Published 2 Jan 2026

Risk Management – Not Optional

Many companies still treat Risk Management as a casual conversation over coffee in the break room. In reality, that mindset is a recipe for organizational disaster far beyond CMMC.

In this video, we’ll discuss what CMMC actually requires for Risk Management, where it appears in requirements, and why it matters in your contract eligibility and certification.

For CMMC Level 2, Risk Management is not an ad hoc activity. It is explicitly required in the Risk Management domain and also indirectly in the Security Assessment and Configuration Management domains. These practices require proof that your organization is identifying risks, evaluating them, and taking action.

CMMC assesses maturity, not just implementation. What that means is that it’s not enough to run a vulnerability scan or make a list of risks in your head. You have to show a structured and repeatable Risk Assessment methodology – something that demonstrates that your organization makes decisions based on risk, and not just convenience.

So what assessors want to see first is:

1) A documented Risk Assessment methodology

2) A Risk Register

3) Evidence that your company is actually addressing those risks.

4) Evidence that your company has an ongoing Risk Management Program that continues over time – not just a one-time event.

CMMC is a contractual requirement, and without documented risk management processes, your organization cannot win many DoD contracts.

In our next edition of CMMC Today, we’ll describe how NIST 800-30 gives you the official government playbook for building that capability the right way.

Brenda Harper
Content Writer