As we’ve seen over the last 2 years, the Cybersecurity Maturity Model Certification (CMMC) has been an evolving model and ecosystem. In some ways it truly is a case of “building the ship while we’re sailing it.” If that’s the case, how can we truly prepare and assure our efforts (resources of both time and money) are being put in the right place and towards the right ends?

While there are many strategies, InTech’s primary strategy has been “Be attentive, learn, and iterate quickly.”

Making CMMC Easy & Functional

We saw many companies focus on “getting compliant” and then ask us “What now? How do we STAY compliant so we can pass the assessment?”

As lovers of systems and processes (it’s one of our Core Values!), we developed the CMMC IT Documentation Toolkit: a package of functional IT Security Policies, Plans, Procedures, and Lists that, when implemented, demystifies the process of getting and staying CMMC compliant.

CMMC at Levels 2 & 3 requires a significant amount of documentation. This includes IT Policies, a Plan resource for each of the 17 Domain Areas, detailed practices and procedures on how IT and compliance-related activities are performed, as well as a significant number of lists.

Assessors look for this documentation when they perform an assessment as part of the evidence of the domain area. They will Examine the documentation, Interview those responsible for the implementation and management of compliance, and Test to see if what’s on paper is really lived in the organization.

If the documentation is insufficient, not kept up to date, or if it's clear that it is just “CYA,” the business fails the assessment. The documentation we created is functional in nature and actually used not only to get compliant, but to stay compliant over time. It is a collaborative approach that assures that management is properly briefed and engaged in compliance.

Preparing Clients and Providers

Due to the uniqueness of the CMMC IT Documentation Toolkit and the functional approach to documentation, Leia has become a subject matter expert on CMMC and IT documentation for compliance.

The Toolkit is quickly being adopted as the benchmark in the industry when it comes to documentation excellence. In addition to it being available as a downloadable package of Word, Excel, and PowerPoint docs, it will soon also be integrated into FutureFeed’s compliance documentation tool (www.futurefeed.co).

Leia is also acting as an SME for Catalyst Connection’s consultants for their work providing CMMC assessments for Pittsburgh area manufacturers. Her passion for assuring this work is done right so companies don’t waste money in their compliance efforts also finds her training other IT Consultants on how to do this work properly for best outcomes.

Preparing For Success

To assure our team is properly trained to meet the needs of the DIB and the CMMC community, the team at InTech never stops learning. From excellence in IT management to security operations and compliance management, we hone our skills every week.

On Tuesdays the entire team (from help desk to engineers to office admins) attends a CMMC training to understand the compliance requirements from physical security to technical configurations, to documentation. On Thursdays, the technical team engages in Security Operations (SecOps) training delivered by our Partner Galactic Advisors. Three members of our team are also studying to become CMMC Certified Professionals (CCP).

Several team members are also attending a weekly peer group called “17 Domains in 17 Weeks” where subject matter experts on certain domains come together to share best practices and challenges and get clarification on assuring environments meet the CMMC compliance requirements.

We are also regularly meeting with CMMC Third-Party Assessor Organizations (C3PAOs) to debrief with them as they are going through their own DIBCAC assessments and perform assessments through provisional assessors to continuously improve our processes, configurations, and documentation.

Our Mission: 100% Pass Rate

While there can be no guarantees that any business will pass an assessment, our Mission at InTech is a 100% pass rate for all Clients that we work with.

Leia has been asked by a C3PAO to be a member of an official assessment team this fall. This will give us a “behind the scenes” look at how assessments are run and what assessors are looking for, and let us bring this knowledge back so that we can be certain each company is properly prepared to pass the assessment.

We will continue to create partnerships with C3PAOs, Registered Providers, Certified Professionals, MEPs, and other industry organizations to assure our manufacturers remain what they have always been: the cornerstone of the American economy.

We will not stop learning, innovating, and working until the DIB is secured and our Clients have all passed their Assessment. Heck, we won’t even stop then!