CMMC Documentation Lamentations
There is a fine line between information technology (IT) policy written for compliance purposes and IT policy written for effective system management. The first tends to parrot the compliance requirements and does little to provide meaningful, actionable guidance to administrators in the day-to-day operation of the network. The latter provides meaningful guidance in a user-friendly format, easily searched, navigated, understood and implementable. It is easy to tell which your organization has; the compliance driven policy is that big binder on the top shelf collecting dust, the effectiveness driven policy is the well-worn, dog eared version sitting on your systems administrator’s desk.
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework has mandated an extensive documentation program that is proving to be a challenge for defense contractors even before CMMC has been fully implemented. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has been conducting Cyber Resilience Analysis on defense contractors for over two years and has reviewed over 200 companies. During the April 2021 CMMC Accreditation Body Town Hall meeting, DIBCAC Director Darren King stated, “the first thing is documentation, we’ve seen some atrocious system security plans over the last two years, we’ve seen some really bad polices, some really bad procedures.” It is not surprising that the first problem area discussed was documentation; it is the first thing an assessor looks for and lack of quality and substance is quickly apparent.
Thorough documentation is much more than a System Security Plan (SSP). The CMMC Level 3 framework requires contractors to maintain a policy, a management plan, and an implementation plan for each of the seventeen security domains, all tied together in a SSP. In addition to these fifty-two documents, any other policies or procedure referenced in one’s SSP or plans must also be provided.
Why document? “I know what needs to be done, it takes too much time to capture all of that in writing.” Documentation is important for three reasons. First, your Systems Administrator could leave tomorrow and leave you completely unaware of how your network is configured. Second, you need to verify that things are being done correctly. And third, your entire team needs to be following the same procedures in the same way. Life happens. People change jobs, people quit or are fired, people retire. When personnel leave key positions the effects can be devastating, especially if what they’ve been doing hasn’t been documented and is repeatable. Cybersecurity is hard. There are 181 CMMC practices and processes for level 3. There are over 700 objectives that must be met to fully implement all of them. No one, no matter how good they are or claim to be can handle this many things without writing them down, and if they can, they can’t sustain it. Having a single source of what is right removes the guess work and ensures the entire team and new employees can configure and maintain the network in its most secure state.
There are many challenges associated with creating an effective documentation ecosystem.
Covering what needs to be covered – Too little is useless, too much won’t get read. Luckily in the case of CMMC you know what to cover, the CMMC Assessment Guides provide the level of detail needed.
Writing so it is understandable and useful – For any documentation to be effective it needs to be useful. If you can’t find what you’re looking for or don’t understand what it’s telling you to do, it won’t get done.
Doing what it says – If you decide not to implement things how they’re written you run the risk of creating security risks. I know a better way, or it is too hard or takes too long is not a good excuse for not following the plan as it’s written. Hopefully, a lot of thought and planning went in to writing the procedures to ensure a secure outcome, having someone circumvent them for a shortcut could expose the entire system.
Changing it to be effective – If in the implementation you find there is a better way, or a more secure way, the procedures need to be changed in a managed way that considers the entire system.
Let’s look at the specific CMMC documentation requirements. For level 3, the CMMC framework requires that each of the seventeen security domains have a policy, a plan and implementation procedures.
Polices. A simple document stating what you’re doing, what it covers and who’s responsible. The policy comes in handy when people question if you have the authority to do what you’re doing. Also takes away any guesswork about who’s responsible.
Plans. Cybersecurity costs money and requires staff and tools to be effective. The plan contains all the details for management so that they can budget for, hire and acquire all that’s needed. Having a plan solidifies the requirements in a way that management is aware of and can plan for.
Implementation Procedures. For the IT team this is the most important and detailed document. This document tells administrators what to do, how to configure things and how to maintain them. This document should be tailored to your specific environment. If the requirement is “Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).” Your implementation plan shouldn’t mimic that back by stating “The system limits information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).” You need to provide the how, what where and when of how you’re actually going to achieve that within your environment. The end goal is that if a new administrator had to take over because you just got run over by the proverbial bus, that they would know what needs to be done.
The Governments point in requiring all of these documents is they figure that if a company has taken the time to assign responsibility through policy, to plan for the resources required, and to thoroughly document how practices are implemented, that they will have a mature and effective cybersecurity program in place. And if you honestly think about it, they’re right. Without these components in place a company can’t sustain an effective program. They may be able to establish a secure environment for a week or two, but it will quickly lapse, administrators won’t know how to maintain it and resources will evaporate.
So what’s the answer? If you’re lucky your company has been working on policies for years and it’s just a matter of tailoring them to fit CMMC practices. If you are unlucky, all of your policies are in Karl the IT guy’s head. Either way, if you want to protect your information and achieve CMMC certification, you are going to need some extensive documentation. You can start writing from scratch you can search for generic templates (SANS and NIST have a few), or you can hire a consultant to write them for you. As you begin preparing the documentation for your CMMC assessment you will quickly realize the sheer number of policies, plans and procedures required to adequately document and manage your compliance. Many companies start with an existing set of internal policies and procedures but quickly realize they are incomplete, insufficient and often contradictory. The process of writing cybersecurity documentation internally can take your existing team months and involves pulling your most senior and experienced cybersecurity experts away from their operational duties to assist in the process.
If you decide to outsource the task, in addition to the cost of hiring a cybersecurity consultant to write the documentation you still need to devote your time to provide guidance and assist in the final deliverable. The consultant will require involvement from your team for direction, answering questions and quality control, so the impact is not limited to just the consultant's hours.
The task of writing all the required documents can take months and hundreds of hours. Some estimates place it at 9-12 months of staff work – your staff have day jobs after all – and upwards of $60,000 in labor expenses. With the consultant route, after hiring a firm to conduct a gap assessment and then navigating through months of meetings, interviews and presentations, they provide documentation at a cost double to what you could have done yourself and only marginally faster.
A final and perhaps better way is to purchase templates tailored specifically for CMMC. Ascolta’s CMMC Document Template Packages provide editable Microsoft Word and Excel templates that are written to satisfy CMMC framework Level 1, 2 and 3 requirements. Instead of starting from scratch, start with 90% of the writing already done. There will still be some writing, configuration and tailoring of the templates, but at a fraction of the cost, effort and time than if you were starting with nothing. And the end result is a better product. Our CMMC Documentation Ecosystem provides linked and supporting documents based on the CMMC framework, CMMC Assessment Guides and NIST SP 800-171 requirements. The package provides templates for all CMMC required documentation of your system to achieve a CMMC Level 1, 2 or 3 assessment.