FSO Tip of the Month: Risk-Based Compliance Techniques
In a classic case of following the letter of the law but not the spirit, contractors have long followed the “checkbox approach” to security compliance, running through a long list of controls and technical requirements to stay on top of audits while ignoring the real dangers that face their business. In 2020, the DoD hopes to change that with the Cybersecurity Maturity Model Certification (CMMC).
As the CMMC supersedes regulations like NIST 800-171 for defense contractors, the meaning of “compliance” is changing: in many ways, the CMMC will make things easier by organizing standards into multiple tiers, some more forgiving and some more rigorous. In other ways, the CMMC is making things harder by holding government organizations to a high standard for security readiness.
As stated in an official FAQ:
But what does this mean for the FSO? The fundamental goal of facility security is to mitigate risks to an organization, its clients, and – ultimately – the nation. Consequently, it will soon be impossible to meet the standards for compliance without strategy and preparation centered on the remediation of risk. In this article, we’ll share some examples.
The Meaning of Risk
Since 2018, contractors have been required to follow the DAAPM’s Risk Management Framework (RMF), which provides a useful definition: in short, risk measures the likelihood and impact of any threat event. Meanwhile, risk-based compliance means selecting, implementing and monitoring security controls based on the most serious risks to an organization.
To deal with risk effectively, any organization must follow three fundamental rules:
- Know the risks that face your organization
- Assess how your current strategy defends against those risks
- Continually work to improve your position
If every contractor followed these rules to the best of their abilities, they would meet many of the requirements stipulated by regulations which are aimed at risk on a generic level. Compliance becomes intuitive when an organization takes ownership of its unique risk factors and proactively works to prevent them.
Here are five ways an FSO can do exactly that:
1. Empower your people
An organization’s personnel are the eyes and ears of a competent FSO, and they can make a big difference when it comes to risk management. For instance – under SEAD 3 – all cleared individuals are required to report on their own activities and suspected violations. Conversely, the greatest threat to an organization comes from insiders.
Empower your personnel to fight against risk by providing them with:
- Software to easily create and submit reports
- Mandatory procedures to create habits of compliance
- Cybersecurity awareness training to combat insider threats
2. Thorough reporting
An FSO cannot work alone: they need the support and cooperation of upper management, CSOs and other security officers. But communicating the severity of risk can be difficult without tools that translate between low-level activities and high-level results. With thorough and timely reporting, an FSO can keep their organization informed with accessible information on incidents, violations, and risk throughout cleared facilities.
3. Track your assets and employees
To ensure that security controls remain effective, FSOs should keep inventory of IT assets and monitor them for compromise. Similarly, they should keep a vigilant watch for insider threats, noticing and recording patterns of behavior including violations and suspicious activity.
4. Always stay informed
Facility security is a full-time job that involves moment-to-moment updates and rapid decision-making. Since threats can arise at any time, invest in a compliance solution that allows access to important information on the go, where FSOs can approve requests and review incidents remotely.
5. Manage your supply chain
The products and services you invest in will either bring more risk into your organization or reduce it. Look for partners and solutions that will help you to stay compliant: products built to modern standards of cybersecurity; vendors known for quality and support; software that will make your workflow more immediate and effective. While none of these things are a replacement for good strategy, they add one more barrier against successful attack or compromise and increase the culture of security in an organization.
Moving Past Checkboxes
Over the past decade, the number of threats facing government organizations has only increased, from both inside and outside. While bodies like the National Institute of Standards and Technology (NIST) work hard to provide a minimum baseline for security compliance, in 2020 only proactive organizations are prepared for modern risks.
MathCraft’s Commander series is designed to give FSOs, CSOs, and other security professionals control over their compliance strategy with a comprehensive solution for reporting, counterintelligence, integrated data, and much more. This year, move past checkboxes and take ownership of your organization with the industry’s best solution for enterprise security.
For a free demo of Access, ViSi, or Portal Commander, contact us today.