Another CMMC Acronym - ODP
What the Heck is an Organizationally Defined Parameter in CMMC? ...Fill-in-the-Blanks for Cybersecurity
Have you ever filled out one of those "Mad Libs" games where you insert your own words into a story? Imagine doing that, but instead of creating a silly story, you're customizing cybersecurity requirements for your business. Welcome to the world of "organizationally defined parameters" in CMMC.
What Are Organizationally Defined Parameters? (In Plain English)
If you're doing business with the Department of Defense, you've probably heard about CMMC (Cybersecurity Maturity Model Certification). It's basically a set of security rules to make sure sensitive government information stays protected.
Here's the thing: the government knows that not every business is the same. A five-person distributor handling military contracts doesn't operate like a 5,000-person manufacturing company. That's where organizationally defined parameters (let's call them ODPs) come in.
An ODP is simply a part of a security requirement where YOU get to decide the specifics. With the current CMMC requirement of adhering to NIST 800-171 R2, it's the government's way of saying, "We need you to do this security task, but you can decide some of the details based on your business needs."
Real-Life Examples Anyone Can Understand
Let's break this down with examples we all encounter in daily life:
Example 1: Password Management. The requirement says: "Maintain a list of commonly used, expected, or compromised passwords, and update the list [Assignment: organization-defined frequency] (03.05.07.a) and when organizational passwords are suspected to have been compromised."
- A small business with limited sensitive data might define: "Every 90 days"
- A large defense contractor might define: "Every month"
It's like how some of your online accounts may allow your name in your password, while others never do. Different needs, different rules! Although we'd never recommend your name in your password. That's a terrible idea.
Example 2: Inactivity Logout. The requirement says: "Require that users log out of the system after: 1. [Assignment: organization-defined time period] (03.01.01.h.01) of expected inactivity"
- Your definition may be 5 hours
- or you may define it as at most 24 hours.
Think of it like your phone's screen timeout. You might set it to lock quickly if you're often in public places, or longer if you're usually at home.
With organizationally defined parameters:
- You can make security work for YOUR business: No need for one-size-fits-all solutions that might be overkill (or underkill) for your situation.
- Save money: You can choose options that meet security needs without unnecessary expenses.
- Practicality matters: You can consider what's actually feasible for your team and technology.
- Common sense can prevail: You're the expert on your business operations, and that knowledge gets respected.
How to Approach These Fill-in-the-Blanks
Even if you're not a tech expert, you can make smart choices about your parameters:
- Think about risk: Where could things go wrong in your business? High-risk areas need stricter parameters.
- Consider your resources: Be realistic about what your team can handle and maintain.
- Look at similar businesses: What are others in your industry doing? (Industry associations can be helpful here!)
- Document your reasoning: Simple explanations like "We chose 4-hour timeouts because our computers are in secured areas with no public access" are perfect.
- Ask for help when needed: IT consultants who specialize in CMMC can provide guidance without taking over.
When Parameters Go Wrong: The "What Were They Thinking?" Files
If not done right, parameter choices can make about as much sense as bringing a spoon to a knife fight. Let's be reasonable:
- A company should never define its backup frequency as "whenever we remember" (about as effective as saying you'll exercise "when you feel like it")
- Don't define your sensitive document review period as "27 years" (by which time the information would qualify for retirement benefits)
- Don't set your access control parameters to "Everyone uses the same login" (think of it like giving everyone in your neighborhood a copy of your house key)
What's New with NIST 800-171 Revision 3 and What It Means for You
The Defense Department just released new guidance on these parameters (https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf), and it can be good news if you weren't sure how much is "enough". On the other hand, it may now be harder to fulfill the requirements, depending on your business's technology and risk tolerance.
From the Memorandum:
"A key aspect of reference (a) is the inclusion of organization-defined parameters (ODPs), which allow organizations to tailor select security controls to specific security requirements, as determined by unique organizational risk management strategies. In preparation to implement reference (a) as the minimum requirement for contractors, the Department of Defense (DoD) has defined as policy the attached values for the ODPs identified in the reference (a) source document."
Here's the good news about what this means in everyday terms:
- Clearer expectations: The DoD is now giving more specific guidance on how to fill in these blanks. It's like getting examples for a form you've been struggling to complete.
- More consistency: The new document helps ensure different companies make similar choices in similar situations. This levels the playing field when bidding on contracts.
- Less guesswork: Previously, many businesses were uncertain if their parameter choices would be acceptable to assessors. The new guidance reduces that uncertainty.
- Better preparation for CMMC: If you're working toward CMMC certification, having clearer guidance on these parameters means fewer surprises during assessment.
The bad:
Less flexibility.
Bottom Line: This Is Your Chance to Make Security Work for You
Organizationally defined parameters aren't just bureaucratic fine print; they're your opportunity to customize security requirements to fit your business reality.
The new DoD guidance helps clarify how to approach these decisions. The key is finding that sweet spot where security is strong enough to protect sensitive information but practical enough that your team actually follows the rules.
Think of it like setting the rules in your own household. You know best whether "shoes off at the door" makes sense for your home, and you know best what security parameters make sense for your business.