What is a CMMC Readiness Assessment (9:36)
DFARS Interim Rule Explained (8:10) - 4 years ago
CMMC Video #3: RPO vs C3PAO (6:55) - 4 years ago
NIST 800-171 Overview (14:51) - 4 years ago
Introduction to CMMC (8:14) - 4 years ago
Demystifying NIST 800-53 (10:25) - 4 years ago
Comments
@TsukiCTF 12 days ago
Great overview of the structure.
@michaelj5325 23 days ago
Finally, a decent Venn diagram! Close enough to CMMC 2.0 to still be relevant...
@TechWithRandy 26 days ago
Thank you!!
@claudiamanta1943 10 months ago
I am writing this in 2024 and automation is the fashionable alleged IT panacea. In my opinion, it's the automated systems you must monitor even more than the non-automated ones. All it takes is for someone to mess with the automated 'trusted' systems and processes, including the automated alerts that are supposed to flag bad things.
@claudiamanta1943 10 months ago
You can audit a private contractor on 1 billion criteria; civilians are civilians. All it takes is one employee getting resentful with his/her civilian boss... or him/her getting radicalised because he/she has fallen madly in love with a gorgeous undercover agent.
@claudiamanta1943 10 months ago
Do you check what cloud services your contractors use? How does international legislation work with cloud services, as the servers in the datacenters where data is stored and processed might be in different states or even in different countries? I obviously don't want to pry into your business; I am just trying to learn how law and governance work in the cloud business given its infrastructure, so any direction from anyone to general principles of (international) law would be greatly appreciated. I live in the UK, which has Data Protection Law and GDPR, but it's not in Europe and neither is it in the USA. One big cloud provider has a region in South America paired with a region in the USA (if I remember correctly what I tried to learn). I find it fascinating (I know I am weird 😄). Thanks.
@claudiamanta1943 10 months ago
When you do an audit, do you walk the floor, i.e. physically work in various departments to observe any Post-it notes with passwords affixed to displays, or staff not locking their screens whilst they 'quickly' go to pick up something from the printer?
@claudiamanta1943 10 months ago
0:01 😃 🎵 You use Microsoft (?)
@claudiamanta1943 10 months ago
10:27 What if the organisation has a PaaS cloud service and the organisation has decentralised management and data management structures?
@claudiamanta1943 10 months ago
Thanks for sharing. I have no clue what you're talking about, but I understand it's about securing an IT system. I am trying to learn about IT stuff, so please bear with me. Why do you use 'privilege' only when you mean special privileges (above the regular user's)? Should not all accounts have their privilege settings to ring-fence and control the potential damage that can be inflicted even by a user with a minimum level of access? Also, what about the newly employed (inexperienced and maybe on their probation period) who might make an unintentional but very costly mistake? Should they not have read-only access to the live system (and maybe full access to a safely contained sandbox) whilst they learn the system?
@arunv.gnanachchenthan2157 1 year ago
You missed some of the families and their control count when reading out the families.
@borna430 1 year ago
Great information. Can the same type of diagram be used to represent the CMMC 2.0 requirements?
@GlamLamWow 1 year ago
Thank you for the video. I got two points: 1. You were referring to Level 1 & 3, while level 3 is not published yet. Did you mean Level 2 instead? 2. Shouldn't the Readiness Assessment @ 3:50 be done after the POAM, and before the implementation? I thought the goal of it was to assess whether we had everything in place to implement the missing requirements.
@GlamLamWow 1 year ago
Great video. Can you please update the information with regards to CMMC 2.0?
@CFH298 2 years ago
Part 3???
@maxmetrix4256 2 years ago
The website is not working.
@libardomm.trasimaco 2 years ago
Thanks!
@rval4833 2 years ago
awesome!
@SikaSOHO 2 years ago
Thanks for the video. Do you have video instructions on how to actually fill this out?
@diegocurt3553 2 years ago
Need to do more! These are good and needed!
@chrisadams27 2 years ago
It's 3:30am and I can't sleep, so I came to watch this video!
@TheMrfuturisticbaby 2 years ago
Really great video. Where can I find that PDF doc?
@joshuaboyd7695 2 years ago
Did you ever publish part 3?
@chrish6659 2 years ago
Thank you for taking the time to share this, your work is appreciated!
@CellarRoot 2 years ago
I came here for maybe some additional context on why NIST used to have the minimum failures defined but now they don't. I found it eventually in NIST 800-63B, and it's kinda completely different from the previous version of 800-63B. "No more than 100 failed attempts" and then, separately, they have a usability section with "Minimum of 10 failed attempts allowed" as a usability concern. :/ I had read some summaries of the earlier versions and they seem to have just said the minimum was 10 and the maximum was 100. I'm trying to be a change maker and this stuff is SPAGHETTI!
@josegregoriodiazvasquez1871 2 years ago
Very good information. Where can I download that template, or an updated one?
@gadgetdoc 2 years ago
This was very helpful. You have a super super cool channel. I'm looking through all of your videos and I know I'm going to be going through quite a few of them in the near future.
@nickibolz7735 2 years ago
Where do you actually download or access the NIST assessment? I can't find that anywhere. In order to get a score to enter, I need to take the assessment, assuredly.
@auditorsense4243 2 years ago
Hello Nicki, you can find the NIST SP 800-171 DoD Assessment Methodology and the scoring methodology (Annex A) at the following link: securedbycss.com/wp-content/uploads/2021/02/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf
@nickibolz7735 2 years ago
@@auditorsense4243 Thank you so much!
@kevinmalloy2180 2 years ago
The FAR was established in '74, not '47.
@auditorsense4243 2 years ago
Whoops! Thanks for the correction!
