Initial Planning for A Baseline Cybersecurity Assessment
1 – Select Your Standards
Determine/select one or more standards by which to operate – usually determined by contractual requirements.
If you are uncertain where to begin, most organizations (in particular, those that have Department of Defense (DoD) contracts) should start with the NIST 800-171 and the NIST Cybersecurity Framework standards. The NIST 800-171 provides a list of standard requirements, and the NIST Cybersecurity Framework provides a conceptual framework to understand and communicate your cybersecurity activities. If you are a manufacturing company, the NIST Manufacturing Profile (which incorporates the NIST 800-171 standard) is probably the preferred choice.
The Cyber Secure Dashboard provides specific functionality to support these (and other) activities as summarized below.
2 – Begin To Develop Your Policies and Procedures Documents
Review the 9 customizable policy and procedures templates provided in the Dashboard (see Policies and Procedures below).
Start by comparing your existing policies with the templates provided by the Dashboard. The Dashboard templates provide baseline, industry-standard policy language – so you may need to think about how to integrate what you already have with what the templates prescribe.
Consider who will need to contribute to each policy – at this point, you may want to introduce the process and the Dashboard to those who will be involved. Send them an invitation to access/view your dashboard.
3 – Plan to Continuously Assess Your Status
Who should have the responsibility of reviewing and assessing your status? A Director of IT? Contracts Manager? Consultant? CEO? Now is the time to talk with colleagues about who should be driving the process in your company, and how frequently they should be reviewing cybersecurity and compliance-related activities.
This should be a collaboration across your organization, so involve all relevant internal stakeholders – communicate responsibilities, discuss contributions and timelines.
4 – Begin To Conduct Your Baseline Assessment
Your ultimate goal will be to create your Plan of Action and Milestones (POAM) – but before you do, you’ll need to conduct a baseline assessment.
Don’t panic. Whatever your current status is, it’s going to improve over time. So bite the bullet and get started.
Like any other project management tool, the Cyber Secure Dashboard provides tools to help you assign tasks, set reminders and follow up. The POAM helps you get specific on how to obtain and maintain compliance with your selected standards over time. Depending on your company’s size, existing cybersecurity practices, and contractual obligations, you will need to decide how frequently to review your status, and who will be responsible for overseeing and maintaining compliance.
The Cyber Secure Dashboard provides four commonly used and generalized standards from which to select (see below). An organization can select one of the standards from which to work or switch between the standards as desired or required (for example, when the flow-down requirements from two prime contractors are different). When working with multiple standards, the organizational processes, procedures, compliance posture, etc., are shared, which eliminates the need to duplicate data for each standard.
The four standards and their corresponding Dashboards can be accessed by clicking on the Dashboard icon <insert icon>. For more information, go to <Dashboard page document>.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) framework is a unified cybersecurity standard for upcoming Department of Defense (DoD) acquisitions. The CMMC documentation is accessible in the references section <insert icon> (insert links to the CMMC standard, appendix, errata, etc.) and its implementation in the Cyber Secure Dashboard is accessible from <insert both the link and an image of the Dashboard page>.
NIST SP 800-171
The NIST SP 800-171r1 is a standardized set of requirements to protect Controlled Unclassified Information (CUI) resident in non-governmental organizations. The NIST 800-171 documentation is accessible in the references section (insert a link to the 171 standard) and its implementation in the Cyber Secure Dashboard is accessible from <insert both the link and an image of the page>.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) provides an organizing structure that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. The CSF documentation is accessible in the references section (insert a link to the CSF standard) and its implementation in the Cyber Secure Dashboard is accessible from <insert both the link and an image of the page>.
NIST Manufacturing Profile
The NIST Cybersecurity Framework Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals in the manufacturing sector. This dashboard looks at your cybersecurity posture from a NIST Manufacturing Profile perspective. The Manufacturing Profile documentation is accessible in the references section (insert a link to the Manufacturing Profile standard) and its implementation in the Cyber Secure Dashboard is accessible from <insert both the link and an image of the page>.
Policies and Procedures
The establishment of organizational policies and procedures is an essential task. To simplify this step, the Cyber Secure Dashboard provides the following nine (9) ready-made policy templates:
- Acceptable Use Policy
- HR Personnel Security Management Policy
- Incident Reporting and Data Breach Response Policy
- Information Security Policy
- Information Security Programs Policy
- IT Business Continuity Backup Recovery Policy
- IT Risk Management Policy
- Security Operations Policy
- Technical Controls Policy
Through the dashboard and standard views (insert images), the Cyber Secure Dashboard provides a simple-to-use procedure to assess your organization’s status with respect to every requirement (see the Dashboard discussion for more details). The Dashboard provides an intuitive process to do the following:
- Understand the requirement
- Access best practice guidance
- Assess your status using multiple assessment methodologies
- Cross reference your practice to your policies
- Document your assessment process
- Associate artifacts
In addition, during the assessment process, you can create tasks that can be managed through the Plan of Action and Milestones functionality described below.
Plan of Action and Milestones
The Cyber Secure Dashboard implements a project management tool to create and manage the tasks that are required to implement the selected cybersecurity standard and maintain that standard once implemented. This feature, generally known as a Plan of Action and Milestones, is a full-featured capability to assign, schedule, track, and approve tasks <insert screenshot>. More details on the Plan of Action and Milestones can be found at <insert documentation link>.
Next Article – Quick Survey of Features and Benefits
Get a quick overview of what you can do with the Cyber Secure Dashboard.