On the twelfth day of CMMC, my auditor gave to me…
12. Twelve controls a-controlling: 110
11. Eleven plans a-planning: 3.12.4
10. Ten scans a-scanning: 3.11.2
9. Nine patches patching: 3.11.3
8. Eight logs a-logging: 3.3.1
7. Seven backups running: 3.8.9
6. Six training sessions: 3.2.3
5. Five incident reports: 3.6.2
4. Four access controls: 3.1.14
3. Three risk assessments: 3.11.1
2. Two-factor authentication: 3.7.5
1. And a policy for cybersecurity
Twelve controls controlling:
Technically, take the 1,320 and divide it by 12 and you get 110. That is 110 controls and 320 assessment objectives.
The implementation needs to be tangible to the auditor, so make sure you have a good elevator pitch ready for each control.
Eleven plans planning:
3.12.4 SECURITY REQUIREMENT: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
As written in NIST SP 800-171A r3, a System Security Plan is about properly describing the implementation of security requirements. It should be easily digestible and understandable by your organization and an assessor.
Ten scans scanning:
3.11.2 SECURITY REQUIREMENT: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
There is always potential for vulnerabilities. No company has perfect security, which is why scanning periodically is important. If your organization had a security vulnerability, you’d want to identify it immediately so that you can resolve it.
Nine patches patching:
3.11.3 SECURITY REQUIREMENT: Remediate vulnerabilities in accordance with risk assessments.
Once you have identified a vulnerability, a patch is needed to properly resolve it. This goes together with a risk assessment. Your company’s risk assessment document should describe your workstation patching procedures.
Eight logs logging:
3.3.1 SECURITY REQUIREMENT: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Audit logs are part of your security proof. It is evidence needed to show your procedures are actively being accomplished. The proof is in the pudding. This is part of the pudding.
Seven backups running:
3.8.9 SECURITY REQUIREMENT: Protect the confidentiality of backup CUI at storage locations.
I think seven should be enough to keep you sleeping soundly at night. If your data potentially gets compromised, it’s critical to have backups to have your business back up and running smoothly.
Six training sessions:
3.2.3 SECURITY REQUIREMENT: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Security awareness training is a necessity for any staff. The biggest vulnerability for any business is its employees. If an employee clicks on a link, downloads a document, or transfers funds that they shouldn’t have, it can cost a company its data and even its money. The government is not willing to risk this with CUI, and that is why it requires staff training.
Five incident reports:
3.6.2 SECURITY REQUIREMENT: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
We obviously never want an incident to occur, but if it does, is your company prepared? It is important to track and document incidents to properly establish an immediate solution and future remediations. How can you know an incident is repeating if it’s not documented?
Four access controls:
3.1.14 SECURITY REQUIREMENT: Route remote access via managed access control points.
This is only one of many access controls. Allowing or denying access is essential when establishing your boundary and scoping. You must ask yourself who needs access and who does not. It’s also important to look at access both internally and externally: which employees have access to CUI, and which vendors, ESPs, or others have access to my data?
Three risk assessments:
3.11.1 SECURITY REQUIREMENT: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Risk is something every business is most likely used to assessing, but not in this way. This is specifically the risk due to CUI being processed, stored, or transmitted within the organization. It’s the risk that the company takes on when receiving CUI from the government. Periodically assessing this ensures that you are always up to date on your policies, procedures, and scoping.
Two-factor authentication:
3.7.5 SECURITY REQUIREMENT: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Listen, I’ll quote Shia LaBeouf on this one: “JUST DO IT!” Don’t let your accounts stay vulnerable. This control is an example of how it can assist with nonlocal maintenance sessions, but it’s important in any situation. If your password gets cracked, what’s the next line of defense? Two-factor authentication. It can save your bacon…so just do it!
And a policy for cybersecurity:
A policy needs to back up and validate the SSP. They work together to create a solid foundation of security and compliance. Policy is crucial for cybersecurity because it provides a structured and consistent framework for protecting an organization’s data, systems, and networks from cyber threats.