DCG has been highlighting discussions of interest detailed in the DoD CIO Networking and Penetration FAQ. The entire document is worth considering but we wanted to provide a few highlights in a series of posts. Today let’s look at the concept of “periodic.”
_____________________________________________________________________________________________________________
“Q20: How often should our company review our compliance with the NIST SP 800-171 security requirements?”
“A20: When compliance with DFARS clause 252.204-7012 requires implementation of NIST SP 800-171, the company is required to implement the following requirements in order to assess the risk and security of their system (s):
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI (NIST SP 800-171 security requirement 3.11.1)
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application (NIST SP 800-171 security requirement 3.12.1)
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems (NIST SP 800-171 security requirement 3.12.2)
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls (NIST SP 800-171 security requirement 3.12.3)
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems (NIST SP 800-171 security requirement 3.12.4)”
This doesn’t really give any specifics simply stating that a period must be defined. There is a limit to this, however, hidden in the CMMC Master Glossary which isn’t referenced here but holds no less power, which defines Periodically as:
“Occurring at regular intervals. As used in many practices within CMMC, the interval length is organizationally defined to provide contractor flexibility, with an interval length of no more than one year.”
So wherever “periodically” appears or is even iimplied, annually is the maximum duration. Inside of that it is up to you. The C3PAO Forum also has published a position paper on this, https://www.c3paoforum.org/position-papers/ around how often Incident Response exercises must be run. In that case the control does not specify periodically however the C3PAO Forum has indicated that this is assumed and these need to be performed at least once a year. Another great example is documentation. It must be updated annually and you need evidence that this is the case.
Periodicity is an important concept and we often see matrixes of things that need to run weekly, monthly, quarterly, and annually. When deciding on the defined periods for your organization keep in mind that annually is pretty much the maximum.