The Quadrant


The Quadrant is where you'll spend the majority of your time identifying, documenting, and tracking remediation for each identifier you intend to implement.

Some of it has been filled out for you, but you are free to change, remove, add, and pretty much do whatever you want to make the system unique for your company.

It consists of four major parts.

Status card (upper left)
Standards (upper right)
Controls (bottom left)
Weaknesses (bottom right)




STATUS CARD
The status card is a breakdown of everything in the quadrant and can produce mini reports specifically for this identifier.  A left click will bring up the overview.
Once the overview is up, you can click Edit within the report to change values.  The only values you should edit are on the right side, starting from Status.  You can change the status of the identifier at any time, and it will update the dashboard graph.

The four statuses are as follows:
Implemented - Fully implemented, Identifier satisfied
Non-Implemented - Default status, identifier not started
In-Progress - Active remediation, Identifier in-progress
Deficient - Active remediation, Identifier has defined weaknesses that require resolution

From here, you can also select as many standards, controls, or weaknesses as you'd like to display in the overview as they are created.  This is key for customizing single reports for the identifier, or pulling large reports.  You may choose not to display some information (for example, Weaknesses are not necessary for a CMMC only style report).

Because procedures are more technical in nature, they have been left off the reporting page.  The same applies to milestones.




STANDARDS

Standards are your overall goals: what you're trying to achieve to satisfy the identifier as it pertains to the family.  We have added baseline standards to every policy to provide guidance on goals that should be met.  Standards can be removed or added as needed.  When adding a standard you MUST supply the current identifier to properly link it to the quadrant, either via the drop down or by typing the Identifier out.  This ensures proper linkage in the database and is the most crucial step.  You may label Standard IDs any way you wish; currently we have labeled them S#'s in order.



After typing your standard, you can submit and you'll see it appear in the Quadrant.


CONTROLS

Controls are the methods by which you will satisfy any given standard.  Every control will be tied to a specific standard.  You may add controls directly from the Quadrant, or select the Add Control button to bring up a new pop out window to get a better view with some more screen real estate.

Just like adding Standards, you MUST supply the identifier you're working within to keep the database linked.  Furthermore, you need to select the standard ID to which the control applies.  You may add supporting documentation (think custom forms, screen caps for verification and reference material, and/or evidence) via the file upload button.




Controls should be short and direct; they are merely an overview of how you are satisfying the standard.

Procedures are where you will detail how the control is implemented.  Procedures and milestones are similar in that both let you detail the technical aspects of how you are implementing or remediating.  Procedures are not on final reports, as they are used as a basis to create an audit level control.  Consider them internal instructions for reference and for your team, to understand how the control was satisfied.



Some controls will have simple procedures or no procedures at all.  Others may be more complex if you plan on referencing GPOs that are enforced to satisfy a specific control.


WEAKNESSES (Deficiencies)

Weaknesses and deficiencies are the same, and are interchangeable in relation to NIST/CMMC.  The weakness form's fields are all called for/required by NIST.  We have left the majority of the fields as "not required" because weaknesses may at times require some time and research to create.

Weaknesses are only required for NIST to establish your PoAM.  However, it's highly recommended to use them anyway, even if you're exclusively focused on CMMC.  They provide a strong reference point of history as well as guidance on the controls you may need to create to remediate the weakness.

As with controls and standards, you MUST supply the identifier for linkage.  All weaknesses will be tied to a standard. 

Weaknesses are similar to controls in that you can add them via the Quadrant, or select "Add Weakness" for a better pop up view.



Much like procedures, milestones provide a supporting history of the remediation of the weakness.  Once all milestones are completed and implemented, the weakness can be completed.



Many Identifiers are satisfied just by completing basic items in NUDG.  For example, if you choose to use our Users, Groups, & Roles form, the bulk of AC-N.01 will be completed.

Lastly, it is not required to use our naming for Standards, Controls, or Weaknesses.  For example, S1 could be Standard1, or AC-N.01-S1.  The same goes for Controls and Weaknesses.
