Content pulled from Anurag Shankar of Indiana University from the June 2nd, 2021 final workshop.
In compliance, proving due diligence and readiness for external audits requires auditing and documenting the controls one has in place. This includes, e.g., system access, anomalies, log analysis, training records, documentation reviews, and more.
Establish institutional audit process ownership and governance.
Consider having the Office of Research as the owner and ISO and Compliance as principal agents and liaison to the Office of Research (or another process owner).
Decide who makes remediation decisions for any gaps found.
Manage the Audit Process
Use network segmentation to limit the scope of the audit, especially if on-prem.
Create a central document repository.
Document the audit process. Create a checklist of process steps for various stakeholders, e.g., those who gather evidence.
Automate as much as possible. For example, use scripts to collect the audit information.
Group related audits together (e.g., by compliance regime).
Use pre-audits to prepare for external audits. Leverage Internal Audit.
Use the audits as an opportunity to organize and update documentation.
Standardize documentation, e.g., like HECVAT has done for 3PAs. However, audits may also need to pull randomly, for instance CMMC audits, since the auditors are being asked to examine, test, and interview.
Shift from focusing on (annual) audits toward continuous monitoring/assessment. Use the FedRAMP provided continuous monitoring plan template as a guide.
Bake in auditing from the get go when building research solutions.
Budget for pre-assessments. Keep in mind that pre-assessments are not a recoverable expense in CMMC, only the certification.
Gather and Organize Evidence
Leverage existing resources, for instance Internal Audit.
Make external audits easy for auditors, remembering that they often charge by the hour. This can be done by following, e.g., control framework audit guidance (e.g., NIST SP 800-171a), to guide the format of reports and data. Auditors often use the same documents to perform their audits. Store all documents in a single, auditor-ready digital document repository.
Document where each control is applied and how it is audited.
Create an index that points to the documentation (policies/standards/processes/procedures) created for each requirement. Each paragraph in those documents should identify the requirement for which they are written.
Add researchers’ data security plans to the document repository.
Leverage and Empower the Community
Explore peer assessments to prepare for audits and to share learning across the community. Ask others with CUI compliance programs to audit you. There is also a REN-ISAC peer assessment service.
Share or have peers share audit experiences since this information is highly useful to the community.
Use the Slack HigherEdCUI and RSOC-CSR lists. EDUCAUSE and REN-ISAC also have CUI lists.
Share any locally developed templates with the community.
Share lessons learned when CMMC audits start. This will help us hold C3PAOs to a single standard.
DoD is developing automated mechanisms for continuous monitoring, which they may also introduce into the CMMC process also. Use the power of community to keep the process sane if implemented.
Interviewing researchers/IT professionals to discover their processes and procedures, documentation.
Creating SSPs, system inventories and personnel lists.
Reviewing 800-171 requirements, e.g., FIPS 140-2 encryption, strategizing on how to comply.
Auditing the current state of controls (implemented, partially implemented, incorrectly implemented, not implemented) using NIST 800-53. Documenting the controls into a SSP, assessing risk from improper, partial, or no implementation of each control, and crafting a risk response to each.
Addressing compliance with specific regulations (DFARS, HIPAA) by mapping it to 800-53.
Using PowerShell and other scripts to audit technical controls.
Looking at CSET (cybersecurity evaluation tool): https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET
Using a SIEM to check against specific control sets and vulnerability scanning to cover the rest.
Implementing 800-171 through GPOs, firewall rules, configuration management (SCCM), log management and analysis.
Silos - each campus area has its own audit process, approach, or no auditing at all.
Lack of Audit tools - forced to forge one offs, no guidance or standard tools to audit controls.
Lack of Standardization - no standard checklists or a common audit process across the institution.
Difficulty of control interpretation - without understanding what a control means, it is difficult to audit it.
Legacy technologies - how to audit lab instruments with obsolete OS and software.