There is an expression, everyone wants to go to heaven, but no one wants to die. Meaning we want stuff, but often we do not want to pay the price it takes to get there. An example of this in the business world is compliance. Compliance is challenging in two ways; first, it is hard to become compliant or to become certified as ISO 9001, HIPAA, SOX, etc., and second, it is hard to sustain compliance. Successful companies realize immediately, or after failure, that they have to pay the price, and the price is management involvement. Compliance is not a task that can be handed off by management to some individual or staff. Often this strategy results in assigning some resources, spending some money, and floundering. After some time, the responses are to give up, fire everyone involved, or for management to get serious and get involved.
Meeting compliance requirements are, to some degree, business process re-engineering. Meeting these requirements often means changing business processes and behaviors, and they often require subtle changes in the business culture. Implementing change is not a question of spending money; it is a question of management commitment. Without management’s commitment to ensure the organization is implementing change, compliance will fail.
As discussed in past articles, the impending requirement for the Defense Industrial Base is the Cybersecurity Maturity Model Certification (CMMC) framework. The requirement is for all businesses in the Defense Industrial Base to become certified to one of five levels by 2025. Most companies will only need to be certified to Level 1. However, most manufacturers that deal with technical information will need to be certified to Level 3. At Level 1, there are 17 requirements, and at Level 3, there are 130 requirements and the requirement for a system security plan. A universal requirement for certification is documentation describing how the organization is meeting the compliance requirement. No matter the level, the company’s compliance will have to be documented, and this documentation will need to be signed by management signifying commitment.
As outlined in the expression above, there is a price to be paid for compliance, and the price is management involvement. Often CMMC compliance is handed to the IT department or to the part-time IT guy, with less than satisfactory results. Most importantly, meeting CMMC compliance is not an IT task; it is not a cybersecurity task. Though certainly many of the compliance requirements revolve around computer systems, system administration, encryption, etc., and meeting many of these compliance tasks end up in IT. However, many of the requirements do not involve IT; they are risk management, training, configuration management, physical security, etc. Consequently, meeting the CMMC requirements requires a holistic approach toward system security; it requires management involvement in directing all aspects or divisions of the company to meet the compliance requirements and to sustain system security over time.
The reality in meeting these compliance requirements, CMMC or any other compliance requirement, is for the staff implementing compliance, this is a part-time job; it is an additional task to that already filled task list. The role of the executive management is to support the staff by ensuring that all know that this is important; it is to set the compliance task as a company priority. It is to make decisions that support compliance. Often one of the biggest decisions is IT management support; many times, the current IT Managed Service Provider (MSP) is not up to the CMMC task. Though all will describe how they understand CMMC compliance and how they are meeting compliance, the reality is much different. The first task in meeting compliance in this example is often finding an MSP that can “spell CMMC.” This meaning they understand the requirements, they are implanting the requirements, and they themselves, as an MSP for CMMC Level 3 companies, are too working toward CMMC Level 3 certification.
The management tasks are to become personally involved in the CMMC compliance process, demonstrating to the company that this is a priority. It is making decisions that will support the compliance effort. A guaranteed way to fail at compliance is for management to not lead, it is to delegate the compliance effort to the staff that already has a full-time job.