In our previous blogs we discussed cybersecurity assessments and control implementation. Now it’s time to address step three in our Assess – Implement – Manage (AIM) methodology. This phase involves continuously collecting, reviewing, and preserving evidence of your ongoing compliance, as well as remediating compliance gaps as you find them, all in order to maintain compliance.
Compliance Isn’t a Project—It’s an Ongoing Operational Process
If implementation and remediation were the fix, this phase is what happens next. If no one owns how you operate day to day, then nobody is accountable for making sure those activities happen on a recurring basis. In the remediation phase, you establish those processes and do the work to stay compliant. Ensure each process that is executed in the name of compliance has someone who owns it and that the participants in that process are well understood.
The management plan below is organized from CyberSheath’s perspective as a service provider, but the same structure is also relevant to how you might organize your own organization.
Security: This is the linchpin of the framework. These processes are all tied to procedural elements where a designated person needs to take action. Important tasks include:
- Monitoring and centralized logging – Track and document system activities.
- Endpoint and perimeter protection – Ensure your defined boundaries are robust and intact.
- Vulnerability scanning and detection – Continually look for incursions into your environment.
- Incident response execution and reporting – Quickly respond to undesired entry and document actions taken.
Technology: Technical and IT-focused controls make up a significant portion of requirements and include:
- Change management – Employ a defined process to govern, evaluate, and document changes.
- Configuration baselines and enforcement – Document platform baselines and enforce the technical requirements to stay aligned.
- Patching / maintenance / vulnerability remediation – Patch systems regularly according to defined vulnerability management policies and risk-based timelines.
- Config and access audits – On a recurring basis, evaluate your configuration as part of your assessment processes or technical audits, and generate evidence of those activities.
Compliance: A key component of a management plan is making sure to document your compliant state. This is accomplished through:
- Control assessments and evidence collection – Evaluate your organization’s posture relative to the requirements and collect artifacts that document your state. Organizations must retain artifacts that demonstrate controls are operating as intended.
- Document and record maintenance – Continually assess and record changes in your environment.
- Risk assessments – Regularly execute these assessments.
- System Security Plan (SSP) and Plan of Action and Milestones (POAM) maintenance – Assign ownership of these documents and keep them updated.
- Security and awareness training – Make sure employees are aware of what is expected of them.
Physical and Personnel: These are components outside the big three. They include:
- Physical security planning and controls – Define what physical security means for your organization, establish the controls, and assign accountability for them.
- Personnel security – onboarding / offboarding / screening – Manage the HR/employee management workflows.
Why Ownership Is Critical for Effective Compliance Management
You can’t manage what no one owns. Every document and process should have a named owner who knows they own it and understands what ‘done’ looks like, including generating evidence. That person also needs the tools and authority to execute, and must feel the accountability when it lapses. If everyone owns it, no one owns it. Somebody has to be the hat bearer.
Every repeatable compliance task should be assigned, calendared, and verified. This includes:
- Policies, plans, and SOPs
- Access review cycles
- Incident response tabletop exercises and response testing
- Log reviews
- Change control processes
- The SSP and POAM
Compliant outcomes are more than just good intentions. Operating compliantly means process owners executing defined processes with expected participants, producing defensible outputs, and maintaining boundaries, flows, and systems as approved. Compliance equals proof of compliant outcomes, not just having policies.
As your organization works to achieve or maintain your CMMC compliance, chances are you’ll have questions about how to proceed. Contact the experts at CyberSheath. We’re here to help.
