This isn’t a question or request for help, just a comment. Anyone created their own mapping document? Currently creating a map between ISO 27001:2022 and NIST 800-53r5 and holy toast is it tedious. Much respect to those that have done it.
We strongly advise being careful about mappings; they are subjective, and that is dangerous if you get audited. In this case, mapping ISO to NIST is not a problem (NIST is not certifiable), but the other way around is going to be an issue.
As for mappings, templates, etc. …
Good luck.
Understood. I am using "NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001" (July 2023), published by NIST.
If it’s wrong, well, rats. It should give us a baseline for completing FedRAMP/StateRAMP and a jumping-off point for CMMC v2.
I would say that if your goal is to add FedRAMP/StateRAMP/CMMC L2 to your current ISO 27001, you should just light your ISO starting point on fire and pretend it’s not even there. The RAMPs/CMMC are quite prescriptive in nature and will make you do things to a greater level of specificity than anything in ISO would (unless, of course, you select the RAMPs/CMMC as your controls as part of your SoA).
For context: getting ISO 27001 is usually a five-figure level of effort. The RAMPs/CMMC start at seven figures.
Of course, if it’s just mapping to 800-53 for funsies, nothing wrong with that - it has flexibility in it that allows you to tailor the controls a bit more…
If you need mappings, the ComplianceForge Secure Controls Framework is a good starting point, but it’s massive and you are dependent on the ComplianceForge folks to have mapped correctly.
Would be interested in seeing the final mapping table, if you don’t mind sharing; not to put into production, but out of curiosity.
A note on your project:
For CMMC you will be dealing with CUI-labeled data, which must be protected according to NIST 800-171 v3 rather than 800-53 (see DFARS Clause 7012, which is likely part of your DoD contracts). There is a lot of overlap but not a 100% match. Don’t concentrate on the wrong standard from the start.
Contrary to the comment by @david.schroth, I cannot confirm the seven-digit implementation cost; it depends on the circumstances. In our case, after careful analysis, the amount of data actually marked CUI was negligible (compared to the amount of data that was “assumed to be CUI”), whereas enclaving it would have been prohibitive from a cost and effort perspective. Buying an “enclave off-the-shelf” product can be a cost-saving alternative, and roll-out isn’t more complex than deploying a Dropbox or OneDrive client.
Mappings do not work in the real audited world; this is well known and understood by anyone who gets regularly audited. There are many reasons why that is the case.
You can read why here: Compliance - The world of Mappings
Mapping templates can be obtained from ChatGPT in seconds, literally any one of them, using what is publicly available on the internet.
CMMC is still on 800-171 v2 and will be for at least a few more years (DoD needs to go through the rulemaking process to change that).
Buying the off-the-shelf enclave product doesn’t solve all of the requirements. Sure, it moves the ball downfield from a technical implementation perspective, but you still need to get a CMMC L2 assessment done, write an SSP/policies/procedures, implement all of the controls that are within your responsibility, and so on. For a very limited environment like yours, maybe it’s possible within a six-figure budget; the seven-figure number is more for a small-scale SaaS platform.