. Enter individual IPs for the external scan.

8. Your scan settings will then be complete. Return to the To Do list and continue assessment tasks.
Note: Stepping through the prompts creates the Scan Settings. Once the settings are saved, the Start CMMC Assessment To Do item is what is used to trigger the scans. When you have finished entering the scan settings, return to the To Do item and click Mark Complete.
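The Next Page connection test in step 3 runs inside the product. The following PowerShell script is an added example, not part of Compliance Manager or the RapidFire Tools documentation, that lets you pre-test the same workgroup credentials from the scanning host before you save the settings. It opens a DCOM/WMI session to each workgroup host, tries both username formats described in step 3 in turn, and reports which one worked. The host names, the account name, and the assumption that WMI over DCOM is the transport the scanner relies on are illustrative and not taken from this guide.

```powershell
# Added example, not part of Compliance Manager: pre-test workgroup scan credentials
# from the scanning host over DCOM/WMI, trying both username formats the guide
# describes (".\user" and "COMPUTER\user"). Host names and the account are assumptions.
$targets  = @('WGWINX', '192.168.10.25')   # workgroup hosts to test (assumed)
$userName = 'scanadmin'                     # local administrator account on each host (assumed)
$password = Read-Host -AsSecureString -Prompt "Password for $userName"
$dcom     = New-CimSessionOption -Protocol Dcom   # WMI over RPC, the classic transport, not WinRM

$results = foreach ($target in $targets) {
    $connected = $false
    foreach ($format in @(".\$userName", "$target\$userName")) {
        $cred = New-Object System.Management.Automation.PSCredential($format, $password)
        try {
            $session = New-CimSession -ComputerName $target -Credential $cred `
                                      -SessionOption $dcom -ErrorAction Stop
            # By default only members of Administrators hold the WMI "Remote Enable"
            # permission on root\cimv2, so a successful remote query is a reasonable
            # proxy for admin-level scan access rather than merely a valid password.
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            Remove-CimSession -CimSession $session
            [pscustomobject]@{ Target = $target; Username = $format; Result = 'OK'; Detail = $os.Caption }
            $connected = $true
            break                       # first working format wins; no need to try the other
        } catch {
            [pscustomobject]@{ Target = $target; Username = $format; Result = 'FAILED'; Detail = $_.Exception.Message }
        }
    }
    if (-not $connected) {
        Write-Warning "${target}: neither username format worked. Check RPC/WMI firewall rules, the account, and UAC remote token filtering (LocalAccountTokenFilterPolicy)."
    }
}
$results | Format-Table -AutoSize
```

Run it from the machine that hosts the Compliance Manager server so the same firewall path is exercised. A result of "Access is denied" for a local account other than the built-in Administrator, even with the correct password, usually means UAC remote token filtering is stripping the administrative token; the LocalAccountTokenFilterPolicy registry value documented by Microsoft controls that behaviour.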

Step 6 -- Start Assessment and Perform Pre-Scan Analysis
Note: The order of To Do tasks may appear differently in your assessment, depending on the order in which you or other users complete To Do tasks.
I. Task Start CMMC Assessment. To begin performing the CMMC Assessment, click on the Start CMMC Assessment task from the To Do list:

When you are ready to perform your first initial CMMC Assessment, click Start Assessment.


Note: Completing this task will create several new assessment tasks in the To Do list. The task Type of CMMC Assessment will be added, where you can choose whether to add additional worksheets for an expanded CMMC assessment. Two scans will begin automatically: the Pre-Scan and the External Vulnerability Scan. The scans will be marked complete automatically when they finish.
II. Task (Automated) Running the Automated External Vulnerability Scan. The assessment includes an external vulnerability scan of your publicly facing IP addresses.
Once the scan is complete, this To Do item will automatically be marked as complete.

Note: New worksheets will appear once the External Vulnerability scan completes.
III. Task Running Pre-Scan Analysis. In this task, the Compliance Manager server will begin an automated pre-scan analysis of the target network.
This will verify the credentials and attempt to detect issues to ensure you have the most accurate automated scans.
When the automated scan is completed, and any issues are identified, you may follow the recommended corrective actions and re-run this analysis.
IV. Task Review Pre-Scan Analysis Results and Recommendations. Use the Pre-Scan Analysis Results and Recommendations to address any identified network configuration issues before continuing the assessment.

The results from the pre-scan analysis will appear on the task details page.
Note: A 100% successful scan may not be possible in some cases due to network restrictions. Before opening ports or allowing protocols, please consult with your network and system administrator.
Below the Results Summary, refer to the Recommendations for specific suggestions for mitigating the issues that were identified.

Once you finish making any changes, click Rerun Pre-scan Analysis to check for any remaining issues.

When you have reviewed the pre-scan analysis and are finished making any recommended changes to the target network, click Mark Complete.

Step 7 -- Collect CMMC Assessment Data
I. Task Complete External Port Use Worksheet.
Note: The External Port Use Worksheet will become available 1) once the External Vulnerability Scan is complete, and 2) one or more external ports are found to be open.
An attacker can exploit unnecessary open ports to gain access to the network. This worksheet details ports that were found to be open during the external vulnerability scan. Use this worksheet to document the business justification for each open port. Also indicate whether the port uses a secure protocol.

When you are finished, Save, return to the To Do item and click Mark Complete.
II. Task (Automated) Running the Automated Scan of the Internal Network. The Compliance Manager server performs the Internal Network Scan on the target network. The Internal Scan begins automatically once you complete the pre-scan analysis and review the results.
Once the scan is complete, this To Do item will automatically be marked as complete.

Important: At least 1 computer must be successfully scanned in order for this To Do item to be automatically marked complete.
III. Task Running Local Scan of Remote Computers. Once the Internal Network Scan is successfully completed, a scan of remote computers on the target network will automatically begin.
This scan gathers more detailed data from individual endpoints on the target network.
Important: At least 1 computer must be successfully scanned in order for this To Do item to be automatically marked complete.
- You will receive a separate To Do item if there is an error during the local scan of Remote Computers.
- You can then click Go to Scan Settings to change your scan configuration.
- You can also click Initiate Rescan once you fix any issues and wish to restart the scan.

IV. Task Run Local Data Collector (Optional).
In this task, you can perform manual scans on computers that could not be scanned automatically. You will also receive a list of known computers on the target network that could not be scanned. From this To Do item, you can:
A. Upload scans for computers that are connected to the network but cannot be scanned
B. Upload scans for computers that are not available on the network being scanned, but that should be accounted for in the assessment process

Tip: You will also be notified if all computers are scanned successfully. You can then just click Mark Complete and move on with your assessment.
To perform the scan manually, first download the Local Computer Data Collector from https://www.rapidfiretools.com/cm. Run the Data Collector directly on the computer(s) to produce the scan file(s). Then click Upload Local Scan and select the scan files or .zip files. When you are finished, click Mark Complete.
V. Task Complete Anti-virus Verification Worksheet. Compliance Manager will automatically detect any anti-virus software installed on PCs on the target network. Use the Anti-virus Verification Worksheet to quickly determine whether each endpoint on the network has anti-virus software installed.

To use the worksheet:
1. From the To Do list, click the Go To Form button to open the worksheet.

2. The results of the scan for anti-virus software will appear in the worksheet for all PCs detected. Review the results:
- PCs detected with anti-virus will automatically be marked Verified Present.
- PCs detected without anti-virus will automatically be marked Not Detected.
Note: You can also manually change each response if needed. For example, you can mark a PC as Verified Present if you know the PC has anti-virus but Compliance Manager did not detect it. Alternatively, you can mark the entry Verified Not Present if you know the PC does not have anti-virus installed.
3. When you are finished, Save, return to the To Do item and click Mark Complete.
Attach Supporting Documents
As evidence of compliance, you can add supporting documents that will be included as attachments when you generate assessment and compliance reports with Compliance Manager. To attach a supporting document:

1. Click on the folder icon underneath the appropriate questionnaire field.

2. Choose whether to Add Attachment from Previously Uploaded or from your Local Computer.
3. Select the file you wish to upload and click Open. The selected file(s) will appear in the attachments queue.
4. The file will be added to the assessment document as an attachment.


Note: The attachment will appear in your supporting documents and reports that are generated at the end of the assessment process.
Select Multiple Fields
In worksheets that have tables with multiple fields, you can select several or all fields at once in order to enter responses more quickly. To select multiple fields:
1. Click the left mouse button and hold on the first field you would like to include in the selection.
2. While holding the left mouse button, drag and select your desired fields.

3. You can use this feature to copy and paste multiple responses at once. See "Copy and Paste Responses" below.
Copy and Paste Responses
Some worksheets allow you to copy and paste the responses you entered, much like a spreadsheet. This saves you time by allowing you to enter many responses at once. To do this:
1. First answer one or more questions that require a response. Enter your response within the field.
Note: You can copy and paste both free-form and multiple choice entries.


2. Use your mouse to drag and select multiple rows that contain the responses you wish to copy.

3. On your keyboard, press CTRL+C.
4. Use your mouse to drag and select the rows you wish to paste the responses into.
5. On your keyboard, press CTRL+V. Your pasted responses will appear in the worksheet.

Use this feature to save time completing worksheet responses that can be answered with the same answer.
VI. Task Complete User Access Review Worksheet. The User Access Review Worksheet enables you to identify each user and to document their status: Employee, Third Party, Former Employee, Former Third Party, Service Account. You can also indicate whether each user has Remote Access.
Note: In addition to other scan procedures that identify Windows admin accounts, a user will also be marked as a "Privileged (Administrator) Account" if they are associated with any group or organizational unit whose name contains the word "admin." Treat this keyword match as a starting point and review it: a group or OU name that happens to contain "admin" does not by itself grant privileges, and privileged groups whose names do not contain the word are not caught by it.
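The keyword match in the note above is only a heuristic. As an added example that is not part of Compliance Manager or its documentation, the following PowerShell compares what the "admin" keyword would flag against the actual recursive membership of the standard built-in privileged Active Directory groups, so the Privileged flags in the worksheet can be corrected in both directions. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the directory; the group list is the standard set of built-in privileged groups and can be extended with any custom ones your environment uses.

```powershell
# Added example, not part of Compliance Manager: compare the "admin" keyword heuristic
# with actual recursive membership of well-known privileged AD groups.
# Assumes the ActiveDirectory RSAT module on a domain-joined host with AD read access.
Import-Module ActiveDirectory

# Built-in privileged groups. Several of them contain no "admin" in their names.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Group Policy Creator Owners'
)

function Get-UserMembers {
    # Recursive user membership of one group (by name or DN); a failure such as the
    # default 5,000-member result limit produces a warning instead of stopping the run.
    param([string]$Group)
    try {
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    } catch {
        Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
    }
}

# 1. Accounts that are privileged because of where they are actually a member.
$byMembership = @{}
foreach ($g in $privilegedGroups) {
    foreach ($sam in Get-UserMembers -Group $g) { $byMembership[$sam] = $g }
}

# 2. Accounts the keyword heuristic would flag: members of any group whose name
#    contains "admin", plus any account located in an OU whose name contains "admin".
$byKeyword = @{}
Get-ADGroup -Filter 'Name -like "*admin*"' | ForEach-Object {
    $grp = $_
    foreach ($sam in Get-UserMembers -Group $grp.DistinguishedName) { $byKeyword[$sam] = "group: $($grp.Name)" }
}
Get-ADOrganizationalUnit -Filter 'Name -like "*admin*"' | ForEach-Object {
    $ou = $_
    Get-ADUser -Filter * -SearchBase $ou.DistinguishedName |
        ForEach-Object { $byKeyword[$_.SamAccountName] = "OU: $($ou.Name)" }
}

# 3. Report both kinds of disagreement for the worksheet reviewer.
$missed = @($byMembership.Keys | Where-Object { -not $byKeyword.ContainsKey($_) } | Sort-Object)
$review = @($byKeyword.Keys    | Where-Object { -not $byMembership.ContainsKey($_) } | Sort-Object)

"Privileged by group membership but NOT flagged by the keyword heuristic ($($missed.Count)) - mark as Privileged:"
$missed | ForEach-Object { "  $_  <- $($byMembership[$_])" }
"Flagged by the keyword heuristic but not in a built-in privileged group ($($review.Count)) - review manually:"
$review | ForEach-Object { "  $_  <- $($byKeyword[$_])" }
```

Get-ADGroupMember -Recursive stops at the default 5,000-member result limit and can fail on groups that contain foreign security principals, so read the warnings rather than treating an empty list as "no members". Local Administrators groups on member servers and workstations are a separate population that this directory query does not cover.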
To use the worksheet:

1. Click the Go To Form button to open the worksheet.

2. Assign each identified user the correct Status.
3. Indicate whether each user has Remote Access.
4. Indicate whether each user is Authorized to access the environment.
5. When you are finished, Save, return to the To Do item and click Mark Complete.
VII. Task Complete Asset Inventory Worksheet.
Note: The Asset Inventory Worksheet will become available once the Internal Network Scan is complete.
The Asset Inventory Worksheet details the computer assets discovered on the network. Complete all of the required fields in the worksheet.

VIII. Task Complete Application Inventory Worksheet. This worksheet details the applications discovered on the network. For each application, specify whether the app is necessary for the organization and its operation; unnecessary apps should be removed from the environment.
Note: The apps in this worksheet are discovered during the network scan, and you might find that certain apps are redundant or not authorized by the organization. In this case, they can be removed from the network.
IX. Task Complete External Information System Worksheet.

This worksheet is used to document external information systems used by your organization. Add entries for each external information system along with a description, purpose for using the system, name of the business owner of the system, along with its criticality. Examples of external information systems include Salesforce, QuickBooks Online, and Office 365.
The purpose of this worksheet is to inventory systems in use at the organization, but that are largely outside of (external to) that organization's control and/or ownership. This can allow the organization to manage the risk posed by using external systems. Specifically, you must:
- Identify each external information system
- Determine the business owner and business purpose of that system
- Establish the business priority (criticality) of that system

Enter each information system one line at a time. Complete all relevant fields for each entry.
X. Task Select Level of CMMC Assessment. In this step, choose whether you wish to perform a Level 1, Level 2, or Level 3 CMMC Assessment.

CMMC defines multiple "Levels" of cybersecurity practices that can be implemented to secure the IT environment, each level building on the one below it. Level 1, Level 2 and Level 3 are the first three of the five levels defined in the CMMC model (version 1.0) and are the levels this assessment supports.

Note: To learn more about the CMMC model and its associated levels, visit https://www.acq.osd.mil/cmmc/.

Which CMMC Level Should I Choose?
- The Level 1 assessment presents fewer worksheets for the auditor to complete. In addition, the CMMC worksheets will be simplified and contain fewer questions. Use this level if you want to perform a relatively quick "Basic Cyber Hygiene" check as per the CMMC framework.
- The Level 2 assessment presents several additional worksheets to complete. Likewise, the CMMC worksheets will contain added sections and questions. Use this level if you want to perform an "Intermediate Cyber Hygiene" check as per the CMMC framework. Once you complete a Level 2 assessment, you will have a wealth of documentation to support your Level 2 compliance.
- The Level 3 assessment allows you to perform a "Good Cyber Hygiene" check as per the CMMC framework. Once you complete a Level 3 assessment, you will have a wealth of documentation to support your Level 3 compliance.
Change Assessment Level
During your assessment, you may decide to change CMMC assessment levels. To do this:
1. Return to the Select CMMC Level To Do item.
2. Click Re-run and select your desired assessment level. Confirm that you wish to regenerate the worksheet To Do items.


Your To Do list will be updated with the worksheets for the selected level.
Note: Your saved responses will be available to re-use in the regenerated worksheets.


Step 8A -- Complete Level 1 CMMC Worksheets
Note Regarding Worksheet Cross References to NIST SP 800-171
Many CMMC worksheets include cross references to items within the NIST SP 800-171 rev1 framework. However, note that CMMC contains additional security requirements, and thus not every CMMC provision references a NIST requirement.

I. Task Complete CMMC Access Control Worksheet
Complete the CMMC Access Control Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Restrictions on internal system access
- Restrictions on access to external information systems
- Restrictions on information posted to public-facing data systems
- Utilization of the principle of least privilege for user accounts and their access to sensitive data

II. Task Complete CMMC Identification and Authentication Worksheet
Complete the CMMC Identification and Authentication Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- User identification procedures and practices
- Password policy, management, and enforcement

III. Task Complete CMMC Media Protection Worksheet
Complete the CMMC Media Protection Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine:
- Procedures in place to protect CUI (Controlled Unclassified Information) present on both analog and digital media within the organization
- Procedures to destroy or sanitize media devices no longer in use that might contain sensitive data

IV. Task Complete CMMC Physical Protection Worksheet
Complete the CMMC Physical Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Measures to control physical access to the site and its resources
- Visitor access control
- Visitor access audit logs
- Physical access control devices and their management

V. Task Complete CMMC System and Communications Protection Worksheet
Complete the CMMC System and Communications Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Collaborative computing devices
- Session encryption
- Communication boundary definition and protection

VI. Task Complete CMMC System and Information Integrity Worksheet
Complete the CMMC System and Information Integrity Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to:
- Catalog information systems in use and their responsible parties
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
Note: For additional guidance in answering worksheet questions 1 through 1.3, please refer to the publication "NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems," page 19, section 3, "Plan Development." This document is currently available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf


Step 8B -- Complete Level 2 CMMC Worksheets
Note Regarding Worksheet Cross References to NIST SP 800-171
Many CMMC worksheets include cross references to items within the NIST SP 800-171 rev1 framework. However, note that CMMC contains additional security requirements, and thus not every CMMC provision references a NIST requirement.

I. Task Complete CMMC Access Control Worksheet
Complete the CMMC Access Control Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Restrictions on internal system access
- Restrictions on access to external information systems
- Restrictions on information posted to public-facing data systems
- Utilization of the principle of least privilege for user accounts and their access to sensitive data

II. Task Complete CMMC Asset Management Worksheet
Complete the CMMC Asset Management Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine processes and procedures in place in order to manage "controlled unclassified information" (CUI).


III. Task Complete CMMC Audit and Accountability Worksheet
Complete the CMMC Audit and Accountability Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine:
- Event logging of individual system users and their actions
- Audit log retention
- Audit log review

IV. Task Complete CMMC Awareness and Training Worksheet
Complete the CMMC Awareness and Training Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine:
- The status of security awareness training at the organization
- The status of role-based security awareness training at the organization


V. Task Complete CMMC Configuration Management Worksheet
Complete the CMMC Configuration Management Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Establishment of configuration baselines: ensure the principle of least functionality is employed and that user-installed software is restricted.
- Configuration change management: ensure the organization analyzes security configuration changes and establishes and enforces baseline security settings.

VI. Task Complete CMMC Identification and Authentication Worksheet
Complete the CMMC Identification and Authentication Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- User identification procedures and practices
- Password policy, management, and enforcement


VII. Task Complete CMMC Incident Response Worksheet
Complete the CMMC Incident Response Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to detail the organization's plan for handling a security incident, including planning, responding, reporting, analyzing, and testing.


VIII. Task Complete CMMC Maintenance Worksheet
Complete the CMMC Maintenance Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Management of IT maintenance tools and management of IT personnel
- Multifactor authentication for remote access maintenance tools


IX. Task Complete CMMC Media Protection Worksheet
Complete the CMMC Media Protection Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine:
- Procedures in place to protect CUI (Controlled Unclassified Information) present on both analog and digital media within the organization
- Procedures to destroy or sanitize media devices no longer in use that might contain sensitive data

X. Task Complete CMMC Personnel Security Worksheet
Complete the CMMC Personnel Security Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Procedures to screen individuals before employment and before access to sensitive data
- Procedures to restrict employee data access after they leave the organization

XI. Task Complete CMMC Physical Protection Worksheet
Complete the CMMC Physical Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Measures to control physical access to the site and its resources
- Visitor access control
- Visitor access audit logs
- Physical access control devices and their management

XII. Task Complete CMMC Recovery Worksheet
Complete the CMMC Recovery worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Regular performance and testing of data backups
- Protection of CUI data after backup


XIII. Task Complete CMMC Risk Management Worksheet
Complete the CMMC Risk Management Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Risk and vulnerability assessment
- Vulnerability scanning
- Vulnerability remediation

XIV. Task Complete CMMC Security Assessment Worksheet
Complete the CMMC Security Assessment Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine:
- Existence of a system security plan
- Assessment of the security plan
- Plans of action against vulnerabilities


XV. Task Complete CMMC System and Communications Protection Worksheet
Complete the CMMC System and Communications Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Collaborative computing devices
- Session encryption
- Communication boundary definition and protection

XVI. Task Complete CMMC System and Information Integrity Worksheet
Complete the CMMC System and Information Integrity Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to:
- Catalog information systems in use and their responsible parties
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
Note: For additional guidance in answering worksheet questions 1 through 1.3, please refer to the publication "NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems," page 19, section 3, "Plan Development." This document is currently available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

XVII. Task Complete NIST 800-171 Scoring Supplement Worksheet (Optional)
In summer 2020, the Department of Defense (DoD) introduced a self-assessment methodology that allows contractors to assess and report their NIST SP 800-171 implementation in the interim period before the complete CMMC program is implemented. The optional NIST 800-171 Scoring Supplement allows you to perform a self-assessment as per the DoD's interim rule. It is based on the DoD NIST SP 800-171 Assessment Methodology, in which the final assessment result is expressed as a DoD Assessment Score. This worksheet should be completed by an Internal Auditor.
The NIST 800-171 Scoring Supplement contains and cross-references the CMMC control domains that are relevant to each NIST 800-171 security requirement.

Note: Issues generated as a result of your responses to the NIST 800-171 Scoring Supplement Worksheet do not currently appear in the Compensating Controls Worksheet. Update your responses in the NIST 800-171 worksheet itself to indicate any mitigation measures taken to resolve issues identified. Return to the Worksheet To Do item, click the "Modify" button, and modify the worksheet responses to reflect the remediation actions undertaken.
Complete the Scoring Supplement to access the following compliance reports at the end of your assessment:
- CUI Plan of Action and Milestones Report
- CUI System Security Plan
- NIST 800 171 Scoring Supplement Worksheet
- NIST SP 800 171 DoD Assessment Score Report
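The DoD Assessment Score that the Scoring Supplement produces is derived by subtracting point values for requirements that are not implemented. As an added example (not code from this guide or from RapidFire Tools), the following Python computes that score for a constructed worksheet; the requirement subset, its point values and the CSV layout are assumptions for illustration, and the authoritative values are in the DoD Assessment Methodology itself.

```python
import csv
import io
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # one point per NIST SP 800-171 security requirement


class Status(Enum):
    """Implementation status recorded for each requirement on the worksheet."""
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Requirement:
    control_id: str
    weight: int                      # 1, 3 or 5 points deducted when not implemented
    partial_deduction: int = 0       # reduced deduction when partial credit applies (0 = none)
    blocks_assessment: bool = False  # if unmet, no score can be produced at all


# Constructed subset of requirements; point values here are assumed for illustration.
# The authoritative values are in Annex A of the DoD Assessment Methodology.
REQUIREMENTS: dict[str, Requirement] = {
    "3.1.1": Requirement("3.1.1", 5),    # limit system access to authorized users
    "3.1.5": Requirement("3.1.5", 3),    # least privilege
    "3.1.22": Requirement("3.1.22", 1),  # control CUI posted on publicly accessible systems
    "3.3.1": Requirement("3.3.1", 5),    # create and retain audit logs
    "3.5.3": Requirement("3.5.3", 5, partial_deduction=3),      # MFA; partial credit possible
    "3.12.4": Requirement("3.12.4", 0, blocks_assessment=True),  # system security plan
    "3.13.11": Requirement("3.13.11", 5, partial_deduction=3),  # FIPS-validated crypto
}


class AssessmentNotPossible(Exception):
    """A response that prevents any score from being produced (no system security plan)."""


def deduction(req: Requirement, status: Status) -> int:
    """Points deducted for one requirement given its recorded implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.NOT_IMPLEMENTED and req.blocks_assessment:
        raise AssessmentNotPossible(f"{req.control_id} not implemented; score cannot be produced")
    if status is Status.PARTIAL and req.partial_deduction:
        return req.partial_deduction
    # A partial implementation with no partial-credit rule scores as not implemented.
    return req.weight


def score(responses: dict[str, Status]) -> tuple[int, dict[str, int]]:
    """Return (DoD Assessment Score, non-zero deductions per control).

    Every control in REQUIREMENTS needs a response and unknown IDs are rejected,
    so a worksheet with a missing row cannot silently inflate the score. Controls
    outside this illustrative subset are treated as implemented.
    """
    unknown = set(responses) - set(REQUIREMENTS)
    unanswered = set(REQUIREMENTS) - set(responses)
    if unknown or unanswered:
        raise ValueError(f"unknown controls {sorted(unknown)}, unanswered {sorted(unanswered)}")
    deductions = {cid: deduction(req, responses[cid]) for cid, req in REQUIREMENTS.items()}
    return MAX_SCORE - sum(deductions.values()), {c: d for c, d in deductions.items() if d}


# Constructed worksheet export (format assumed; the guide does not define one).
SAMPLE_WORKSHEET = """\
control_id,status
3.1.1,implemented
3.1.5,implemented
3.1.22,not implemented
3.3.1,implemented
3.5.3,partially implemented
3.12.4,implemented
3.13.11,not implemented
"""


def parse_worksheet(text: str) -> dict[str, Status]:
    """Read control_id,status rows into a response map; a bad status value raises ValueError."""
    responses: dict[str, Status] = {}
    for row in csv.DictReader(io.StringIO(text)):
        responses[row["control_id"].strip()] = Status(row["status"].strip().lower())
    return responses


if __name__ == "__main__":
    total, per_control = score(parse_worksheet(SAMPLE_WORKSHEET))
    for cid, pts in per_control.items():
        print(f"{cid}: -{pts}")
    print(f"DoD Assessment Score: {total} / {MAX_SCORE}")  # 101 / 110 for the sample
```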

Step 8C -- Complete Level 3 CMMC Worksheets
Note Regarding Worksheet Cross References to NIST SP 800-171
Many CMMC worksheets include cross references to items within the NIST SP 800-171 rev1 framework. However, note that CMMC contains additional security requirements, and thus not every CMMC provision references a NIST requirement.

I. Task Complete CMMC Access Control Worksheet
Complete the CMMC Access Control Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Restrictions on internal system access
- Restrictions on access to external information systems
- Restrictions on information posted to public-facing data systems
- Utilization of the principle of least privilege for user accounts and their access to sensitive data

II. Task Complete CMMC Audit and Accountability Worksheet
Complete the CMMC Audit and Accountability Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Event logging of individual system users and their actions
- Audit log retention
- Audit log review
III. Task Complete CMMC Awareness and Training Worksheet
Complete the CMMC Awareness and Training Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- The status of security awareness training at the organization
- The status of role-based security awareness training at the organization

IV. Task Complete CMMC Configuration Management Worksheet
Complete the CMMC Configuration Management Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Establish configuration baselines: Ensure the principle of least functionality is employed; restrictions on user-installed software.
- Configuration change management: Ensure the organization analyzes security configuration changes and establishes and enforces baseline security settings.
V. Task Complete CMMC Identification and Authentication Worksheet
Complete the CMMC Identification and Authentication Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- User identification procedures and practices
- Password policy, management, and enforcement

VI. Task Complete CMMC Incident Response Worksheet
Complete the CMMC Incident Response Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Detail the organization's plan for handling a security incident, including planning, responding, reporting, analyzing, and testing.

VII. Task Complete CMMC Maintenance Worksheet
Complete the CMMC Maintenance Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Management of IT maintenance tools and management of IT personnel
- Multifactor authentication for remote access maintenance tools

VIII. Task Complete CMMC Media Protection Worksheet
Complete the CMMC Media Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Procedures in place to protect CUI (Controlled Unclassified Information) present on both analog and digital media within the organization
- Procedures to destroy or sanitize media devices no longer in use that might contain sensitive data
IX. Task Complete CMMC Personnel Security Worksheet
Complete the CMMC Personnel Security Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Procedures to screen individuals before employment and access to sensitive data
- Procedures to restrict employee data access after they leave the organization
X. Task Complete CMMC Physical Protection Worksheet
Complete the CMMC Physical Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Measures to control physical access to the site and its resources
- Visitor access control
- Visitor access audit logs
- Physical access control devices and their management
XI. Task Complete CMMC Recovery Worksheet
Complete the CMMC Recovery Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Regular performance and testing of data backups
- Protection of CUI data after backup

XII. Task Complete CMMC Risk Management Worksheet
Complete the CMMC Risk Management Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Risk and vulnerability assessment
- Vulnerability scanning
- Vulnerability remediation
XIII. Task Complete CMMC Security Assessment Worksheet
Complete the CMMC Security Assessment Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Existence of a system security plan
- Assessment of the security plan
- Plans of action against vulnerabilities

XIV. Task Complete CMMC Situational Awareness Worksheet
Complete the CMMC Situational Awareness Worksheet. This worksheet should be completed by an Internal Auditor.
Specifically, this worksheet asks you to examine how the organization becomes aware of and/or identifies potential cyber threats.

XV. Task Complete CMMC System and Communications Protection Worksheet
Complete the CMMC System and Communications Protection Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to examine:
- Collaborative computing devices
- Session encryption
- Communication boundary definition and protection
XVI. Task Complete CMMC System and Information Integrity Worksheet
Complete the CMMC System and Information Integrity Worksheet. This worksheet should be completed by an Internal Auditor.

Specifically, this worksheet asks you to:
- Catalog information systems in use and their responsible parties
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
Note: For additional guidance in answering worksheet questions 1 through 1.3, please refer to the publication "NIST SP800-18, Guide for Developing Security Plans for Federal Information Systems," page 19, section 3, "Plan Development." This document is currently available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

Step 9 -- Document Compensating Controls
Task Complete the Compensating Controls Worksheet. Use this worksheet to document any compensating controls used to mitigate the risks detected during the assessment.
1. Click the Go To Form button to open the worksheet.
2. Enter your responses for the worksheet. Here you can document any false positives. You can also indicate if you have taken measures to reduce or avoid any issues identified in the assessment that might not otherwise appear in your assessment documentation.
3. When you are finished, return to the To Do item and click Mark Complete.

Step 10 -- Generate CMMC Assessment Reports
Task Review Final Reports. After documenting the compensating controls, the assessment reports and supporting documentation will become available for review.
Note: It may take several minutes for the reports to appear once you reach this step.
To review the reports and findings:
1. From your Site, go to Compliance Manager > Assessments.

2. Click Reports from the left menu to access a list of generated reports.
3. The Reports page will appear. Click the download icon next to the report that you wish to download and view.
4. Once you have reviewed the reports, click Mark Complete on the task details page.
Optional Task: Export Issues to Kaseya BMS
Once you generate assessment reports and review them, you can view specific issues identified in the assessment -- organized by risk score -- from the Issues tab. These issues supplement the detailed data in your reports with immediate action items -- and likewise allow you to export these issues as tickets to Kaseya BMS.
To do this:
Step 1 -- Gather Credentials and Set Up Kaseya BMS
Before you begin, you will need:
- Valid Login Credentials for RapidFire Tools Portal
- A RapidFire Tools Portal Compliance Manager "Site" for which you wish to export tickets
- Valid Login Credentials and details for Kaseya BMS (refer to the table below)

PSA System: Kaseya BMS

PSA Prerequisites:
- Kaseya Username
- Kaseya Password
- Kaseya Tenant (i.e. company name)
- Kaseya API URL, example: "https://bms.kaseya.com" (you should receive the exact URL in an email from Kaseya)

Step 2 -- Set Up a Connection to your Kaseya BMS
Follow these steps to set up a Connection to Kaseya BMS.
1. Visit https://www.youritportal.com and log into the RapidFire Tools Portal.

Note: In order to configure the Settings in the Portal, you must have the All or Admin global access level.
2. Click Global Settings.

3. Click Connections.

4. Click Add to create a new Ticketing System/PSA Connection.
5. In the Setup New Connection window, select Connection Type and choose Kaseya BMS.
Note: Compliance Manager can only be integrated with Kaseya BMS at this time.

6. Then enter the information required to set up the Connection. This information will include:
- Username and Password
- API URL
- Tenant name (Company name)
7. Click Test Login button to test your Connection login. After a successful test login, the second Add Connection Ticket Details window will be displayed.
8. Continue creating your Connection by entering in the necessary Ticket Details.
Click Test Ticket. The Add Connection Settings Confirmation window will be displayed after the Test Ticket process is successful.
9. In the Add Connection Confirm Settings window presented, enter a Connection Name.
10. Review the Connection's configuration details and click Save.
The new Connection created will be listed in the Portal's Connection list.
Step 3 -- Map your Compliance Manager's Site to a Kaseya BMS
Follow these steps to map a Kaseya BMS Connection to the RapidFire Tools Portal Site associated with your Compliance Manager assessment.
1. From the Global Settings > Connections menu, scroll down and click Add under Site Mappings. The Map Site to Connection window will be displayed.
2. Select the RapidFire Tools Portal Compliance Manager Site you want to assign to the Kaseya BMS Integration.
3. Next, select the name of the Connection that you want to use to link the Site to Kaseya BMS.

4. Click Save. The Site's mapping will be saved and listed in the Site Mappings list. You can now export Issues as tickets for the RapidFire Tools Portal Site you selected.
Step 4 -- Export Issues to Kaseya BMS
The final step is to select issues and export them. To do this:
1. Navigate to the site with the issues you want to export. Go to Compliance Manager > Assessment > Issues.
2. Check the box next to each issue to be exported.
3. Click Export to BMS and confirm.

Each successfully exported issue will receive a ticket number. The issues will now be available as tickets in Kaseya BMS.
Note: Once the ticket is exported, you can continue to view its details, but you cannot export it twice.

Step 11 -- Complete and Archive your CMMC Assessment
Task CMMC Assessment Complete.
In this step, after you have reviewed your CMMC assessment reports, the CMMC assessment will be complete. Compliance Manager will also note the number of compliance and security issues detailed for further review in the Risk Assessment report.
Archiving Assessments
When you complete an assessment, that assessment will be archived. You can review the assessment and the generated reports and compliance documentation. To do this:
1. Navigate to the Compliance Manager > Assessments tab.
2. Click on the drop-down menu from the right side of the screen.

3. Select the archived assessment you wish to review.
Note: Your archived assessment will be named: YYYY-MM-DD where the date is the start date of the assessment.

Step 12 -- Start a New CMMC Assessment after Completing a Previous Assessment
To start a new assessment, follow these steps:
1. Go to Compliance Manager > Assessments > Dashboard.
2. Click Start New.

Your To Do List will be reset. The Start CMMC Assessment To Do item will be added to your To Do list.

CMMC Assessment Reports

Compliance Manager for CMMC can generate the following reports and supporting documents:

CMMC Compliance Reports
These reports show where you are in achieving CMMC compliance. In addition, these documents identify and prioritize issues that must be remediated to address CMMC-related security vulnerabilities through ongoing managed services.

Report Type | Description
CMMC Assessor Checklist | The CMMC Assessor Checklist gives you a high-level overview of how well the organization complies with the CMMC (Cybersecurity Maturity Model Certification) requirements. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance.
CMMC Evidence of Compliance | Compiles compliance information from automated scans, augmented data, and questionnaires. Gathers evidence into one document to back up the CMMC Assessor Checklist with real data.
CMMC Risk Analysis | CMMC Risk Analysis is the foundation for the entire CMMC compliance and IT security program. The CMMC Risk Analysis identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of sensitive data at rest and/or during its transmission.
CMMC Risk Treatment Plan | Based on the findings in the CMMC Compliance Assessment, the organization must create a Risk Treatment Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Compliance Manager provides a risk scoring matrix that an organization can use to prioritize risks, appropriately allocate money and resources, and ensure that issues identified are issues solved. The Risk Treatment Plan defines the strategies and tactics the organization will use to address its risks.
CUI Plan of Actions and Milestones Report* | The CUI Plan of Action is organized by the NIST security control requirements and cross-references the CMMC control domains. It details the status of implementation for each control, and provides suggestions for resolving the issues identified. (Requires Level 2 assessment and completion of NIST SP 800 171 DoD Assessment Scoring Supplement Worksheet)
CUI System Security Plan* | This document supplements the Risk Analysis, Risk Treatment Plan, and NIST SP 800-171 DoD Assessment Scoring report and offers substantiation and verification of compliance with control requirements. (Requires Level 2 assessment and completion of NIST SP 800 171 DoD Assessment Scoring Supplement Worksheet)
NIST 800 171 Scoring Supplement Worksheet* | The optional NIST 800-171 Scoring Supplement allows you to perform a self-assessment as per the DoD's interim rule. It is based on the DoD NIST SP 800-171 Assessment Methodology, where the final assessment results are communicated in the form of a DoD Assessment Score. (Requires Level 2 assessment and completion of NIST SP 800 171 DoD Assessment Scoring Supplement Worksheet)
NIST SP 800 171 DoD Assessment Score Report* | This report details the DoD Assessment Score as per the DoD Assessment methodology. It details the control point value deductions, as well as the implementation status for each required control. (Requires Level 2 assessment and completion of NIST SP 800 171 DoD Assessment Scoring Supplement Worksheet)
Supporting Documentation
These documents show the detailed information and raw data that backs up the compliance reports. These documents include the various interviews and worksheets, as well as detailed data collections on network assets, shares, login analysis, etc.

Report Type | Description
CMMC Full Detail Excel Export | The CMMC Full Detail Excel Export includes every detail uncovered during the CMMC assessment's network and computer endpoint scanning process. Details are presented in line-item fashion in an editable Excel workbook document. The report is organized by titled worksheets to help you locate the specific findings of interest, and problem areas are conveniently highlighted in red, making it easy to spot individual problems to be rectified.
CMMC Login History Report | This report presents user login history by computer to enable workforce members responsible for IT Security to audit access to computers connected to a company's network. It is particularly useful for reviewing commonly accessed machines (file server, domain controller, etc.), or particularly sensitive "CUI" computers that are used to collect, process, transmit, or store CUI, for failed login attempts.
CMMC Windows Patch Assurance Report | The CMMC Windows Patch Assurance Report helps verify the effectiveness of the client's patch management program. The report uses scan data to detail which patches are missing on the network.
External Vulnerability Scan Detail by Issue | Detailed report showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

Worksheets by Assessment Level

Report Type | Description
CMMC Access Control Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Access Control" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Antivirus Verification Worksheet | Compliance Manager will automatically detect any anti-virus software installed on PCs on the target network. The Antivirus Verification Worksheet details whether each endpoint on the network has anti-virus software installed. It also displays the type of anti-virus software.
CMMC Application Inventory Worksheet | This worksheet is used to document the "necessity" of the applications identified as being installed on the computer endpoints operating within the network.
CMMC Asset Inventory Worksheet | The Asset Inventory Worksheet is used to augment the asset data that was collected during the internal network scan. Details include the asset owner, acceptable use, environment, backup agent status, as well as device and asset criticality classification. The asset criticality classification is used to determine the risk to the organization in the event of a security incident where the asset's access or availability is compromised.
CMMC Asset Management Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Asset Management" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Audit and Accountability Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Audit and Accountability" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Awareness and Training Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Awareness and Training" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Configuration Management Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Configuration Management" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC External Information System Worksheet | This worksheet is used to document external information systems used by your organization. Add entries for each external information system along with a description, purpose for using the system, name of the business owner of the system, along with its criticality. Examples of external information systems include Salesforce, QuickBooks Online, and Office 365.
CMMC External Port Use Worksheet | This worksheet allows you to document business justifications for all of the allowed external ports, the protocol configured to use a specific port, and the documentation of any insecure configurations implemented and in use for a given protocol.
CMMC Identification and Authentication Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Identification and Authentication" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Incident Response Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Incident Response" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Maintenance Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Maintenance" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Media Protection Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Media Protection" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Personnel Security Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Personnel Security" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Physical Protection Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Physical Protection" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Recovery Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Recovery" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Risk Management Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Risk Management" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Security Assessment Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Security Assessment" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC Situational Awareness Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "Situational Awareness" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC System and Communications Protection Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "System and Communications Protection" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC System and Information Integrity Worksheet | This worksheet is used to collect information required to demonstrate compliance with the CMMC "System and Information Integrity" control domain requirements that cannot be discovered and assessed through automated scans.
CMMC User Access Review Worksheet | The User Access Worksheet is used to augment the user data that was collected during the internal network scan. Complete the worksheet to provide the additional information requested.
NIST 800 171 Scoring Supplement Worksheet | The optional NIST 800-171 Scoring Supplement allows you to perform a self-assessment as per the DoD's interim rule. It is based on the DoD NIST SP 800-171 Assessment Methodology, where the final assessment results are communicated in the form of a DoD Assessment Score.

CMMC Risk Update Assessment Reports

Report Type | Description
CMMC Change Summary Report | Every time you use Compliance Manager for CMMC to run a CMMC Risk Update Assessment on a given network, Compliance Manager for CMMC generates the CMMC Change Summary report. This report compares the results of the last Full CMMC Assessment with the network scan, local computer scan(s), and external vulnerability scan results gathered during the Risk Update Assessment process. This report details changes in the network's User Accounts, Local Computer Accounts, Active Directory (A/D) Computers, Non-A/D Computers, Non-A/D Devices, External Vulnerabilities, along with a Windows computer Patch Summary.
CMMC Risk Treatment Plan Update | Based on the findings in the CMMC Risk Update Assessment, the organization must create a CMMC Risk Treatment Plan with tasks required to minimize, avoid, or respond to identified risks to IT security. The CMMC Risk Treatment Plan Update contains a list of tasks that can be executed to mitigate identified IT Security risks.
CMMC Risk Analysis Update | The CMMC Risk Analysis Update report lists IT Security risks identified during a Risk Update Assessment that impact the state of IT network security. The CMMC Risk Analysis Update identifies what protections are in place and where there is a need for more. The CMMC Risk Analysis Update report presents results in a list of items that must be remediated to ensure the security and confidentiality of sensitive or confidential information at rest and/or during its transmission.
External Vulnerability Scan Detail** | Detailed report showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

Appendices

Refer to the appendices listed below for the supplementary information referenced in this user guide:

- Pre-Scan Network Configuration Checklist (page 132)
- Checklist for Domain Environments (page 132)
- Checklist for Workgroup Environments (page 134)
- Compliance Manager Cyber Insurance Add On (page 137)
- CMMC To Do Task Complete List (page 143)

Pre-Scan Network Configuration Checklist
RapidFire Tools products can gather a great deal of information from the target network with little advance preparation, and with very little footprint. However, if you are having trouble with scans, or you have the ability to configure the target network in advance, we recommend the settings below.
These checklists detail the recommended network configurations for both Windows Domain and Workgroup environments.
Note: You must have the .NET 3.5 framework installed on machines in order to use all data collector and server/appliance tools.

Checklist for Domain Environments
Share this checklist with your IT Administrator and ask them to configure your network's Domain Controller as follows:

Domain Configuration

GPO Configuration for Windows Firewall (Inbound Rules)

· Allow the Windows Management Instrumentation (WMI) service to operate through Windows Firewall. This includes the following rules:
  · Windows Management Instrumentation (ASync-In)
  · Windows Management Instrumentation (WMI-In)
  · Windows Management Instrumentation (DCOM-In)
· Allow File and Printer Sharing to operate through Windows Firewall. This includes the following rules:
  · File and Printer Sharing (NB-Name-In)
  · File and Printer Sharing (SMB-In)
  · File and Printer Sharing (NB-Session-In)
· Enable Remote Registry "read only" access on computers targeted for scanning.

Note: Remote Registry access should be restricted to the user account whose credentials will be used for the network and local computer scans.

Enable the Internet Control Message Protocol (ICMP) so that authorized ICMP echo request and echo reply messages can be sent and received by Windows computers and network devices.
Windows Firewall rules may need to be created or enabled on Windows computers so that:
· the computer running the Kaseya-RapidFire Tools network data collector can send ICMP echo request messages to Windows computers and network devices
· each Windows computer can send ICMP echo reply messages in response to an ICMP echo request
Note: ICMP requests are used to detect active Windows computers and network devices to scan.

GPO Configuration for Windows Services
· Windows Management Instrumentation (WMI): Startup Type: Automatic
· Windows Update Service: Startup Type: Automatic
· Remote Registry: Startup Type: Automatic
· Remote Procedure Call: Startup Type: Automatic

Network Shares
· Admin$ must be present and accessible using the supplied credentials (usually a local administrator, or a user in the local computer's Administrators security group)

3rd Party Firewalls
· Ensure that 3rd party firewalls are configured similarly to the Windows Firewall rules described in this checklist.
Note: This is a requirement for both Active Directory and Workgroup networks.
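The checklist above tells the domain administrator what to configure, but gives the technician no way to confirm it before the scan starts. The following PowerShell script is an added example, not code from the RapidFire Tools guide: run from the machine that will host the Compliance Manager Server, it performs a read-only check of each domain checklist item against a list of target hosts. The host names and the scan account are placeholders; it relies only on built-in cmdlets (NetTCPIP, CimCmdlets) and the .NET remote registry API, and the Remote Registry test uses the identity you are logged on as rather than $Credential, so run it logged on as the scan account.

```powershell
# Added example, not RapidFire Tools code: read-only pre-flight check of the domain
# checklist from the machine that will host the Compliance Manager Server.
# $Targets and the scan account are placeholders; run it logged on as the scan
# account (the Remote Registry test uses the logon identity, not $Credential).
param(
    [string[]]$Targets = @('ws01.corp.example', 'ws02.corp.example'),
    [pscredential]$Credential = (Get-Credential -Message 'Scan account (local admin on the targets)')
)

# Service names behind the checklist's display names
$services = 'Winmgmt', 'wuauserv', 'RemoteRegistry', 'RpcSs'

foreach ($t in $Targets) {
    $r = [ordered]@{ Host = $t }

    # ICMP echo: the data collector only scans hosts that answer a ping
    $r.Icmp = Test-Connection -ComputerName $t -Count 1 -Quiet

    # TCP 445 carries SMB (Admin$, File and Printer Sharing); TCP 135 is the RPC
    # endpoint mapper that WMI/DCOM and Remote Registry calls start from
    $r.Smb445 = (Test-NetConnection -ComputerName $t -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    $r.Rpc135 = (Test-NetConnection -ComputerName $t -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Admin$ must open with the scan credentials, not merely exist
    try {
        New-PSDrive -Name AdminShare -PSProvider FileSystem -Root "\\$t\admin`$" `
            -Credential $Credential -ErrorAction Stop | Out-Null
        $r.AdminShare = Test-Path 'AdminShare:\System32'
    } catch { $r.AdminShare = $false }
    finally { Remove-PSDrive -Name AdminShare -Force -ErrorAction SilentlyContinue }

    # WMI over DCOM (not WinRM), which is what exercises the WMI-In/DCOM-In rules.
    # The same session reads the startup type of each required service.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cim = New-CimSession -ComputerName $t -Credential $Credential -SessionOption $opt -ErrorAction Stop
        $r.Wmi = $true
        foreach ($s in $services) {
            $svc = Get-CimInstance -CimSession $cim -ClassName Win32_Service -Filter "Name='$s'"
            # Win32_Service.StartMode is Auto, Manual or Disabled; the checklist wants Auto
            $r["${s}.StartMode"] = if ($svc) { $svc.StartMode } else { 'missing' }
        }
        Remove-CimSession $cim
    } catch { $r.Wmi = $false }

    # Remote Registry: a read of HKLM is all the scan needs, so that is all we test
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $t)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $r.RemoteRegistry = ($null -ne $key.GetValue('ProductName'))
        $key.Close(); $hklm.Close()
    } catch { $r.RemoteRegistry = $false }

    [pscustomobject]$r
}
```

Pipe the output to Format-Table -AutoSize. A False in any column, or a StartMode other than Auto, maps directly to one line of the checklist above, which is usually faster than waiting for the Pre-Scan Analysis to report the same gap.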

Checklist for Workgroup Environments
Before you perform a workgroup assessment, run the following commands from an elevated PowerShell (or Command Prompt) session on each workgroup computer to be scanned and on the machine that will perform the scan. These three configurations should help you avoid most issues in a workgroup environment. Each command is followed by an explanation and a link to Microsoft documentation.
1. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
By default, UAC remote restrictions filter the access token of local administrator accounts (other than the built-in Administrator account) when they connect over the network, so they cannot perform remote administration tasks. This command sets the LocalAccountTokenFilterPolicy registry value to 1, which removes that filtering and allows any local administrator to perform remote administrative tasks (i.e. access the C$ and Admin$ shares, WMI, and so on). Because the same restriction also limits lateral movement with stolen local administrator credentials, use a dedicated scan account with a unique, strong password, and revert the value to 0 after the assessment if it is not otherwise required.
https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
2. netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
This command enables the predefined Windows Firewall rules in the WMI group, including the inbound ASync-In, WMI-In and DCOM-In rules, which allow access to the WMI service and its namespaces.
https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
3. netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
This command enables the predefined Windows Firewall rules in the File and Printer Sharing group, including the inbound SMB-In, NB-Name-In and NB-Session-In rules and the ICMPv4 echo request rule. File and printer sharing is required in order to access the Admin$ share on remote machines.
https://answers.microsoft.com/en-us/windows/forum/all/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354
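The three commands above do the job but enable the firewall rule groups for every remote address and leave you to check the result by hand. The script below is an added example, not RapidFire Tools code: it applies the same three settings with PowerShell cmdlets from an elevated session on each workgroup computer, scopes the opened rules to the scanner's address (a placeholder, $ScannerAddress), sets the checklist services to start automatically, and then reports the local state the scanner will depend on.

```powershell
# Added example, not RapidFire Tools code: the three workgroup commands above
# expressed with PowerShell cmdlets, run from an elevated session on each
# workgroup computer to be scanned, followed by a local check of the result.
# $ScannerAddress is a placeholder for the IP of the machine that will scan.
#Requires -RunAsAdministrator
param([string]$ScannerAddress = '192.0.2.10')

# 1. LocalAccountTokenFilterPolicy = 1 lifts the UAC remote restriction so a
#    local administrator account gets a full token over the network (Admin$, WMI).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2./3. Enable the predefined inbound rule groups (same groups as the netsh
#       commands). The File and Printer Sharing group also contains the ICMPv4
#       echo-request rule that host discovery depends on. Scoping the rules to
#       the scanner's address keeps the exposure to the one host that needs it.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    Enable-NetFirewallRule -DisplayGroup $group -Direction Inbound
    Set-NetFirewallRule    -DisplayGroup $group -Direction Inbound -RemoteAddress $ScannerAddress
}

# Services from the workgroup checklist. RpcSs is a protected service that is
# always Automatic, so it is only checked below, not reconfigured.
foreach ($svc in 'Winmgmt', 'wuauserv', 'RemoteRegistry') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}

# Local check of everything the scanner will depend on
$check = [ordered]@{}
$check.LocalAccountTokenFilterPolicy = (Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$check.WmiRulesStillDisabled = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' }).Count
$check.FpsRulesStillDisabled = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' }).Count
# The scan needs the Admin$ share itself, not just the firewall opening
$check.AdminShare = [bool](Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)
foreach ($svc in 'Winmgmt', 'wuauserv', 'RemoteRegistry', 'RpcSs') {
    $s = Get-Service -Name $svc
    $check[$svc] = "$($s.Status)/$($s.StartType)"
}
[pscustomobject]$check
```

Expect LocalAccountTokenFilterPolicy to read 1, both StillDisabled counts to be 0, AdminShare to be True, and each service to show Running/Automatic. When the assessment is over, the Set-NetFirewallRule scoping makes it easy to disable the same two groups again and reset the registry value.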

You can also share this checklist with your IT Administrator and ask them to configure each computer in your workgroup as follows:

Workgroup Configuration

Network Settings

· Admin$ must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan.
· File and printer sharing must be enabled on the computers you wish to scan.
· Ensure the Windows Services below are running and allowed to communicate through Windows Firewall:
  · Windows Management Instrumentation (WMI)
  · Windows Update Service
  · Remote Registry
  · Remote Desktop
  · Remote Procedure Call
· Workgroup computer administrator user account credentials.
Note: Before configuring scan settings for workgroups, prepare a list of the administrator user account credentials for each workgroup computer, for entry into the scan settings wizard.

Enable the Internet Control Message Protocol (ICMP) so that authorized ICMP echo request and echo reply messages can be sent and received by Windows computers and network devices.
Windows Firewall rules may need to be created or enabled on Windows computers so that:
· the computer running the Kaseya-RapidFire Tools network data collector can send ICMP echo request messages to Windows computers and network devices
· each Windows computer can send ICMP echo reply messages in response to an ICMP echo request
Note: ICMP requests are used to detect active Windows computers and network devices to scan.


Compliance Manager Cyber Insurance Add On
You can directly provision cyber insurance for your Compliance Manager sites. This offering is provided by Cysurance. Cyber insurance safeguards small business revenue against privacy breaches, identity theft, system damage and other cybercrimes, and can be a valuable service for your MSP to offer clients.
To provision Cysurance for one of your Compliance Manager sites:
1. Log into the Compliance Manager Portal.
2. Open your Compliance Manager Site provisioned for any assessment type (e.g. GDPR, HIPAA, or Cyber Insurance).
3. Select the Add-Ons menu option.


Note: Select the Learn More button to learn more about available Cyber Insurance offerings.

4. To get a Cyber Insurance quote, click the Get Your Instant Quote button.

5. Select the category that best describes the business/client from the drop-down menu.

6. Select the business/client's annual revenue from the drop-down menu.

7. After the selections have been made, click the Next button in the Get Your Instant Quote window to proceed.
8. Select the Policy Coverage option desired.


Note: The "Notes" associated with each Policy Coverage option, such as the Deductible amount, vary by option.
9. Click Proceed once you have selected an option.
10. The RapidFire Tools Portal redirects the user to the Cysurance Web Portal.


11. The RapidFire Tools Portal opens a new browser tab and directs you to the Cysurance MSP Enrollment web page, which takes over the remaining steps of the Cyber Insurance enrollment process.

Note: Once you enter the company's or client's information on the Cysurance webpage, Cysurance sends you a policy to review. Follow the link in the email from Cysurance and complete the steps to finalize the policy. These emails are sent to the email address you entered at sign-up.
12. Once you complete the transaction through Cysurance, you can View Policy Summary from your Compliance Manager Site Home > Add-ons.


CMMC To Do Task Complete List
The list below outlines all To Do tasks in the CMMC Assessment To Do list.

Note: The items below may appear in a different order in your To Do list. This depends on the order in which you choose to complete certain tasks.

Task: Create additional users and assign to roles (Home tab > Settings > Users; Roles)
Project Role: Site Admin
Description: Add and invite users to participate in the assessment. Then assign these users to project roles.

Task: Set up Report Preferences (Compliance Manager tab > Settings > Report Preferences)
Project Role: Site Admin
Description: Configure the reports for the Site that will be generated at the end of the assessment. This includes visual elements and client details.

Task: Install Compliance Manager Server (Installed on client network)
Project Role: Technician
Description: Install the Compliance Manager Server on the target network.

Task: Configure Server Scan Settings (Compliance Manager tab > Settings > Scan Settings)
Project Role: Technician
Description: Once the server is installed, enter information to set up scans.

Task: Start CMMC Assessment (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Initial start of the assessment. Starts automated scans and generates forms to complete.

Task: Running Pre-Scan Analysis (Automated Scan)
Project Role: Compliance Manager Server
Description: The server will check for issues that might prevent a complete network scan.

Task: Review Pre-Scan Analysis Results and Recommendations (Compliance Manager tab > To Do)
Project Role: Technician
Description: Review and fix potential scan problems before starting the internal scans.

Task: Running the Automated Internal Network Scan (Automated Scan)
Project Role: Compliance Manager Server
Description: An automated scan will begin on the client's internal network.

Task: Running Local Scan of Remote Computers (Automated Scan)
Project Role: Compliance Manager Server
Description: An automated scan will begin on the client's internal network targeting remote computers.

Task: Unable to scan all selected systems (Compliance Manager tab > To Do)
Project Role: Technician
Description: Perform and upload computer scans on machines that could not be reached during the internal scan.

Task: Run Local Data Collector (optional) (Compliance Manager tab > To Do)
Project Role: Technician
Description: Perform and upload computer scans on machines that could not be reached during the internal scan.

Task: Running the Automated External Vulnerability Scan (Automated Scan)
Project Role: Compliance Manager Server
Description: An automated external vulnerability scan will begin on the designated IP addresses.

Task: Complete External Port Use Worksheet (Compliance Manager tab > To Do)
Project Role: Technician
Description: Enter information about external ports discovered during the external scan.

Task: Complete Antivirus Verification Worksheet (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Assess

Task: Complete User Access Review Worksheet (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Assess

Task: Complete Asset Inventory Worksheet (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Document any

Task: Complete Application Inventory Worksheet (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Document how

Task: Complete External Information System Worksheet (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Document any

Task: Select Level of CMMC Assessment (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Optionally, choose to add additional worksheets to your assessment to identify additional issues.

Task: Complete CMMC Access Control Worksheet (Level 1 and Level 2) (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Conduct

Task: Complete CMMC Audit and Accountability Worksheet (Level 2) (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Conduct an inventory of all .

Task: Complete CMMC Awareness and Training Worksheet (Level 2) (Compliance Manager tab > To Do)
Project Role: Technician
Description: Conduct an inventory of all

Task: Complete CMMC Configuration Management Worksheet (Level 2) (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Select

Task: Complete CMMC Identification and Authentication Worksheet (Level 1 and Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Maintenance Worksheet (Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Media Protection Worksheet (Level 1 and Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Personnel Security Worksheet (Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Physical Protection Worksheet (Level 1 and Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Recovery Worksheet (Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Risk Management Worksheet (Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC Security Assessment Worksheet (Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC System and Communications Protection Worksheet (Level 1 and Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Complete CMMC System and Information Integrity Worksheet (Level 1 and Level 2) (Automated Scan)
Project Role: Internal Auditor
Description: An automated scan of the client network will begin checking for .

Task: Review Final Reports (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Examine the final reports and supporting documents to demonstrate compliance or begin remediating issues.

Task: Complete CMMC Assessment (Compliance Manager tab > To Do)
Project Role: Internal Auditor
Description: Finish and archive your CMMC Assessment. You can review the archived documentation at any time.