CMMC Compliance and assessment: Cyber Hygiene Steps for Security Plan of Action

So let's see how this actually deals with what the current steps are and what the plan of action is that we see with the CMMC, the maturity certification. A couple of key things here: one is on the visibility side, and the other is on the threat management side of things.

If you look at it closely, the model states that there are five main steps included in the model. The first is to assess the network and map it against what existing security controls we have and what procedures are present. Then documenting: most importantly, ensuring that we have an updated procedure or process which has this documented, and what the plan of action is that builds against each of these steps. Then calculating those scores: whenever we see an issue or vulnerability, how important is it to us? There are several models in which we actually perform some of this maturity scoring. Some of them are required by the government agencies, to be able to submit the scores, and they range anywhere between a score of 200 to 800, and the higher the score, the better the maturity is for the cyber security of the overall organization. Now, we saw that in the last one year these results have dipped, primarily because of the operational technology infrastructure which is now integrated with the IT, and that is also bringing in a lot of controls which are currently mandated but which do not cover the existing cyber security approach that we have had for several years in the IT, or our traditional infrastructure security space.

Then we also need to plan a remediation stage. It states that you need to have the organizational visibility to be able to take action against whatever documented steps and the scores that have been calculated or computed; against these scores we prioritize, basically telling which are the most critical areas we need to focus on and what the areas are. But having that full 360-degree view of how these issues can occur in my network is the most important topic that we'll cover. And of course the last stage is the monitor stage.

Each of these stages has some key pointers that they talk about. When we see the assess stage, we look at environmental risks, OT and IoT assets being connected, and also classified or, you know, controlled unclassified information, which is not required by some of the organizational mandates that the government is requiring in its bids. This is becoming a gray area: what we are seeing is that while this is unclassified, it requires minimal compliance that should be adhered to; it is still responsible, and it still falls under all the 17 domains that the CMMC talks about, or at least outlines.

In terms of documentation: are we seeing some of the risk findings, what is the security plan, or the system security plan as we call it, and what is the plan of action? Now, a very important point here is that when we see these documented steps, this is now being mapped not just with the information that is out there but also with the data that is coming across the operational technology and some of these critical infrastructure components, which can directly lead to a control breach, and that eventually leads to the company staying non-compliant or, for some of them, actually losing the certification that they already have.

Once we have those steps, the calculate stage outlines what the risk score is, what the baseline model is, and how we align this with the framework that is best suited for our network. In the remediation stage: where are we non-compliant, and how do we bring it to a level where we are meeting that compliance? How do we map the controls that we have today with the compliance requirement, be it asset management visibility, be it monitoring, remediation and response, any of the cyber resiliency processes that we take, mapping it to similar compliance. The same thing we see is also being directed by standards like NIST and also IEC 62443, which have more or less some overlaps in most of these areas and are a lot similar.

But it does not stop once we remediate. There are also controls where the companies and organizations have to have continuous monitoring, detection, a robust threat management plan that can cover their entire critical infrastructure which is now being connected to the internet along with the IT, and what the control flow is of the unclassified information that I have from these networks which is flowing through my IT. So with this five-step process, it kind of clearly outlines where we start, how the journey is going to look, especially when we see OT environments that are coming in, and how we maintain this from a mid- to long-term strategic purpose.
