Ep 15: Security Assessment

BEN: Security Assessment. It’s kind of what we’re talking about [in this series], isn’t it?

DAN: Right. The big one here is—there’s four controls we deal with—the first one is the big document. It’s basically, you have to have a System Security Plan. It has to be documented. In this is also going to be your network drawing. So this is one of your main documents that if you don’t have, you will need to produce. This control demands it.

BEN: Right. And I think the important thing here is—my understanding at least in its current thought process—that the CMMC certifications are three-year certifications. And obviously you’ll have to have that SSP to go through that assessment process. But that’s not it, right? It isn’t just, you get certified and you’re done. It’s a process that has to be a continual process where you are continuously reviewing and assessing and adjusting based on your business changes. All of our businesses change all the time so I think it’s important for people to think about it as a routine that is on that is ongoing, as well.

DAN: Yeah, in CMMC, the “M” is for maturity. That’s what they they’re talking about. There’s basically an active plan that doesn’t just sit in a drawer for three years. It’s something you reference. It’s something you update. It says, how am I going to put the security controls for my organization? If I add new equipment, did my network drawing get updated? We work with a lot of companies where we’ll come in and we’ll actually do that assessment twice a year to keep that fresh. You can do it in-house or you can basically externalize it if you like.

BEN: Right.