@tabathahill6408 2 years ago
Is this video free to use or share? Great job and thanks in advance!
@auditorsense4243 2 years ago
Free to use and share! We just ask that you do not remove the credits/give credit.
@BerniesBastelBude 2 years ago
Although the structure changed somewhat in Rev. 5, this video helped a lot to understand the concept. Thx!
@henrysaldana1 3 years ago
The website is not working.
@MayaMaya-tl6kl 3 years ago
Despite my expectations as it's written in the title, I couldn't find any information on NIST 800-53 and had to listen to what I knew.
@paularneson1936 3 years ago
Fantastic Info! Thanks for making this!
@patriciathomas1618 3 years ago
Dude, why are you whispering?
@angelavila8341 3 years ago
What if you perform a self-assessment and attain a negative score? Should that score be submitted? Should you try to address most issues and redo the test? Should you use the negative score and generate a POA&M? On average, what do companies score?
@18dnu 3 years ago
Would you recommend any training on change management for NIST standards pertaining more specifically to Technical Writing or Documentation?
@jasonmcgee3757 3 years ago
SSP (System Security Plan)?? Where does this come from? We have worked with DOD for 30 years and never heard of this. Are they expecting us to create it from scratch? We do porta-potties...
@jasonmcgee3757 3 years ago
Is this for all DOD contractors?
@brendank8892 3 years ago
Entering your NIST SP 800-171 assessment details into the SPRS applies to DoD contractors that handle CUI and more specifically, have the contract clause DFARS 252.204-7019 "Notice of NIST SP 800-171 DoD Assessment Requirement" in their contract. 252.204-7019 is a newer contract clause that was added back in November of 2020 as an interim rule. We have a video explaining this further that can be found here: kzbin.info/www/bejne/oJeogZWHntaUoqc&t= Additionally, you can find more information about contract clause DFARS 252.204-7019 here: www.acquisition.gov/dfars/252.204-7019-notice-nist-sp-800-171-dod-assessment-requirements.
@electricmauinui3871 3 years ago
I'm bidding for a federal contract for the first time and I'm trying to register an account on the PIEE page. However, I am stuck on the "Location Code/CAGE" line of the roles section. Do I need pre-existing paperwork to register?
@eto895 3 years ago
How do we determine which risk level applies: Low, Medium or High?
@PabloSilva-ph6mk 3 years ago
The level determination must be given by the information system owners... I believe this example shows how to evaluate the criteria: the risk for a supermarket information system isn't as high as the risk for a bank information system. That said, a bank information system has to be classified as High level and the supermarket as Moderate/Low.
@eto895 3 years ago
@@PabloSilva-ph6mk Thanks
@lotususa2565 3 years ago
Thanks for sharing the information.
@JustinCarlson8 3 years ago
Do you need to upload a POAM and SSP, or just post the score into SPRS?
@brendank8892 3 years ago
Sorry for the late response, but you do not upload the actual POAM or SSP to the SPRS. You will just upload information about these items into the SPRS. The SPRS currently does not allow any documents or attachments to be uploaded.
@Nsorkwame 3 years ago
Great summary! Thanks, sir.
@Nsorkwame 3 years ago
Very helpful. Thanks!
@chadnash5181 3 years ago
This is a really great video. Thanks, man, I like all your stuff. Any chance you can share that template or let me know where it came from? I like the layout and the look of it.
@auditorsense4243 3 years ago
Hi Chad, thank you. The template specifically is from ComplyUp. Here is the link! www.complyup.com/cmmc-ssp-template/
@lindawisniewski3059 4 years ago
Do you need the score of 110 to be compliant as a basic user for the DOD?
@brendank8892 4 years ago
You do not need a score of 110 for the NIST 800-171 self-assessment to be compliant with DFARS 252.204-7012/7019. However, if the NIST 800-171 security requirements (controls) are not completely implemented, you must develop a Plan of Action & Milestones (POA&Ms). For every security control that is not implemented, you must document the security control in the POA&M, and describe when and how the unimplemented security control will be met. For more information on this, I recommend you check out the NIST SP 800-171 DoD Assessment Methodology, which can be found here: www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf Now keep in mind, POA&Ms are only acceptable for DFARS 252.204-7012/7019. When the Cybersecurity Maturity Model Certification (CMMC) is rolled out over the next few years, you cannot obtain a CMMC certification if your organization has unimplemented security requirements. For CMMC, you must have all required security practices and processes implemented at the time of the CMMC assessment. Outstanding security practices or processes will result in an organization failing the CMMC assessment.
@uche2564 4 years ago
Do you know how long the RMF has been in use by private organizations? I understand it was initially for federal use only, but it's now being used in the private sector. I ask because I just passed my ISC CAP exam, got my certification, and I'm looking for jobs, and I see a lot of clearance-required jobs linked to the RMF, but not many non-cleared jobs in the private sector.
@auditorsense4243 3 years ago
Hello, sorry for the late reply. NIST RMF was developed back in 2014 with input from thousands of private sector organizations/individuals. That being said, there is not any guidance or dates surrounding private sector adoption as it is up to each individual organization. I am comfortable saying that adoption has increased vastly over the past few years among the private sector.
@erikblue6275 4 years ago
Can you explain, with an example if possible, how controls are more "outcome based" and how that differs from before?
@auditorsense4243 4 years ago
The controls have been rewritten using strong action verbs to clearly define the goal of each control. The overall structure of each control is more outcome focused rather than impact focused. A good example is SC-10. In Rev 4, the control reads: "The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time-period] of inactivity." In Rev 5, the control reads: "Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity." The control is a lot more clear and concise on the end goal of the control implementation.