Getting Started – First Steps
Initial Planning for a Baseline Cybersecurity Assessment
1. Select Your Standards
Determine/select one or more standards by which to operate – usually determined by contractual requirements.
If you are uncertain where to begin, most organizations (in particular, those that have Department of Defense (DoD) contracts) should start with the NIST 800-171 and the NIST Cybersecurity Framework standards. NIST 800-171 provides a list of standard requirements, and the NIST Cybersecurity Framework provides a conceptual framework to understand and communicate your cybersecurity activities. If you are a manufacturing company, the NIST Manufacturing Profile (which incorporates the NIST 800-171 standard) is probably the preferred choice.
The Cyber Secure Dashboard provides specific functionality to support these (and other) activities as summarized below.
2. Begin To Develop Your Policies and Procedures Documents
Review the 9 customizable policy and procedures templates provided in the Dashboard (see Policies and Procedures below).
Start by comparing your existing policies with the templates provided by the Dashboard. The Dashboard templates provide baseline, industry-standard policy language – so you may need to think about how to integrate what you already have with what the templates prescribe.
Consider who will need to contribute to each policy – at this point, you may want to introduce the process and the Dashboard to those who will be involved. Send them an invitation to access/view your dashboard from the main Dashboard Account page.
3. Plan to Continuously Assess Your Status
Who should have the responsibility of reviewing and assessing your status? A Director of IT? Contracts Manager? Consultant? CEO? Now is the time to talk with colleagues about who should be driving the process in your company, and how frequently they should be reviewing cybersecurity and compliance-related activities.
This should be a collaboration across your organization, so involve all relevant internal stakeholders – communicate responsibilities, discuss contributions and timelines.
4. Begin To Conduct Your Baseline Assessment
Your ultimate goal will be to create your Plan of Action and Milestones – but before you do, you’ll need to conduct a baseline assessment.
Whatever your current status, don’t panic. It *will* improve over time.
Like any other project management tool, the Cyber Secure Dashboard provides tools to help you assign tasks, set reminders and follow up. The POA&M helps you get specific on how to obtain and maintain compliance with your selected standards over time. Depending on your company’s size, existing cybersecurity practices, and contractual obligations, you will need to decide how frequently to review your status, and who will be responsible for overseeing and maintaining compliance.
The Cyber Secure Dashboard provides four commonly used and generalized standards from which to select (see below). An organization can select one of the standards from which to work, or switch between the standards as desired or required (for example, when the flow-down requirements from two prime contractors are different). When working with multiple standards, the organizational processes, procedures, compliance posture, etc., are shared, which eliminates the need to duplicate data for each standard. With each Dashboard account, you are essentially creating one set of compliance data that can be viewed through the multiple lenses of each standard.
All four standards can be accessed from within your Dashboard account.
1. Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) framework is a unified cybersecurity standard for upcoming Department of Defense (DoD) acquisitions. The CMMC documentation is accessible in your Dashboard account References section.
2. NIST 800-171
NIST SP 800-171r1 is a standardized set of requirements to protect Controlled Unclassified Information (CUI) resident in non-governmental organizations. The NIST 800-171 documentation is accessible in your Dashboard account References section.
3. NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) provides one organizing structure that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. The CSF documentation is accessible in your Dashboard account References section.
4. NIST Manufacturing Profile
The NIST Cybersecurity Framework Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals in the manufacturing sector. This dashboard looks at your cybersecurity posture from a NIST Manufacturing Profile perspective. The Manufacturing Profile documentation is accessible in your Dashboard account References section.
Policies and Procedures
The establishment of organizational policies and procedures is an essential task. To simplify this step, the Cyber Secure Dashboard provides the following nine (9) ready-made policy templates:
- Acceptable Use Policy
- HR Personnel Security Management Policy
- Incident Reporting and Data Breach Response Policy
- Information Security Policy
- Information Security Programs Policy
- IT Business Continuity Backup Recovery Policy
- IT Risk Management Policy
- Security Operations Policy
- Technical Controls Policy
Through the dashboard and standard views, the Cyber Secure Dashboard provides a simple-to-use procedure to assess your organization’s status with respect to every requirement. The Dashboard provides an intuitive process to do the following:
- Understand the requirements
- Access best practice guidance
- Assess your status using multiple assessment methodologies
- Cross reference your practice to your policies
- Document your assessment process
- Associate artifacts
In addition, during the assessment process, you can create tasks that can be managed through the Plan of Action and Milestones (POA&M) functionality described below.
Plan of Action and Milestones (POA&M)
The Cyber Secure Dashboard implements a project management tool to create and manage the tasks that are required to implement the required cybersecurity standard and maintain that standard once implemented. This feature, generally noted as a Plan of Action and Milestones, is a full-featured capability to assign, schedule, track, and approve tasks. More details on the Plan of Action and Milestones can be found here.