How to create a system security plan, and some of our lessons learned.


We know NIST 800-171 and CMMC.

We are a cybersecurity company and a CMMC-AB Pro providing security services to the DIB community. Security in our internal operations is paramount; it translates directly into our ability to protect our clients. Most of what NIST 800-171 and CMMC require are things we've done since day one. Building security into every process is a normal course of business for us.

Until about two months ago, we tracked ourselves against the CISv8 and ISO 27001 frameworks. We used the combination of the two as our checklist but have yet to undergo the final certification audit. It seemed like the perfect time to take on CMMC.

Cybersecurity for government contractors

We only sell what we use or do. We handle cybersecurity for several defense contractors, so we decided to prepare for and undergo our own C3PAO CMMC Level 2 audit. We do not do government contracting work, but we do offer cybersecurity services for those who do. It seemed a natural, common-sense approach. Here are three lessons learned in going through the process. I'll post more along the way; follow us for further lessons learned as we discover them.

  • There is a template. Use the template.

  • Be as detailed as possible in building out your SSP. Auditors may use your SSP to figure out how much it will cost you for your audit.

  • Use a tool to track your progress.

There is a template. Use the template: As mentioned, we tracked our security against CISv8 (a WONDERFUL framework) and ISO 27001. When we decided to move to NIST 800-171, we figured (assumed?) that a well-detailed SPRS spreadsheet would serve as our SSP. Not so. NIST published a CUI SSP template (docx; see its Planning Note). It looks like a standard, boring government document, and it is, but when we asked three C3PAOs what they would charge us, all three asked for our SSP, and they did not want our SPRS worksheet (which we had used both as a tracking tool and as our plan of action, our POAM). Your SSP should start with a page that looks like ours.

Be as detailed as possible in building out your SSP.

Auditors may use your SSP to figure out how much it will cost you for your audit.

  • Your SSP should be as detailed as possible and 100% factual. Plan the work and work the plan: document as much detail as possible. One C3PAO told me that when auditing a subject, they fail the audit at the first sign of a missed control, close their laptops immediately, and leave. You'll be required to redo your work and schedule a new audit. Be prepared. The SSP is not just a document but a tool to help you document and plan your cybersecurity implementation.

  • Your SSP will be used to determine what your audit will cost. We contacted three C3PAOs for price comparisons. Our 30-person company operates primarily out of Iron Mountain data centers, taking advantage of their physical security, uptime guarantees, and facility certifications. We don't handle any CUI and retain no data from our clients other than the log data we use to monitor security. Our process is led by a retired Air Force communications officer who wrote these documents and ATO (authority to operate) documentation for years. It is second nature to him, and our SSP documents everything we do.

When preparing for your C3PAO audit, use a tool to track your progress.

We don't know yet which C3PAO we will choose for our audit. We know from the documentation and from experience that every control must show the policy, the process, and evidence of that process in use, following NIST 800-171A. That document shows exactly what will be needed for every control to prove your compliance. The easier you make it for your auditor to view each of these requirements, the less time the audit will (should) take for every control. Using a good tool to organize your thoughts, work, and documentation will go a long way toward keeping your efforts and your audit as efficient as possible.

Which tool do we use? We've tried several of them: simple spreadsheets, Apptiga, and Cynomi. We settled on Cynomi. All three are fine, but we wanted something that would offer explicit work tracking, pull all of our documents and evidence/links into one location, and export reasonably professional-looking reports on demand.

We use Cynomi primarily to consolidate everything needed for the audit, but as shown below, it also tracks our tasks and presents everything clearly.

We offered subscriptions for another similar service until a few months ago but never really cared for its feature set. Unfortunately, very few options were available when we first started that partnership. We use Cynomi internally. It doesn't offer the standard SPRS scoring, but you can dump out the full spreadsheet of controls and transpose it over with no additional translation. For our clients, we offer a DIY package: a Cynomi subscription with Virtual CISO™ support available for help if and when needed. Work your plan on our infrastructure and get help when needed, billed by the hour.

Preparing for your C3PAO audit takes time, attention to detail, and effort, like any other audit. The better your SSP, the easier the path to a successful audit.

Need help? More information? Contact your Virtual CISO™ or email us at staysafeonline@trustedinternet.io.
