No CMMC Hot Takes. Just Take the Time for Some Slow Reads
Inbox overflowing with email invitations to CMMC.20 webinars? Every consultant and software service promising to give you the most up to date info your company can not do without?
You can do without. I offer no hot takes.
Just some slow reads.
If you really want to get prepared start reading. Congress got it wrong. Cybersecurity does take reading. A ton of reading.
We know CMMC 2.0 will not kick in for 9-24 months on government clocks. I have no idea how long that will last in real time or dog years.
Until then read.
Evaluate the System Security Plan (SSP).
Throw out your poorly templated SSP and start over.
Finalize the SSP and write your POAM.
Have set meetings to address POAM. Revist SSP in six months.
Grow the SSP and Shrink the POAM.
If you do not want to do the reading hire an expert. You can try to do cybersecurity without reading. You can also try accounting without math.
So instead of beating you over the head with one more CMMC 2.0 webinar I offer you my top ten hit reading list for 7012 compliance.
Reading and Time. My turnkey easy button solution to CMMC 2.0
- FIPS-199/200 - The basic controls. Only thing gov truly mandates
- SP 800-30 and 39 -learn the risk management process
- SP 800-37 - Do risk management
- SP 800-18 - How to write an SSP
- SP 800-60 & 70 - Mapping data flows and info system
- SP 800-53 - 1200 controls in the catalog. Spend a hot minute here.
- SP -800-171 -Learn the derived controls selected from 53 that combined with the basic controls from FIPS that you must have on nonfederal system (don’t skip Appendices)
- SP 800-115 - How do we test controls 9 SP 800-162 How to speak engineer to humans
- SP 800-137 - continuous monitoring guideline
Bonus reading: SP 800-161 Supply chain risk management
img credit: “A Shot of Ice and Fire” by ElleFlorio flickr.com/photos/el… is licensed under CC BY-SA