Risk Assessment using DoD's CMMC and NIST 800-171 requirements

QMSCAPA software provides a Risk Assessment and Management module that supports the FEMA (failure modes and effects analysis) methods. The FEMA methods are commonly used in:

•aerospace quality management systems (AS9100, 9110 & 9120)

•business continuity management systems (ISO 23000)

•cybersecurity models (DoD's CMMC)

•environmental management systems (ISO 14001)

•food safety management systems (ISO 22000)

•information security management systems (ISO 27001)

•laboratory management systems (ISO 17001)

•medical device quality management systems (ISO 13485)

•occupational health and safety systems (ISO 45001)

•quality management systems for general business and manufacturing (ISO 9001)

 

The recent enhancements in the QMSCAPA software module for Risk Assessment and Management make the tool ideal to meet the security requirements in NIST Special Publication 800-171, which should be applied to the nonfederal organization’s internal systems processing, storing, or transmitting CUI.

 

The term organizational system is used in many of the CUI security requirements in NIST Special Publication 800-171. This term has a specific meaning regarding the scope of applicability for the CUI security requirements.

 

In addition, this Security Systems Plan includes requirements for the DoD Cybersecurity Maturity Model (CMMC) Levels 1, 2 and 3:

 

•<> CMMC Level 1 Performed – 17 Controls must be applied based on 48 CFR 52.204-21.

•<> CMMC Level 2 Documented – 72 Controls (includes Level 1 controls) must be applied. This includes documentation to processes, such as SOPs, policies, and plans.

•<> CMMC Level 3 Managed – 130 Controls (includes Level 2 controls) must be applied, along with the requirements of NIST SP 800-171.

Documenting NIST SP 800-171 DoD Assessment Results

a) A summary level score for basic assessments completed by the Contractor, and for medium and high assessments conducted by DoD, will be posted in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility to the results of strategic assessments.

•<> i) SPRS is defined by DoD Instruction (DoDI) 5000.79, Defense-wide Sharing and Use of Supplier and Product Performance Information, October 15, 2019 available at https:\\www.esd.whs.mil/DD/.

•<> ii) SPRS is the authoritative source to retrieve supplier and product performance information for the DoD acquisition community to assess and monitor unclassified performance, and to assess corporate business practices related to DoD contracts and the supplier’s management of risk.

https://lnkd.in/g3rstJD