• Good discussion on the difference between the words specified, identified, and defined.

  • Then goes into software permission using a deny list and an allow list. They use the bridge approach with a permit by exception.
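The deny-list versus permit-by-exception distinction from that item, as an added Python example that is not from the talk or these notes: it evaluates the same constructed execution requests under both policies (the two options NIST SP 800-171 3.4.8 names) and under a transitional mode that is my assumed reading of the "bridge approach". Every name, digest and request in it is constructed.

```python
"""Two software-permission policies NIST SP 800-171 3.4.8 accepts, applied to
the same execution requests: deny-by-exception (deny list) and
deny-all/permit-by-exception (allow list), plus a transitional bridge mode.
All names, digests and requests below are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Software:
    name: str
    sha256: str  # constructed placeholder digest, not a real file hash

# Constructed policy data: known-bad names, and approved (name, digest) pairs.
DENY_LIST = {"remote-admin-tool.exe"}
ALLOW_LIST = {("word.exe", "digest-word-approved")}

def deny_by_exception(sw: Software) -> bool:
    """Deny list: anything runs unless it is explicitly named as bad."""
    return sw.name not in DENY_LIST

def permit_by_exception(sw: Software) -> bool:
    """Allow list: nothing runs unless name AND digest match an approved entry,
    so a tampered binary is blocked even though its name is approved."""
    return (sw.name, sw.sha256) in ALLOW_LIST

def bridge_mode(sw: Software, enforce_allow_list: bool = False) -> tuple[bool, str]:
    """Transitional policy (assumed reading of the notes' 'bridge approach'):
    the deny list is always enforced, while the allow list runs in audit mode
    until enforce_allow_list is switched on. Returns (allowed, finding)."""
    if not deny_by_exception(sw):
        return False, "blocked by deny list"
    if not permit_by_exception(sw):
        if enforce_allow_list:
            return False, "blocked: not an approved exception"
        return True, "audit: would be blocked once the allow list is enforced"
    return True, "approved exception"

def compare(requests: list[Software]) -> dict[Software, tuple[bool, bool]]:
    """(deny-list verdict, allow-list verdict) per request; the rows where the
    two differ are the software a deny list silently lets through."""
    return {sw: (deny_by_exception(sw), permit_by_exception(sw)) for sw in requests}

# Constructed requests: an approved binary, a tampered copy of it, a known-bad
# tool, and an unknown updater nobody has reviewed.
REQUESTS = [
    Software("word.exe", "digest-word-approved"),
    Software("word.exe", "digest-word-tampered"),
    Software("remote-admin-tool.exe", "digest-rat"),
    Software("unknown-updater.exe", "digest-unknown"),
]
```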

  • Auditing and MFA were the hardest part for Kratos to implement.

  • Opens with: CMMC 2.0 lowered your documentation requirements. It did not. They are 100% the same.

  • We can't put out examples. If NIST did, every implementation would look like this.

  • Victoria shares that security requirements are written at a high level. There should be no shortage of ways to implement the controls. We can't test all the implementations.

  • @DoctorMac Shares a timeline of NIST updates for 171 rev 3. We could be in a race to see who gets done first: rulemaking or rev 3.

  • Leopold reminds us to apply our due diligence on our assets.

  • He hasn't really gotten into the comparisons of different controls and philosophies of boundary versus access control.

    Keeps saying ZTA and 171 are aligned.

    It is not.

  • Suggests starting at the most secure data. That makes no sense...don't go mucking about in your TS enclaves with no security engineering first.

  • @DoctorMac Looking at authorizing at the asset level. Zero trust is a maturity model moving from preparing, protecting, baseline, intermediate, and advanced.

  • A person asks what we do with the subs who do not have a relationship with the government.

    Stacy again brings up disaggregation. So glad to hear the conversation.

    Closes with: zero trust is coming (for our boundary-based security requirements).

  • Matt Titcombe asks about the scoping guide and CRMAs, which aren't supposed to have CUI but could, and are in scope out of 109 of 110 controls if you manage the risk of these assets.

  • @DoctorMac Stacy says we could look at the False Claims Act for the self-attestation. Yet I believe rulemaking has to finish. There is no requirement for an SSP and POAM for FAR.

  • Stacy confirms that if you do an early assessment and 171 rev 3 comes out, you can live under 171 rev 2 for three years.

  • About time someone talked about disaggregation...using the bolts example...too bad they get the entire tactical guide.

    Uses the welder story...the welder needs the whole package because of overlapping practices.

    The tabletop showed a prime can be a two but I am a three.

  • We are currently looking at using C3PAOs for DIBCAC-High assessments. We will start with everyone doing the self-assessment and affirmation. Our intent is they get three years.

  • All level 1 can be POAMed. You can waive FIPS as part of a POAM if you have 3 out of 5 points. You get 180 days to close the POAM. If the POAM is still open 180 days after the contract starts, a KO can penalize.

    The waiver is for companies that do something so unique no other company is doing it or thinking about CMMC. The awardee will have 180 days to start CMMC.

    (FYI I can't get a server in 180 days.)

  • Stacy talks about the annual affirmation for Level One. Says it is just 15 things. It is really 59 requirements.

    Then discusses prioritized and non-prioritized CUI for Level 2.

    Every company that does a level three has a level two from a third party.

  • @DoctorMac Stacy begins with an overview of the rulemaking change and how we returned to 171 because everyone is already familiar with it and should be doing it anyway.

  • We have a full house. "We are continuing the mission. For my team it is Groundhog Day." "We are going into the rule making. Really only can say check the FRN."

  • @danielpunkass Compliance as code: they should be scanning the stack for vulnerabilities...I don't want to take a developer's word for it.

  • "step two: identify all your contracts that could contain CUI"

  • You need to have a unique identifier for any device on your network.

  • Amira: "It begins with asset inventory and you need to be 100% correct."
