How the secret sauce is made – one practice, one hour

Screenshot of the webinar for CMMC One Control One Hour presentation by Amira Armond

How does a defense contractor create a plan to perform each requirement in CMMC and NIST SP 800-171?

Will you fail if you don’t write policy statements which regurgitate each requirement in a “shall” form?

AKA “Safeguarding measures for CUI at alternative work sites shall be enforced.”

The answer is no. You don’t need to write a vague and unhelpful policy for every requirement. Your policies should support your users (who are real humans who don’t know what to do with vague statements like that). You need a policy for situations where a user needs to know that there are real consequences and where there is a risk that turnover could cause your company to forget to do something.

Instead of that vague “shall” policy, your implementation might include specific training for your users or a telework agreement that users have to sign before they get a laptop. We need to design a solution which is efficient, low burden, and doesn’t rely on people to remember hundreds of policy lines.

Pro tips for developing solutions to CMMC Level 2

This video (one hour) by Amira Armond, president of Kieri Solutions, shows the process that the Kieri Solutions cybersecurity team uses to plan a common sense implementation for CMMC requirements. She focuses on one requirement (mobile code) from NIST SP 800-171 Rev.3 and shows how Kieri designs their approach to it.

Every CMMC Level 2 requirement implementation should include considerations for these key topics:

– Do we need a policy to help enforce this?
– How will we trigger performance so no one forgets to do it?
– What procedures do we need, can we add them “just-in-time”?
– Do our providers need to perform this requirement too? How do we inherit?
– Where do we keep evidence that this is performed correctly over time?
– What is our test plan to verify proper function?

This is a webinar video for educational purposes, presented originally for the Cooey Center of Excellence Discord Forum. Thanks to Mariamsay for recording it!

This is the secret sauce of how the Kieri Compliance Documentation and the Kieri Reference Architecture were created. These are two solutions that Kieri Solutions, our sponsor, has created for Do-It-Yourself CMMC Level 2 compliance.

Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC training content.
