Reflective Journal #3

Communication throughout security systems is the key to seamless connection between teams and units. Because of this, it was a priority during project planning to organize an output method that makes communication as easy as possible. One issue with businesses organized by divisions is that communication between them is often lacking. With cybersecurity, this means individuals missing key information, being uninformed about newly implemented policies, or, in the worst-case scenario, misusing or going against policies in place.

In developing and adapting policies to be utilized in cybersecurity advancement and teachings, the CMMC team found it best to limit technical wording in order to achieve understanding from the largest number of individuals possible. For this reason, we made use of the pre-established levels of both CMMC and CIS, clearly distinguishing the simpler policies in level one from the more complex policies in level three, and so on. Both CMMC and CIS operate on a three-level system that divides strategies across the tiers based on the scale and difficulty of implementation. For example, a baseline access control system is able to be deployed by all three layers, while penetration testing is saved for the third tier. Our mindset with this strategy was to separate level one from levels two and three, making level one as simple as possible so that all individuals, no matter their team or division, were able to adapt and understand the wording without the possibility of getting lost in the specifics or needing clarification from other team members. In doing so, my familiarity with CMMC grew, and I quickly realized that this task was for us as much as it was for others operating within this map.

CMMC level one strategies cover Access Control, Identification and Authentication, Media Disposal, Physical Protection, System and Communications Protection, and System and Information Integrity. Level one omits some more specialized policies such as Personnel Security; however, in the grand scheme of the implementation we are seeking, level one is of the greatest importance. While CMMC is our main focus, the team continued to map CMMC to CIS in hopes of keeping our Endurance team fully updated on our framework implementation and policy development. For this reason, CIS was continually utilized as a mapping tool in developing easy-to-follow maps. With these maps in place, anyone unaware of a specific policy is now able to see how it specifically relates to the opposite framework, what policies it connects to, what those policies mean, and how they can be implemented.

Towards the end of our first major project, the team had an in-depth understanding of both CMMCv2.0 and CISv8.0, along with the tools required to further advance a framework incorporating the two sets of policies as well as the personnel that utilize both sets of policies. It was now determined that a further understanding of CMMCv2.0, including its origins, needed to be researched and discovered so that policy implementation could begin as we approached the DoD’s CMMC Webinar.
