We have all seen or felt the rage. You go into the fridge to grab the gooey cooey chocolate volcano cake you labeled and the shelf laughs back at you with an eerily empty cackle. Someone did not know who owned the cake.
Almost all the guidance on CMMC tells you to start by determining where and how CUI flows through your system. You might want to first figure out who gets to decide the lunch policy and what goes in the fridge.
Not to mention many a prime might tell you, “We don’t know if we send you CUI but you must have a system that supports receiving CUI if you want future contracts.”
So start with deciding who's in charge.
CMMC and Data Ownership
To understand the team your company brings to the dance we turn to . The document basically begins with deciding where the buck stops.
What is Management Operation?
In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.
So before you even decide how you want CUI to flow you gotta know who signs on the dotted line.
Roles and Responsibility
Management authorization should be based on an assessment of management, operational, and technical controls.
- Security Officer
- Information Systems Owner
- Information Owner
The Chief Information Officer (CIO) is the agency official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities for system security planning:
Most small manufacturers do not have a CIO. You either use a Managed Service Provider or you as CEO do it. Sometimes people choose Deborah in accounting because she keeps that WordPress site about her Gobots collection. But usually just you.
- The CIO chooses the senior agency information security officer (probably also you, an MSP, or Deborah).
- Develop all the security procedures and policies (copy and paste SANS templates)
- Do all the cybersecurity stuff
- Do all the cybersecurity training stuff
The Information System Owner is the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
- Write the system security plan
- Maintain and monitor the security plan
- Make sure people do the cybersecurity training
- Update the system security plan
- Help with implementing practices and processes
- Establishes the roles and rules
- Help with security
- Decide who gets access to sensitive information
NIST wrote the guide to writing security plans for the government, not for your small business. Just remember that you do need to decide who acts as the authorizing agent. Who says:
- Our System Security Plan is good to go
- Authorize the information system
- Deny access to the information system
When you begin your CMMC journey you need to decide who gets to play boss of the SSP, the information system, and all the people. And please stop taking food out of the fridge that does not have your name on it.