A Holiday Recipe for a Self-Assessment
Using DoD’s numbers, 180,000 companies or more that were expecting to be required to have a 3rd party CMMC assessment, can now simply self-assess their environments. What does it mean to self-assess, and how to start?
A Recipe for a Self-Assessment
If you are going to take this on yourself, get organized. For CMMC Level 1 there are only 17 controls, for Level 2, 110. The 110 include the 17 from Level 1, making the Level 1 controls a good place to start. Once done, focus on any remaining controls that cost you 5 points on the DoD Assessment Methodology, then the 3-point questions. When those are finished you can cover the remaining 1-point questions.
But before you dive in, get organized. Make lists, including:
- Employees with access to your systems and their roles in the organization;
- Accountability - who is in charge of what;
- Locations where you have the data that needs securing and the type of data stored there;
- Tools that you use to secure your environment;
- Tools that store or transmit sensitive data;
- Plans, policies, procedures and other documents.
Think of it as a recipe. Gathering all the information (the ingredients) makes the assessment much easier and fluid.
Next dive into the controls. Make sure you understand them. The outcomes are what matters, and each control has some objectives. If you've met all the objectives, you’ve satisfied the control. Note carefully: I didn’t say just some of the objectives, I said all of them. If your house has 10 windows, and you lock 9, where is the thief going to come in?
Document everything as you go, one control at a time. Include some evidence or artifact that shows why you are good on that objective.
Ugh. I know. This isn't fun.
When is the last time you went to a trade show or a conference? Two weeks afterward, did you remember all those great ideas and inspirations that you had while you were there? Right. Probably not. That’s why you need to write things down; you simply won't remember why you said that you met all of these objectives even a few weeks later.
Imagine how much harder that is during the chaos of a breach, as you are trying to explain it to a government assessor. Trust me, write it down, and in LOTS of detail.
There is another reason to write it down. Remember the signed attestation I mentioned above? It is due every year. You really don't want to start from scratch every year.
If you keep good records, then you only have to update anything that changed. People using our platform tell us that year 2 and beyond is about 25% of the effort of the first time through. At least for me, it is worth it, in almost any endeavor, to do it right the first time because I know it will make it much easier every time after.
A few other observations. Users of our tool report getting through Level 1 in about a day. For Level 3, depending on company size, a week delivers a solid record to stand behind that signature.
Better, Faster Decision-Making
Another shocker. Once you've gathered all that information into one place, your team can use it to manage your IT. The black hole of complexity is dark no more. We hear all the time of assessments that shine the light on tools that are still being paid for but are no longer in use. Further, conversations about security lead to conversations about utility. Suddenly, broken processes and inefficiencies get addressed.
And in the End...
Okay, so the government is making us do a self-assessment and making sure that it is "real." But can we blame them? It is "the People's information" anyway, so shouldn't we try to protect it as we do with our social security numbers?
For me, considering the ask and the results, it isn't so much. We can protect the trust granted by our government. We assure protection of our intellectual property and our reputation (both hard-earned by the way). And I get a green light to bid on government contracts.
You know I was meaning to reorganize the file folders on our server anyway. May as well get started.