Last Updated on May 25, 2021
Great news for companies that do business in the US Department of Defense (DoD) supply chain and have an ISO 9001 certified Quality Management System (QMS): your ISO 9001 know-how can be an awesome foundation for compliance with the DoD’s new Cybersecurity Maturity Model Certification (CMMC) program.
A recent episode of The Virtual CISO Podcast showcases the unique expertise of John Laffey, program manager with Perry Johnson Registrars and a Certified Lead Auditor for both ISO 9001 and ISO 27001 (information security). John explains “clause by clause” exactly how an ISO 9001 QMS relates to the CMMC framework.
“[The context clause] is actually going to be a key element on the path to CMMC certification for a lot of organizations, because the scoping of the system is critical as far as really understanding what information you handle and what systems that information lives on,” notes John.
“When you talk about context, it’s really understanding what your organization does, who the interested stakeholders are and what their information security requirements are for you. But with CMMC, that’s going to be limited to either Controlled Unclassified Information (CUI) if you’re handling it, or Federal Contract Information (FCI). So it’s really those specific types of information that they’re concerned about protecting.”
Understanding Your Data
Diagramming how CUI and FCI flow through your business is critical to scoping and planning your CMMC environment. The more you know in advance about your current state through your ISO 9001 efforts, the better for targeting where you want to end up. For example, you might want to rationalize CUI and FCI data flows to “right-size” your CMMC footprint and realize significant cost and time savings.
Another aspect of your ISO 9001 context that can help with CMMC is whether any of your FCI or CUI is also covered by other US government compliance requirements, like NOFORN or ITAR. Further, depending on the level of technical detail in your contract, your FCI can actually rise to the level of CUI.
“It’s going to be critical that you understand the specific nature of the FCI or CUI because there’s a CUI Registry,” John explains. “Depending on the classification of that CUI, there could be additional requirements above and beyond just what’s documented in the CMMC standard.”
Using ISO 9001 to Help Define CMMC Third Party Risks
Similarly, your ISO 9001 context will help you define how you deal with third-party risk in CMMC, including whether your CMMC requirements “flow down” to any of your subcontractors.
John’s bottom-line suggestion is to talk to your contracting officer, whether as a starting point or to clarify open issues upfront: “A lot of [our ISO 9001 clients] aren’t real sure if they have CUI or not, which I don’t think is going to be unique because there are so many smaller manufacturing houses in the DIB. ‘Are you giving us CUI or are we giving you back CUI?’”
“You need to understand what data you have and how you get it and what you do with it so you can then identify the subsequent systems and people that are handling it and start to build a coherent scope,” summarizes John. “CUI is actually what you’re being hired to create in a lot of these cases. Making this a requirement with CMMC is to make people do this due diligence. Sit back and understand what you’re handling, storing and distributing, and what the potential risks are.”
Many of the key elements in your ISO 9001 “context” documentation will also translate very cleanly into your CMMC System Security Plan (SSP).
“It’s the boundaries, it’s the scope, it’s the data, it’s the people, it’s the systems, it’s the stakeholders,” clarifies show host John Verry, Pivot Point Security CISO and Managing Partner. “You had to define that for ISO 9001. Now you’re just defining it again, ideally using the same exact process, for CMMC.”
If your ISO 9001 certified business vies for DoD contracts, don’t miss this show with John Laffey! To hear the episode in its entirety, click here.
If you don’t use Apple Podcasts, you can access this and all our other podcast episodes here.