kloset
Newcomer I

CMMC samples Establish, maintain, and resource a plan that includes [Domain]

CMMC asks for each of the domains  "Establish, maintain, and resource a plan that includes [Domain]"

However, there are no samples of what this practice really includes. ML.3.997 mentions it.

https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/maturity-level-3/ml... 

It states "The plan does not need to be a single, comprehensive document. The required elements of a plan can be included across one or multiple organizational documents."  

From this I can assume existing policies, procedures, and tools listed in other documents should cover this requirement.

Thoughts?

Has anyone come across good examples of meeting this practice?

1 Reply
rhall
Newcomer I

If you read through the CMMC Model Appendices PDF which you can find here:

https://www.acq.osd.mil/cmmc/draft.html (second download button)

https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf (direct link to PDF)

This document gives very detailed guidance and clarification regarding the different controls.

If you scroll down the PDF to page 44 you'll find there are two pages specifically covering ML.3.997.

Rather than simply policies and procedures, this control is really looking for more of a project plan identifying objectives in SMART format (i.e. specific, measurable, attainable, result-focused, time-bound), listing the relevant standards, policies and procedures, the stakeholders, what activities are required to meet the objectives (with what funding, people, tools), any training required for those involved, an organisational commitment to do the above, etc. It's not just about one-time objectives to implement controls for the first time; it's about ongoing activities to maintain and measure the effectiveness of the controls, with periodic reviews to ensure the people involved have the necessary skills, knowledge and tools to meet the objectives.

In short, I've tended to look at this control as the 'who and when and with what tools/resources', while the policy would be the 'what', and the procedures the 'how'. It plugs the gap with formal documentation. You don't necessarily need a separate plan for each ML.3.997 control, though for complex environments with different teams for each function this might work best. A single document could work very well for smaller organisations with a single team - such as an ICT Strategy or Information Systems and Technology (IS&T) Strategy document that could include these controls under a heading like 'Governance' while also having sections for 'Operations', 'Support', 'Training', 'Systems Development' and other functions. I like to include details of service provider SLAs and key infrastructure upgrade projects, and these documents often tend to work best on a 3- or 5-year timeframe, e.g. IS&T Strategy 2019-2024.

Hope this helps you - I'm also in the process of preparing for CMMC L3.