Written policies document nearly one-third of the 320 assessment objectives within CMMC.
In fact, there are 281 results if you search for “policy” or “policies” in the CMMC Assessment Guide - Level 2.
The purpose of this blog is to:
Outline the relationship between Policies, Practices and Procedures
Enable you to write CMMC policies based on NIST SP 800-53A guidelines
Provide a mapping of policies to practices & procedures within CMMC
Explain how to avoid bottlenecks along the way
Policies
NIST SP 800-160 Vol.1 defines policy as a set of rules that governs all aspects of relevant system and system element (including technology, machine, and human elements) behavior. Policy frameworks start with high-level, organizational policies overseeing issue-specific and system-specific policies.
Organizational policies have the following characteristics:
State the organization’s goals
Assign roles and responsibilities
Outline enforcement
Support legal regulations
Provide scope and direction
Are easy to understand
Underneath organizational policies are issue-specific and system-specific policies.
Issue-specific policies provide guidance on how to comply with specific issues. For example…
Information Flow Policy
Separation of Duties
Session Termination
System-specific policies govern defined scopes of information systems, networks or applications. For example…
Mobile Device Policy
Portable Storage Device Policy
All policies should be broad and focus on answering the questions “what” and “why”. They should also be technology-independent. And they shouldn't restrict the organization to specific ways of accomplishing them.
Practices and Procedures
Practices (standards) and procedures enable implementation of a policy.
Let’s walk through a quick example. The 100 practices within NIST SP 800-171 address four main groups…
Technologies
People
Facilities
Processes
The regulation explains how each of those groups should protect the confidentiality and integrity of controlled unclassified information.
These requirements can be further expanded into the 320 determination statements. Those statements express the desired outcomes of implementing each practice.
Focusing on these determination statements allows for the creation of procedures supporting implementation. Determination statements are also known as assessment objectives. Procedures are repeatable, step-by-step descriptions that define the tasks carried out by people.
To keep policies easy to understand, don’t insert the procedures into the policies. A narrower audience receives the standard operating procedures (SOPs).
The hierarchy below demonstrates policies and their relationship to practices and procedures.
There are two sources to consult when drafting policies for each domain within CMMC:
CMMC Assessment Guide Level 3 Version 1
NIST Special Publication 800-53A
CMMC Guidance on Policies
Ryan Bonner noted on a recent webinar that he classifies over 100 of the 320 assessment objectives as governance objectives.
These controls use non-functional language like identify, define or specify. Written policies would be a good way to document these requirements. Even though CMMC Version 1 was overcome by events, we find the original guidance on writing policies is still relevant.
CMMC Version 1 had specific requirements for each domain policy. Each policy was expected to include the following checklist of items:
Clearly state the purpose of the policy
Define the scope of the policy
Define the roles and responsibilities of the activities covered by the policy
Establish or direct the establishment of procedures to carry out the policy
Identify the regulatory guidelines that the policy addresses
Obtain management endorsement and disseminate the policy to appropriate stakeholders
Periodically review and update the policy
NIST SP 800-53A Guidance on Policies
CMMC uses NIST SP 800-171 as its underlying framework. These controls (practices) came from security requirements within NIST SP 800-53. CMMC Version 2.0 dropped the specific requirements for having written policies. But, the tailoring of controls referenced in Appendix E of NIST SP 800-171 points back to a series of controls that non-federal organizations should be performing without specification. These include having written policies for each domain!
We’re going to compare these requirements with those from NIST SP 800-53, using the assessment guide for that framework (NIST SP 800-53A), and we will bold those requirements that match CMMC Version 1.0.
The NIST requirements for writing policy begin with eight organizationally defined parameters (ODPs):
Define the personnel or roles to whom the policy is disseminated
Define the personnel or roles to whom the procedures are disseminated
Select the level this policy governs (organizational; mission/business process; system)
Define the official to manage the policy and procedures
Define the frequency to review and update the policy
Define events that would require review or updating of the current policy
Define the frequency to review and update the procedures
Define events that would require review or updating of the current procedures
Substituting these ODPs into the policy objectives provides us with the following guidance:
Develop and document the Policy
Disseminate the policy to (1) the personnel or roles
Develop and document the procedures to facilitate the implementation of the policy and associated controls
Disseminate the procedures to (2) the personnel or roles
The Policy addresses purpose
The Policy addresses scope
The Policy addresses roles
The Policy addresses responsibilities
The Policy addresses management commitment
The Policy addresses coordination among entities
The Policy addresses compliance
The Policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines
The (4) designated official manages the development, documentation, and dissemination of the policy and procedures
Review and update the Policy at the (5) defined frequency
Review and update the Policy following (6) defined events
Review and update the current procedures at the (7) defined frequency
Review and update the current procedures following (8) defined events
NIST SP 800-53 covers much more than the seven objectives listed in the original CMMC guidance. For these domain-level policies, NIST SP 800-53 provides the most detailed policy checklist to follow.
Mapping Policies with Practices in CMMC
We started out discussing the 281 references to policy or policies within the Level 2 CMMC Assessment Guide. In addition to the 14 domain policies, we counted 21 additional policies referenced. Based on the domain and controls referencing these policies, we created the following hierarchy:
As we went through this process, we came away with two main things.
First, we recognized that some practices referenced domain policies. No big deal, right? Well, some of the referenced domain policies belonged to a different domain than the practice itself.
For example, SI.L2-3.14.2 through SI.L2-3.14.4 belong to the System and Information Integrity domain. These three practices also reference configuration management policy and procedures as potential artifacts.
Second, we found out that parameters are important. A little more than 100 assessment objectives involve identifying, defining or specifying parameters.
As we mapped out the practice to policy relationship, we noted which assessment objectives used this language. We can then verify that they meet those requirements with the policies that govern those controls.
In support of each policy, standard operating procedures detail the effort of relevant practices. Within each practice, the assessment guide lists the relevant procedures.
You should group these procedures together by the policies that govern them. Doing so allows for the creation of standard operating procedures that can accompany each policy.
We're left with something amazing in the end: a 21-page document that includes the hierarchy of CMMC policies. It also includes the governed controls, the assessment objectives they meet and the associated procedures.
For example:
Access Control Policy
    Information Flow Control Policy
        Practice AC.L2-3.1.3
            Identify & Define (a, b, c, d)
            Procedures addressing information flow enforcement
    Separation of Duties Policy
        Practice AC.L2-3.1.4
            Define & Assign (a, b)
            Procedures addressing divisions of responsibility and separation of duties
    Privacy and Security Policy
        Practice AC.L2-3.1.7
            Define (a, b)
            Procedures addressing system use notification
        Practice AC.L2-3.1.9
            Identify (a)
            Procedures addressing system use notification
Avoiding Bottlenecks Along the Way
The average time to summit K2 is about 60 days. Over 8,000 meters up, climbers must overcome an infamous section called the “Bottleneck” by traversing a column of glacial ice.
We named our compliance management solution K2 Compliance. The path to documenting compliance is lengthy and likely includes bottlenecks along the way.
At the end of your journey to CMMC, you will have written at least 43 policies. Each of them references the applicable regulations, and each can show the standard operating procedures that support it.
K2 Compliance helps you by providing…
Fillable fields for your policies
Association of policies to practices
Standard operating procedure linking
Our system can also set policies to expire and remind the policy owner that it is time to refresh and redistribute their policies. Contact us today for a 30-day free trial.