Copies of the slides can be downloaded from: MAR 2022 FutureFeed User Presentation.pdf
Webinar Description
In this month's session we addressed:
Documents and Documentation in FutureFeed
- CMMC v2 - Documentation Requirements vs Best Practices (Jim Goepel)
- FutureFeed Curated Document Templates (Jim Goepel)
- Live Documents vs Attachments in FutureFeed (Mark Berman)
- ADD-ON - InTech Documentation Service (Leia Shilobod)
- User Efficiency through Document Tagging - The Game Plan (Mark Berman)
- Asset Types - A new CMMC requirement (Jim Goepel)
All prior webinar recordings are available on our support site.
Speakers:
Mark Berman - CEO, FutureFeed.co
- Mr. Berman helped found the CMMC-AB.
Jim Goepel - Director of Education and Content, General Counsel
- Mr. Goepel helped found, and is the former Treasurer of, the CMMC-AB, and is a Professor of Cyber Security at Drexel University.
Leia Shilobod - CEO, InTech (FutureFeed Content Partner), www.intechit.net/cmmcitdoctoolkit
Webinar Index
04:50 Full Agenda
06:20 CMMC 2.0 and Maturity
- Some candidate C3PAOs and others struggled with the policy, procedure, and plan requirements.
- DoD removed the explicit policy, procedure, plan process requirements (i.e., the 997, 998, and 999s).
07:25 Must Still Document Compliance
- Documentation Takes Many Forms
- System configuration settings
- Lists
- Logs
- Policies
- Procedures
- Plans
07:45 Does Every Practice Need a Policy? - No
- CMMC Assessment Guide describes many objects, not just policies.
- However, remember your goal: convince the DIBCAC auditor/CMMC assessor that you meet all applicable objectives of every practice.
08:40 Should We Have Policies? - Yes
- Creates consistency in the organization
- Enhances organizational maturity
- Fills in the documentation gaps for the assessors
10:15 Document Templates
- Longer-term rollout for complete functionality
- Plans, Policies, Procedures, Agendas, Lists
- Review and modify based on your organization's needs
- Can create your own using a blank policy template
- Provided with representative examples of what these completed templates should look like
- Feedback is encouraged once they go live as our goal is to make these templates community-focused
- Editor
- Automation to provide less work for users who wish to create templates within FutureFeed
- Paid add-on for template package from our valued partner InTech IT Solutions - Leia Shilobod, CEO
10:41 Built-in Templates - Coming Soon
Ensure these apply to your organization before incorporating them.
A blank template will be available to use if your organization wishes to start from scratch.
Policies
- Acceptable Encryption Policy
- Acceptable Use Policy
- Access Control Policy
- Acquisition and Merger Assessment Policy
- Asset Inventory & Device Management Policy
- Bluetooth Baseline Requirements Policy
- Clean Desk Policy
- Cybersecurity Policy
- Data Breach Incident Response Policy
- Data Classification Policy
- Data Protection Policy
- Disaster Recovery Plan Policy
- E-mail Policy
- E-mail Retention Policy
- Ethics Policy
- Information Logging Policy
- Information Systems Audit Policy
- Non-Discrimination and Anti-Harassment Policy
- Patching Policy
- Phishing Policy
- Physical Security Policy
- Portable Media/USB Policy
- Remote Access Policy
- Risk Assessment Policy
- Social Media Policy
- System and Network Security Policy
- Third-Party Service Provider Policy
Plan
- Data Breach Incident Response Plan
Procedures
- Employee Offboarding Procedure
14:52 Free Templates
- Good Building Blocks
- Illustrate Kinds of Issues to be Addressed
- Extend Beyond CMMC/800-171 (e.g., ethics)
- Not comprehensive
- Only periodically maintained
15:56 Who is Leia Shilobod?
- Founded InTech in 2006
- Speaks country-wide on IT Security, IT Documentation, IT Operations, CMMC | NIST 800-171, and IT for Manufacturers
- Process Driven
- Author of the “CMMC IT Documentation Toolkit”
- Author of 2 Books:
- “Cyber Warfare: Protecting Your Business From Total Annihilation”
- “The 3 Indisputable Rules Every Manufacturer Must Know Before Purchasing Any IT Product or Service”
17:20 Leveling Up Our Process Maturity
- Create a process to get our clients compliant
- Create documentation of processes
- Create the required Policy, Plans, and List documentation
- Develop a process to KEEP it all aligned
18:13 CMMC IT Documentation Toolkit Onboard and Implementation Roadmap
- Kick-Off Call (19:38)
- Orient to the CMMC IT Documentation Toolkit
- Introduce to CMMC Documentation Requirements
- Our Philosophy and Approach to Meet Requirements
- Review Agenda and Set Meetings
- Data Flow Diagram (20:58)
- Diagram how FCI and CUI flow in, are handled, flow out, and who is authorized to access
- Include hard copy and digital forms
- Include removable media and backups
- Include third party providers who may have access to FCI/CUI even if they don't handle it as part of their scope
- Policies "The Bible" (25:46)
- Policies are your guiding Principles and will affect technology, human resources, and business processes
- IT Policies Document
- Consolidated IT Policies that map to CMMC Controls
- Privacy & Security Policy
- Notice is posted at the logon screen of all devices
- Acceptable Use Policy for End Users
- User-facing Policy that is stand-alone, signed at onboard and again each year at yearly security training
- Plans "Our Strategy" (29:31)
- Information Control and Flow Plan
- CMMC is about protecting the data – you must start with alignment on what will be protected and how it flows in, is handled, and flows out
- Asset Management Plan
- IT Roadmap for managing IT initiatives, budgets, and life cycling
- Awareness & Training Plan
- Incident Response Plan
- And associated procedures
- Business Continuity & Disaster Recovery Plan
- And associated procedures
- Risk Management Plan
- And associated procedures
- RM brings everything together to assure continued updates, accountability for activities, and compliance
- System Security Plan (SSP) – details everything you are doing to comply
- Procedures "How To" (31:59)
- IT Procedures
- Baseline configs, IT procedures
- HR Procedures / Checklists
- Other helpful procedures to assist with compliance
- The Lists (37:59)
- CMMC | NIST 800-171 requires that you maintain records of things such as:
- Who is authorized to access the system
- What devices are authorized
- What software is approved
- Who is authorized to access the facility
- What just won’t fly:
- A point in time export from your firewall DB is NOT an authorized remote access list
- A point in time export of all software installed on endpoints from your RMM tool is NOT an Approved Software List
- Other Things You Didn't Realize You Need (39:39)
- Network Diagram AND Data Flow Diagram
- Organization Charts
- How printed CUI is handled and destroyed (some firms try to ‘simplify’ CMMC by having everything printed)
- Media Marking of Equipment
- Shared Responsibility Matrix
- Requirements Traceability Matrix (RTM)
- Maintaining CMMC Compliance (43:32)
- Important Question: How are we going to manage 14 Plans, keep the environment aligned, keep management up to speed, assure everyone is continuously trained, keep documentation fresh, etc.?
- Our Answer: Change Management Process and Risk Management Meetings
- Managing CMMC Compliance
- Bring it together through the Risk Management Plan:
- Security Assessments
- Vulnerability Assessments
- Risk Assessments
- Risk Management Meetings
- Consider it a QBR/TBR or IT Meeting with Management on steroids and with a wider purpose:
- Create an agenda and send it in advance
- Establish expectations in the client’s/management’s minds about the purpose of the meeting
- SOP for YOU to prepare; SOP for CLIENT to prepare
- Review Risks the organization faces: internal, external
- Review Plans and/or the outcome of your execution of the plans (e.g. – Current assets and life-cycling, upcoming projects, testing the BDR Plan, how you responded to Incidents, Change Management, state of the Active Directory, Approved Software List, Key SOPs, etc.)
- Make decisions on projects, direction, and get approval in the meeting
- Capture notes, create tickets, assign accountable resources, set deadlines right into your tools, update POAM, update FutureFeed’s SSP
- Follow "The Way" (49:47)
- Follow InTech's or create your own, but you must follow "The Way of CMMC"
- Anything less will be a spastic approach
- Anything less under serves your Clients
- Anything less produces low confidence for passing an assessment
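The Lists section (37:59) makes the point that a point-in-time RMM export is not an Approved Software List. The following is an added example, not FutureFeed's or InTech's code, showing why the two are different artifacts and how they fit together: the approved list records decisions (who approved what, for which systems, until when), the export records what is observed installed, and reconciling the two is what produces assessment evidence for the NIST SP 800-171 software inventory and user-installed software requirements (3.4.1, 3.4.9). The CSV layouts, the host naming convention (SRV-* are servers) and every row below are constructed for illustration.

```python
"""Reconcile an RMM software-inventory export against an Approved Software List.

Added example (not FutureFeed's or InTech's code). CSV layouts, the host naming
convention and all sample rows are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed Approved Software List: each row is a decision, not an observation.
APPROVED_SOFTWARE_LIST_CSV = """\
name,min_version,approved_by,approved_on,review_by,scope
Microsoft Office,16.0,CISO,2022-01-15,2023-01-15,all-workstations
7-Zip,21.07,IT Manager,2021-03-01,2022-03-01,all-workstations
Google Chrome,98.0,CISO,2022-02-01,2023-02-01,all-workstations
Veeam Agent,5.0,IT Manager,2021-09-10,2022-09-10,servers
KeePass,2.50,CISO,2022-02-20,2023-02-20,all-workstations
"""

# Constructed point-in-time RMM export: what is observed installed, per host.
RMM_EXPORT_CSV = """\
host,name,version
WS-014,Microsoft Office,16.0.14931
WS-014,Google Chrome,99.0.4844
WS-014,7-Zip,19.00
WS-014,TeamViewer,15.27
WS-022,Microsoft Office,16.0.14931
WS-022,Google Chrome,98.0.4758
WS-022,Veeam Agent,5.0.3
SRV-01,Veeam Agent,5.0.3
"""


@dataclass(frozen=True)
class Approval:
    name: str
    min_version: tuple
    approved_by: str
    approved_on: date
    review_by: date      # approval must be re-reviewed by this date
    scope: str           # constructed convention: "all-workstations" or "servers"


def parse_version(text: str) -> tuple:
    """Turn '16.0.14931' into (16, 0, 14931); non-numeric pieces become 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_approved(csv_text: str) -> dict:
    approvals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        approvals[row["name"].lower()] = Approval(
            name=row["name"],
            min_version=parse_version(row["min_version"]),
            approved_by=row["approved_by"],
            approved_on=date.fromisoformat(row["approved_on"]),
            review_by=date.fromisoformat(row["review_by"]),
            scope=row["scope"],
        )
    return approvals


def load_inventory(csv_text: str) -> list:
    return [(r["host"], r["name"], parse_version(r["version"]))
            for r in csv.DictReader(io.StringIO(csv_text))]


def host_class(host: str) -> str:
    """Constructed naming convention: SRV-* hosts are servers, all others workstations."""
    return "servers" if host.upper().startswith("SRV-") else "all-workstations"


def reconcile(approvals: dict, inventory: list, as_of: date) -> dict:
    """Compare observed software with recorded approvals; each finding is evidence."""
    findings = {"unapproved": [], "below_minimum": [], "out_of_scope": [],
                "approval_expired": [], "approved_not_observed": []}
    observed = set()
    for host, name, version in inventory:
        approval = approvals.get(name.lower())
        if approval is None:                       # installed, never approved
            findings["unapproved"].append((host, name))
            continue
        observed.add(name.lower())
        if approval.scope != host_class(host):     # approved, but not for this host class
            findings["out_of_scope"].append((host, name, approval.scope))
        if version < approval.min_version:         # approved, but below the approved floor
            findings["below_minimum"].append((host, name, ".".join(map(str, version))))
    for key, approval in approvals.items():
        if approval.review_by < as_of:             # the list itself has gone stale
            findings["approval_expired"].append(approval.name)
        if key not in observed:                    # approved but not installed anywhere
            findings["approved_not_observed"].append(approval.name)
    return findings


def run_sample(as_of_iso: str = "2022-03-15") -> dict:
    approvals = load_approved(APPROVED_SOFTWARE_LIST_CSV)
    inventory = load_inventory(RMM_EXPORT_CSV)
    return reconcile(approvals, inventory, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Run as-is it reports TeamViewer on WS-014 as unapproved, 7-Zip on WS-014 below the approved minimum, Veeam Agent on WS-022 outside its approved scope, the 7-Zip approval as overdue for review, and KeePass as approved but not observed. The first three are what the export alone can never tell you, because the export has no notion of a decision; the fourth is the "keep documentation fresh" problem from the Maintaining CMMC Compliance section turned into a finding you can put on a Risk Management Meeting agenda.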
56:05 Live Documents vs. Attachments
- Live Documents
- Edited and Maintained inside of FutureFeed (AWS GovCloud)
- Can have attachments as well
- Tag to appear on a control
- Attachments
- Drag and Drop into FutureFeed (AWS GovCloud S3 Buckets)
- CHANGE: Going forward one active attachment per document
- Tag to appear on a control
01:01:25 CMMC 2.0 Scoping: Asset Types
- CUI Assets: process, store, or transmit CUI
- Security Protection Assets:
- Provide security functions or capabilities within the assessed environment (even if they don’t process, store, or transmit CUI)
- Contractor Risk Managed Assets:
- Can, but are not intended to, process, store, or transmit CUI because of policies, procedures, and practices in place
- Specialized Assets:
- may or may not process, store, or transmit CUI
- Out-of-Scope Assets:
- cannot process, store, or transmit CUI
Questions? Email support@futurefeed.co