Navigating CMMC with Policies of Policies and Policy Galore

Today the Northeast CMMC Coalition met and we spent a good deal of time discussing policy and knowledge management. You need a guiding light when navigating the seas of CMMC. Policy points the way.

We first began with a discussion of the gap between the policy automation vendors sell and the legacy documents many organizations actually have.

Policy as code in a dynamic state sounds great. Cybersecurity as code and all. The reality is that DevSecOps probably works for less than 1% of DIB companies given their current workflows.

People need to create and track the governance of their policies first. Common tools used for policy included purchasing policy packs, using a wiki, or using SharePoint with wet signatures for authorization.

The majority of small businesses at today's meeting rely on, or have customers that primarily rely on, human-readable-only Word documents that get added to an SSP as read-only files. There is no use of metadata or any of the automation tools hyped by vendors.

Managed Service Providers also need a policy solution. The good ones usually require you to adopt their baseline and architecture, which should standardize much of the policy. Judge an MSP by the policy they provide.

According to NIST MEP Handbook 162, you should have 39 plans, policies, and procedures in order to meet the NIST SP 800-171 security requirements. These 39 plans, policies, and procedures do not have to be separate documents; many, for example, would be included in an employee handbook.

Plans you should have:

Policies and Procedures you should have:
