Doing business with the DoD means that your minimum level of cyber risk tolerance is predetermined.
Even though DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017, the pending requirement for third-party validation has forced companies into a level of cybersecurity many never wanted or expected. Risk tolerance is predetermined if your company handles Controlled Unclassified Information, and now someone is eventually going to check and make sure that minimum is met.
The number of articles on how you can “comply” with CMMC’s technical practices is staggering, despite the fact that nearly all of the practices are open to some level of interpretation. So far, though, I haven’t seen any articles about the process controls, especially 3.997, which requires companies to “Establish, maintain, and resource a plan…” For this discussion, I’ll refer to it as the Strategic Plan.
Under 3.997 each domain has a requirement to:
- document mission and vision,
- outline strategic goals and objectives for implementing the practices,
- list references, standards, and relevant procedures,
- identify resources including personnel and funding sources, and
- prove buy-in from relevant stakeholders.
The cost of doing business with the DoD has changed dramatically in the last 10 years, regardless of whether your DoD revenue has increased or decreased. Strategic planning is an exercise that forces companies in the DIB to step back from checking compliance boxes and identify what they truly want from a cybersecurity program and how they will pay for it. These are hard realities that come with difficult choices. Developing a cybersecurity strategy can help you understand whether it even makes sense to continue selling to the DoD (keeping in mind that “allowable costs” don’t equal “reimbursable” costs). A strategic plan is the document that will separate truly mature information security programs from those that have jumped into implementing practices with little thought or scoping.
Here is how to get the most out of strategic planning, rather than just creating another document nobody reads until audit time. (Hint: this document can’t be done by the CIO or CISO alone…)
State Your Business Mission and Vision
Maybe the company is in a growth phase and rapidly hiring, or entering new markets. It could be seeking funding, or performing an overhaul of a manufacturing process. Two or three tangible goals that describe the business and future state should be plenty. Then relate those goals to a need for the domain practices. For example, “Access controls reduce the risk of data loss that could potentially harm future revenue growth and protect intellectual property and sensitive information as the company develops new products.”
State the Cybersecurity Program Mission and Vision
Let’s face it, many IT teams work in a highly reactive (vs. proactive) environment. Every day, the to-do list gets pushed aside for user support or a server that went down at exactly the wrong time. A common vision might be to “Implement a proactive cybersecurity program for the organization that focuses on security alignment with business goals, and drives a security-first mindset into all elements of business operations.” This means that IT is able to actively work towards risk mitigation with the support of senior leadership.
Identify How CMMC Implementation Supports Goals
For example, CMMC requires an understanding of data flows in order to control where information goes. Our stated goal for the information security program might be to “Securely distribute information to support contract execution, while limiting distribution of protected information to only those with a business need.”
Our security goals should also state how achieving those goals supports the business objectives. This doesn’t need to be redundant, so this might be covered in the prior mission and vision sections.
Policy and Procedures
Any compliance framework requires lots of documentation. I’m a fan of making one master list and referring to it, rather than updating multiple source documents whenever something changes. Since a plan is a required element under CMMC at Level 3, this is a great place to list the policies and procedures that support your implementation of NIST SP 800-171 and the CMMC practices. Then refer back to this document any time a list of relevant policy is required.
Roles and Responsibilities
Our clients typically identify these in the SSP, but this is another logical place to identify who is responsible for not only implementing and maintaining the cybersecurity program, but also who is accepting the risk of operating the system, and who has the final say on resource ($$) allocation.
There is a disconnect in planning and resource allocation for cybersecurity, and for IT in general. I know many organizations that allocate the CIO a fixed dollar amount without accounting for actual costs. I also know many organizations that don’t have a good understanding of how to improve, instead lamenting that “we need more resources” without identifying what those resources are. If your shop is understaffed, this is a great place to list all the activities required for compliance, estimate the hours and skills needed, and justify another FTE. As a starting point, you can find cost estimates in the Federal Register. Remember, though, that those estimates may be wildly inaccurate depending on how much you’ve already done, the size of your company, and the scope of your boundary.
It should go without saying that even though this document might be owned by the CIO or CISO, everyone with a stake in running the business should sign off. Policy without action and resources is just rhetoric.
There are lots of ways to cover the requirements; you could certainly write a separate plan for each domain, or make the plan part of each domain’s policy. However your organization chooses to document its cybersecurity strategy, remember that CMMC is about maturity, and a key indicator of maturity is awareness paired with tangible action items tied to reducing risk.