Cyber Snap Tip#12 with Viet: "Insights on CMMC Level 2 Compliance: Reviewing Policies and Procedures from My Experience"
Viet Minh Nguyen
CyberSecurity and Compliance Engineer at Kongsberg Maritime | GRC | CMMC | NIST 800-171
Every company establishes its own IT and information security policies and procedures. While some align with ISO 27001, the international standard for information security, compliance with the Cybersecurity Maturity Model Certification (CMMC) introduces specific requirements to safeguard Controlled Unclassified Information (CUI) and related assets.
For small businesses, especially those operating within larger corporations with distinct host units, aligning existing policies with CMMC standards can be challenging. Even where overarching corporate policies exist, not all of them will meet CMMC criteria. This necessitates a thorough review to either adapt existing policies or develop new ones tailored specifically for CMMC compliance.
Recently, I collaborated extensively with IT and cybersecurity teams to navigate these complexities. Here are some key insights for companies undertaking a policies and procedures review for CMMC:
1. Document Importance: Documentation is foundational in CMMC. Prioritize creating and maintaining comprehensive policies aligned with the current cybersecurity landscape and evolving DoD regulations.
2. Focus on CMMC Level 2: In this article, I delve into the requirements of CMMC Level 2, which encompasses 14 domains. If you're unsure where to begin, start by reviewing the 14 domains of CMMC Level 2. Assess each domain to determine if your current policies can be applied. This systematic approach allows you to leverage existing policies effectively.
For simplicity, aim to create at least 14 separate documents, each addressing one of the domains specified in CMMC Level 2. This straightforward approach ensures comprehensive coverage and clarity in compliance efforts.
Each domain necessitates specific policies and corresponding procedures for effective implementation. By addressing these domains comprehensively, businesses can establish a clear roadmap for meeting CMMC Level 2 compliance.
3. Policy Review and Creation: Evaluate existing policies to determine relevance to CMMC requirements, particularly those concerning CUI confidentiality. Establish a clear list of policies requiring creation or adjustment.
4. Implementation and Enforcement: Distinguish between policies needing documentation as evidence and those requiring active implementation and enforcement within technical configurations. Develop procedures accordingly.
5. Inherited Policies: Some fundamental cybersecurity practices, such as MFA, authentication and authorization, password complexity and management, facility and personnel security, security awareness, identity management, information security planning, physical security, and logging and audit, may already align with CMMC requirements. Leverage these existing policies to streamline compliance efforts.
6. Special Requirements: Address specific CMMC mandates such as backup procedures and encryption, referencing resources like NIST guidelines for cryptographic modules.
Successfully reviewing policies and procedures for CMMC compliance demands collaborative efforts across departments, transcending IT and cybersecurity roles. This inclusive approach ensures comprehensive readiness for CMMC, emphasizing efficiency and effectiveness in implementation.