CMMC Compliance audit is coming quickly. And achieving information security compliance with one or more government regulatory standards for information security (i.e. ISO 27001, NIST 800-171, HIPAA, NYDFS, CMMC, CCPA, etc.) is critically important, and often expensive, for businesses. Some of these regulations are intended specifically for the Department of Defense (DoD) contractors, others for general Federal Government contracts, and some are for businesses with customers in various States.
Often companies view documentation as a passive effort that offers little protection to a company, generally an afterthought that must be addressed to appease compliance efforts. However, properly scoped cybersecurity and privacy documentation can be an offensive tool to reduce risk.
In a national trend, many states are passing laws that shift the focus to the business on defining and implementing “what right looks like” for cybersecurity and privacy controls.
That allows businesses to be protected from a tort (civil lawsuit) within the state for suits that allege an accused’s “failure to implement reasonable information security controls resulted in a data breach concerning personal information.” Businesses who have documentation in order that aligns with a leading cybersecurity framework are protected under safe harbor clauses.
These types of data protection laws are unique since it rests on the Affirmative Defense that allows a defendant to introduce evidence that, if found credible, can negate civil liability, even if the allegations are true.
That means that the lawsuit will get thrown out if the company can prove its cybersecurity program was aligned with a leading cybersecurity framework (e.g., CMMC, NIST 800-171, NIST 800-53, ISO 27002, CIS CSC, etc.) at the time the incident occurred.
There are several reasons this law is appealing to legislators:
- Legislators do not have to contend with managing their control set as technologies and threats evolve;
- Legislators get to take credit for being tough on cybersecurity and privacy without actually having to do much;
- Businesses have no room to complain about unnecessary controls since businesses have the responsibility to define the controls framework that they will use;
- Businesses can eliminate extra costs by leverage existing audits such as ISO 27001, NIST 800-171, CMMC, and PCI DSS to demonstrate compliance; and
- The court system should see a decrease in civil lawsuits through cases being dismissed by affirmative defense protections.
There are a few downsides to this law, however. These include the following:
- The injured parties are out of luck for civil damages. The affirmative defense is essentially the state admitting that “sh*t happens,” and injured parties cannot sue when reasonable steps were taken. This may spawn both individual and commercial data protection insurance options for cases where civil damages are unobtainable.
- While the law identifies acceptable frameworks, it glosses over how an entity can be considered compliant based on the “scale and scope” of an entity’s cybersecurity program. The vagueness of the phrase “reasonably conforms to an industry-recognized cybersecurity framework” leaves significant room for interpretation.
- Identify applicable statutory, regulatory, and contractual requirements.
- Identify all geographic locations where data is stored, transmitted, and processed.
- Identify all key stakeholders and third-party service providers.
- Narrow the Scope
- From the coverage provided by the SCF, select only those requirements that are applicable (based on the gathering pre-requisites step).
- Ignore or delete the other requirements since they are not applicable to your current business model.
- Prioritize Controls
- Using the provided control weighting built into the SCF, prioritize your controls implementation starting with 10 and working towards 1.
- View this prioritization as a project. You should create a project plan to manage it.
- Assign Controls
- Use the SCF’s 32 domains to help with the assignment of controls to the correct teams or individuals.
- Educate control owners to implement controls based on risk (control weighting) to address the most important controls first.
- Monitor Controls
- Require control owners to periodically report on the status of assigned controls and track those metrics.
- Report metrics to management to identify good/bad trends and to gain support to remediate control deficiencies.
Section 1: Cybersecurity Policies, Standards & Procedures
Cyber Security Standards NIST STANDARD, DFARS, FRCP, PCI, HIPAA, FISMA,
Section 2 – Risk Management
Cybersecurity Risk Assessment
- Assessment of technology risks and gaps in compliance
- Identification of system vulnerabilities and root causes
- Development of mitigation plans and procedures to confront vulnerabilities
- Employee training to mitigate risks
Section 3 – Vulnerability Management
Guidance on HOW to they are actually managing patching and vulnerability management, including the schedule for vulnerability scanning and penetration testing.
This is where the rubber meets the road between high-level policies and the actual procedures of how systems are patched, systems scanned, etc. on a day-to-day basis by those individual contributors who execute vulnerability management tasks.
Section 4 – Incident Response
HOW we actually manage incident response operations, including forensics and reporting. Contains the actual procedures of their Incident Response Plans (IRPs) and how they are executed by those individual with incident response duties. This section identifies the Indicators of Exposure (IoE) and Indicators of Compromise (IoC) of the company. How BC/DR is to be executed by those tasked with BC/DR duties. Should include After Action Review (AAR) template, Lines of Business (LOB) reconstitution steps, etc!
Incident Response Plan
Section 5 – Third-Party Compliance
NIST 800-53 and NIST 800-171 Cybersecurity Frameworks. Discuss the different levels of coverage, based on the cybersecurity framework used by your organization.
Documentation for Vendors and third-party service providers
Evaluation procedures for Vendors and third-party service providers
Inspection forms for Vendors and third-party service providers
Sets for expectations and requirements without having to share with them your policies and standards.
These are stand-alone documents to demonstrate the requirements you expect from your supply chain.
Section 6 – Secure Engineering & Privacy By Design
Contains program-level guidance on HOW to actually manage cybersecurity and privacy principles, so that security processes are designed and implemented by default. Those actual procedures of how developers, PMs, system integrators, and system admins do their jobs to design, implement, and maintain technology solutions.
System Security Plan (SSP)
Plan of Action & Milestones (POA&M) Templates