Policies and Procedures Documentation

With all the changes regarding CUI and CMMC over the last couple of years, it can be difficult to know what is required and what is not. While CMMC 2.0 Level 2 removed the additional governance requirements that CMMC 1.0 had imposed, that does not mean an organization doesn’t need to write policies and procedures.

Even though there is no longer an explicit requirement for policies, plans, and procedures, there are still some practices that specifically reference policies and procedures, and those must be documented.

In fact, proving your compliance in a CMMC assessment would be nearly impossible without that documentation.

(And, honestly, as a matter of good business practice, every organization should document everything. Training, operations, and incident response are just a few key areas where documentation isn’t just helpful, but essential.)

An organization has to start by documenting where they want their cybersecurity posture to be. And that means writing policies, procedures, and plans.

There is a difference between an organization’s policies and the procedures to carry out those policies. For example, a policy could require multi-factor authentication for access to remote systems. The procedures explain how to set that up and how to enforce the policy.

Policies are the all-encompassing guidelines for an organization. They set a course and direct decisions and strategy. Basically, it’s the “why” an organization does certain things or takes certain actions.

Procedures, on the flip side of the coin, are the “how.” They specify actions in a step-by-step order. They should be readable, accessible, and fairly simple to follow.

Policies are set and should be reviewed from a high-level standpoint: “Do we as an organization still require this?” Procedures, on the other hand, should be reviewed and even tested regularly.

It is impossible to provide guidance to your staff in protecting CUI without sound documentation – telling them what they need to do and how to accomplish it.

If you approach this endeavor as implementing industry best practices to secure your data, compliance will follow. Conversely, if you are just looking to check the box, you may become compliant but still miss the mark on securing the CUI.

We’ve seen our clients struggle trying to do this on their own (and failing), or even having their Managed Service Provider or the lone person in the IT department try to handle it.

Duffy Compliance Services has years of expertise developing both policies and procedures (and understanding the difference) for its clients. Let us help you navigate this journey without struggle and frustration – and get the job done.
