Small Biz Thoughts by Karl W. Palachuk: Map Your Vendors to CMMC Processes

Wednesday, June 29, 2022

Map Your Vendors to CMMC Processes

Here's an idea to consider: The next time you get a pitch from a vendor, ask this a simple question:

How does this product/service/solution map to CMMC processes and practices?

By now, I'm sure you've noticed that more and more government agencies are turning to NIST (The National Institute of Standards and Technology) and their Cybersecurity Framework for guidance on "best practices" for securing technology. See the official description of NIST's Cybersecurity Framework here:

https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

The NIST SP-800-171 standard has been used by government (specifically military) contractors to demonstrate cybersecurity readiness. A few years ago, the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) to create standards of compliance so that organizations could demonstrate their "cyber hygiene" as measured against the NIST SP-800-171 standard.

In other words . . . instead of self-attesting that they are compliant, organizations can demonstrate to outsiders that they are compliant. And BOOM! an entire industry was born around compliance training, compliance auditing, and compliance testing.

What CMMC Should Mean to Managed Service Providers

Lots of people have jumped on the bandwagon of training and using CMMC in their businesses, and in offering services to their clients. That's great.

I would encourage you to take another step - and put a little pressure on your vendors. Simply ask the question: How does this product/service/solution map to CMMC processes and practices? See the graphic from the official NIST slide deck.

How do I map your amazing, AI-enhanced, fully buzzword-compliant widget to the capability domains defined in one or more of the five levels of CMMC compliance?

In fact, I recommend that you build a spreadsheet with each of the knowledge areas and define how each specific product or service helps you achieve compliance in that area. For example:

Access Control - [Vendor] [Product]

Incident Reponse - [Vendor] [Product]

Risk Management - [Vendor] [Product]

etc.

You need to look for two things on this spreadsheet: Gaps and Overlaps. I can pretty much guarantee that you'll have overlaps. These are areas addressed by more than one vendor/product. More importantly, look for the gaps that aren't addressed by any of the products or services you use.

After all that, you should get with your team and discuss whether you have the right mix. Is THIS the product you want to use to provide THAT compliance? If not, create a change plan.

Also, make sure you go back to your vendors. Ask then how they map their products and services to CMMC compliance. Ask them if one of their products can fill your gaps. Remember, it might be as simple as using a feature you hadn't explored or didn't know about. Training from your vendors will help you choose the combination of products that you want to use going forward.

It's easy for vendors to throw up a slide deck and tell you how they plan to make the world safe from evil, amazing, AI-enhanced, fully buzzword-compliant attacks. But more and more, your company's success will be tied to your ability to demonstrate that you provide auditable compliance with a security framework that is truly growing to be a standard in the industry.

I would love to see every vendor add a slide that specifically maps their product or service to a specific piece of the CMMC security framework.

Feedback welcome.

- - - - -

A few sources:

Cybersecurity Maturity Model Certification (CMMC) Levels - https://www.nsf.org/knowledge-library/guide-cybersecurity-maturity-model-certification-cmmc-levels
Graphic from: https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/2020%20Jan/WedAM1.1_CMMC_Overview_Releasable_Dec%202019_v2.pdf
NIST 800-171 revised - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST CMMC Overview - https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/2020%20Jan/WedAM1.1_CMMC_Overview_Releasable_Dec%202019_v2.pdf

:-)

No comments:

Post a Comment

Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!

Hot Books for Managed Services

Managed Services Operations Manual - 1300+ pages in four books, plus downloadable bonus content.

Learn more at www.SOP4SMB.com.

This four-volume set is the definitive guide to Managed Services. From the front office to the tech department, we cover it all. Every computer consultant, every managed service provider, every technical consulting company - every successful business - needs SOPs!

When you document your processes and procedures, you design a way for your company to have repeatable success. And as you fine-tune those processes and procedures, you become more successful, more efficient, and more profitable. The way you do everything is your brand.

How to Deliver Successful, Profitable Projects on Time with Your Small Business Clients

by Dana J Goulston, PMP and Karl W. Palachuk

Learn More:
ProjectManagementinSmallBusiness.com

Small Business project management is simply not as complicated as project management in the enterprise. But small business projects have the same challenges as enterprise projects: They need to achieve their goals effectively, on time, and within budget.

They also face the same primary challenge – staying inside the scope of the project!

This great little book provides a simple process project planning and management process that is easy to learn and easy to teach to your employees, fellow technicians, and sub-contractors. You’ll learn to track any project, explain all the stages to clients and employees, and verify that everything is completed on time and under budget.

The authors show you a great technique for making sure that scope creep is a thing of the past! Make every project a successful and profitable project!

Only $39.95 !

3nd Edition - 2018

New Chapters!

Learn More:
ManagedServicesinaMonth.com

Great for new I.T. Consultants or anyone who wants to transform your break/fix business to a profitable Managed Service practice in 30 days or less. (Really)

Includes chapters on cloud services in the Managed Service world.

Order NOW and get started on a path to recurring revenue!

Newly Revised - 2013

Learn More:
RelaxFocusSucceed.com

Balance Your Personal and Professional Lives and Be More Successful in Both.

Bringing balance into your personal and professional lives and becoming the person you want to be.

FTC Disclosure Statement

I make every attempt to honestly state what I believe and enjoy the freedom of posting whatever I feel like on this blog. This is a big complicated world and I have many interconnected personal and professional relationships.

I may in some way receive money or other benefits from any of the products, services, or companies mentioned in this blog as a direct or indirect result of my actions on and off this blog. Any experience mentioned here is just my experience and I have no knowledge about whether it represents a typical experience with any products, services, or companies mentioned.

Whenever it is possible to have both an honest and a misleading interpretation of my statements, please assume honesty.

I try to follow the FTC guidelines at all times.

Thanks. - karlp

Wednesday, June 29, 2022

Map Your Vendors to CMMC Processes

No comments:

Post a Comment

Transform Our Industry

Small Biz Thoughts Community

Most Recent Post

MSP Professional Sales - 5 week class starts April 23rd

Subscribe by Email

Get new posts by email:

My YouTube Channel

Search This Blog and Its Links

Managed Services on Amazon

Hot Books for Managed Services

About Karl

Cool Fun Links to My Stuff

Blog Roll

Blog Archive

Translate

FTC Disclosure Statement

Labels

CC Rider

Google Analytics

Clicky