The early stages of our updated policy development began by taking an artificially created third-party perspective and analyzing the pre-existing policy, in an effort to find the gaps that would gain us points under the self-assessment point system. The NIST/CMMC point system subtracts points from a total based on how closely your policy matches the specific wording of the framework. For example, say an Access Control policy counts for five points against your total score: if you are fully compliant, you can subtract those five points from your total. However, if you are only partially compliant, you don’t get the point subtractions needed to reduce your score to a manageable level. It was discussed during the DoD CMMC Webinar that some small contractors are a bit too generous with their self-assessments, and because of that, the DoD is cracking down on how point values will be calculated and implemented. Because of this, we scrutinized our previous strategy as aggressively as possible in an effort to develop every possible solution that, once implemented, would grant us the subtractions we needed.
We then found ourselves faced with a technical, detailed map of CMMC as outlined by Alan, containing every policy that needed to be followed, the points tied to each, and the company’s previous efforts and ideas toward achieving CMMC compliance. I quickly learned how in-depth adapting the framework was, with overlapping policies ultimately requiring separate solutions. By analyzing the previous compliance strategy, we were able to update it and plan how to improve the policy implementation practices we were faced with. We had begun with Level 1, but I quickly found myself overwhelmed by the sheer volume of content that needed to be considered, and realized the full scale of the project in front of us.
Access Control was the first hurdle the team faced: its set of policies touched the majority of stakeholders within the company, making it the most important. The set of policies extended into Authentication and Identification, two fields that housed their own individual policies and needed to be considered further. In developing ideas about policy implementation, Alan thought it best to identify the stakeholders as well as the CMMC scope of each policy we were faced with. Stakeholders turned out to be anyone from users, to administration, to even the Endurance personnel we worked alongside. By identifying who was affected most by a policy, we were then able to outline its scope, that is, the technical (more specific) tools or techniques we would need to consider.