Stop looking for the easy button. Hang up on those who say, “Turnkey.”
Then get started; you may have more done than you think.
Do not open the CMMC Assessment Guide Level Three to page 10 and start with Access Control practice AC.1.001:
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
First, by now you know that only the assessment objectives matter. You must have enough observable evidence (multiple pieces for each) for the following AOs to reach compliance on AC.1.001:
- [a] authorized users are identified;
- [b] processes acting on behalf of authorized users are identified;
- [c] devices (and other systems) authorized to connect to the system are identified;
- [d] system access is limited to authorized users;
- [e] system access is limited to processes acting on behalf of authorized users; and
- [f] system access is limited to authorized devices (including other systems).
Do not start here. Heads explode, and you begin to think these people come from a different planet.
Define the Roles
In our training classes for Organizations Seeking Certification we say: begin by determining who has authority over the different parts of your System Security Plan (SSP) (see NIST SP 800-18 for more).
In small companies people often wear all the hats. That is still workable, but you need to define each role explicitly. Even with roles defined, we do not encourage folks to go straight into counting and determining where Controlled Unclassified Information (CUI) lives.
We also encourage folks to inventory their existing policy very early on: employee handbooks, meeting minutes, onboarding documents, and so on. Even if your policies live informally in long email chains, find this material. It will help when you later adopt a template or policy package from a vendor.
Then try to count where CUI lives in your system and what percentage of revenue comes from contracts that flow down the DFARS 252.204-7012 clause.
From there, nobody can tell you the one correct next step. Every system and company is in a different state. A three-year-old SBIR-funded machine learning company may be running the latest and greatest in non-compliant technology, while a sixty-year-old manufacturer pays ever more in end-of-life extension fees for non-compliant technology.
Basics of Cybersecurity
Before you even start thinking about your major technical controls, we lean heavily on:
- Access Control
- Awareness and Training
Using these roots of cybersecurity, you should have enough skill to rough out a sketch of your data flow and network diagrams.
That gives you a basic understanding of your scope. Now you can engage cybersecurity and compliance experts to complete a true scoping assessment, prepare for a formative assessment, and only then seek a summative certification assessment.
At the same time, we wonder whether you should think of CMMC compliance as starting with the Awareness and Training domain.
Awareness and Training First?
Can you complete your SSP while working through, and reaching compliance on, the Awareness and Training domain? Would this approach lead to better cyber hygiene?
Everyone frets over CMMC devolving into a checklist of policies and confusing technical controls. Awareness and Training is what makes the difference.