CMMC C034-P1163 - Cybersecurity Strategy & Roadmap Requirement

Posted by ComplianceForge on Jan 5th 2020

Did you know the DoD's Cybersecurity Maturity Model Certification (CMMC) v0.7 requires organizations to create, maintain and leverage a documented security strategy and roadmap that demonstrates how they are improving their cybersecurity practices, and that this document will be in scope for review during a CMMC audit? CMMC C034-P1163 is applicable to L4 and L5 organizations. To address this need, ComplianceForge launched its Cybersecurity Business Plan (CBP), a business plan template tailored specifically for a cybersecurity department and designed to support an organization's broader technology and business strategies. The CBP is entirely focused at the CISO level, since it is a department-level planning document. The CBP is a solution that addresses CMMC requirement P1163 in an efficient and cost-effective manner.

Because the CBP is a Microsoft Word document, you have the ability to add, remove or edit content as needed. We've provided an "80-90% solution" from the perspective of formatting and content, where you merely polish off the specifics that only you would know about your organization and its culture. While we did the heavy lifting in the research and development of this cybersecurity planning document, we estimate that a mid-sized organization should be able to finalize the CBP in about 5-10 hours. That final customization focuses on "owning" the document: you wordsmith the example statements that we provide so that the content of the document is specific to your organization and relates specifically to what you do.

Ideally, your organization's CISO is the individual who will edit and finalize the CBP. Fortunately, the CBP is written in a format that allows it to be "ghost written" for the CISO by their subordinates (we understand the time constraints many CISOs experience, and planning functions are often delegated). In these instances, the CBP can easily be edited and finalized based on the CISO's existing guidance to subordinates. It is important to understand that goals are not the same thing as a strategy! It is often the case that there are a lot of good ideas and "shopping lists" for products and initiatives, but there is no formalized strategy to accomplish a set of goals. This is where the CBP is a valuable resource, since it creates a formal cybersecurity strategy and roadmap!