The Underestimated .998’s – Procedure Requirements For CMMC

Many people are of the view that the CMMC requirements are less demanding than what NIST required for the equivalent level; however, this is far from the truth. In fact, CMMC at level 2, level 3, or any other level requires additional 'process' compliance that builds on the requirements set forth by NIST, meaning there are often many more things you need to get done. What adds to the complexity is that these 'processes' require your business to be streamlined in a way that also supports the other requirements of CMMC.

Different Processes For CMMC Levels

When looking at qualification requirements for CMMC, it is important to note that there is a difference between practice and process. These differences will influence the level of CMMC your organization is able to qualify for. For instance, if you have level 3 practices for a given task, yet the process behind that task only qualifies for level 2, then your final evaluation will be level 2. This is why having strong practices is no longer enough: organizations need to be able to demonstrate process maturity in order to get proper certification. Similarly, if your aim is to work with qualified information and you need a level 3 qualification, then you will also need to be qualified for all lower levels; simply doing what is required for level 3 will not be enough. This is reflected in the fact that level 3 qualification consists of a total of 130 practices, of which only 58 are specific to level 3; the other 72 practices are all requirements for levels 1 and 2.

Documenting Processes

One of the main requirements for levels 2 and higher, captured in the .998 process items, is that processes need to be documented. There is no prescribed way of documenting them; organizations can choose whatever format suits them, but it is important that the processes are clearly laid out for team members to follow. In some cases smaller organizations may simply write them out by hand, while larger firms may prefer a more formal and structured approach. Both are fine; what matters is that the documentation for each process exists.

Using Processes

Documenting processes not only ensures that everyone knows what needs to be done, but also that the same procedure is followed every time. When things are left to individual discretion, there is a strong chance people will not stick to protocol. Clearly defined and documented processes also make it possible to streamline operations and produce a more accurate forecast of what the business can expect. Having these things laid out makes it possible to evaluate their effectiveness in the long run and make changes where necessary. When the goal is security, especially when you are dealing with such sensitive information, you want to do whatever you can to improve security and develop better processes.

Getting Evaluated

It is also important to note that not only the higher-level procedures need to be documented: all procedures should be defined, whether that is a level 1 or a level 5 procedure. How you structure them does not matter too much. You can keep them in your IT handbook or your general operating manual; what matters is that they are there.

Similarly, you want to make sure that you compile them appropriately. You do not have to make a book out of it all, especially when you do not have that many procedures to start with, but you want them compiled neatly.

This will also make it a lot easier for your assessors when they come to give you your evaluation. More importantly, assessors will want to see evidence of how you actually use these procedures in the day-to-day operations of the business. Simply having them in a book is not enough.
