
In order to save time, frustration, and the potential for missing evidence during your CMMC Gap Analysis, we recommend that you create an index of each documented policy, procedure, control, template, checklist, agreement, training, etc., in use for your CMMC Level 3 Information System. This index will be used extensively throughout your Gap Analysis, for each of the 34 CMMC Level 2 Process Maturity requirements.

Specifically, XX.2.998 has the following objectives.


Determine if:
[a] the procedures to implement the practices are documented and followed to implement the policy for the <Domain> domain;
[b] the procedures specify the activities required to carry out the <Domain> policy; and
[c] procedures are reviewed and updated periodically to ensure they meet <Domain> policy.

In simple terms, this means that for each of the 130 practice requirements, we need to check that you have "procedures to implement the practice" documented and that the "procedures specify the activities required". This takes a long time without an index that correlates the practice to each text item.

Q: Can we just list the applicable documents in our System Security Plan?
A: Yes, if you really want to, but we've found that it is easy to miss some practices when this is done (not a desirable thing to happen during an assessment). Also, that still leaves us with trying to decide which sentences or paragraphs relate to which practice. If you have time, we recommend indexing to ensure you are fully ready for the process maturity portion of the assessment.

Provided by Kieri Solutions LLC (a CMMC C3PAO in Maryland, USA). Copyrighted by Kieri Solutions LLC. Not for resale. May be shared as long as you don't remove the attribution statement.

© Kieri Solutions 2021


Text in document | Domain | Topic | Practice | Which Doc | Now?
--- | --- | --- | --- | --- | ---
Configure the system to use FIPS-validated cryptography for applications that may be used to transmit or store CUI | SC | Encryption for CUI | SC.3.177 | Configuration Management Policy |
The Access Request Form requires the requester and IT department to identify/review granular security roles for access to systems. | AC | Access Control Process | AC.1.002 | Access Request Form |
5. Review major changes that have completed since last meeting. | CM | Change Management | CM.2.065 | CAB Meeting Template |
<table of ports, protocols, programs, services, functions allowed in and out of your boundary> | SC | Firewall rules | SC.1.175 | Network and Data Map Diagrams |
Visitor Log template which we print out each week (Date, visitor name, visitor organization, sponsor name, time in, time out, badge #) | PE | Facilities Forensics | PE.1.132 | Facilities Security - LogBook Template |
Additional incident response procedures (in the incident response procedure document) to describe how to actually perform an incident. Too long to quote here. | IR | Incident Control | IR.2.092 | Incident Response Procedure |
[daily] Check alerts dashboard on Antivirus server; [daily] Check alerts dashboard on SIEM | AU | Audit Log Review | AU.2.044 | Daily tasks checklist |
[daily] Check alerts dashboard on Antivirus server; [daily] Check alerts dashboard on SIEM | SI | Audit Log Review | SI.2.217 | Daily tasks checklist |

These are examples of ways that documentation can support different practices. This is a tiny fragment of what the complete index might look like for a CMMC ML3 organization. Most organizations will have between 500 and 1,000 rows in their index.


In this example, the Configuration Management policy addresses 20+ practices. Each paragraph is separated in this index and identified for what it supports.

In this example, the CAB Meeting template addresses 6+ practices. Each paragraph is separated in this index and identified for what it supports.

If the supporting text is very lengthy and specific to one topic (a common example is the Change Management Policy), just reference the document.

Note that the same text supports multiple practices.
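The check that makes an index worth building, as an added example that is not from the worksheet or from Kieri Solutions: a Python script that reads a CSV export of the index, flags rows an assessor could not use (a missing required field, a malformed or unknown practice ID, a Domain that does not match the practice), lists every practice that has no valid supporting row, and shows which text supports more than one practice. The practice list is a constructed subset of the Practice ID table later on this page (a real run would load all 130), the CSV rows are constructed from the fragment above with one practice ID deliberately mistyped, the column names follow the worksheet, and the "Now?" column is left out.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed subset of the worksheet's Practice ID table (hypothetical scope;
# a real gap analysis loads all 130 practices).
PRACTICES = {
    "AC.1.001": "AC - Access Control",
    "AC.1.002": "AC - Access Control",
    "AT.2.056": "AT - Awareness & Training",
    "AU.2.044": "AU - Audit & Accountability",
    "CM.2.065": "CM - Configuration Management",
    "IR.2.092": "IR - Incident Response",
    "PE.1.132": "PE - Physical Protection",
    "SC.1.175": "SC - Systems & Comms Protection",
    "SC.3.177": "SC - Systems & Comms Protection",
    "SI.2.217": "SI - System & Information Integrity",
}

# Constructed CSV export of the index worksheet, built from the fragment in the
# text. The last row's practice ID is deliberately mistyped (letter O for zero)
# to show how a typo silently drops a practice from coverage.
INDEX_CSV = """Text in document,Domain,Topic,Practice,Which Document?
"Configure the system to use FIPS-validated cryptography ...",SC,Encryption for CUI,SC.3.177,Configuration Management Policy
"The Access Request Form requires the requester and IT ...",AC,Access Control Process,AC.1.002,Access Request Form
"5. Review major changes that have completed since last meeting.",CM,Change Management,CM.2.065,CAB Meeting Template
"<table of ports, protocols, programs, services, functions ...>",SC,Firewall rules,SC.1.175,Network and Data Map Diagrams
"Visitor Log template which we print out each week ...",PE,Facilities Forensics,PE.1.132,Facilities Security - LogBook Template
"[daily] Check alerts dashboard on Antivirus server",AU,Audit Log Review,AU.2.044,Daily tasks checklist
"[daily] Check alerts dashboard on Antivirus server",SI,Audit Log Review,SI.2.217,Daily tasks checklist
"Additional incident response procedures ...",IR,Incident Control,IR.2.O92,Incident Response Procedure
"""

PRACTICE_ID = re.compile(r"^[A-Z]{2}\.[1-5]\.\d{3}$")  # e.g. SC.3.177
REQUIRED = ("Text in document", "Practice", "Which Document?")


def load_index(csv_text):
    """Parse the CSV export into one dict per index row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def row_problems(rows, practices):
    """Return (row_number, message) pairs for rows an assessor could not use."""
    problems = []
    for n, row in enumerate(rows, start=1):
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                problems.append((n, f"missing required field '{field}'"))
        pid = (row.get("Practice") or "").strip()
        if not PRACTICE_ID.match(pid):
            problems.append((n, f"malformed practice ID '{pid}'"))
            continue
        if pid not in practices:
            problems.append((n, f"unknown practice ID '{pid}'"))
            continue
        domain = (row.get("Domain") or "").strip()
        if domain and domain != pid[:2]:
            problems.append((n, f"domain '{domain}' does not match '{pid}'"))
    return problems


def valid_rows(rows, practices):
    """Rows with no problems; only these count as evidence."""
    bad = {n for n, _ in row_problems(rows, practices)}
    return [row for n, row in enumerate(rows, start=1) if n not in bad]


def uncovered_practices(rows, practices):
    """Practices with no valid supporting row: the gaps to close first."""
    covered = {row["Practice"].strip() for row in valid_rows(rows, practices)}
    return sorted(set(practices) - covered)


def shared_text(rows, practices):
    """Text that supports more than one practice, keyed by the text itself."""
    by_text = defaultdict(set)
    for row in valid_rows(rows, practices):
        by_text[row["Text in document"].strip()].add(row["Practice"].strip())
    return {text: sorted(pids) for text, pids in by_text.items() if len(pids) > 1}


def gap_report(csv_text, practices=PRACTICES):
    """Run all three checks over one CSV export."""
    rows = load_index(csv_text)
    return {
        "problems": row_problems(rows, practices),
        "uncovered": uncovered_practices(rows, practices),
        "shared": shared_text(rows, practices),
    }


if __name__ == "__main__":
    report = gap_report(INDEX_CSV)
    for n, msg in report["problems"]:
        print(f"row {n}: {msg}")
    print("no valid supporting text:", ", ".join(report["uncovered"]))
    for text, pids in report["shared"].items():
        print(f"shared by {pids}: {text}")
```

Run against the constructed data, the mistyped row is reported, IR.2.092 shows up as uncovered even though the index "has" a row for it, and the daily checklist line is reported as supporting both AU.2.044 and SI.2.217. Pointing the script at a full export of your own worksheet and the complete Practice ID list gives the same three answers for the real index.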


Create an index of your CMMC supporting documentation on this worksheet.

Worksheet columns:
Text in document (*Required Field*)
Domain / Topic / Practice (*Required Field*)
Which Document? (*Required Field*)


Practice ID CMMC Domain 800-171 requirement
AC.1.001 AC - Access Control 3.01.01
AC.1.002 AC - Access Control 3.01.02
AC.1.003 AC - Access Control 3.01.20
AC.1.004 AC - Access Control 3.01.22
AC.2.005 AC - Access Control 3.01.09
AC.2.006 AC - Access Control 3.01.21
AC.2.007 AC - Access Control 3.01.05
AC.2.008 AC - Access Control 3.01.06
AC.2.009 AC - Access Control 3.01.08
AC.2.010 AC - Access Control 3.01.10
AC.2.011 AC - Access Control 3.01.16
AC.2.013 AC - Access Control 3.01.12
AC.2.015 AC - Access Control 3.01.14
AC.2.016 AC - Access Control 3.01.03
AC.3.017 AC - Access Control 3.01.04
AC.3.018 AC - Access Control 3.01.07
AC.3.019 AC - Access Control 3.01.11
AC.3.012 AC - Access Control 3.01.17
AC.3.020 AC - Access Control 3.01.18
AC.3.014 AC - Access Control 3.01.13
AC.3.021 AC - Access Control 3.01.15
AC.3.022 AC - Access Control 3.01.19
AM.3.036 AM - Asset Management N/A
AT.2.056 AT - Awareness & Training 3.02.01
AT.2.057 AT - Awareness & Training 3.02.02
AT.3.058 AT - Awareness & Training 3.02.03
AU.2.041 AU - Audit & Accountability 3.03.02
AU.2.042 AU - Audit & Accountability 3.03.01
AU.2.043 AU - Audit & Accountability 3.03.07
AU.2.044 AU - Audit & Accountability N/A
AU.3.045 AU - Audit & Accountability 3.03.03
AU.3.046 AU - Audit & Accountability 3.03.04
AU.3.048 AU - Audit & Accountability N/A
AU.3.049 AU - Audit & Accountability 3.03.08
AU.3.050 AU - Audit & Accountability 3.03.09
AU.3.051 AU - Audit & Accountability 3.03.05
AU.3.052 AU - Audit & Accountability 3.03.06
CA.2.157 CA - Security Assessment 3.12.04
CA.2.158 CA - Security Assessment 3.12.01
CA.2.159 CA - Security Assessment 3.12.02
CA.3.161 CA - Security Assessment 3.12.03
CA.3.162 CA - Security Assessment N/A
CM.2.061 CM - Configuration Management 3.04.01
CM.2.062 CM - Configuration Management 3.04.06
CM.2.063 CM - Configuration Management 3.04.09
CM.2.064 CM - Configuration Management 3.04.02
CM.2.065 CM - Configuration Management 3.04.03
CM.2.066 CM - Configuration Management 3.04.04
CM.3.067 CM - Configuration Management 3.04.05
CM.3.068 CM - Configuration Management 3.04.07
CM.3.069 CM - Configuration Management 3.04.08
IA.1.076 IA - ID & Authentication 3.05.01
IA.1.077 IA - ID & Authentication 3.05.02
IA.2.078 IA - ID & Authentication 3.05.07
IA.2.079 IA - ID & Authentication 3.05.08
IA.2.080 IA - ID & Authentication 3.05.09
IA.2.081 IA - ID & Authentication 3.05.10
IA.2.082 IA - ID & Authentication 3.05.11
IA.3.083 IA - ID & Authentication 3.05.03
IA.3.084 IA - ID & Authentication 3.05.04
IA.3.085 IA - ID & Authentication 3.05.05
IA.3.086 IA - ID & Authentication 3.05.06
IR.2.092 IR - Incident Response 3.06.01
IR.2.093 IR - Incident Response N/A
IR.2.094 IR - Incident Response N/A
IR.2.096 IR - Incident Response N/A
IR.2.097 IR - Incident Response N/A
IR.3.098 IR - Incident Response 3.06.02
IR.3.099 IR - Incident Response 3.06.03
MA.2.111 MA - Maintenance 3.07.01
MA.2.112 MA - Maintenance 3.07.02
MA.2.113 MA - Maintenance 3.07.05
MA.2.114 MA - Maintenance 3.07.06
MA.3.115 MA - Maintenance 3.07.03
MA.3.116 MA - Maintenance 3.07.04
MP.1.118 MP - Media Protection 3.08.03
MP.2.119 MP - Media Protection 3.08.01
MP.2.120 MP - Media Protection 3.08.02
MP.2.121 MP - Media Protection 3.08.07
MP.3.122 MP - Media Protection 3.08.04
MP.3.123 MP - Media Protection 3.08.08
MP.3.124 MP - Media Protection 3.08.05
MP.3.125 MP - Media Protection 3.08.06
PE.1.131 PE - Physical Protection 3.10.01
PE.1.132 PE - Physical Protection 3.10.03
PE.1.133 PE - Physical Protection 3.10.04
PE.1.134 PE - Physical Protection 3.10.05
PE.2.135 PE - Physical Protection 3.10.02
PE.3.136 PE - Physical Protection 3.10.06
PS.2.127 PS - Personnel Security 3.09.01
PS.2.128 PS - Personnel Security 3.09.02
RE.2.137 RE - Recovery N/A
RE.2.138 RE - Recovery 3.08.09
RE.3.139 RE - Recovery N/A
RM.2.141 RM - Risk Management 3.11.01
RM.2.142 RM - Risk Management 3.11.02
RM.2.143 RM - Risk Management 3.11.03
RM.3.144 RM - Risk Management N/A
RM.3.146 RM - Risk Management N/A
RM.3.147 RM - Risk Management N/A
SA.3.169 SA - Situational Awareness N/A
SC.1.175 SC - Systems & Comms Protection 3.13.01
SC.1.176 SC - Systems & Comms Protection 3.13.05
SC.2.178 SC - Systems & Comms Protection 3.13.12
SC.2.179 SC - Systems & Comms Protection N/A
SC.3.177 SC - Systems & Comms Protection 3.13.11
SC.3.180 SC - Systems & Comms Protection 3.13.02
SC.3.181 SC - Systems & Comms Protection 3.13.03
SC.3.182 SC - Systems & Comms Protection 3.13.04
SC.3.183 SC - Systems & Comms Protection 3.13.06
SC.3.184 SC - Systems & Comms Protection 3.13.07
SC.3.185 SC - Systems & Comms Protection 3.13.08
SC.3.186 SC - Systems & Comms Protection 3.13.09
SC.3.187 SC - Systems & Comms Protection 3.13.10
SC.3.188 SC - Systems & Comms Protection 3.13.13
SC.3.189 SC - Systems & Comms Protection 3.13.14
SC.3.190 SC - Systems & Comms Protection 3.13.15
SC.3.191 SC - Systems & Comms Protection 3.13.16
SC.3.192 SC - Systems & Comms Protection N/A
SC.3.193 SC - Systems & Comms Protection N/A
SI.1.210 SI - System & Information Integrity 3.14.01
SI.1.211 SI - System & Information Integrity 3.14.02
SI.1.212 SI - System & Information Integrity 3.14.04
SI.1.213 SI - System & Information Integrity 3.14.05
SI.2.214 SI - System & Information Integrity 3.14.03
SI.2.216 SI - System & Information Integrity 3.14.06
SI.2.217 SI - System & Information Integrity 3.14.07
SI.3.218 SI - System & Information Integrity N/A
SI.3.219 SI - System & Information Integrity N/A
SI.3.220 SI - System & Information Integrity N/A