One of the most talked-about topics surrounding the newly released CMMC 2.0 is the removal of policies and procedures from the assessment requirements. CMMC 1.0 required quality policies, procedures, and other documentation, and put that documentation on par with the technical requirements, because the architects of CMMC 1.0 understood that technology alone will not create a successful cybersecurity program.
Many technology-oriented people are used to moving at the speed of technology, and the idea of slowing down to document their work does not usually sit well with them. As a result, shortly after CMMC 1.0 launched, we saw complaints about what some characterized as an excessive focus on detail and an overly granular approach to documentation dictated by the CMMC model. Unfortunately, what gets lost in these conversations, even among many leading cybersecurity practitioners, is the holistic approach that CMMC 1.0 presented.
Policies, procedures, and other documents have never existed solely to pass assessments, yet that is how companies often treat them. The documents are reduced to a check mark on a list of requirements, and the advantages the documentation process offers, including risk definition, risk management, and cost savings, go unrealized.
The failure to appreciate the value documentation brings to an organization has never been more evident than in the industry's influence on, and reaction to, CMMC 2.0. By removing the documentation requirement, DoD has done an injustice to our nation's cybersecurity. As the CMMC Information Institute recently noted, an organization can technically meet the CMMC 2.0 requirements without implementing any documentation or governance. This is the wrong approach to running a cybersecurity program. NIST SP 800-171 assumes that governance already exists: its NFO (non-federal organization) controls, tailored out in Appendix E, are those expected to be routinely satisfied without being specified or separately assessed, and the current assessment guidance repeatedly uses words like "define" and "identify," which presuppose that someone has written those definitions down. Building a cybersecurity program on the letter of the law while ignoring that spirit is not technically wrong, but it absolutely is NOT RIGHT!
NIST SP 800-171A allows organizations to present a variety of objective evidence to support the position that they meet the assessment objectives. This evidence includes architectural design documentation, lists of applications, configuration settings, and so on. While it is true that such evidence may be sufficient to demonstrate compliance and possibly obtain certification, as a practical matter the corresponding infrastructure will be hollow and unsustainable if no policy or procedure defines how it is to be operated and maintained.
Applying technology without developing the corresponding documentation also further segregates IT from the rest of the organization, which greatly increases the chances that the people and technology put in place become ineffective for lack of proper guidance and consistent execution. Someone with a background in cybersecurity or IT may well be able to stand up the controls; the organization that is then left to execute them is a different matter. This is especially important in organizations that lack in-house subject matter experts, because policies and procedures allow in-house staff to react to and recover from incidents, bring new personnel up to speed, and evaluate effectiveness for improvement. Policies and procedures promote the execution of intricate organizational standards that were developed to align with the organizational mission. That concept will be foreign to new personnel, and it will remain foreign if they are introduced into an environment that lacks governance.
The federal government operates one of the most complex IT environments on the planet, and its systems are constantly under attack from a variety of internal and external threats. As a result, it has learned many invaluable lessons, and its teams have produced documents, including the NIST Risk Management Framework (NIST SP 800-37), that help organizations of all sizes prevent certain problems from occurring. One theme that is consistent across these documents is that an effective information security management strategy requires the marriage of IT governance to organizational governance. In such a system, the information security manager acts as the officiant, helping to execute the organization's overall plans.
While this approach is increasingly being adopted by organizations throughout the federal government, many organizations in the Defense Industrial Base ("DIB"), especially small businesses, have been slower to adopt it. In practice this means IT governance has been grossly ignored. In fact, only about 10% of the organizations which my organization has assisted had any semblance of a policy infrastructure in place. Many DIB organizations invest in new technologies, but they rarely take the time to define how those technologies should be used. For example, some have technologies capable of generating alerts when certain events occur, but they rarely take the time to identify the events that warrant alerting, who should be notified, or who will follow up to ensure the notifications are properly acted upon. This is not speculation; this is the reality. The assumption that comprehension and resources are universally present in the DIB could not be more mistaken.
The granular documentation requirements that were part of CMMC 1.0 promoted sustained compliance with accountability. Organizations were not just required to compile a stack of documents to check compliance boxes. Instead, the requirements existed because they encouraged DIB companies to sustain the execution of compliant practices. Where some saw them as a burden, they were put in place to fulfill a glaring need within the DIB. The requirements promoted the institutionalization of cybersecurity throughout the organization. They provide a step-by-step reference for organizations to:
Establishing any IT infrastructure without documentation that sustains its purpose results in higher overall costs, significantly lower ROI, and, most importantly, a false sense of security. To be effective, documentation must be tailored to the organization's IT environment and operations. It must be granular enough to be interpreted consistently and executed simply. Well-executed policies and procedures are worth far more to an organization than any assessment guide can measure.