Control Status

What is the Control Status module?

[Screenshot: Control-Status-full]

Control Status is the most central module within Totem™. It serves as the primary workflow facilitator for developing your System Security Plan (SSP), the "blueprints" of your cybersecurity program, including justifying your implementation, providing objective evidence, and identifying shared responsibility. Using Control Status, you can:

  • Assess your current implementation state against your cybersecurity standard of interest (CMMC L1, L2, L3 or ISO 27001) at both the Control and Organization Action level
  • Provide justification as to how you have or have not yet implemented each Organization Action
  • Provide objective evidence demonstrating your implementation, such as through attachments
  • Specify Shared Responsibility where an Organization Action is being fulfilled by another party, whether partially or fully

How do I build a System Security Plan (SSP) using the Control Status module?

Totem has a tutorial on creating an SSP using the Control Status module. Please see our tutorial.


What's the difference between Control Status and POA&M?

Control Status houses your System Security Plan (SSP). When assessing your compliance with your cybersecurity standard of interest (CMMC or ISO 27001), you will do so using Control Status. However, when performing your assessment through Control Status, you may identify that some Organization Actions are presently noncompliant. You'll then add these deficient Organization Actions to your POA&M, where you'll then build Corrective Action Plans (CAP) to correct these deficiencies. Please refer to our POA&M support page for more on this.

The Control Status module and POA&M module work heavily with one another. A typical workflow may look something like this:

  1. Assess your implementation of the cybersecurity standard (CMMC or ISO 27001) through Control Status
  2. Add non-compliant Organization Actions to POA&M through creation of Corrective Action Plans
  3. Remediate CAPs
  4. Update SSP and other relevant documentation

What's the difference between a Control and an Organization Action?

A Control represents the overarching "requirement". For example, in NIST SP 800-171 Revision 2, there are 110 requirements. However, each Control has underlying "objectives": the things to do to ensure the overall requirement is met. In NIST SP 800-171A Revision 1, there are 320 objectives. In Totem™, these objectives are referred to as Organization Actions (OAs).

Example:

AC.L2-3.1.8 (Control): Limit unsuccessful logon attempts. Its OAs include:

  • AC.L2-3.1.8[a]: The means of limiting unsuccessful logon attempts is defined. 
  • AC.L2-3.1.8[b]: The defined means of limiting unsuccessful logon attempts is implemented.

[Screenshot: control-oa]

Only upon 3.1.8[a] and 3.1.8[b] being deemed Compliant will the overarching Control, 3.1.8, also be deemed Compliant.


What's the difference between Compliant, Noncompliant, and Not Applicable?

  • Compliant: The organization has implemented the Control/Objective and can provide justification and evidence of doing so.
  • Noncompliant: The organization has not yet implemented the Control/Objective, and therefore cannot yet provide justification and evidence of doing so.
  • Not Applicable: The organization has determined that it is absolved of implementing the Control/Objective. (NOTE: This is rare. If the organization determines that a Control/Objective is "out of scope" or is otherwise not necessary to implement, it is recommended to instead mark Compliant and provide justification.)

When the CMMC Assessment Type is loaded in Totem™, a subtractor will automatically be indicated for all Noncompliant controls. Noncompliant controls will subtract from the organization's overall DoD Assessment Methodology score of 110 points.


What is the Implementation Details field used for?

Implementation Details is a free-form text field used for justifying how the organization has implemented a given Organization Action. Any justification within this field should reflect the Organization Action "Type". For example, if the organization has determined that it will satisfy an action by way of a policy, the Implementation Details should either specify that policy or reference where this policy lives. Or, if the organization will satisfy an action using technical means, this field should describe (at a high level) how the technology is used and configured, including references to any relevant external documentation. The sum-total of an organization's Implementation Details forms the bulk of its System Security Plan.


What is the Comments field used for?

Comments is a free-form text field used for providing information in support of the Implementation Details. This could include internal team comments, references to external supporting documentation, objective evidence, or whatever else the organization may need the field for.

Totem has a tutorial on leaving and editing Comments. Please see our tutorial video here.


What is the Shared Responsibilities field used for?

Many organizations rely on third parties to help fulfill their cybersecurity compliance requirements. When it comes time for an assessment, it is critical for the assessors to understand which security objectives are handled by the third party, and which are handled by the organization. This concept is known as Shared Responsibility -- multiple parties sharing in the responsibility of protecting the organization and its critical assets.

The Shared Responsibilities field is used for fleshing out how other parties are helping achieve the associated Organization Actions. If the third party already has a Shared Responsibilities Matrix (SRM), you can use this field to reference that SRM.


What is the difference between Policy, Technical, and Hybrid Organization Action types?

How an organization chooses to implement an Organization Action may vary from other organizations. Some may prefer a policy-based approach, some may prefer to utilize technology, and others may opt for a blend of both. The Type field helps indicate which approach has been chosen for a given Organization Action. The Type drop-down gives three options:

  • Policy: Satisfying the objective will involve establishing a new organizational policy or contributing to an existing policy. For instance, creating an IT Acceptable Use Policy used as part of the organization's onboarding and ongoing cybersecurity training initiatives.
  • Technical: Satisfying the objective will involve procuring new or configuring existing technology. For instance, purchasing and installing a firewall or endpoint protection solution.
  • Hybrid: Satisfying the objective will involve a blend of both Policy and Technical.

How do I upload attachments?

Attachments can be uploaded either through the Attachments tab near the top of the Control Status page or through the Attachments option next to any Organization Action. Any attachments uploaded through an Organization Action will appear in the Attachments repository.

Uploading via the Attachments tab:

[Screenshot: attachment-upload]

Uploading via an Organization Action:

[Screenshot: attachment-upload-cs-button]


How do I associate an attachment with an Organization Action?

All attachments uploaded into your Totem™ organization will appear within the drop-down "Select Attachments" list next to a given Organization Action. Selecting the attachment of interest will associate it with the action. You can add or remove attachment associations as needed.


How do I update multiple controls at once?

The Bulk Update tool allows you to update multiple Organization Actions or Controls at once. NOTE: using the Bulk Update tool will overwrite any existing data. Be sure to only bulk update the controls you want updated. Leaving fields in the Bulk Update window blank will not overwrite the existing data; only changes specified in the window will do so. For instance, leaving the Implementation Details field blank in the Bulk Update window will not make all OA Implementation Details blank. But adding any text, even including a space, will overwrite the existing data.

On the Control Status page, just above the list of controls, select Bulk Update. Select the Organization Actions you would like to update, then perform your desired changes. Alternatively, you can select the checkbox next to the Organization Actions you want to update, then select Bulk Update.

Bulk Update allows you to update the following Control Status fields:

  • Status
  • Implementation/Justification Details
  • Type
  • Comments
  • Shared Responsibilities
  • Attachments

For example, to bulk update all Organization Actions in the Audit & Accountability family to Noncompliant and add comments:

On the Control Status page, select Bulk Update. With the Bulk Update window open, type "AU" in the Organization Actions field. Notice that all actions in the list are filtered to only those in the Audit & Accountability family:

[Screenshot: au-filter]

Manually select each Organization Action in the list. NOTE: Choosing "Select All" will select all Organization Actions across all controls, not just those in the AU family.

Change the Status to Noncompliant, and insert the comment:

[Screenshot: bulk-update-oa]

Select OK, and navigate to the Audit & Accountability family. Notice that all Organization Actions are now Noncompliant and contain the comment.


How do I import Totem's SSP template?

Totem has a tutorial on importing the SSP template. Please see our tutorial.


How do I use the search tool?

[Screenshot: cs-search-tool]

The search tool allows you to filter controls based on certain text strings. The Resources page includes a list of search functions you can use for filtering controls. Using the search tool, you can perform text filters on the Implementation Details, Comments, and Shared Responsibilities fields.

For instance, to search all Implementation Details fields for the text "Microsoft" or "Multifactor Authentication", the details: search term would be used:

details:"Multifactor Authentication"

[Screenshot: search-filter_mfa]

To search all Comments fields, use the search term comments:

comments:"_Jane"

comments:"Active Directory"

[Screenshot: search-filter_comment]

To search all Shared Responsibilities fields, use the search term shared:

shared:"MSSP"

shared:"Totem Technologies"

[Screenshot: search-filter_shared]

NOTE: When a search is performed and the text string is located, Totem™ will list all controls containing that text. However, it will not highlight which Organization Actions contain the text string or where the text can be found. Totem Technologies plans to incorporate this in a future release.

The following list outlines the remaining terms you can use to filter on the controls:

  • control.control_id: (Filter on the Control ID. Example -- control.control_id:"3.1.1")
  • control.family: (Filter on the Control Family. Example -- control.family:"Access Control")
  • control.text: (Filter on the Control Text. Example -- control.text:"FIPS")
  • control.guidance: (Filter on the "Discussion" info element. Example -- control.guidance:"Access control policies")
  • control.clarification: (Filter on the "Further Discussion" info element. Example -- control.clarification:"logging")
  • control.other_references: (Filter on the "References" info element. Example -- control.other_references:"AU ACSC Essential Eight")
  • control.far_clause: (Filter on the FAR clause associated with a CMMC L1 safeguard. Example -- control.far_clause:"b.1.i")
  • control.example: (Filter on the "Example" info element. Example -- control.example:"shred")
  • control.pac: (Filter on the "Assessment Considerations" info element. Example -- control.pac:"privileged accounts")
  • control.mep_questions: (Filter on the "MEP Questions" info element. Example -- control.mep_questions:"separation of duties")
  • control.compelling_evidence: (Filter on the "Compelling Evidence" info element. Example -- control.compelling_evidence:"administrators")

How do I create and save filters?

To create and save a filter, select the drop-down arrow next to "Select Saved Filter" at the top of the Control Status page. Enter in the details for the filter you'd like to create, then select Save Filter.

For example, to create a saved filter for all NIST 800-171 controls mapped to the Totem Top 10, input the following into the "Search Filter" field:

control.family:"Access Control" + control.family:"Awareness & Training" + control.family:"Audit & Accountability" + control.family:"Incident Response" + control.control_id:(3.4.1, 3.4.2, 3.4.4, 3.4.7, 3.4.8, 3.4.9, 3.5.1, 3.5.3, 3.5.7, 3.5.8, 3.5.9, 3.8.3, 3.8.6, 3.8.8, 3.8.9, 3.9.1, 3.11.1, 3.11.2, 3.11.3, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.13.1, 3.13.6, 3.13.8, 3.13.13, 3.14.1, 3.14.2, 3.14.4, 3.14.5, 3.14.6, 3.14.7)

[Screenshot: saved-filter_TTT]

In this case, the search grabs all controls from four control families (Access Control, Awareness & Training, Audit & Accountability, and Incident Response), along with individual controls found in other families.

Any saved filters are easily accessible from the Select Saved Filter drop-down:

[Screenshot: saved-filter_dropdown]

Selecting the saved filter will automatically apply the filter and load the corresponding Controls.
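To make the filter syntax from the search tool and saved filter sections concrete, the following is an added example (not Totem's code or data model) of a small evaluator that parses terms in the same shape as the page's examples (`details:"..."`, `comments:"..."`, `shared:"..."`, `control.family:"..."`, `control.control_id:(3.4.1, 3.4.2)`, joined with `+`) and applies them to constructed SSP records. The semantics are assumptions drawn from the page's own description: quoted values are case-insensitive substring matches, a parenthesised list is an exact-match set, and `+` unions the terms, since the Totem Top 10 example "grabs all controls from four control families, along with individual controls". The `locate` function goes beyond the page by reporting which Organization Action matched, which the page says Totem does not yet do. All class, function and sample-record names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed records whose fields mirror the Control Status fields the page
# names (Implementation Details, Comments, Shared Responsibilities, Control
# ID/Family/Text). This is an illustrative model, not Totem's data model.
@dataclass
class OrgAction:
    oa_id: str
    details: str = ""
    comments: str = ""
    shared: str = ""

@dataclass
class Control:
    control_id: str
    family: str
    text: str
    oas: list = field(default_factory=list)

# Filter keys that live on the control versus on its Organization Actions.
CONTROL_FIELDS = {"control.control_id": "control_id",
                  "control.family": "family",
                  "control.text": "text"}
OA_FIELDS = {"details": "details", "comments": "comments", "shared": "shared"}

# One term is either  key:"quoted text"  or  key:(value, value, ...)
TERM_RE = re.compile(
    r'(?P<key>[a-z_.]+):(?:"(?P<quoted>[^"]*)"|\((?P<listed>[^)]*)\))')

def parse_filter(expr):
    """Split a filter string into (key, op, value) terms joined by '+'.
    Assumed semantics: a quoted value is a substring search, a parenthesised
    list is an exact-match set; terms are combined as a union."""
    terms, pos = [], 0
    for m in TERM_RE.finditer(expr):
        gap = expr[pos:m.start()].strip()
        if gap != ("+" if terms else ""):
            raise ValueError(f"unexpected text {gap!r} in filter")
        if m.group("quoted") is not None:
            terms.append((m.group("key"), "contains", m.group("quoted")))
        else:
            values = [v.strip() for v in m.group("listed").split(",") if v.strip()]
            terms.append((m.group("key"), "in", values))
        pos = m.end()
    if expr[pos:].strip() or not terms:
        raise ValueError(f"could not parse filter: {expr!r}")
    return terms

def _compare(op, actual, value):
    if op == "contains":
        return value.lower() in actual.lower()   # case-insensitive (assumption)
    return actual in value                       # "in": exact membership

def term_hits(term, control):
    """OA ids satisfying an OA-level term, [None] for a control-level hit,
    or [] when the term does not match this control."""
    key, op, value = term
    if key in CONTROL_FIELDS:
        actual = getattr(control, CONTROL_FIELDS[key])
        return [None] if _compare(op, actual, value) else []
    if key in OA_FIELDS:
        return [oa.oa_id for oa in control.oas
                if _compare(op, getattr(oa, OA_FIELDS[key]), value)]
    raise ValueError(f"unknown filter key: {key}")

def apply_filter(expr, controls):
    """Control IDs matched by ANY term of the filter, in input order."""
    terms = parse_filter(expr)
    return [c.control_id for c in controls if any(term_hits(t, c) for t in terms)]

def locate(expr, controls):
    """Map each matched control to the OAs whose text matched. The page notes
    Totem lists matching controls only; this shows the finer-grained result."""
    terms = parse_filter(expr)
    found = {}
    for c in controls:
        hits = sorted({h for t in terms for h in term_hits(t, c) if h is not None})
        if hits:
            found[c.control_id] = hits
    return found

# Constructed sample data (not real SSP content).
SAMPLE = [
    Control("3.1.1", "Access Control", "Limit system access to authorized users.", [
        OrgAction("3.1.1[a]",
                  details="Authorized users are listed in the Active Directory onboarding checklist.",
                  comments="_Jane: reviewed against the HR roster"),
    ]),
    Control("3.4.1", "Configuration Management", "Establish and maintain baseline configurations.", [
        OrgAction("3.4.1[a]", details="Baseline is the Intune device configuration profile."),
    ]),
    Control("3.5.3", "Identification & Authentication",
            "Use multifactor authentication for access to privileged accounts.", [
        OrgAction("3.5.3[a]", details="Multifactor Authentication is enforced via Microsoft conditional access."),
        OrgAction("3.5.3[b]", shared="MSSP operates the MFA policy on our behalf."),
    ]),
    Control("3.13.11", "System & Communications Protection",
            "Employ FIPS-validated cryptography to protect the confidentiality of CUI.", [
        OrgAction("3.13.11[a]", details="Laptops use BitLocker in FIPS mode."),
    ]),
]
```

Running `apply_filter('control.family:"Access Control" + control.control_id:(3.4.1, 3.13.11)', SAMPLE)` returns `['3.1.1', '3.4.1', '3.13.11']`, the union behaviour the Totem Top 10 filter relies on, and `locate('comments:"_Jane" + shared:"MSSP"', SAMPLE)` pins the hits to `3.1.1[a]` and `3.5.3[b]`. Note that with substring matching a quoted ID such as `control.control_id:"3.1.1"` would also match `3.1.10` in this example; the parenthesised list form is the exact one.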


Why does my score show 110/110 despite having non-compliant controls?

If you are seeing your NIST 800-171 assessment score show 110/110 despite having one or more controls in a Noncompliant state, this is very likely because the variable control score has not been selected for one or both of the following two controls:

  • IA.L2-3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 
  • SC.L2-3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Typically, this may occur upon an SSP import. Navigate to these controls and ensure that you have addressed the variable scoring. Upon doing so, your organization's NIST 800-171 assessment score should update. If you have performed this action and are still not seeing an updated score, please Contact Support.
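The following is an added example (not Totem's code) that ties together two rules stated on this page: the Control-level rollup from the 3.1.8 example (a Control is Compliant only when all of its Organization Actions are) and the 110-point scoring in which Noncompliant controls subtract points, with 3.5.3 and 3.13.11 carrying a variable score that must be selected. It reproduces the 110/110 symptom described above and provides the check an assessor would run to find it. The point values and sample records are constructed (they are not the official DoD Assessment Methodology weights), and the treatment of Not Applicable OAs, the `points` field and the `select_variable_score` helper are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Optional

COMPLIANT, NONCOMPLIANT, NOT_APPLICABLE = "Compliant", "Noncompliant", "Not Applicable"

# The two controls the page says carry a variable score that must be selected.
VARIABLE_SCORE_CONTROLS = {"3.5.3", "3.13.11"}

@dataclass
class OrgAction:
    oa_id: str
    status: str

@dataclass
class Control:
    control_id: str
    oas: list
    # Points subtracted when the control is Noncompliant. For the two
    # variable-score controls this is the score the assessor selected, and
    # None means "not selected yet". Values used below are constructed, not
    # the official DoD Assessment Methodology weights.
    points: Optional[int] = None

def control_status(control):
    """Rollup rule from the page: a Control is Compliant only when every one
    of its Organization Actions is Compliant. Treating a control whose OAs are
    all Not Applicable as Not Applicable (and ignoring N/A OAs otherwise) is
    an assumption of this example."""
    statuses = {oa.status for oa in control.oas}
    if statuses == {NOT_APPLICABLE}:
        return NOT_APPLICABLE
    if NONCOMPLIANT in statuses:
        return NONCOMPLIANT
    return COMPLIANT

def subtractor(control):
    """Points removed from the 110 maximum for this control. A Noncompliant
    variable-score control with no score selected subtracts nothing, which is
    how a score can read 110/110 despite Noncompliant controls."""
    if control_status(control) != NONCOMPLIANT:
        return 0
    return control.points or 0

def assessment_score(controls, maximum=110):
    return maximum - sum(subtractor(c) for c in controls)

def unscored_variable_controls(controls):
    """The check to run when the score looks too good: Noncompliant controls
    from the variable-score set whose score has not been selected."""
    return [c.control_id for c in controls
            if c.control_id in VARIABLE_SCORE_CONTROLS
            and control_status(c) == NONCOMPLIANT and c.points is None]

def select_variable_score(controls, control_id, points):
    """Return a new list with the variable score chosen for one control."""
    return [replace(c, points=points) if c.control_id == control_id else c
            for c in controls]

# Constructed sample: the state the page describes right after an SSP import,
# where only the two variable-score controls are Noncompliant.
IMPORTED = [
    Control("3.1.1", [OrgAction("3.1.1[a]", COMPLIANT), OrgAction("3.1.1[b]", COMPLIANT)], points=5),
    Control("3.1.8", [OrgAction("3.1.8[a]", COMPLIANT), OrgAction("3.1.8[b]", COMPLIANT)], points=1),
    Control("3.5.3", [OrgAction("3.5.3[a]", NONCOMPLIANT)]),      # score not selected
    Control("3.13.11", [OrgAction("3.13.11[a]", NONCOMPLIANT)]),  # score not selected
]

# The same organisation once the assessor has addressed the variable scoring
# and found one further gap (3.1.8[b] not yet implemented).
ASSESSED = select_variable_score(
    select_variable_score(IMPORTED, "3.5.3", 5), "3.13.11", 3)
ASSESSED[1] = replace(ASSESSED[1], oas=[OrgAction("3.1.8[a]", COMPLIANT),
                                        OrgAction("3.1.8[b]", NONCOMPLIANT)])
```

`assessment_score(IMPORTED)` is 110 even though two controls are Noncompliant, and `unscored_variable_controls(IMPORTED)` names them (`['3.5.3', '3.13.11']`); once the scores are selected, `assessment_score(ASSESSED)` drops to 101 and the check returns an empty list. The control with 3.1.8[b] Noncompliant rolls up to Noncompliant even though 3.1.8[a] is Compliant, which is the rollup rule the 3.1.8 example describes.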