When you join the CMMC Essentials class at Southern Connecituct State University you interact with the best experts in Cybersecurity.

Yesterday Vincent Scott, Leigthon Johnson, and Paul Netopski joined us to record the module launch of CMMC Domains, Practices, and Processes.

We have a few MSPs joining us this session. They support both DIB and HIPPA contractors…Been a busy couple days for them….

We spent most of the session dealing with the 999, 998, and 997s of CMMC. The policies (99), procedures (98), and plans required for Cybersecurity Maturity Model Certification (CMMC) compliance.

A blog post by Amira sparked the discussion and we went into topics from:

  • The impossibility and impracticality of step by step procedures
  • Challenges for DIB large and small
  • Role of Reference Architecture
  • Automating procedures through STIGs, SIEM, and Compliance Managers

We also discussed the three types of evidence required in the CMMC assessment process: interview, examine and test. Leighton shared his observation that CMMC requires no testing. You observe someone perform a test or interview them about test they perform but no C3PAO or Certified Assessor will ever test a private system.

No security engineer will ever allow a rando assessor or worse, a registered professional poke around the system.

Finally we closed with the point that if you start your self assessment using the DCMA 171a assessment and get your SPRS score started you will be well ahead of your game.

If you want a preview of the fun we have in our module kick offs (WE WILL NEVER USE A PPT PROMISE) check out this teaser:

Join us for our next class starting Julty 20th https://southernct.edu/cmmc