A cybersecurity program isn’t a real cybersecurity program until it has documentation in place that records policies, plans, and procedures. With the announcement of CMMC 2.0, maturity levels and processes are now gone, however, this doesn't mean that you shouldn’t have any documentation in place. The documentation we will mention below will help support your implementation of NIST SP 800-171 security requirements.
Documentation You Should Have:
System Security Plan
Plan of action and milestones
Information Security Policy
IT Acceptable Use Policy
Configuration Management Plan
Information System Contingency Plan
Business Impact Analysis
Incident Response Plan
Physical/Environmental Protection Plan
Security/Risk Assessment Plan
CUI Handling Procedures
IT Standard Operating Procedures
Access Control Matrix or similar
Other Documentation Considerations
The above mentioned items are policy, planning, and procedure documents however you still need a method of documenting everyday actions that involve the use of your information system. By this we mean documenting incidents in incident reports, documenting the destruction of hard drives and other media in a certificate of sanitation, documenting changes to the information system in a change request form, and documenting visitor access to your facility. Then there are other items that should be documented such as the creation of user accounts, onboarding new employees, and vulnerability scans. Using an IT ticketing system or similar is a good method to document these.
Where Can I Get These Templates?
Subscribers to Lake Ridge’s Compliance Accelerator app have the ability to download the documentation templates mentioned above at no additional cost to the subscription.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.