January 18, 2021
Good morning, everyone, and Happy New Year!
Talk about overwhelmed! New information and interpretations of the CMMC have been rolling out pretty steadily the last couple of months. I have an inch-high stack of notes from various webinars and blogs. I’ll highlight just a few today.
If it isn’t written down, it doesn’t exist
Last Tuesday I heard fellow CMMC-RP Darren Van Booven talk about preparing for the CMMC, and this was one of his key points. Documentation is everything in the world of compliance, and it is critical to your CMMC preparation.
While there is no process maturity required for Maturity Level One (ML1), that doesn’t mean there is no documentation required. A few of the ML1 practices inherently require documentation of some sort (e.g., “maintain audit logs of physical access” and “Identify, report, and correct information and information system flaws in a timely manner.”)
At ML3, however, the documentation requirements are significant. There are three maturity processes required for each domain at ML3:
- Establish a policy
- Document the CMMC practices to implement the policy
- Establish, resource and maintain a plan for performing the practices
What exactly does this mean? For each of the 17 domains in ML3, you must first establish a policy. For example, for “Physical Protection” you might have a policy that employee access is restricted to areas based on job function, and visitor access is limited to public spaces. Then you need to document the practices required to implement this policy. So, in this example, we might have a Physical Protection Policy document with a few bullet points describing the actions, procedures and/or technology in place that enforce this policy.
Finally, we need to have a plan for each domain which includes information such as:
- mission/vision statement
- strategic goals/objectives
- relevant standards & procedures
- project plans
- due dates
- resourcing (personnel, tools, funding)
- assigned management/oversight of activities
- involvement of relevant stakeholders
The plan for each domain describes in detail how you will perform the practices that are required to implement the policy, identifying the resources allocated and the strategy for execution.
Documentation is typically the last thing addressed by small businesses. The requirements for demonstrating process maturity for ML3 are challenging but they are doable. The key, as always: Start preparing now.
Remember, too, that there is more to documentation than just written policies and plans. In an official CMMC assessment, the only things that matter are what you can prove. Besides the interviews (“We do this thing”), you must also provide either artifacts (“See, this shows that we do this thing”) or in some cases, test results (“If you try to do that thing, you won’t be able to, because we do this thing to prevent it”).
Finally, be honest. Don’t make false statements, don’t claim practices that you don’t actually perform, don’t fabricate evidence for your CMMC audit. In a lunch and learn with Katie Arrington last Friday, one of the audience questions was whether it is possible to lose one’s CMMC certification after obtaining it. Ms. Arrington said emphatically yes, that is possible. For example, if you have a serious cyber incident and forensic investigation shows that you knowingly neglected a control that you were audited on earlier, you could lose your CMMC certification. And of course it’s always possible to be sued by the government under the False Claims Act.
If you are totally lost on how to document your practices, reach out to me for help.
Next Work(fromhome)shop January 26
This newly-updated online class will cover the basics -- what is it, why do we have it, applicability, terminology, timeline, and the assessment process. It's an introduction to my "deep dive" series on the specifics of achieving Maturity Levels 1-3 coming up in Spring 2021. Participants in this class will have the first chance at signing up for the spring series.
Tuesday, January 26 @ 10:00 AM - 11:00 AM (CT)
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Glenda R. Snodgrass
The Net Effect, LLC
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!