The CMMC Skillset for Success
The first M in CMMC stands for Maturity, and maturity is exactly what it takes to get through a self-assessment. Expectations are high for small-to-medium-sized businesses (SMBs) in the Defense Industrial Base (DIB), where hiring dedicated cybersecurity staff is often out of reach. RADICL has observed across the industry that team members with only a partial security background pick up the torch and work through the complexity of CMMC, not without struggle. If this is you, we tip our hats. Focusing on the following skill set will make the work easier and will produce a more accurate, concise, and defensible self-assessment on the way to CMMC compliance.
6 SKILLS TO LEAN ON FOR CMMC COMPLIANCE:
- Articulation: writing clear policies, procedures, and justifications
- Focus: scoping everything to your FCI enclave
- Flexibility: fitting the framework to your environment
- Interpretation: understanding the risk each requirement addresses
- Curiosity: asking why a requirement exists and how it applies to you
- Pattern recognition: spotting the structure that repeats across the framework
DIGGING DEEPER: 6 CMMC SKILLS
Using these six skills during your CMMC compliance effort will mean less confusion, quicker assessments, and a more polished self-assessment.
Nothing Counts Unless It's Written Down
Articulation matters most when communicating how your company meets a control objective. In compliance, your efforts don't count unless you write them down. Expect each control objective to need a documented policy stating how the company holds itself to the objective's requirements, and a procedure describing how that policy is carried out day to day. Writing policies and procedures that are effective, clear, and concise is difficult, and it is often one of the most challenging parts of compliance.
The most critical part of documenting a policy and procedure is accurately reflecting how the IT configurations and cybersecurity practices are actually implemented to reduce risk and meet the control objective; a policy that describes a control you have not really deployed will not survive an assessor's evidence request. Articulation skills also carry over to writing risk-acceptance justifications, compensating-control descriptions, and the rationale for any requirement you mark as not applicable to your enclave. Written justifications give a clear picture of where the company stands on each control and of the posture of the security program as a whole.
Reduce that Stack of Tasks
Staying focused will shrink the stack of tasks and effort needed to gain certification. So, what exactly are we focusing on? Your Federal Contract Information (FCI) scope should be your mental point of origin for a CMMC assessment. Before drawing conclusions about any control, decide how the requirement applies to the systems, people, and facilities that make up your FCI enclave. Requirements are assessed against what is in scope, so if a requirement addresses something that simply does not exist inside your FCI enclave, you can document it as not applicable, with the reasoning written down, rather than building a control for its own sake.
Put your attention on defining the FCI enclave and on making sure the company clearly understands where FCI is intended to live and where it may sprawl (email, file shares, laptops, and personal devices are the usual suspects). Keeping those systems front and center when deciding how each control applies is the surest way to spend effort in the right place.
Use Flexibility to Your Advantage
Finding a malleable approach to CMMC simplifies the effort. As discussed above, CMMC is written to cover every kind of contractor and is meant to be fitted to your environment. The requirements for your level are fixed, but the scope they apply to and the way you satisfy each one are yours to shape: a small enclave with a few well-controlled systems has far less to document and defend than an entire corporate network. Treating CMMC as a rigid checklist, applying every requirement to every system, and working through the framework in strict page order will prove difficult. Like most frameworks, CMMC leaves room for how you implement and scope the controls. Use that room to your advantage.
The Trick is to Ask Yourself a Few Questions
CMMC's biggest flaw is its lack of clarity. Without years of auditing and cybersecurity experience, it is confusing, and you will need to hone your interpretation skills to understand what each control objective is really asking for. It is easy to get lost in the minutiae of a control, but a simple interpretation trick helps. Ask yourself, "What risk is this control trying to address?" Then follow up with, "What are we doing, or what should we be doing, to address that risk?"
Another challenge that demands interpretation is CMMC's breadth. By design it is written broadly enough to cover organizations of every shape and size, which makes it larger than any single company needs. You will need to interpret how each requirement applies to your enclave, and which requirements genuinely do not apply and can be documented as such with a written justification.
Always Be Curious: CMMC Demands It
Because CMMC is written generically and can be overwhelming, curiosity about why your company is being asked to meet a given control objective will help.
Get curious about the control, its objective, and the cybersecurity best practice behind it. Ask how that best practice fits into your environment and whether it applies to you. This curiosity will cut down on frustration when CMMC is approached purely as a box-checking exercise.
Lean In and Learn to Love the Puzzle
Once you crack the CMMC puzzle, you will notice consistent patterns in the framework. Spotting these patterns lets you handle each control the same way, again and again. Here are a few to chew on:
- CMMC objectives build on each other. The control pattern calls for documentation (policy and procedure) first, then implementation, then review, and finally validation. The sooner a self-assessor recognizes this pattern, the more guesswork gets taken out of deciding what to do next.
- There is also an anti-pattern in CMMC: the order the requirements are printed in is not the order you should work them in, so following the document linearly will have you bouncing around. With a careful eye and some curiosity, a self-assessor can find a better-structured approach that groups control objectives which are related in context but may sit pages apart.
Self-assessing CMMC in a linear fashion with a limited skill set, limited time, and limited cycles will produce many headaches. Sharpening these 6 CMMC skills will simplify the process and lead to a better outcome. Do you know what else helps? Skipping ahead. By adopting the RADICL™ XTP platform, your organization will immediately meet a significant number of CMMC requirements. Let us show you how to jump ahead in your CMMC journey.