Hi there Gerald, apologies for not replying sooner, and I hope this is still relevant.
A little bit of background first of all - I have managed BA Teams ranging from 25 people to smaller teams of 4 or 5. I’ve worked on many a Digital project as well as ‘ground up’ new core systems for companies.
Now first of all, I should mention that I am from the United Kingdom, so your first part about “…was planning on using SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)” I know nothing about.
However, if my understanding is correct, we do have a similar protocol here in the UK, and I would imagine other countries do as well.
My initial thought on reading your question was to use Active Directory as an approach – so I read that bit with interest. It’s important to remember that a HR based alignment of roles is basically another version of Active Directory (indeed in some companies it is one and the same).
For those reading this who don’t know what Active Directory is – in its simplest of forms think of it as a train signal box. The signalman (or woman) will let a train go on path/route 1 if that train has permission. Active Directory works in the same way in that for any given system it groups people together who have permission to perform task ‘a’.
For example, I have a CRM system which allows me to create new Customers on the system. Active Directory will have a list of people (called Users) within the Company who have permission to do that. Anyone not in that Directory will not be able to do so.
To answer your question more directly, Gerald, I would say that you can create teams which differ from the HR prescribed teams, but I would make sure that if you do so, any other system (e.g. a HR based system) would still be able to perform as required. There is a bit of impact analysis to carry out. There are other formats of teams other than Standard User + Standard Manager – especially in larger teams. There may be, for example, a ‘Team Lead’ middle manager type role. There may be Junior roles (junior to the Standard role).
One or two things to consider:
- Is there a specific reason why you want a different team structure to that used in HR? If there is no good reason, then I would ask what the benefit is. You will be just creating work for yourself.
- If you create Active Directories for your system, what about other systems – do they need to accommodate your new roles as well? How will that happen, and will it have a knock-on effect? Will it go against any known policies within the company?
- Lastly, but probably the most important of all – someone will need to manage the Active Directory. Who will that be? Are they aware of what you are doing? (They must be a stakeholder, so that they have a say in what you are expecting them to manage).
So in short, yes you can use Active Directory to set up different team structures, but be wary of doing so as it may have an unexpected knock-on effect. HR should be a stakeholder, as well as whoever is due to manage your Active Directory account. You’ll need their buy-in otherwise you may come up against quite a bit of opposition (at least that was my experience).