How does a defense contractor create a plan to perform each requirement in CMMC and NIST SP 800-171?
Will you fail if you don’t write policy statements which regurgitate each requirement in a “shall” form?
AKA “Safeguarding measures for CUI at alternative work sites shall be enforced.”
The answer is no. You don’t need to write a vague and unhelpful policy for every requirement. Your policies should support your users (who are real humans who don’t know what to do with vague statements like that). You need a policy for situations where a user needs to know that there are real consequences and where there is a risk that turnover could cause your company to forget to do something.
Instead of that vague “shall” policy, your implementation might include specific training for your users or a telework agreement that users have to sign before they get a laptop. We need to design a solution which is efficient, low burden, and doesn’t rely on people remembering hundreds of policy lines.
Pro tips for developing solutions to CMMC Level 2
This video (one hour) by Amira Armond, president of Kieri Solutions, shows the process that the Kieri Solutions cybersecurity team uses to plan a common-sense implementation for CMMC requirements. She focuses on one requirement (mobile code) from NIST SP 800-171 Rev. 3 and shows how Kieri designs its approach to it.
Every CMMC Level 2 requirement implementation should include considerations for these key topics:
– Do we need a policy to help enforce this?
– How will we trigger performance so no one forgets to do it?
– What procedures do we need, and can we add them “just-in-time”?
– Do our providers need to perform this requirement too? How do we inherit?
– Where do we keep evidence that this is performed correctly over time?
– What is our test plan to verify proper function?
This is a webinar video for educational purposes, presented originally for the Cooey Center of Excellence Discord Forum. Thanks to Mariamsay for recording it!
This is the secret sauce of how the Kieri Compliance Documentation and the Kieri Reference Architecture were created. These are two solutions that Kieri Solutions, our sponsor, has created for Do-It-Yourself CMMC Level 2 compliance.
Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC training content.