Show AND Tell: The Importance of Policies in a CMMC Assessment
As an experienced C3PAO, Hive Systems has seen one pitfall recur across numerous CMMC compliance assessments, and it is not that OSCs are technologically unready. Instead, it is that the documentation supporting their in-place solutions (i.e., their plans, policies and procedures) does not meet the requirements expected for CMMC compliance. Documentation is often treated as an afterthought: policies are written and maintained because they have to pass the assessment, rather than to create a more functional environment.
The truth is, your CMMC journey should focus heavily on developing clear and valid documentation, not only as a best practice but also because it is one of the most valuable tools in your possession for passing your CMMC assessment.
A Heavy Burden with Huge Impact
It is no surprise that developing useful policies and procedures can be extremely expensive in both time and money. For CMMC in particular, it would not be unusual for your SSP to run to 100-200 pages. In fact, this is often an expectation - an unexpectedly short SSP can be seen as an assessment risk, since it calls into question your organization's overall understanding of its own environment.
However, in terms of risk reduction and accountability, how you document your organization's technological environment is vital. Clearly written policies identify potential vulnerabilities and define expected system behaviors, while also detailing who is accountable for each part of your overall security ecosystem. By documenting not just how each of your security needs is met but also who is responsible for meeting it, you create a substantially clearer picture for anyone who needs to understand the in-place processes (including your assessors). Which brings us to the most valuable part of useful policies and procedures - they will save you immense headaches during your assessment week.
“Ok, but what’s in it for me?”
If you are preparing for a future CMMC assessment, the standard expectation is that a week or more will be dedicated to deep-diving into your environment through technical interviews and screen shares. It can be tempting to simply wait for the interview week and show the assessment team everything in real time. However, speaking as a member of the assessment team community, insufficient documentation introduces a great deal of potential risk at the start of an assessment and only serves to make the assessment longer than necessary.
The unfortunate reality of CMMC is that being technologically ready for the assessment is only half of the battle; solutions are only valuable if they can be explained to the team assessing your environment. The end goal of any CMMC assessment is for that team to leave with a completely clear understanding of what solutions are in place. Having clear and concise documentation ready at the start of an assessment therefore removes a significant, and often underestimated, amount of the risk that comes from live explanations. The last thing you want is to spend a large amount of time and money preparing for CMMC compliance, only to have the outcome hinge on a single misunderstanding in a live interview.
“How can I prepare?”
Documentation does not have to be scary. While our team excels at assessments, Hive Systems also provides a wealth of readiness support, which includes documentation development services that are unique to your organization’s individual CMMC needs. Reach out to us today to see how we can help!