October 13, 2020
Good afternoon, everyone!
I listened to a live webinar last Wednesday which included Ben Tchoubineh, a CMMC Accreditation Board member, and I wanted to share with you a few key points I jotted down:
"The time to prepare is now." Boy, this one phrase is getting a lot of air time. You see, the clue is in the name -- we are talking about the cyber security MATURITY model certification, and a lot of emphasis is being placed on maturity. You need to start developing and institutionalizing your practices NOW, even if you won't be getting certified for another year or two or three. During an official assessment, you will need to demonstrate:
Repeatable processes, following organizationally-approved policies, performed over a significant time frame.
This applies even at Maturity Level One (ML1)! At ML1, the policies don't have to be written down, but they have to be formulated and followed. At ML2 and up, policies must also be documented.
He made a point of saying "This is why the CMMC has practices, not controls." NIST SP 800-171 identifies controls. The CMMC focuses on practices: the holistic view of those controls and how they are implemented, within the context of your maturity level.
"Start with a gap analysis." One of the questions from the audience was "where do we begin?" The answer: start with a gap analysis. Designate a point person to learn the CMMC practices and processes, and have that person perform a gap analysis. What does this mean? Wikipedia says:
"Gap analysis involves determining, documenting and improving the difference between business requirements and current capabilities."
If you are still stuck, I highly recommend using the NIST Cybersecurity Framework (NIST CSF) as your starting point. You can learn how to get started using the NIST CSF for your gap analysis in my work(fromhome)shop on October 28. Details and registration are online here.
Primes, start talking to your subs. Prime contractors need to start querying their subcontractors about their cyber security posture. You need to examine the data that flows down to your subs, and help them identify which ML they will need to achieve. Unless they provide only COTS, most of them will need at least ML1.
A final thought. Asked "what are the most common things you have seen doing gap analyses?", he answered: "when cybersecurity is not a part of the culture of the business."
So make certain that cybersecurity is an important part of the culture of YOUR business!
Have a great week!
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!