QMSCAPA software
ABCI Marketing
/@abcimarketing6909
Published: May 5, 2021
Insights
This video provides an in-depth exploration of the QMSCAPA software's Risk Assessment and Management module, specifically demonstrating its application for Cybersecurity Maturity Model Certification (CMMC) using NIST SP 800-171 controls. The presenter guides viewers through the module's interface and functionalities, emphasizing a structured approach to identifying, assessing, mitigating, and tracking risks. The core purpose is to show how an integrated Quality Management System (QMS) can be leveraged for comprehensive risk management, ensuring compliance and operational resilience.
The demonstration begins with an overview of how risk assessments are stored and accessed within QMSCAPA, recommending users print out assessments for a complete data overview. The tour then delves into various tabs of the risk assessment form, starting with basic information like title, subtitle, and the standard being applied (NIST 800-171 in this case), which are standardized via lookup tables. A critical aspect highlighted is the "risk assessment set ID," which defines the boundaries of the assessment. The video then progresses to the identification of threats and vulnerabilities, categorized as "aspects of risk," which in this context are the NIST 800-171 security families and additional CMMC requirements.
A significant portion of the demonstration focuses on the detailed assessment of individual security families, such as "Access Control." The software employs a Failure Mode Effects Analysis (FMEA) type of risk assessment, allowing for a general description of the risk, a treatment or mitigation plan, and the ability to link to controlled documents within QMSCAPA for integrated documentation. The module supports both pre-mitigation and post-mitigation impact statements, assessing risks based on availability, confidentiality, financial integrity, and total impact. Concurrently, a Risk Priority Number (RPN) is calculated, providing a quantitative measure of risk. The presenter illustrates how responses (e.g., treat or accept) and their current status are recorded, influencing the overall risk score. The video concludes by showing how the software tracks the running score for the cybersecurity maturity model, reflecting the implementation status of controls and the effectiveness of treatments.
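To make the FMEA mechanics described above concrete, the following is an added example, not QMSCAPA's own code or data model: a small risk register in Python keyed by NIST SP 800-171 control, with a pre-mitigation rating, an optional post-mitigation rating, a treat/accept response, an implementation flag, an audit-evidence field and links to controlled documents. The control identifiers and titles are the real NIST SP 800-171 Rev. 2 requirements; the ratings, evidence strings and document names are constructed for the example, and the two "running score" formulas (percentage reduction in total RPN, and share of treated controls actually implemented) are assumptions about what such a score could be, since the video does not state how QMSCAPA computes its score.

```python
"""Added example: an FMEA-style risk register of the kind the QMSCAPA demo describes.
Sample data is constructed; the scoring formulas are assumptions, not the product's."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Response(Enum):
    TREAT = "treat"
    ACCEPT = "accept"


@dataclass(frozen=True)
class Rating:
    """One FMEA rating on the conventional 1-10 scales; RPN = S x O x D (1..1000)."""
    severity: int
    occurrence: int
    detection: int

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            v = getattr(self, name)
            if not 1 <= v <= 10:
                raise ValueError(f"{name} must be in 1..10, got {v}")

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


@dataclass
class RiskItem:
    control_id: str                 # NIST SP 800-171 requirement number
    family: str                     # the "aspect of risk": an 800-171 family
    description: str
    pre: Rating                     # pre-mitigation rating
    response: Response              # treat or accept
    post: Optional[Rating] = None   # post-mitigation rating, required when treated
    implemented: bool = False       # implementation status of the treatment
    evidence: str = ""              # what would be shown to an auditor
    linked_documents: List[str] = field(default_factory=list)

    def effective_rpn(self) -> int:
        """Credit for a treatment is only taken once it is implemented;
        an accepted risk keeps its pre-mitigation RPN."""
        if self.response is Response.TREAT and self.implemented and self.post is not None:
            return self.post.rpn()
        return self.pre.rpn()


def validate(item: RiskItem) -> List[str]:
    """Consistency checks a reviewer would want before trusting the score."""
    problems: List[str] = []
    if item.response is Response.TREAT:
        if item.post is None:
            problems.append("treated risk has no post-mitigation rating")
        elif item.post.rpn() > item.pre.rpn():
            problems.append("treatment raises the RPN")
        if item.implemented and not item.evidence:
            problems.append("implemented control cites no audit evidence")
    elif item.implemented:
        problems.append("accepted risk marked implemented")
    return problems


def family_summary(register: List[RiskItem]) -> Dict[str, Dict[str, int]]:
    """Pre- vs effective RPN and implementation counts per security family."""
    out: Dict[str, Dict[str, int]] = {}
    for it in register:
        s = out.setdefault(it.family, {"pre_rpn": 0, "effective_rpn": 0, "treated": 0, "implemented": 0})
        s["pre_rpn"] += it.pre.rpn()
        s["effective_rpn"] += it.effective_rpn()
        if it.response is Response.TREAT:
            s["treated"] += 1
            s["implemented"] += int(it.implemented)
    return out


def risk_reduction(register: List[RiskItem]) -> float:
    """Assumed running score: fraction of total pre-mitigation RPN removed so far."""
    pre = sum(it.pre.rpn() for it in register)
    eff = sum(it.effective_rpn() for it in register)
    return 0.0 if pre == 0 else (pre - eff) / pre


def implementation_progress(register: List[RiskItem]) -> float:
    """Assumed second score: share of treated controls whose treatment is implemented."""
    treated = [it for it in register if it.response is Response.TREAT]
    return 0.0 if not treated else sum(it.implemented for it in treated) / len(treated)


def prioritized(register: List[RiskItem]) -> List[str]:
    """Control IDs ordered by the risk still carried today, highest first."""
    return [it.control_id for it in sorted(register, key=lambda it: it.effective_rpn(), reverse=True)]


# Constructed sample register (ratings, evidence and document names are made up).
REGISTER = [
    RiskItem("3.1.1", "Access Control", "Limit system access to authorized users, processes and devices",
             Rating(8, 6, 5), Response.TREAT, post=Rating(8, 2, 3), implemented=True,
             evidence="Internal audit: quarterly AD group membership review records",
             linked_documents=["SOP-AC-01 Account Provisioning"]),
    RiskItem("3.1.2", "Access Control", "Limit system access to permitted transactions and functions",
             Rating(7, 5, 4), Response.TREAT, post=Rating(7, 2, 2), implemented=False),
    RiskItem("3.1.3", "Access Control", "Control the flow of CUI in accordance with approved authorizations",
             Rating(9, 4, 6), Response.TREAT, post=Rating(9, 2, 2), implemented=True,
             evidence="External audit: DLP policy export and firewall rule review",
             linked_documents=["POL-CUI-02 CUI Handling"]),
    RiskItem("3.3.1", "Audit and Accountability", "Create and retain system audit logs and records",
             Rating(6, 5, 7), Response.ACCEPT),
    RiskItem("3.3.2", "Audit and Accountability", "Ensure actions of individual users can be uniquely traced",
             Rating(5, 4, 5), Response.TREAT, post=Rating(5, 2, 2), implemented=True,
             evidence="Internal audit: sample of SIEM events tied to named accounts"),
]

if __name__ == "__main__":
    for it in REGISTER:
        print(it.control_id, it.pre.rpn(), "->", it.effective_rpn(), validate(it))
    print(family_summary(REGISTER))
    print(f"risk reduction {risk_reduction(REGISTER):.1%}, implemented {implementation_progress(REGISTER):.0%}")
    print("work next on:", prioritized(REGISTER))
```

The point of `effective_rpn` and `validate` is the caveat a practitioner would add to any such scoreboard: a treatment only lowers the running score once it is implemented and backed by evidence, an accepted risk stays at its full pre-mitigation RPN, and a post-mitigation rating that is higher than the pre-mitigation one is flagged rather than silently averaged in.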
Key Takeaways:
- Structured Risk Assessment Framework: QMSCAPA provides a highly structured framework for risk assessment, organizing information across multiple tabs for clarity and comprehensive data capture, including title, purpose, threats/vulnerabilities, FMEA details, impact, and specific controls.
- FMEA-Based Methodology: The software utilizes a Failure Mode Effects Analysis (FMEA) approach for risk assessment, enabling users to systematically identify potential failure modes, their effects, and implement corresponding mitigation strategies.
- Integrated Mitigation Planning: Users can store detailed treatment plans and mitigation strategies directly within QMSCAPA, with the added capability to link these plans to relevant controlled documents, ensuring all compliance-related information is centralized and interconnected.
- Dual Risk Scoring Mechanisms: The module offers two complementary methods for risk evaluation: impact statements (assessing availability, confidentiality, financial integrity, and total impact) and a quantitative Risk Priority Number (RPN), allowing for a holistic view of risk.
- Pre- and Post-Mitigation Tracking: The system effectively tracks both pre-mitigation and post-mitigation risk levels for both impact statements and RPNs, providing clear visibility into the effectiveness of implemented controls and treatments.
- Granular Control Management: Each security control (e.g., from NIST 800-171) has specific fields for recording control methods, user-definable audit evidence (e.g., internal/external audit), and CMM level values, facilitating detailed compliance tracking.
- Standardization via Lookup Tables: QMSCAPA heavily relies on lookup tables for standardizing various data points, including standards (NIST 800-171, AS9100D, ISO 9001), controls, and response types (treat, accept), which enhances data consistency and reporting.
- Real-time Compliance Scoring: The software maintains a running score for the cybersecurity maturity model (CMM), dynamically updating based on the implementation status of controls, applied treatments, and calculated RPNs, offering real-time insight into compliance posture.
- Audit Trail and Evidence Management: The system is designed to support audit processes by allowing users to record what evidence would be presented to an auditor to prove control method verification and usage, streamlining audit preparation.
- Adaptability to Various Standards: While demonstrated with NIST 800-171, the underlying QMSCAPA framework is adaptable to other management systems and regulatory standards, such as AS9100D and ISO 9001, indicating its versatility for different compliance needs.
- Centralized Documentation: The ability to group all risk-related data, mitigation plans, and links to controlled documents within a single tool promotes a centralized and organized approach to quality and compliance management.
Tools/Resources Mentioned:
- QMSCAPA software: The primary software demonstrated for risk assessment and management.
- Microsoft Word: Mentioned for its spell-check functionality integrated within the text editor fields.
Key Concepts:
- QMSCAPA: A Quality Management System (QMS) software platform.
- NIST 800-171: NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," the U.S. National Institute of Standards and Technology publication that sets out the security requirements for protecting CUI in nonfederal systems; its requirements are grouped into security families such as Access Control and Audit and Accountability.
- CMMC (Cybersecurity Maturity Model Certification): A U.S. Department of Defense certification framework for implementing and verifying cybersecurity across the defense industrial base, which incorporates the NIST 800-171 requirements.
- FMEA (Failure Mode Effects Analysis): A systematic, proactive method for evaluating a process, product, or service to identify where and how it might fail and to assess the potential impact of different failures.
- Risk Priority Number (RPN): A quantitative measure used in FMEA to prioritize risks, typically calculated as Severity x Occurrence x Detection, with each factor rated on a 1-10 scale so that the RPN ranges from 1 to 1000. A treatment usually lowers the RPN by reducing occurrence or improving detection rather than by changing severity, so comparing the pre- and post-mitigation RPN shows what the treatment actually bought.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Examples/Case Studies:
- The entire demonstration serves as an example of using QMSCAPA for NIST 800-171 cybersecurity maturity model certification.
- Specific security families from NIST 800-171 (e.g., "Access Control") are used to illustrate how threats and vulnerabilities are categorized and assessed.
- The "control of CUI in accordance with approved authorizations" is highlighted as a specific control within the Access Control family, demonstrating how detailed information for each control is recorded.