Our previously acquired research mindset became the baseline for our internship goals and tasks, specifically research into CMMC 2.0 and how it might be implemented both within existing frameworks and through newly created frameworks specific to an individual organization. CMMC has proven to be the future of LightGrid, comparable to an encyclopedia of cybersecurity policy that I needed to know cover to cover. CMMC 2.0 builds on the currently mandated cybersecurity framework, NIST SP 800-171, which was established to govern how third parties handle Controlled Unclassified Information (CUI). CMMC, still in its infancy, has proven to be a formidable end goal for any organization hoping to implement a complex framework that is designed to seem approachable while maintaining the necessary level of security. Combined with our constant monitoring, theorizing, and research, we designated ourselves the CMMC team and made it our goal to implement and adapt this framework to the policies already in place.
Policy development quickly became a skillset that has come to dominate my thinking about the world of cybersecurity. By examining pre-existing strategies and documenting the connections between real-world and in-house events, I discovered that policies can be cross-examined and even mapped to one another to aid other teams that rely on differing strategies. In my research with LightGrid, I found CMMC to be more malleable than I initially believed, and with the future mandate on the horizon it presented the unique challenge of establishing CMMC as an equal to already well-established frameworks such as CIS Controls v8.0.
The challenge of mapping CMMC to other existing frameworks originated in a separate, pre-existing reliance on CIS. LightGrid outsources its IT infrastructure and technicians to another business, Endurance IT. This arrangement has proven comfortable, as IT technicians are available to consult without the level of interruption that in-house IT teams struggle with. With Endurance's use of CIS already clearly defined, the CMMC team concluded that the best solution to satisfy both groups (and both frameworks) would be to build a detailed map between the two control sets. While similar in nature, CMMC and CIS differ greatly in how their policies grow alongside the companies that implement them. CMMC, for example, is largely concerned with organizing and managing CUI and other forms of sensitive data. CIS is a more operational control set, prescribing the implementation of software to defend against cyber-attacks, the training of personnel, and defensive strategies should an infection occur. While parts of both frameworks complement each other, their differences remained clear throughout the mapping process.