Purpose

The purpose of this document is to cover basic CMMC compliance automation. 


Relevant Modules and Features


Basic Setup Information Required to Automate


Customer Information Required to Automate

To get started, you need to determine which Controls Framework or Frameworks that you'll manage within the Platform. You'll need to know the following when you get to Step 1 to Create a System:

  • NIST SP 800 171 Revision Number
  • CMMC Controls
  • Other Specified Controls, as required by the customer


Basic Automation Steps

Some of these can be done concurrently with the exception of Step 1. There are no dependencies for Step 2 and forward.


StepsDescription
OneCreate a System - You need to create a system first. Then you can start adding data to that system. Once the system is created, the structure of the selected framework provides the bones to start building your compliance management program and keeps you focused on the requirement.
Two

Upload Existing CMMC Data -  The data can be imported or added manually depending on how you're currently doing your compliance management. 


To import data go to Options | Edit System | Advanced Configuration. Import instructions can be found here.


To manually enter data, see the Compliance - Requirements article and navigate to the "Working within Requirements to Update Controls" topic.  Using Macro Builder is a great way to automate data point updates when tools and people change in your Control Responses.


As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M (see step 4 below) and a concurrent activity.

ThreeUpload Artifacts and Policies - The documents or artifacts are managed from within the Compliance System when you see Attach Files buttons or under Document Management. First, the System folder is a default folder used to store files and folders to a specific compliance system. Next, the Global folder is a default folder used to store files and folders which are inheritable by other modules, systems of record, and global organization records. Third, the Additional Programs folder is the default folder used to store files and folders from corresponding custom Systems of Record. Finally, the External Files folder is used for gathering external information from external parties through artifact request links.

When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic.

The Document Management Module (found in the top menu) is organized using folders. There are default folder but you can create new folders that best help your organizations needs. Instruction for Artifact Uploads and Artifact Upload Requests are located in the Document Management article.
FourReview and Correct POA&Ms - As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M and part of a concurrent activity from Step 2 above. Step Four brings you back to the task of reviewing items that were created to look for any issues, and when an issue is found, correcting the issue or planning the correction of the issue.
Five

Correcting Statuses, Narratives, and Linking Policies - The best way to correct or update control statuses or add comments is to use the Bulk Editing feature found in the Compliance | Requirements article. Alternatively, you can work on updating controls from the Requirements | Control area and Edit Properties area to update statuses, owner, target assessment frequency, etc.


This is also the time to link artifacts associated with the control for ease of reference internally and at audit time. When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic.



Common Questions Asked:


Where do I capture CUI data types? 

If your CUI catalog is extensive, we would recommend creating a Custom SoR to capture CUI Types. If you have less than 10, use the System CUI. System CUI content is based on the National Archives and Records Administration (NARA) CUI Categories guidance. To develop your own custom CUI registry or to learn more about comprehensive data classification methodology contact your Service Rep.


Additional Topics

System Options


Advanced System Configuration

The Configuration area has a lot of features to support and customize your compliance system like renaming menus, requesting artifacts, additional guidance, bulk importing, and other configurations.  Features on this screen are toggled on (will see orange) or off (will see gray) with some items having links to further configure the feature. Within the Options | Edit System article, click on "Advanced Configurations" to get a better understanding of the power of these capabilities.


Building Macros for narrative reusability

Using Macros within the Platform is a powerful tool that acts as a placeholder so a variable can be used to represent the data for the purpose of easy updates as people and tools change or your organization grows. Macro Builder must be provisioned when your Platform instance is set up. 


If you don't see Macro Builder in the Edit Systems menu, speak to your Service Delivery Rep about this feature. 


If you see the menu option, you are good to go and can build out your variables list. These variables are used Control Responses. To build your variables list, please see the Edit System | Macro Builder article.