Operationalizing Your CMMC Implementation: From Point Fixes to Sustainable Compliance – Part 2

In our previous blog post we started discussing what it takes to implement your cybersecurity controls. Now it is time to dig deeper and cover the details and considerations that matter once the implementation work is under way.

Distinguishing Point Fixes from Ongoing Activities in CMMC Implementation

Some issues needing remediation simply require flipping a switch. These items, often called point fixes, are direct configuration changes that are usually made once. Examples include enabling MFA for all users, turning on BitLocker encryption, enforcing password complexity via GPO, and blocking USB mass storage on all laptops.

Once these configuration-based fixes are in place you are not done. To make them audit-ready, they need to be documented: you still need before-and-after proof to close the corresponding Plan of Action and Milestones (POAM) items.

Capture defensible evidence such as configuration exports, system reports, or validated screenshots to close out POAM items; include that evidence in your baseline documentation, assign an owner, and reference it in a System Security Plan (SSP) update. Every point fix should be able to answer four questions: what was changed, where the change is documented, where it is enforced (a GPO, an MDM policy, a tenant setting), and who is responsible for keeping it that way.
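As an added example (not CyberSheath's tooling and not code from the original post), here is a PowerShell script that snapshots the state of three of the point fixes named above on a Windows endpoint and writes a timestamped, hashed evidence bundle that can be attached to a POAM closure. It assumes a Windows 10/11 host with the BitLocker module, an elevated session, and that USB storage is blocked either by disabling the USBSTOR service or by the "All Removable Storage classes: Deny all access" policy; the output folder and the field names in the summary are my choices. MFA enforcement lives in the identity provider and is not checked here.

```powershell
# Added example, not CyberSheath's tooling: capture point-fix state as dated, hashed evidence.
# Assumes Windows 10/11, the BitLocker PowerShell module, and an elevated session.
# The evidence folder layout and summary field names below are illustrative choices.

$Timestamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$EvidenceDir = Join-Path $env:ProgramData "CMMC-Evidence\$env:COMPUTERNAME-$Timestamp"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. BitLocker: protection status per volume, exported as the raw artefact
$bitlocker = Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
$bitlocker | Export-Csv -Path (Join-Path $EvidenceDir 'bitlocker.csv') -NoTypeInformation

# 2. Password complexity: export the effective local security policy (what the GPO actually
#    applied on this host) and read the PasswordComplexity line from the [System Access] section
$secpol = Join-Path $EvidenceDir 'secpol.inf'
secedit /export /cfg $secpol | Out-Null
$match = Select-String -Path $secpol -Pattern '^PasswordComplexity\s*=\s*(\d)' | Select-Object -First 1
$complexity = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }

# 3. USB mass storage: USBSTOR service start type (4 = disabled), or the removable-storage
#    policy at the parent key (Deny_All = 1). Assumption: one of these is how the org blocks USB;
#    per-device-class GUID subkeys under RemovableStorageDevices are not checked here.
$usbstor = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
$denyAll = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -Name Deny_All -ErrorAction SilentlyContinue

# Summarise pass/fail so the POAM reviewer and the SSP get a plain yes/no next to the raw exports
$summary = [pscustomobject]@{
    Host                = $env:COMPUTERNAME
    CapturedUtc         = (Get-Date).ToUniversalTime().ToString('o')
    CapturedBy          = "$env:USERDOMAIN\$env:USERNAME"
    AllVolumesEncrypted = -not ($bitlocker | Where-Object { $_.ProtectionStatus -ne 'On' })
    PasswordComplexity  = ($complexity -eq '1')
    UsbStorageBlocked   = ($usbstor -eq 4) -or ($denyAll.Deny_All -eq 1)
}
$summary | ConvertTo-Json | Set-Content -Path (Join-Path $EvidenceDir 'summary.json')

# Hash every artefact into a manifest so the bundle can be shown unmodified at assessment time
$hashes = Get-ChildItem -Path $EvidenceDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv -Path (Join-Path $EvidenceDir 'manifest.csv') -NoTypeInformation

$summary
```

Run it once before the fix and once after, and the two bundles are the before-and-after proof. The summary is what goes into the POAM closure note; the CSV, INF and manifest stay with the baseline documentation so that a reviewer can see what the pass/fail was derived from.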

Ongoing Compliance Activities That Support CMMC and NIST 800-171 Controls

The other type of issue, the non-point fix, is an operational activity that must keep happening in a compliant way. These processes run on a regular basis, and each run needs to produce output showing that you are defensibly compliant. Continuous monitoring and reassessment is the real work of compliance.

Action words in the assessment objectives that signal this repeatable nature include ‘implement’, ‘employ’, ‘review’, and ‘assess’. They apply to activities you will perform on a regular basis, so you need both an operational capability and a way to monitor that it keeps running. Examples include log review and threat hunting, quarterly access reviews, the annual control assessment, and change control board (CCB) activity.

If you are going to review and authorize changes, you need to be able to state how often that happens and what record or output each occurrence produces. If you cannot show cadence, you are out of compliance.

Building Repeatable Processes to Sustain CMMC Compliance

For every operational requirement:

  • Document the activity with a procedure. CyberSheath does this for its clients: we inventory the processes that produce compliant outcomes, then make sure each one has a standard operating procedure (SOP) alongside the policy, documenting the steps and the expected output, so everyone knows what to look for to be defensibly, operationally compliant.
  • Assign a clear owner. Every process needs an owner, and each participant needs to understand their role in it. Consider an annual assessment: one person leads the event, but others participate, and each of them should know what they are expected to deliver.
  • Define the cadence (weekly, monthly, quarterly, annually). NIST SP 800-171 gives you some flexibility to define your own approach, but once defined you must keep the records and output of each occurrence. If you say you self-assess annually, make sure the annual assessment output, be it a spreadsheet or PDF report, is dated and falls within the window you defined.
  • Keep records of each occurrence. Use a compliance calendar with automatic reminders and evidence templates. At CyberSheath everything is calendar-driven and recurring. If you say you are going to hold a change approval review with your operations manager, set a weekly cadence and generate notes from every meeting.
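The four steps above (procedure, owner, cadence, records) only prove compliance if someone periodically checks the dated evidence against the declared cadence. As an added example, not CyberSheath's tooling and not part of the original post, the PowerShell below does that check: it takes an activity register (name, owner, cadence, grace period) and an evidence log (one row per dated artefact), finds the most recent artefact for each activity, and reports OK, OVERDUE, or NO EVIDENCE. The activities, owners, cadences, grace periods and evidence rows are constructed for illustration; in practice the register would come from your SOP inventory and the evidence log from the compliance calendar or document store.

```powershell
# Added example, not CyberSheath's tooling: compare dated evidence against declared cadences.
# All activity names, owners, cadences, grace periods and evidence rows are constructed.

$AsOf = Get-Date '2024-09-30'   # assessment date; use (Get-Date) for a live check

# Activity register: what the SOP says happens, who owns it, and how often.
# Grace = extra days allowed for the record to be filed after the activity occurs.
$Activities = @(
    @{ Name = 'Change control board';    Owner = 'Ops Manager'; Cadence = 'Weekly';    Grace = 3  }
    @{ Name = 'Log review';              Owner = 'SOC Lead';    Cadence = 'Weekly';    Grace = 3  }
    @{ Name = 'Access review';           Owner = 'IT Manager';  Cadence = 'Quarterly'; Grace = 14 }
    @{ Name = 'Control self-assessment'; Owner = 'CISO';        Cadence = 'Annually';  Grace = 30 }
)

# Constructed evidence log: one row per artefact (meeting notes, review spreadsheet, report)
$Evidence = @(
    [pscustomobject]@{ Activity = 'Change control board';    Date = [datetime]'2024-09-24'; Artifact = 'ccb-2024-09-24.md' }
    [pscustomobject]@{ Activity = 'Log review';              Date = [datetime]'2024-09-02'; Artifact = 'logreview-wk36.pdf' }
    [pscustomobject]@{ Activity = 'Access review';           Date = [datetime]'2024-07-10'; Artifact = 'access-review-Q3.xlsx' }
    [pscustomobject]@{ Activity = 'Control self-assessment'; Date = [datetime]'2023-08-15'; Artifact = 'self-assess-2023.pdf' }
)

function Get-CadenceDays([string]$Cadence) {
    # Maximum days between two occurrences; an unknown cadence is a register error, so fail loudly
    switch ($Cadence) {
        'Weekly'    { 7 }
        'Monthly'   { 31 }
        'Quarterly' { 92 }
        'Annually'  { 366 }
        default     { throw "Unknown cadence '$Cadence'" }
    }
}

function Test-Cadence {
    param($Activities, $Evidence, [datetime]$AsOf)
    foreach ($a in $Activities) {
        $last = $Evidence | Where-Object { $_.Activity -eq $a.Name } |
            Sort-Object Date -Descending | Select-Object -First 1
        $maxAge = (Get-CadenceDays $a.Cadence) + $a.Grace
        $age = if ($last) { ($AsOf - $last.Date).Days } else { $null }
        [pscustomobject]@{
            Activity     = $a.Name
            Owner        = $a.Owner
            Cadence      = $a.Cadence
            LastEvidence = if ($last) { $last.Date.ToString('yyyy-MM-dd') } else { 'none' }
            Artifact     = if ($last) { $last.Artifact } else { '-' }
            DaysSince    = $age
            Status       = if ($null -eq $age) { 'NO EVIDENCE' }
                           elseif ($age -le $maxAge) { 'OK' }
                           else { 'OVERDUE' }
        }
    }
}

Test-Cadence -Activities $Activities -Evidence $Evidence -AsOf $AsOf | Format-Table -AutoSize
```

With the constructed data, the change control board (6 days old, weekly plus 3 days grace) and the access review (82 days, quarterly plus 14) come back OK, while the log review (28 days against a weekly cadence) and the self-assessment (412 days against an annual one) come back OVERDUE. That is exactly the situation the text warns about: the activity may well be happening, but without a dated artefact inside the window you cannot show cadence, and an assessor will treat it as not done.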

Moving forward, know that implementation does not equal maintenance. Don’t just remediate, be ready to sustain. You aren’t done, you’re ready to start. Intelligently transition to the next phase by tracking ownership, setting review cadences, and knowing what compliance looks like for every process.

As you work to implement your point and non-point fixes, including assembling the related documentation, you may have questions. Contact CyberSheath for guidance. We are the CMMC experts and we are here to help.