Totem Technologies is thrilled to share the release of our biggest software upgrade to date, Version 5.0 of our Totem™ Cybersecurity Compliance Management tool! Packed with new features and improvements to enhance your user experience, these updates will make overseeing your organization’s cybersecurity compliance even simpler. Release 5.0 of Totem™ includes two brand-new modules: CMMC Roadmap and Incident Response Plan, along with a host of other features and improvements. If you’re interested in checking out Totem™, you can request a demo or free 30-day trial here.
The video below highlights the major improvements to the tool incorporated in release 5.0, but for a detailed description of all the new updates, read on!
1. CMMC Compliance Roadmap
Those familiar with CMMC can attest that compliance is a journey, not a sprint. This is why we developed a new CMMC Roadmap module: to outline strategic “stepping stones” you’ll need to cross en route to your eventual CMMC certification. A well-developed CMMC compliance roadmap can help Department of Defense (DoD) contractors achieve compliance in an effective and timely manner, while not losing sight of the overall objective. This module was inspired by our interactive CMMC Roadmap.
Each step in the CMMC Roadmap is specified by a title along with a description. You’ll have the option to “Modify” the Roadmap objective and, once you’ve finished it, mark it complete. You can also insert any comments you’d like, as well as assign the step to its responsible entity. This could be either a user presently in the tool, or a name you free-type.
Once you click “OK” and return to the main Roadmap page, you will see the responsible entity listed next to the description of the step, the date it was completed (if it was marked as such), an “i” button indicating that a comment was added, and the indicator dot will move on to the next step of the Roadmap:
NOTE: The very first step in the Roadmap, “Build your first-draft SSP”, has an automatic check built-in, whereby it will automatically complete once you have addressed, via the Control Status page, all 320 NIST SP 800-171A Assessment Objectives AND justified their status (whether compliant or not) within the Implementation Details field for all objectives. If you browse to the Roadmap and notice that step is already marked Complete, this is why. Automation FTW!
Your journey through the Roadmap culminates with your eventual CMMC certification:
Of course, once you’ve received your CMMC Level 2 certification, you aren’t “done” with CMMC forever; you’ll move onto the next phase, Continuous Monitoring. Totem may incorporate some Continuous Monitoring objectives into the Roadmap in a future release, once CMMC assessments begin. For now, the Roadmap module will help get you through your first CMMC assessment.
Using this new module, you can easily track your progress towards receiving a CMMC certification, knowing which major objective must be completed next. This module can also be helpful for executives to understand short-, medium-, and long-term priorities for CMMC.
2. Incident Response Plan
In addition to maintaining a System Security Plan (SSP) and Plan of Action and Milestones (POA&M), DFARS clause 252.204-7012 requires DoD contractors to prepare to report cybersecurity incidents. This includes generating an Incident Response Plan (IRP). An effective IRP will include:
- The organization’s incident response team (internal and external)
- Capabilities critical to the organization’s operations (such as shipping or manufacturing), and the recovery metrics associated with those capabilities (MTD, RTO, RPO)
- Records of security incidents or tabletop exercises
Now with Totem™ 5.0, the new Incident Response Plan module will allow you to capture these elements, then export as a customized IRP, if you so choose:
As for identifying members of your incident response team, you can choose from four contact options, including:
- Computer Security Incident Response Team (CSIRT) member
- Primary Internal Incident Response Contact (e.g., the Information Security Officer)
- Contracting Officer Contact
- U.S. Government Program Manager
Upon selecting “Create Contact”, you will see the new contact, along with any previously generated IR contacts:
Before spending a bunch of money on fancy data backup technology, the first step in incident response planning is to identify the most important business capabilities — the processes that are critical to day-to-day operations — and the recovery metrics for these capabilities.
For instance, your contract may require you to ship parts to your customers. “Shipping”, then, would be one of your critical business capabilities. Now you must understand to what degree your business would be affected if shipping were impacted by a cybersecurity incident. This is done by identifying some recovery metrics: Mean Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO). If data backups are involved with this capability, it also includes specifying how long these backups are maintained.
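To show how these recovery metrics fit together, here is an added Python example (not Totem’s code) that records MTD, RTO, RPO and backup settings for a capability and flags combinations that cannot work, such as an RTO longer than the MTD or backups taken less often than the RPO allows. The data model, field names and the minimum-retention policy value are this example’s own assumptions; the sample capabilities are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed data model for one critical business capability; field names are
# this example's own, not the Totem module's.
@dataclass
class Capability:
    name: str
    mtd_hours: float                 # MTD: longest outage the business can tolerate
    rto_hours: float                 # RTO: target time to restore the capability
    rpo_hours: float                 # RPO: largest acceptable window of lost data
    backup_interval_hours: Optional[float] = None  # how often backups are taken
    backup_retention_days: Optional[float] = None  # how long backups are kept

# Constructed policy value: backups should outlive the time it typically takes
# to notice an incident, otherwise clean restore points get rotated away.
MIN_RETENTION_DAYS = 14.0

def check_capability(c: Capability) -> List[str]:
    """Return the inconsistencies between the metrics; an empty list means consistent."""
    findings: List[str] = []
    if c.rto_hours > c.mtd_hours:
        findings.append(f"{c.name}: RTO {c.rto_hours:g}h exceeds MTD {c.mtd_hours:g}h")
    if c.backup_interval_hours is None:
        findings.append(f"{c.name}: RPO {c.rpo_hours:g}h set but no backup interval recorded")
    elif c.backup_interval_hours > c.rpo_hours:
        findings.append(f"{c.name}: backups every {c.backup_interval_hours:g}h cannot meet RPO {c.rpo_hours:g}h")
    if c.backup_retention_days is not None and c.backup_retention_days < MIN_RETENTION_DAYS:
        findings.append(f"{c.name}: retention {c.backup_retention_days:g}d below policy minimum {MIN_RETENTION_DAYS:g}d")
    return findings

def check_all(caps: List[Capability]) -> List[str]:
    """Run check_capability over every capability and flatten the findings."""
    return [f for c in caps for f in check_capability(c)]

# Constructed sample capabilities: the page's "Shipping" example plus one with gaps.
SAMPLE_CAPABILITIES = [
    Capability("Shipping", mtd_hours=72, rto_hours=24, rpo_hours=4,
               backup_interval_hours=1, backup_retention_days=30),
    Capability("Manufacturing", mtd_hours=48, rto_hours=96, rpo_hours=4,
               backup_interval_hours=8, backup_retention_days=7),
]

if __name__ == "__main__":
    for line in check_all(SAMPLE_CAPABILITIES):
        print(line)
```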
The new Incident Response Plan module within Totem™ 5.0 allows you to specify these recovery metrics:
NOTE: if you are uncertain what these metrics mean or how to develop an effective IRP, we recommend you join our next CMMC Workshop, where we’ll teach you how!
NIST 800-171 requires us to “test the organizational incident response capability” (Control 3.6.3). This includes exercising the IRP periodically (such as through tabletop exercises) and capturing records when doing so. With Totem™ 5.0, you can do this right inside the tool! Keep track of the date an exercise was conducted, participants, a description of the scenario, lessons learned and the root cause.
1. Dashboard now shows date of last score update
When a change happens to a control that results in a change to the overall score, such as marking a control noncompliant, the organization status tab will indicate the date that the score was last updated. If you hover over this “Score last updated” button, you will also see the time that it was last updated.
Note: The “Organization Status Last Updated” reflects the latest time a change was made to the “status” of the organization, which includes its NIST 800-171 score as well as its current authorization status, found on the Manage page.
2. All NIST 800-171 controls show their point value
Previously, only controls marked noncompliant showed their associated NIST 800-171 score. Now, all controls do so, though noncompliant controls remain marked with a subtractor:
This will come in handy when prioritizing implementation of higher-value controls over those of lower value.
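To make the dashboard behaviour in items 1 and 2 concrete, here is an added Python model (not Totem’s code) of a NIST 800-171 score whose “last updated” timestamp moves only when a status change actually changes the score, and which lists open controls by point value for prioritizing remediation. The control weights are constructed sample values; the real deductions (1, 3 or 5 points per unimplemented control from a perfect 110) come from the DoD NIST SP 800-171 Assessment Methodology.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample point values, not Totem's table. The DoD NIST SP 800-171
# Assessment Methodology deducts 1, 3 or 5 points per unimplemented control
# from a perfect score of 110; look the real values up there.
SAMPLE_POINTS: Dict[str, int] = {
    "3.1.1": 5,   # limit system access to authorized users
    "3.1.2": 5,   # limit access to permitted transactions and functions
    "3.6.3": 1,   # test the incident response capability
    "3.12.1": 5,  # periodically assess security controls
}
MAX_SCORE = 110

@dataclass
class Scoreboard:
    # control id -> "compliant" or "noncompliant"; unlisted controls count as compliant
    status: Dict[str, str] = field(default_factory=dict)
    score_last_updated: Optional[datetime] = None

    def score(self) -> int:
        deducted = sum(SAMPLE_POINTS[c] for c, s in self.status.items() if s == "noncompliant")
        return MAX_SCORE - deducted

    def set_status(self, control: str, new_status: str, when: datetime) -> int:
        """Record a control's status; the timestamp moves only if the score changed."""
        if control not in SAMPLE_POINTS:
            raise KeyError(f"unknown control {control}")
        if new_status not in ("compliant", "noncompliant"):
            raise ValueError(new_status)
        before = self.score()
        self.status[control] = new_status
        after = self.score()
        if after != before:
            self.score_last_updated = when
        return after

    def noncompliant_by_value(self) -> List[str]:
        """Open controls, highest point value first, for prioritizing remediation."""
        open_ids = [c for c, s in self.status.items() if s == "noncompliant"]
        return sorted(open_ids, key=lambda c: (-SAMPLE_POINTS[c], c))

if __name__ == "__main__":
    board = Scoreboard()
    board.set_status("3.6.3", "noncompliant", datetime(2024, 1, 10, tzinfo=timezone.utc))
    board.set_status("3.1.1", "noncompliant", datetime(2024, 1, 12, tzinfo=timezone.utc))
    print(board.score(), board.score_last_updated, board.noncompliant_by_value())
```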
3. Linking between POA&M and Control Status
When resolving the Corrective Action Plans (CAPs) you build through the POA&M module, you’ll likely find yourself needing to move between POA&M and the Control Status module. Now, when selecting any Organization Actions (OAs) associated with a CAP (see image above), you will return to the Control Status page, with the proper control filtered:
Once you make the required adjustments to your SSP, you can return to the POA&M page either by selecting the POA&M module from the left-hand menu, or by selecting the CAP identifier associated with your NIST 800-171 control of interest:
These linking improvements greatly reduce the number of clicks necessary when moving between these two workflows.
In addition to these new features and enhancements, other improvements in Totem™ 5.0 include:
- An improved Hardware Inventory interface, which now includes additional inventory data columns
- Corrective Action Plans can now be created without any Assessment Objectives (Organization Actions) associated with them
- CUI and Hardware Inventory now exportable
- POA&M Gantt Chart visual improvements
- Email notifications disabled by default; users can enable in My Profile
- Users can now reseed their MFA through My Profile
- Risk Assessment Asset Type description now permits some special characters
- Other security improvements
- Other bug fixes
We have heard your feedback and worked hard to bring these new features to the tool. We hope that you enjoy Totem™ 5.0! To give Totem™ a try, please fill out the form below.
— The Totem Team