We have all seen or felt the rage. You go into fridge to grab the gooey cooey chocolate volcano cake you labeled in the fridge and the shelf laughs back at you with an eerily empty cackle. Someone did not know who owned the cake.


flickr photo by carolinerac shared under a Creative Commons (BY-NC-ND) license

Almost all the guidance on CMMC tells you to start with determining where and how CUI flows through your system. You might want to first figure out who gets to decide the lunch policy and what goes in the fridge.

Not to mention many a prime might tell you, “We don’t know if we send you CUI but you must have a system that supports receiving CUI if you want future contracts.”

So start with deciding whose in charge.

CMMC and Data Ownership.

To understand the team your company brings to the dance we turn to NIST SP 800-18. The document basically begins with deciding where the buck stops.

What is Management Operation?

In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.
So before you even decide how you want CUI to flow you gotta know who signs the dotted line.

Roles and Responsibility

Management authorization should be based on an assessment of management, operational, and technical controls.
  1. Security Officer
  2. Information Systems Owner
  3. Information Owner
According to NIST you appoint a The Chief Information Officer.

(CIO) is the agency official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities for system security planning

Most small manufacturers do not have a CIO. You either use a Managed Service Provider or you as CEO do it. Sometimes people choose Deborah in accounting because she keeps that WordPress site about her Gobots collection. But usually just you.

  • The CIO chooses the senior agency information security officer (probably also you, an MSP, or Deborah).
  • Develop all the security procedures and policies(copy and paste SANS templates)
  • Do all the cybersecurity stuff
  • Do all the cybersecurity training stuff
The Information Systems Owner, according to NIST, still probably just you, keeps all your wifi and printers going.
Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
  • Write the system security plan
  • Maintain and monitor the security plan
  • Make sire people do the cybersecurity training
  • Update the system security plan
  • Help with implementing practices and processes
The information owner, and unless we talking Intellectual Property, with CUI, we mean the Department of Defense, but in terms of your company you need to know who:
  • Establishes the roles and rules
  • Help with security
  • Decide who gets access to sensitive information
NIST SP 800-18 lists a few other jobs but we have already described three jobs past your headcount. Deborah quit when saw she had to do government level controls on private sector budgets.

NIST wrote the guide to writing security plans for the government not for your small business. Just remember that you do need to decide who acts as the authorizing agent. Who says:

  • Our System Security Plan good to go
  • Authorize the information system
  • Denies access to the information system

When you begin your CMMC journey you need to decide who gets to play boss of the SSP, the information system, and all the people. And please stop taking food out of the fridge that does not have your name.