April 28, 2021
Good afternoon, everyone!
It’s Not Something You Buy
During the recent Billington CyberSecurity Defense Summit on Zero Trust, panelist Gregory Touhill, president of the AppGate Federal Group, said:
"It's not something you buy … It's a strategy. We've got too many folks in industry trying to peddle themselves as zero-trust vendors selling the same stuff that wasn't good enough the first time."
Boy, that really hit home with me! It reminded me of a LinkedIn discussion awhile back, talking about how many organizations think they can buy a “solution” to become CMMC compliant. That’s not how it works. Many “solution providers” want you to believe this, but don’t fall for the sales pitch. You cannot write a check big enough to make this happen without internal effort. Remember the pillars of information security?
Many of the practices of CMMC ML3 can be addressed with just a policy, or with a policy combined with training – no technology required. For organizations with limited resources, especially lacking in-house IT, this is a great way to achieve compliance without breaking the bank. But you need good policies, and you need good documentation to make this work.
The Defense Contracts Management Agency (DCMA) recently held a brown bag lunch meeting with some candidate C3PAOs to discuss how their CMMC ML3 assessments would be conducted, including some specific information on areas found lacking during the first two assessments conducted. You can view the slides yourself (lots of good info there), but I want to point out a few key points relevant to the current conversation, because documentation is absolutely key to ML3. Deficiencies found:
SSP
- Still in a draft
- Template was not completed (i.e. Insert Text Here)
- Mismatches with Policy
- Mismatches with Inheritance
Policy
- Still in a draft
- Templates not completed
- Mismatches with SSP
Procedures
- Still in a draft
- Templates not completed (i.e. Insert Text Here)
- Distinguishing between policy and procedures Not clear
- Could not determine who to interview
- Could not determine what to test
Ask yourself, what does your documentation look like? Would an assessor visiting you now have these same complaints?
The Provisional Assessors have been trained to look for known template sets and to reject them as evidence – and “Insert Text Here” is a dead giveaway that you didn’t write this policy yourself. But you can do this!
Over and over again we have seen organizations – sometimes with strong security measures in place – lacking in documentation. That’s why I developed my CMMC 102: “Creating Documentation for CMMC ML3” online class, happening next Tuesday! It’s just one hour long, and chock-full of details on how to create a good SSP, written policies, practice and procedure documents, and management plans. The hardest part is getting started, and this class will break the whole process down into manageable chunks.
P.S. – Need help? I’m just an email or phone call away!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!