What is data governance, why does it matter, and how does it play into CMMC?

Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems, based on internal data standards and policies that also control data usage. Effective data governance ensures data is consistent, trustworthy, and not misused. Before we explore its role in CMMC, let’s cover the basics.

What is the point of data governance?

Data governance is a set of principles and practices that ensure high quality through the complete lifecycle of your data. According to the Data Governance Institute (DGI), it is a practical and actionable framework to help a variety of data stakeholders across any organization identify and meet their information needs.

How important is data governance for your company?

Data governance is a set of processes ensuring important data assets are formally managed throughout the enterprise. It also ensures that trusted information is used for critical business processes, decision making, and accounting.

What are some core principles of data governance?

There are certain core principles which drive a successful data governance implementation:

Recognizing data as an asset – In any organization, data is the most important asset.

Data classification – The process of organizing data into categories so that it is easy to retrieve, sort, and store for future use. A well-planned data classification system makes essential data easy to find and retrieve. This is of particular importance for risk management, legal discovery, and compliance.

Data ownership and accountability – In a successful data governance process, ownership and accountability of data must be clearly defined.

Data retention – Data retention is an important step in helping protect an organization’s data and avoid financial, civil, and criminal penalties that increasingly accompany poor data management practices.

What are the business drivers for data governance?

Regulatory compliance – This affects all organizations. At a minimum, every organization needs to comply with its own country’s financial regulations. Then there are region-specific data privacy regulations, some stricter than others; noncompliance with those can also end up costing the organization large sums of money, as well as bad publicity. This tends to score high on the list of data governance drivers because of the high risks and costs associated with noncompliance.

Data-driven decision making – This is an umbrella for a few drivers, so sometimes you might see it stated simply as “implementing a Business Intelligence (BI) program.” Other times you hear about “starting data analytics” or “big data adoption,” or even improving overall efficiency and customer satisfaction. You should consider all of these under one driver because they all fall under the idea of knowing the best decisions to make based on your company’s data.

The quality of your data – It all boils down to data quality (which is why many organizations point to this as the main driver). Even those who want to start a BI program, ensure regulatory compliance, become more efficient, increase customer satisfaction, and so on, need to ensure the data is clean and accurate, as well as in agreement with the data quality dimensions that matter to the business. If you don’t have good data quality, you won’t accurately know which customer unsubscribed from your newsletters, and you will keep sending to them. You might overcharge someone, send inaccurate financials to the IRS, mislabel ingredients on a product, incorrectly categorize medical lab tests, or draw inaccurate conclusions from revenue projections. The quality of your data can make or break everything, and for that you need good data governance.

What is the importance of Data Governance within the CMMC framework?

The concept of Data Governance is a focal point in the CMMC world. Identifying information as FCI (Federal Contract Information), CUI (Controlled Unclassified Information), or CTI (Controlled Technical Information) is crucial to knowing how to handle the information at hand and being able to classify and label it accordingly.

Knowing how to classify your data is key to managing Access Control (AC); as an example, AC.2.16, a level 2 practice, talks explicitly about controlling the flow of CUI in accordance with approved authorizations. Classification is likewise key to knowing who in your organization is authorized to access CUI, so that their access can be managed accordingly.

Example 1: When it comes to Data Classification, companies should know in advance whether a Team or SharePoint site will contain CUI data when it is provisioned. The Community Service Team should be open to all personnel, and data about the unit’s volunteer opportunities can be shared widely. However, the unit’s readiness report is probably sensitive information. As such, it needs to be labeled “CUI” and live in a Team site that is clearly marked as such. In other words, the Community Service Team can be labeled “public” while the Readiness Team should be labeled “Readiness – Restricted – CUI.”

Example 2: When it comes to Lifecycle Management, a good Data Governance policy includes a Lifecycle Management plan. Periodic reviews or certain events (for example, the end of a contract) should initiate an archiving process that may even include the deletion of the workspace. This eliminates sprawl and can reduce clutter, which in turn also reduces the attack surface of the environment.
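To make the two examples concrete, here is an added Python model (it is not code from the article or from Edwards) of the rules just described: a label decided at provisioning time (Example 1), access and sharing checks that honor the CUI marking in the spirit of AC.2.16, and a periodic review that turns a contract end or an overdue review into an archiving action (Example 2). The Community Service and Readiness workspaces follow the article; "Project Falcon", the user names, the dates, and the one-year review interval are constructed sample values, and the rule set is deliberately a simplification of a real governance policy.

```python
# Added example (not from the article): a minimal model of the classification
# rule in Example 1, the lifecycle rule in Example 2, and the CUI flow-control
# point behind AC.2.16. All workspace names, users and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PUBLIC_LABEL = "public"
CUI_MARK = "CUI"
REVIEW_DATE = date(2024, 6, 1)   # constructed date of the periodic review


@dataclass
class Workspace:
    """A Team or SharePoint site plus the governance metadata fixed at provisioning."""
    name: str
    label: str
    authorized: set = field(default_factory=set)   # approved authorizations for CUI access
    contract_end: Optional[date] = None
    last_review: Optional[date] = None


def is_cui(ws: Workspace) -> bool:
    return CUI_MARK in ws.label


def classify_workspace(name, contains_cui, authorized=(), contract_end=None, last_review=None):
    """Example 1: decide the label when the site is provisioned, not afterwards.

    A CUI site carries the CUI marking in its label and needs an explicit
    authorization list; a public site gets the "public" label and no list.
    """
    if contains_cui:
        if not authorized:
            raise ValueError(f"{name}: a CUI workspace needs an approved authorization list")
        return Workspace(name, f"{name} – Restricted – {CUI_MARK}",
                         set(authorized), contract_end, last_review)
    return Workspace(name, PUBLIC_LABEL, set(), contract_end, last_review)


def may_access(ws: Workspace, user: str) -> bool:
    """Public sites are open to all personnel; CUI sites only to approved users."""
    return (not is_cui(ws)) or user in ws.authorized


def may_share(src: Workspace, dst: Workspace) -> bool:
    """Flow control (AC.2.16): CUI may not flow from a CUI-labelled site into a public one."""
    return not (is_cui(src) and not is_cui(dst))


def lifecycle_action(ws: Workspace, today: date, review_interval_days: int = 365) -> str:
    """Example 2: a contract end initiates archiving; an overdue review initiates a review."""
    if ws.contract_end is not None and ws.contract_end <= today:
        return "archive"
    if ws.last_review is None or (today - ws.last_review).days > review_interval_days:
        return "review"
    return "keep"


def sample_inventory():
    """Constructed workspaces mirroring the article's Community Service and Readiness teams."""
    return [
        classify_workspace("Community Service", contains_cui=False, last_review=date(2024, 3, 1)),
        classify_workspace("Readiness", contains_cui=True, authorized={"alice", "bob"},
                           contract_end=date(2025, 1, 1), last_review=date(2023, 1, 15)),
        # hypothetical project whose contract has already ended
        classify_workspace("Project Falcon", contains_cui=True, authorized={"alice"},
                           contract_end=date(2024, 3, 31), last_review=date(2024, 2, 1)),
    ]


def run_lifecycle_review(workspaces, today: date) -> dict:
    """Map each workspace name to the action the periodic review should trigger."""
    return {ws.name: lifecycle_action(ws, today) for ws in workspaces}


if __name__ == "__main__":
    inventory = sample_inventory()
    for ws in inventory:
        print(f"{ws.label:32} carol may access: {may_access(ws, 'carol')!s:5} "
              f"action: {lifecycle_action(ws, REVIEW_DATE)}")
    print(run_lifecycle_review(inventory, REVIEW_DATE))
```

Two design points carry over to a real policy: the CUI marking is part of the label so that every downstream check (access, sharing, review) keys off one piece of metadata, and a CUI workspace cannot be created without its authorization list, which is what makes the later AC.2.16-style checks meaningful.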

Data is a critical asset for every business, and it is a powerful asset when well governed. Remember, ad-hoc approaches to handling your business data are likely to come back to haunt you. Data governance has to become systematic as big data multiplies in type and volume and people seek to answer more complex business questions. That means setting up standards and processes for acquiring and handling data, as well as procedures to make sure those processes are being followed. That said, achieving enterprise-wide Data Governance is not a trivial task. It makes sense to break that initiative down into more manageable steps.

Some things you should consider:

  • Identifying current and desired data governance levels
  • Focusing on strategic quick wins to build support
  • Building toward the facets of a sound data governance framework/program

Most organizations have neither the people nor the expertise to tackle such an important program. Involving a third party is often critical for success: one with the expertise to help you map out a Data Governance framework specific to your business and industry, and that lets you decide how mature you would like that program to be over time.



Want More?

Check out our YouTube video where Senior Cybersecurity Consultant and Instructor Joy Beland sits down with CISO Dana Pickett for an episode of CMMC Explained to discuss the importance of Data Governance as it relates to CMMC and which policies it involves.



Dana Pickett formerly served as Edwards Principal of Cybersecurity and CISO. He is experienced in managing programs with a focus on both business and technical risk management for cybersecurity, audit, and privacy/compliance with diverse requirements. As a member of various task forces for industry and state government cybersecurity, risk management, and compliance initiatives, Dana has proven effective in communicating with executive management, senior executive boards and councils, and Audit Committees to achieve sponsorship and governance.