The Secret to Cybersecurity Maturity Model Certification (CMMC) & NIST 800-171 Compliance
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework developed by NIST. CMMC helps organizations measure and improve their cybersecurity so that they can better meet the needs of an increasingly complex cyber environment. CMMC certification provides benefits including:
- A holistic view of your security posture across all IT systems and data
- Improved operational efficiency and effectiveness
- Reduced risk exposure through reduced vulnerability to external threats
Cybersecurity is the most important topic of our time. If you have anything that connects to the internet, it’s at risk.
Do you know how to protect your company from cybersecurity threats? If not, this blog post will provide some helpful information on CMMC and NIST 800-171 compliance programs so that you can get started today!
Before you dive into scheduling your compliance audit for certification, it will help you to understand the Easy Compliance Methodology. This simple understanding will help you know how to meet the requirements of any future compliance program. That’s right: this one chapter of the book is worth the value of the book and more, because by understanding this section you will no longer be overwhelmed and confused by Governance, Risk, and Compliance programs or the standards they are trying to enforce.
So what’s the secret to Cybersecurity Maturity Model Certification (CMMC) & NIST 800-171 compliance that it took my Australian Law degree to discover?
Understanding that there are three elements to meeting any compliance program:
- Documentation
- Systems & Processes
- Validation
These three elements combined will ensure that when your company is audited it will meet and exceed the minimum requirements created by the compliance program. Remember that to meet any of the five levels of CMMC compliance, you need to pass an audit for certification. This means you need to provide an auditor with a copy of your documentation, which explains how you meet each compliance requirement and how you have validated that the metrics of each compliance requirement have been successfully implemented. Your documentation explains the why, how, and where of meeting compliance requirements in any governance program.
Let me quickly explain these three elements to ensure you understand exactly what they are and how they apply to your company.
Documentation is the written policies and procedures used by your company to operate. These typically are expanded to address the problems specified in any compliance program. To successfully pass your compliance audit for any of the CMMC levels or NIST 800-171, you are required to have good documentation for each of the sections of CMMC.
A problem is the specific section of a compliance program. For example, let me explain using one of the CMMC practice requirements.
Domain: Access Control
Section: AC.1.001
CMMC Practice Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Easy Compliance Secret: If you read this CMMC practice requirement and are confused, don’t worry. Our Easy Compliance CMMC Gap Assessment includes explanations and example scenarios to help you understand exactly what it means in simple English. You will also find this Gap Assessment Explainer at the back of this book. Access Book Resources at: www.ChatFortress.com/CMMCBook
This CMMC practice requirement creates a problem that your company must determine how it will solve. Documenting how you will solve this problem is the foundation of your compliance program. How you solve this problem is explained in your documentation, including policy statements, System Security Plans, and associated documentation. This documentation is loaded into your Governance, Risk, and Compliance (GRC) software to help you manage all of these connected policies.
Insider Tip: Most companies don’t realize that they are already meeting many compliance requirements based on the systems and processes they are already using. That’s right! You could already be compliant. Now you just need to meet the certification requirements for the governance program. A company may not have documented the process as required. Therefore, by leveraging the documentation templates we provide, you can meet your compliance requirements faster and easier than ever.
Your documentation becomes part of your intellectual property. This intellectual property is created based on internal and external influencers, for example:
Internal Influencers:
- Non-IT-related corporate policies.
- Board of Director guidance and/or directives.
- Other internal requirements.
External Influencers – Contractual:
- SOC 2 Certification.
- ISO 27001 Certification.
- NIST Cybersecurity Framework.
- Other contractual requirements.
External Influencers – Statutory:
- HIPAA /HITECH.
- Data Protection Act (UK)
- Other data protection laws.
External Influencers – Regulatory:
- NIST 800-171 / CMMC (FAR & DFARS)
- EU GDPR
- Other international data protection laws.
When it comes to Documentation there are some important terms you should understand:
- Policies: are the high-level statements of management intent from an organization’s leadership, designed to influence decisions and guide the organization to achieve desired outcomes. Policies define high-level expectations and provide evidence of due diligence to address applicable internal or external requirements.
- Control Objectives: are the targets or desired conditions that are to be met. These are the statements describing what is to be achieved as a result of the organization implementing a control. Control Objectives support policies and provide scoping for standards based on industry practices.
- Standards: are mandatory requirements regarding the processes, actions, and configurations designed to satisfy Control Objectives. Standards are intended to be granular and prescriptive, establishing a minimum requirement. Standards operationalize Policies by providing specific requirements that must be met.
- Guidelines: are recommended practices based on industry best practices. Users can apply discretion in interpretation and implementation. Guidelines provide additional content to help operationalize Standards.
- Controls: are technical, administrative, or physical. Controls are the nexus used to manage risks by preventing, detecting, or lessening the ability of a particular threat to negatively impact a business. Controls map directly to standards, since control testing is used to validate that the specific standard has been implemented successfully. Controls are assigned to specific stakeholders to assign responsibility for enforcing standards.
- Procedures: are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures address the question of how the company implements a policy, standard, or control.
- Risk: represents a situation where someone or something valued is exposed to danger, harm, or loss (noun), or the act of exposing someone or something valued to danger, harm, or loss (verb). In practical terms, risk is associated with a control deficiency (e.g., if the control fails, what risk(s) is the organization exposed to?). Risk is often calculated by the formula Threat x Vulnerability x Consequence in an attempt to quantify the potential magnitude of a risk instance occurring. While it is not possible to have a totally risk-free environment, it may be possible to manage risks by avoiding, reducing, transferring, or accepting them.
All controls create metrics that allow you to validate if a standard has been implemented successfully. Metrics are used in the validation process.
Systems & Processes
Systems & Processes are the controls, either technical, administrative, or physical, that have been implemented into your company. For example, this could be the software your company uses to manage passwords. It could be the software you use to detect vulnerabilities, viruses, or threats within your network. It could be the process you use to hire or terminate an employee.
Systems & Processes are the “how” of your company’s day-to-day implementation and operation. The good news is that if you haven’t documented your Systems & Processes yet, it should be easier than starting from scratch, because you already have a system; you just need to document it. To make your Systems & Processes meet your governance requirements, all you need to do is ensure they meet the minimum guidelines stated in the practice requirement.
ChatFortress can provide you with our System & Process questionnaire cheat sheet to help you map what you are already doing to existing compliance requirements. This saves you from having to rush out and buy all this fancy and expensive software. You may only need to upgrade the existing software you have.
Insider Tip: Based on the Systems & Processes your company is already using, you could be meeting various governance controls. ChatFortress Easy Compliance makes available our Systems & Processes Questionnaire as part of our Gap Assessment.
This is where we ask you about “how” you are operating your company. The software you’re already using could mean you’ve already met various control requirements. This allows you to focus on documenting what you’re doing to meet the three elements of the Easy Compliance methodology. That’s right, ChatFortress has mapped various software applications that companies use on a daily basis to every one of the CMMC & NIST 800-171 practice requirements. This questionnaire can save you thousands and help you choose the right type of software solution to satisfy each compliance requirement.
Access Book Resources and the Easy Compliance Gap Assessment at: www.ChatFortress.com/CMMCBook
Validation is the process of auditing that your documentation and Systems & Processes are effective and operating successfully. By providing your auditors with your auditing methodology and your validation documentation, you make it easier for them to pass your company. The harder you make an auditor work, the more likely they are to find non-compliant elements within your company.
Validation does not need to be complicated or time-consuming. Validation can consist of either automated or manual tasks. The secret to creating effective validation controls is defining your audit methodology when you write your controls. For example, how will you validate that strong passwords longer than eight characters are being used? This would mean checking that the password strength variables are configured within your base security configurations. When you design your Systems & Processes controls, include these four elements within your audit methodology for each control:
- Evidence: What evidence is required to audit this control, and where is it located?
- Analysis: What within the evidence is being reviewed?
- Output: What is the expected output of this review or data?
- Success Criteria: What within the output determines a success or pass/fail?
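As an added example (not from the book or ChatFortress), here is how the four elements above can be captured as a reusable validation record and applied to the password-length check mentioned earlier, in Python. The configuration file content, the control name and the helper names are constructed for illustration.

```python
"""One control's audit methodology: Evidence, Analysis, Output, Success Criteria."""
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed sample evidence: a pwquality-style password policy file as an
# auditor might collect it from a baseline configuration (not a real host).
SAMPLE_PWQUALITY_CONF = """\
# Password quality settings (constructed sample)
minlen = 12
dcredit = -1
"""

@dataclass
class ControlValidation:
    control_id: str                                 # hypothetical control name
    evidence: str                                   # what is collected and where from
    analysis: Callable[[str], Dict[str, str]]       # what in the evidence is reviewed
    success: Callable[[Dict[str, str]], bool]       # what in the output means pass

    def run(self, evidence_text: str) -> dict:
        """Output step: the reviewed data plus the pass/fail decision."""
        output = self.analysis(evidence_text)
        return {"control": self.control_id, "evidence": self.evidence,
                "output": output, "passed": self.success(output)}

def parse_key_values(text: str) -> Dict[str, str]:
    """Analysis step: extract `key = value` settings, ignoring comments."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def min_length_at_least(minimum: int) -> Callable[[Dict[str, str]], bool]:
    """Success criteria: configured minlen must reach the minimum. A missing or
    malformed setting is a failed validation, never a silent pass."""
    def check(output: Dict[str, str]) -> bool:
        try:
            return int(output.get("minlen", "0")) >= minimum
        except ValueError:
            return False
    return check

PASSWORD_LENGTH_CONTROL = ControlValidation(
    control_id="PWD-LEN (hypothetical)",
    evidence="pwquality.conf from the base security configuration",
    analysis=parse_key_values,
    success=min_length_at_least(9),   # "longer than eight characters"
)

def validate_password_length(evidence_text: str = SAMPLE_PWQUALITY_CONF) -> dict:
    return PASSWORD_LENGTH_CONTROL.run(evidence_text)
```

The same record shape can be reused for any control: swap the evidence description, the analysis function and the success criteria, and the output becomes the artifact handed to the auditor.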
Validating for compliance is all about asking the right questions when writing your documentation and implementing your systems & processes. CMMC Level 5 requires 171 practices that all require validation (audit log). This supporting documentation is provided to your auditors to confirm you are proactively implementing your interpretation of the governance standards.
Even though many CMMC or NIST 800-171 practice requirements are technical, it should be possible for non-technical managers or decision-makers to request and design a validation report. This is why it’s important to complete regular vulnerability assessments or leverage tools like the ChatFortress Ransomware Simulator. We use real-world threats to validate your current systems & processes are reporting and responding to alerts correctly.
One of the biggest mistakes that companies make with validation is not factoring in the time required to document, with evidence, that compliance requirements are implemented successfully. Auditing any practice requirement takes time, specifically when you need to collate evidence from other parties and prepare that evidence. For that reason, the systems & processes you have implemented should be part of your company’s operational procedures rather than waiting for a compliance audit. Many companies have not defined their validation methodology and therefore do not know what evidence is required or what defines success.
Just because you are using specific software does not mean you have configured the software correctly. We helped one client identify that the $80,000 a year software they were using was not even turned on. That’s right, mistakes happen, and this type of mistake is common. Validation is like using a pilot checklist. Pilots use a checklist for every flight and for every event that occurs before, during and after the flight. Your company needs to have a checklist for validating your systems and processes. This type of validation allows your company to become resilient to attacks and any challenge.
Insider Tip: Many governance requirements can be validated using automated reporting or alerting software. You can also validate multiple requirements at the same time. It does not need to be a complicated and time-consuming process. Just look at the table below to understand the time required to complete validation tasks.
| Number of Controls | Average Hours per Control | Total Validation Time |
|---|---|---|
| 72 | 3 | 216 hours (5.4 weeks) |
| 171 | 1 | 171 hours (4.3 weeks) |
| 171 | 3 | 513 hours (12.8 weeks) |
However, you need to factor time into this validation process based on how frequently you want to validate your controls. For example, with 171 controls being validated at an average of 1 hour per control, that is 171 hours. However, if you are validating three times a year, that is 513 hours of work, provided you have the relevant documentation and validation methodology defined with supporting evidence. Five hundred thirteen hours is 12 weeks (40-hour week average) of focused work. Validation becomes time-consuming when there is no supporting evidence, or when creating this evidence becomes a task requiring multiple parties to submit evidence. This is when you need to be aware that monthly reporting may not be possible on all of your 171 controls. You need to be aware of which controls need to be audited more frequently and which can be validated once a year.
Do you need to implement CMMC into your company?
The process of implementing CMMC and NIST 800-171 can be intimidating, but that’s no longer the case with ChatFortress’s new book “CMMC + NIST800-171 Compliance Checklist & Implementation Guide”. ChatFortress has created a clear blueprint for how to implement CMMC and NIST 800-171 in your company. This book is full of tips, tricks, and implementation recommendations. Plus, the ChatFortress team provides you with all the document template resources and software recommendations for implementing your cybersecurity compliance program.
Claim your CMMC Gap Analysis and Implementation Resources today!
ChatFortress is a leading cybersecurity company helping business owners protect their assets from cybercriminals. ChatFortress is the creator of the Cybersecurity Report Card, the only external security assessment that validates 3rd party risk. We provide companies with access to the latest technologies, social engineering and human behavioral strategies, and user education to create a proactive cybersecurity culture, helping you fortify your business against cyberattacks.