POLICY & PROCEDURE

Master Class

RETHINK YOUR POLICY APPROACH

Critical Prism Defense and CyberDI have teamed up to help your business tackle the hardest part of CMMC compliance: policy and procedure. Our collaboration pairs deep Risk Management Governance experience with the latest approaches based on cognitive science and writing instruction research.

BRIDGE TO POLICY AUTOMATION

As companies, from small businesses to the enterprise level, engineer trustworthiness into their systems, they need to treat policy as a living document. We need to build a bridge away from paper-based version control, which creates risk, and move to policy as code. Our class takes your existing policy and integrates it with Microsoft Purview Compliance Manager and Azure Policy to begin your journey.

DRIVE HOW YOU ATTAIN AND SUSTAIN

Awareness and Training controls the trustworthiness of your system. Not only do you need to reach a score near 110 and meet all the security requirements of NIST SP 800-171, but legally you must sustain it for the life of any contract, and sometimes longer. You must have compliant policies and procedures, and you must teach and assess that your people follow these requirements.

WHO IS THE POLICY AND PROCEDURE MASTER CLASS FOR?

We wrote our curriculum and templates for small businesses that rely on Microsoft 365 Cloud environments. We know many customers have policy scattered across different departments or use the default templates from HR applications. We help you take this policy and, with our coaching, build your policies and procedures into your Microsoft 365 CMMC compliance and security ecosystem.


We also have customers who use our curriculum as app developers building on Azure Cloud. We can help you meet NIST SP 800-171 security requirements while preparing for SOC and ISO standards and preparing your SBOM.

We also wrote our curriculum for Microsoft 365 Cloud environments that use an enclave approach for sharing Controlled Unclassified Information (CUI).


Enterprise customers should call for special programs on developing processes to automate the ingestion of policy as code across multiple in-scope systems and security plans. We have additional DevSecOps training for those running a SOC.

WHAT IS INCLUDED?

For $5,000 you get a subscription to all of our policies and procedures. These assets provide a governance structure for many systems that meet NIST SP 800-171 at a variety of impact levels. Our policies have already passed DIBCAC assessments.


Clients who work in environments above a moderate level should call for a pre-screening to learn about additional policies, procedures, and trainings.


You also get a 10-week training class, feedback, and access to a year of office hours. For one year, twice a week, you can stop in and ask a CMMC Provisional Instructor implementation questions about your plans, policies, and procedures.

HOW DOES IT WORK?

Our Policy and Procedure Master Class comes with all the documentation and checklists you need to help your company grow the SSP and shrink the POA&M.


Included is a 10-week class with up to 10 hours of live instruction, written feedback on your writing, policy customization, and hundreds of hours of video lessons.


All participants get access to a year's worth of open office hours hosted by CyberDI CMMC Provisional Instructors.


We have an NDA process and a secure file share called PolicyLock, or we can be invited into your environment with read-only access. Our classes can be held in the commercial cloud or in FedRAMP solutions for customers whose contracts require moderate environments.

WHY DOES IT WORK?

We know small business owners like you find writing hard. You want to run a business and build parts, not do technical writing. Unlike other policy programs, we do not leave you drowning in templates or trapped in spreadsheet cells. Critical Prism Defense's unique partnership with CyberDI allows us to coach you toward 110.


Complying with CMMC requires awareness and training. You need to enforce policies and procedures that meet the security requirements of NIST SP 800-171. Writing is no different. Investing in our Master Class helps you do business better.

MASTER CLASS COURSE OUTLINE

INTRODUCTION TO GOVERNANCE, RISK AND PROCEDURES

Review key definitions
Identify the requirements of your systems
Compare the roles of Policy, Procedure, Process, and Plans
Scope policy requirements of the architecture
Include adequate and sufficient evidence in the SSP

DISCIPLINES / FOCUS AREAS

Security Architecture
Framework, Standards and Requirements
Security Operations
User Education
Staff Education
Threat Intelligence
Governance & Compliance
Risk Assessment
Physical Security
Legal
Human Resources
Project Delivery Lifecycle
Business Enablement
Budgeting
Identity Management
Titles / Roles
Officer
Director
Manager
Engineer
Administrator
Technician

KEY REFERENCE DOCUMENTS

NIST SP 800-39
NIST SP 800-53r5
NIST SP 800-53A
Business
Organizational Chart
Business Sectors
Country(ies) of business registration
State(s) of business registration

WHAT SHOULD BE IN A POLICY?

Roles, Responsibilities, Purpose, Scope, and Enforcement of Policy

WHAT SHOULD BE IN A PLAN?

Evaluating workforce, funding, tool, training, and testing needs
Creating a RACI model that assigns responsibility to individuals for a given task
Customizing Policies, Plans, and Procedures with the RMF

TIER 1

The Information Security Policy / Plan
Summary of all requirements
Directs Roles and Responsibilities
Permits or denies delegation
Provides information for Tier 2 Policies
Threat Analysis for the organization
Risk Assessment for the organization
Threats and Controls for mitigations
Checks and Balances
Separation of Duties
Strategic Plan
Supporting Committees
Data Classification
Policy that must be applied to the entire organization
Policy that specific groups must put in place
Policy that is for specific locations
Policy that is specific for technologies
Policy that is specific based on data classification
Index of policies
Reference policy architecture and naming conventions
Asset Management policy
Incident Response policy
Business Impact Analysis
Disaster Recovery policy
Recovery policy
Controls for CUI information policy
Firewall policy
Backup and retention policy
Vendor Management policy

TIER 2

Business Information Security Policy / Plan
The business implementation of the directives from Tier 1
Any specifics that are derived requirements from Tier 1
Specific references or architectures used to comply with Tier 1
Asset Management policy
Incident Response policy
Business Impact Analysis
Disaster Recovery policy
Recovery policy
Controls for CUI information policy
Firewall policy
Backup and retention policy
Vendor Management policy

TIER 3

System Security Policy / Plan
Specifics from Tier 1 and Tier 2 policies that are applied to a specific