Purpose
The purpose of this document is to cover basic CMMC compliance automation.
Relevant Modules and Features
- Ignyte Compliance Management Module (Features used for basic automation of controls data)
- Ignyte Asset Management Module (Features used for advance automation of controls and boundary data)
Basic Setup Information Required to Automate
Customer Information Required to Automate
To get started, you need to determine which Controls Framework or Frameworks that you'll manage within the Platform. You'll need to know the following when you get to Step 1 to Create a System:
- NIST SP 800 171 Revision Number
- CMMC Controls
- Other Specified Controls, as required by the customer
Basic Automation Steps
Some of these can be done concurrently with the exception of Step 1. There are no dependencies for Step 2 and forward.
| Steps | Description |
|---|---|
| One | Create a System - You need to create a system first, then start adding data to that system. Once the system is created, the structure of the selected framework provides the bones to start building your compliance management program and keeps you focused on the requirement. |
| Two | Upload Existing CMMC Data - The data can be imported or added manually depending on how you're currently doing your compliance management. To import data, Options | Edit System | Advanced Configuration is where you need to go. Import instructions can be found here. To manually enter data, see the Compliance - Requirements article and navigate to the "Working within Requirements to Update Controls" topic. Using Macro Builder is a great way to automate data point updates when tools and people change in your Control Responses. As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M (see step 4 below) and a concurrent activity. |
| Three | Upload Artifacts and Policies - The documents or artifacts are managed from within the Compliance System when you see Attach Files buttons or under Document Management. First, the System folder is a default folder used to store files and folders to a specific compliance system. Next, the Global folder is a default folder used to store files and folders which are inheritable by other modules, systems of record, and global organization records. Third, the Additional Programs folder is the default folder used to store files and folders from corresponding custom Systems of Record. Finally, the External Files folder is used for gathering external information from external parties through artifact request links. When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic. The Document Management Module (found in the top menu) is organized using folders. There are default folder but you can create new folders that best help your organizations needs. Instruction for Artifact Uploads and Artifact Upload Requests are located in the Document Management article. |
| Four | Review and Correct POA&Ms - As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M and part of a concurrent activity from Step 2 above. Step Four brings you back to the task of reviewing items that were created when found and working of correcting or planning the correction of an issue. |
| Five | Correcting Statuses, Narratives, and Linking Policies - The best way to correct or update control statuses or add comments is to use the Options | Bulk Operations feature. Alternatively, you can work on updating controls from the Requirements | Control area and Edit Properties to access area to update statuses, owner, target assessment frequency, etc. This is also the time to link up artifacts associated with the control for ease of reference internally and at audit time. When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic. |
Common Questions Asked:
Where do I capture CUI data types?
If your CUI catalog is extensive, we would recommend creating a Custom SoR to capture CUI Types. If you have less than 10, use the System CUI. System CUI content is based on the National Archives and Records Administration (NARA) CUI Categories guidance. To develop your own custom CUI registry contact your Service Rep to learn more about comprehensive data classification methodology.
Additional Topics
System Options
Advanced System Configuration
The Configuration area has a lot of features to support and customize your compliance system. From renaming menus, requesting artifacts, additional guidance, bulk importing, and other configurations. Features on this screen are toggled on (will see orange) or off (will see gray) with some items having links to further configure the feature. Within the Options | Edit System article, click on "Advanced Configurations" to get a better understanding of the power to these capabilities.
Building Macros for narrative reusability
Using Macros within the Platform is a powerful tool that acts as a placeholder so a variable can be used to represent the data for the purpose of easy updates as People and tools change or your organization grows. Macro Builder must be provisioned when your Platform instance is set up.
If you don't see Macro Builder in the Edit Systems menu, speak to your Service Delivery Rep about this feature.
If you see the menu option, you are good to go and can build out your variables list. These variables are used Control Responses. To build your variables list, please see the Edit System | Macro Builder article.