How CMMC Complements Your Risk Management Strategy
Risk management seeks to identify those factors or variables in your organization that would damage your company, including causing harm to operations, sales, and reputation. Securing your IT infrastructure is obviously one component of a robust risk management plan. From an organizational perspective, this monumental task typically resides under governance, risk, and compliance (GRC) and focuses on IT and cybersecurity risk mitigation.
Most companies identify security as their Achilles heel, whether it be physical security, IT, or cybersecurity. Risk management is a Pandora’s box–there’s a lot of issues that pose risk to an organization, some of which are easily managed and others that can be apocalyptic. The benefit of having a risk management program is it allows you to identify what is in your Pandora’s box and to start preparing in case any of these issues arise in your environment.
Linking risk management to CMMC
The new-ish Cybersecurity Maturity Model Certification (CMMC) has multiple levels based on the business you are conducting and the type of information you have access to. For instance, level one focuses on operations and making sure you have secure capabilities and functions. Level three of CMMC starts to delve into managed services, and that’s where risk management becomes a bigger deal. Specifically, risk management is first referenced in CMMC level two, but not many companies focus on achieving that level.
In terms of level three being a managed program maturity level, you need to identify what those risks are to the management of your program. It could be the standard bad actors and nation states that everybody hears about in the news or other things related to your competition. In terms of managed processes, CMMC specifically requires that you ensure your processes are repeatable.
What CMMC mandates in terms of risk management
- Level 1 – At this stage, risk management is not a priority from a compliance standpoint.
- Level 2 – At this point, CMMC starts talking about assessing the operational risk as it relates to mission, function, image, and reputation. Risks to assets and individuals resulting from controlled unclassified information (CUI) processing, storage, and transmission operation are also referenced, but there is no detail on what is required to actively manage your risk.
- Level 3 – Here is where risk management and assessments should become more repeatable, and approaching cyclical (typically monthly or quarterly). These assessments need to be conducted based on predefined risk categories, sources, or measurements, and stem off of risk mitigation plans, which delineate how risk can be resolved.
As you pursue your CMMC certification, it is important to have a holistic view of risk management. From a CMMC or a DFARS 800-171 assessment side, your IT team is always a key player. Involving HR, Finance and the C suite, also makes sense as all risk is interconnected. For example, if you have an IT breach and it gets in the news, your reputation is affected which impacts sales, and in turn company finances, therefore causing concern over the future of the company.
There are some simple steps to take as you form your risk management strategy.
- Identify your target. It’s very difficult to know how to proceed if you don’t know what your desired end state is. Are you looking for compliance or certification with CMMC, ISO, or Sarbanes Oxley? Are you seeking privacy from a General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) side? Know your goal. For CMMC, are you looking for level one or level three compliance? Or are you simply looking to log your DFARS score into the Supplier Performance Risk System (SPRS).
- Discover where you are in relation to your goal. Perform your assessment and create the foundation of your current state in relation to the target. In other words, determine that ‘this is where we are’ in relation to ‘that is where we want to be’.
- Build your plan to reach your target. Once you’ve identified your goal and know your current state, it’s time to start crafting how you take the steps to reach your risk management objective.
If you have any questions about how to get started with your risk assessment and management plans about your organization’s IT security, contact the experts at CyberSheath. We are well-versed in CMMC controls and have deep expertise helping companies meet their compliance goals. Contact us today.