February 21, 2024
How old is your SPRS self-assessment score? Might want to review this.
You can't solve a process problem with technology
This is something we run into all the time! If you've ever heard me give a presentation on cyber security, you've heard me say "Cyber security is not just an IT problem." There are three pillars in information security:
I find that too many people focus on the technology side of information security requirements, while ignoring the people and processes. I was reminded of this last week, when Amira Armond, a well-respected figure in the CMMC world (instructor, assessor and owner of an authorized C3PAO), made a comment on a LinkedIn post about things we see that we don't understand:
My add is companies trying to become CMMC compliant which spend their effort on securing technology first, rather than people and processes.
Technology is a switch you flip. You can flip it 5 minutes before your assessment and be fine.
People and processes take months or years to get functional.
So true! Too many organizations focus on technology, without understanding their business processes. I consider 3.1.3: Control the flow of CUI to be the most important of all 110 controls in NIST SP 800-171. Find your CUI. Follow wherever it goes. Document your policies and procedures. Then add technology where you need it.
(Guess what I consider to be the second most important? Maybe that's the next newsletter!)
Meanwhile, if you need help with your CMMC preparation, you know where to find me!
Want more information? Check out my upcoming virtual CMMC workshops:
Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!