Inbox overflowing with email invitations to CMMC 2.0 webinars? Every consultant and software service promising to give you the most up-to-date info your company cannot do without?

You can do without. I offer no hot takes.

Just some slow reads.

If you really want to get prepared, start reading. Congress got it wrong. Cybersecurity does take reading. A ton of reading.

We know CMMC 2.0 will not kick in for 9-24 months on government clocks. I have no idea how long that will last in real time or dog years.

Until then read.

Evaluate the System Security Plan (SSP).

Read more.

Throw out your poorly templated SSP and start over.

Read more.

Finalize the SSP and write your POAM (Plan of Action and Milestones).

Read more.

Have set meetings to address the POAM. Revisit the SSP in six months.

Read more.

Grow the SSP and Shrink the POAM.

If you do not want to do the reading, hire an expert. You can try to do cybersecurity without reading. You can also try accounting without math.

So instead of beating you over the head with one more CMMC 2.0 webinar, I offer you my top ten hit reading list for 7012 compliance.

Reading and Time. My turnkey easy button solution to CMMC 2.0

  1. FIPS-199/200 - The basic controls. Only thing gov truly mandates
  2. SP 800-30 and 39 - Learn the risk management process
  3. SP 800-37 - Do risk management
  4. SP 800-18 - How to write an SSP
  5. SP 800-60 & 70 - Mapping data flows and info systems
  6. SP 800-53 - 1200 controls in the catalog. Spend a hot minute here.
  7. SP 800-171 - Learn the derived controls selected from 800-53 that, combined with the basic controls from FIPS, you must have on nonfederal systems (don't skip the Appendices)
  8. SP 800-115 - How do we test controls
  9. SP 800-162 - How to speak engineer to humans
  10. SP 800-137 - Continuous monitoring guideline

Bonus reading: SP 800-161 Supply chain risk management

img credit: “A Shot of Ice and Fire” by ElleFlorio… is licensed under CC BY-SA