[Figure: document categories shown on the page: Professional Documents; Culture Documents]
recommend that you create an index of each documented policy, procedure, control, template, checklist,
agreement, training, etc. in use for your CMMC Level 3 Information System.
This index will be used extensively throughout your Gap Analysis, for each of the 34 CMMC Level 2 Process Maturity
requirements.
Q: Can we just list the applicable documents in our System Security Plan?
A: Yes, if you really want to, but we've found that it is easy to miss some practices when this is done (not a desirable
thing to happen during an assessment). It also still leaves us trying to decide which sentences or paragraphs
relate to which practice. If you have time, we recommend indexing to ensure you are fully ready for the process
maturity portion of the assessment.
Provided by Kieri Solutions LLC (a CMMC C3PAO in Maryland, USA). Copyrighted by Kieri Solutions LLC. Not for resale. May be
shared as long as you don't remove the attribution statement.
Configure the system to use FIPS-validated cryptography for applications that may be used to transmit or store CUI.
The Access Request Form requires the requester and IT department to identify/review granular security roles for access to
systems.
<table of ports, protocols, programs, services, functions allowed in and out of your boundary>
Visitor Log template which we print out each week (Date, visitor name, visitor organization, sponsor name, time in, time out,
badge #)
Additional incident response procedures (in the incident response procedure document) describing how to actually respond to
an incident. Too long to quote here.
[daily] Check alerts dashboard on Antivirus server
[daily] Check alerts dashboard on SIEM
These are examples of ways that documentation can support different practices. This is a tiny fragment of what the complete
index might look like for a CMMC ML3 organization. Most organizations will have between 500 and 1,000 rows in their index.
Domain   Topic                 Practice   Which Doc   Now?
  Configuration Management
SC       Encryption for CUI    SC.3.177   Policy
  Incident Response
IR       Incident Control      IR.2.092   Procedure
If the supporting text is very lengthy and specific to one topic (a common
example is the Change Management Policy), just reference the document.
Note that the same text supports multiple practices.
© Kieri Solutions 2021