July 16, 2024
The first step is the hardest
Recently I was chatting online in a forum dedicated to NIST 800-171 implementation, and one guy made this post that really resonated with me:
I am a late-career software/systems engineering/security engineering/project manager guy trying to transition to project management for CMMC compliance. In my career I have written and managed software for multiple extremely complex missile and command & control systems, I have software and operating systems spinning in space, and I have done years of work on systems security effort. All of this was easy compared to GRC compliance for an organization without a built-up history of compliance. Trying to steer all the personalities and undocumented processes in an ad hoc organization into compliance is like nothing I have ever done.
Starting NIST 800-171 from scratch is not easy, but it is do-able. I like to use the NIST CSF Organizational Profiles as a step-by-step guide to developing an information security program:
Your Organizational Profile is basically the scorecard for how well you are doing the things you need to do. How can you use this to develop your 800-171 compliance program? Let's work through the steps (note that I break them down a bit further than the CSF):
1. Scope the Organizational Profile. What is the scope of your CUI environment? Is it the entire organization, or just one location or one business unit or one working group?
2. Gather the information needed. Start with the assessment objectives in NIST 800-171A in an easy-to-use spreadsheet. Look at the column "Current Profile r/y/g" I added to NIST's template. This is how I like to do a quick and informal assessment that gives your status at a glance. To use this, type "r" into a cell in that column to turn it red, "y" to turn it yellow or "g" to turn it green. This gives a strong visual of your level of compliance with that assessment objective (AO):
Use this spreadsheet as your Current Profile, which is the current status of your compliance.
3. Create your Current Profile. If you haven't done this before, I would suggest setting aside one hour to do a very quick run-through of the 110 requirements and the AOs for each one. Answer in a very knee-jerk manner, your first impression of whether this one is Red, Yellow or Green. Don't even make any implementation notes on this first run, just stick to the colors.
4. Create your Target Profile. Pick a date in the near future -- say 3 months from now. Where do you want to be at that time? How many of those Red AOs can be turned to Yellow? How many Yellow AOs can be changed to Green? Be realistic! Set attainable goals so you and your team don't get overwhelmed.
5. Analyze the gaps between the Current and Target Profiles. Start out with the low-hanging fruit -- things that will be easy for you (maybe because you're almost there already?) and things that are free or cheap (so you can later set a budget for the things that are neither).
6. Create an action plan. What exactly needs to be done to close that gap? Make notes in the "Planned Implementation Notes" field for that AO.
7. Implement the action plan. Do those things! And document your progress. Update your Current Profile, fill out the "Current Implementation Notes" field for each AO that is Yellow or Green, and save this file as Current-Profile-[date].
8. REPEAT. Create a new Target Profile, set a new time frame, walk through it all again.
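The Current Profile, Target Profile and gap analysis in steps 3 through 6 are really one small data problem: each assessment objective has a current colour and a target colour, and the gap is every AO whose target is greener than its current state. The script below is an added example written for this post, not a tool from The Net Effect and not NIST's spreadsheet; it assumes the sheet has been exported to CSV with columns named ao, current, target, cost and planned_implementation_notes (the cost column is an added assumption used to sort free items first), and the AO rows and statuses are constructed sample data, not a real assessment.

```python
"""Gap analysis between a Current Profile and a Target Profile (added example).

Constructed sample: the rows below mimic the r/y/g spreadsheet described in
the post, keyed by NIST 800-171A-style assessment objective (AO) identifiers.
The statuses, costs and notes are illustrative, not a real assessment.
"""
import csv
import io

# Ordinal ranking of the three colours: higher is better.
RANK = {"r": 0, "y": 1, "g": 2}

# Constructed CSV export of the profile sheet. The "cost" column is an
# assumption added here so cheap items can be ordered ahead of paid ones.
SAMPLE_CSV = """ao,current,target,cost,planned_implementation_notes
3.1.1[a],r,y,free,"Write the authorized-user list"
3.1.1[b],y,g,free,"Approve the list; store with the access policy"
3.1.2[a],r,r,paid,"Needs an RBAC product; deferred to next cycle"
3.4.1[a],r,g,free,"Export the system inventory from the existing tool"
3.5.3[a],y,g,paid,"Roll out MFA to privileged accounts"
3.8.3[a],g,g,free,""
"""


def load_profile(text):
    """Parse CSV text into a list of dict rows, rejecting any colour other than r/y/g."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("current", "target"):
            if row[col] not in RANK:
                raise ValueError(f"{row['ao']}: {col} must be r, y or g, got {row[col]!r}")
        rows.append(row)
    return rows


def summarize(rows, column):
    """Count AOs by colour for one profile column: the at-a-glance status view."""
    counts = {"r": 0, "y": 0, "g": 0}
    for row in rows:
        counts[row[column]] += 1
    return counts


def gaps(rows):
    """AOs whose target colour is better than the current one, low-hanging fruit
    first: free before paid, then the smallest colour step, then AO id."""
    open_items = [r for r in rows if RANK[r["target"]] > RANK[r["current"]]]
    return sorted(
        open_items,
        key=lambda r: (r["cost"] != "free", RANK[r["target"]] - RANK[r["current"]], r["ao"]),
    )


def action_plan(rows):
    """Render the gap list as (ao, current, target, notes) tuples for step 6."""
    return [
        (r["ao"], r["current"], r["target"], r["planned_implementation_notes"])
        for r in gaps(rows)
    ]


if __name__ == "__main__":
    profile = load_profile(SAMPLE_CSV)
    print("Current:", summarize(profile, "current"))
    print("Target: ", summarize(profile, "target"))
    for ao, cur, tgt, note in action_plan(profile):
        print(f"{ao}: {cur} -> {tgt}  {note}")
```

Rerunning the script against each saved Current-Profile-[date] file gives the colour counts for that date, so the step 8 repeat cycle produces a trend you can show to management when asking for resources.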
Setting short-term, achievable goals will give you early successes. I find that this creates a sense of accomplishment for the compliance team, and makes it easier to acquire more resources in support of the program.
If this still seems overwhelming, well, ask for help!
Upcoming Workshops
CMMC 102: Understanding the Security Controls
This deep-dive into the requirements of CMMC L1 will focus on the assessment objectives and evidence, preparing you to assess both L1 and L2.
Thursday, July 25 @ 10am - 12pm (CT)
R3, 7012 & CMMC -- Where Are We Now?
An in-depth look at the changes from 800-171 R2 to R3 and in CMMC 2.0, with timeline and next steps.
Wednesday, August 7, 2024 @ 10am - 11:30am (CT)
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!