Great video, I did have a couple of comments. 1. Commercial cloud WITH CUI - Doesn't this have the same issues as the FCI laptop, since commercial cloud does not offer the same physical security as Gov cloud? I know this one is heavily debated. I can say from experience on the government side, where the risks CAN be accepted, we ALWAYS lost in commercial cloud. It has to be in Gov Cloud. 2. Website with FCI "Publicly accessible". If government information is allowed to be shared publicly, then it is NOT FCI. So how do we have a control to review publicly shared FCI? Either you are sharing FCI publicly and are not in compliance, or the information you are sharing is not FCI because it is allowed to be shared publicly. Right?
@kierilf 1 year ago
Correct, if they have FCI on the public website, that means they have failed a security requirement. Clouds / Commercial clouds / Gov Clouds / FedRAMP / etc. Not something we should get into for scoping. That is again a situation where the contractor might fail requirements, but it doesn't change what asset type it is and whether the asset is in scope. Great thoughts!
@AllenKrell 1 year ago
In a cloud environment where all users are connected to the same CUI-containing cloud (GCC High), could it be argued that the "Laptop FCI" and "Laptop Nothing" are both CUI assets, even if that user didn't necessarily process CUI? My fear is that assessors won't be consistent on the line between CRMA and CUI asset.
@kierilf 1 year ago
If there is no CUI stored, processed, or transmitted by an asset, it is not a CUI asset. The potential to access CUI (but not being approved to do so) is not enough to consider something a CUI asset; the correct category for that would be a Contractor Risk Managed Asset (in general).
@kierilf 1 year ago
I have another video coming out soon that discusses this exact scenario (multiple computers connected to an information system).
@AllenKrell 1 year ago
@kierilf Thanks, looking forward to your videos. I can't wait to use Paint to draw my network diagrams :)
@kierilf 1 year ago
@AllenKrell hah, I go deluxe for network diagrams: PowerPoint 🤣
@davidbrant9749 1 year ago
I wanted to get your thoughts on the below regarding scoping external cloud service providers that do not store, process, or transmit CUI but contribute to the OSC meeting CMMC requirements, for example a cloud SIEM or cloud AV? "Some External Cloud Service Providers with external connections to the OSC may not store, process, or transmit CUI and FCI. If the External Cloud Service Provider does not store, process, or transmit CUI, but contributes to the OSC in meeting CMMC requirements (i.e., providing protection) for the OSC's environment containing CUI and FCI, then the External Cloud Service Provider must only meet NIST SP 800-171 requirements and attain CMMC certification for CUI/FCI (or only meet CMMC Level 1 requirements when only FCI is present and the flow of CUI is restricted from the access through the external connection). The phrases 'provides protection' or 'provides security protection' mean the External Cloud Service Provider contributes to the OSC meeting at least one or more of CMMC practice requirements or other specified CUI security requirements."
@kierilf 1 year ago
Hello David, I think that quote is from the DRAFT CMMC Assessment Process. There are lots of issues with that version of the draft. Most people I've talked to believe that the assessment process will be revised to match whatever the DoD publishes with their revised DFARS 252.204-7021 rule.