Domains, Practices, and Processes of CMMC
When you join the CMMC Essentials class at Southern Connecticut State University, you interact with the best experts in cybersecurity.
Yesterday Vincent Scott, Leighton Johnson, and Paul Netopski joined us to record the module launch of CMMC Domains, Practices, and Processes.
We have a few MSPs joining us this session. They support both DIB and HIPAA contractors, and it has been a busy couple of days for them.
We spent most of the session dealing with the 999, 998, and 997 process practices of CMMC: the policies (999), procedures (998), and plans (997) required for Cybersecurity Maturity Model Certification (CMMC) compliance.
A blog post by Amira sparked the discussion, and we covered topics including:
- The impossibility and impracticality of step-by-step procedures
- Challenges for DIB large and small
- Role of Reference Architecture
- Automating procedures through STIGs, SIEM, and Compliance Managers
We also discussed the three assessment methods used to gather evidence throughout the CMMC assessment process: interview, examine, and test. Leighton shared his observation that CMMC requires no testing by the assessor. You observe someone perform a test, or interview them about the test they performed, but no C3PAO or Certified Assessor will ever test a private system themselves.
No security engineer will ever allow a random assessor, or worse, a registered professional, to poke around the system.
Finally, we closed with the point that if you start your self-assessment using the DoD Assessment Methodology for NIST SP 800-171 (the NIST SP 800-171A-based assessment DCMA uses) and get your SPRS score posted, you will be well ahead of the game.
If you want a preview of the fun we have in our module kick-offs (we promise: we will never use a PowerPoint), check out this teaser:
Join us for our next class starting July 20th: https://southernct.edu/cmmc