The Cost of Siloed Teams: Compliance, Security, and CMMC Risk

Your company is seeking CMMC certification, and you’re working hard to prepare. You have a top-notch compliance team in place, and your IT department is filled with cybersecurity experts. But unless those teams are working closely together, you risk falling short of CMMC readiness. Collaboration is crucial.

Why Your Teams Need to Collaborate

Collaboration works because each team brings something essential to the table. While the compliance team provides their collective CMMC and regulatory expertise, IT provides valuable technical and cybersecurity knowledge that makes compliance possible. The resulting synergy ensures your organization’s CMMC readiness.

  • Robust security controls: The compliance team ensures that all controls align with CMMC requirements, while IT provides for a practical and effective implementation of the access controls, data encryption, and other risk management measures to meet those requirements.
  • Comprehensive risk mitigation: The compliance team identifies regulatory risks and gaps in each of the security domains outlined by CMMC. The IT team addresses the technical vulnerabilities underlying those risks. They deploy the solutions to mitigate the risks and protect your company’s systems and data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
  • Assessment preparation: The compliance team prepares the policies and procedures and other documentation needed for certification assessment. IT implements those policies and procedures and provides the reporting to validate that they are in place.
  • Incident response: As with assessment preparation, the compliance team defines the policies and procedures for dealing with threats and actual incidents in a manner that aligns with CMMC requirements. The IT team carries out those procedures by providing comprehensive analysis and monitoring, threat containment, and remediation measures.
  • Security awareness: The teams work together to foster companywide security awareness. The compliance team communicates the messages to promote security and designs the training needed to reinforce it. The IT team provides practical assistance by enforcing security measures, communicating the need for technical security awareness, and simulating phishing attacks and other incidents for training efforts.
  • Continuous monitoring and ongoing compliance: Collaboration doesn’t stop once compliance has been achieved. IT provides the tools and expertise for continuous monitoring and improvement so that the compliance team can ensure that your organization continues to meet evolving CMMC requirements and remains in compliance going forward.

There are clear dangers when teams don’t collaborate. While focusing on CMMC requirements, the compliance team might lose sight of security measures that are not specifically required but would nevertheless bolster your company’s cybersecurity and thus your compliance posture. Conversely, if the IT team is unaware of CMMC requirements, the security measures they implement may not satisfy those requirements, leaving your organization noncompliant.

How You Can Encourage Collaboration

Leadership, involvement, communication, and training are key to building a culture of collaboration within your company.

  • Lead by example. When top executives and the leaders of the IT and compliance teams are seen to work together and to value collaboration, other team members will follow suit.
  • Involve both teams in compliance efforts. This includes risk evaluations, gap analyses, and readiness assessments. Also, including key IT members on the compliance team itself allows for sharing expertise and a more robust compliance posture.
  • Keep the lines of communication open. Cross-functional team meetings or discussion forums can be valuable, allowing teams to share status updates and discuss ongoing security initiatives. Fun events not specific to work also allow employees from different areas to bond and build trust. And, consistent with encouraging employee engagement generally, make sure employees feel comfortable reporting concerns or asking questions.
  • Train and cross-train the teams. While the focus of most of your training should be tailored to employees’ specific roles, some cross-functional training is also beneficial, as it helps each team understand the other’s responsibilities and value their contributions. Above all, make sure every person on each team knows their own roles and responsibilities and understands their importance when it comes to compliance and cybersecurity.

CyberNINES’s expertise includes not only CMMC but also IT and cybersecurity, which makes us a great fit to help with your collaboration efforts. Contact us at this link to see what we can do for you!