Wednesday, June 29, 2022

Map Your Vendors to CMMC Processes

Here's an idea to consider: The next time you get a pitch from a vendor, ask this a simple question:

How does this product/service/solution map to CMMC processes and practices?

By now, I'm sure you've noticed that more and more government agencies are turning to NIST (The National Institute of Standards and Technology) and their Cybersecurity Framework for guidance on "best practices" for securing technology. See the official description of NIST's Cybersecurity Framework here:

The NIST SP-800-171 standard has been used by government (specifically military) contractors to demonstrate cybersecurity readiness. A few years ago, the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) to create standards of compliance so that organizations could demonstrate their "cyber hygiene" as measured against the NIST SP-800-171 standard.

In other words . . . instead of self-attesting that they are compliant, organizations can demonstrate to outsiders that they are compliant. And BOOM! an entire industry was born around compliance training, compliance auditing, and compliance testing.

What CMMC Should Mean to Managed Service Providers

Lots of people have jumped on the bandwagon of training and using CMMC in their businesses, and in offering services to their clients. That's great.

I would encourage you to take another step - and put a little pressure on your vendors. Simply ask the question: How does this product/service/solution map to CMMC processes and practices? See the graphic from the official NIST slide deck.

How do I map your amazing, AI-enhanced, fully buzzword-compliant widget to the capability domains defined in one or more of the five levels of CMMC compliance?

In fact, I recommend that you build a spreadsheet with each of the knowledge areas and define how each specific product or service helps you achieve compliance in that area. For example:

Access Control - [Vendor] [Product]

Incident Reponse - [Vendor] [Product]

Risk Management - [Vendor] [Product]


You need to look for two things on this spreadsheet: Gaps and Overlaps. I can pretty much guarantee that you'll have overlaps. These are areas addressed by more than one vendor/product. More importantly, look for the gaps that aren't addressed by any of the products or services you use.

After all that, you should get with your team and discuss whether you have the right mix. Is THIS the product you want to use to provide THAT compliance? If not, create a change plan. 

Also, make sure you go back to your vendors. Ask then how they map their products and services to CMMC compliance. Ask them if one of their products can fill your gaps. Remember, it might be as simple as using a feature you hadn't explored or didn't know about. Training from your vendors will help you choose the combination of products that you want to use going forward.

It's easy for vendors to throw up a slide deck and tell you how they plan to make the world safe from evil, amazing, AI-enhanced, fully buzzword-compliant attacks. But more and more, your company's success will be tied to your ability to demonstrate that you provide auditable compliance with a security framework that is truly growing to be a standard in the industry.

I would love to see every vendor add a slide that specifically maps their product or service to a specific piece of the CMMC security framework.

Feedback welcome.

- - - - -

A few sources:


No comments:

Post a Comment

Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!