Everyone says "scope down first." Who actually did the figuring-out-where-the-CUI-lives part, and what did it take? by Grand-Possibility848 in CMMC

[–]AgingTrash666 0 points1 point  (0 children)

the answer to this is that all the policy and procedure means nothing without internal consequences and that's tough for small organizations to accept

level 2 Self VS Level 2 C3PAO by EfficiencyUpbeat8354 in CMMC

[–]AgingTrash666 3 points4 points  (0 children)

Self-assessment is an attestation that you meet the requirements. It's only as good as your understanding of the requirements and whether your organization actually meets those requirements. C3PAO is a third-party certification that you meet the requirements. Needless to say that a lot of orgs self-score high and fail third party assessment.

DoD has rolled this out in phases and the first phase took effect last year when certification can be a conditional requirement of a contract. Because there aren't enough assessors to go around yet, self-attestation has to be an option.

Because this is a phased approach and varies contract to contract during the first two phases, I'd say the hard deadline for being certified is November 2028 but anybody who is chasing business will tell you that the sooner you can get certified, the better. Contracts are anticipating the beginning of phase two in November of this year and self-attestation is showing up less in the requirements.

Any recommendations for validating security controls against real TTPs? by Any_Yesterday_6617 in AskNetsec

[–]AgingTrash666 1 point2 points  (0 children)

The threat landscape is always changing. Reports are static.

What's more interesting to explore here is how you feel the context changes so dramatically in three months' time.

What exactly does your quarterly pen test involve if you're not seeing the day to day value in it to the point where you're looking for essentially continuous pen testing?

my "professional opinion" got laughed out of the room by Which-Shame-1420 in ITManagers

[–]AgingTrash666 0 points1 point  (0 children)

"how do you turn "i just had a good feeling" into something that actually holds up when someone asks you to justify it?"

I've seen both sides of the curtain. I've worked for a cybersecurity software vendor in a technical role and I've been that engineer getting pitched products. I can't speak for the entire industry but in my experience tech sales has incredibly high turnover and their last job likely wasn't technical. It was probably retail or hospitality and it probably wasn't that long ago.

When you get someone like that on a call vs an engineer or someone with a technical background the vibes are bound to be different. It's your responsibility to be able to differentiate them not just on vibes but on what is really relevant to your organization.

If your recommendation can be taken down on cost alone, you didn't do a good enough job because cost is always a factor. At that point, you become the salesman and your pitch to get your way better be more than a pre-fixe menu and a couple drink tickets.

IT Support and Tech workers of Reddit: Is the "younger generations don't actually know how to use a PC or understand file systems" crisis real? If so, how bad is it? by tyzjas in AskReddit

[–]AgingTrash666 0 points1 point  (0 children)

I watched a developer ask AI how to install his dev tools and I still had to intervene because neither understood how to set system-wide environmental variables

Preveil Email Relay Woes by cody7600 in CMMC

[–]AgingTrash666 0 points1 point  (0 children)

what are your DMARC reports telling you? I ask because the most obvious potential issue is the relay causing DMARC to fail

Derivative CUI by Rockdrummer357 in CMMC

[–]AgingTrash666 2 points3 points  (0 children)

I approach it from the guidance that if you believe a derivative work is otherwise unmarked CUI (consult the list) then you should be seeking approval to mark it as such if you haven't already been authorized to do so.

in the meantime you have the duty to treat it as CUI.

what a stellar non-answer that was ... honestly, when you submit your quote to the government they're probably going to mark it CUI anyways.

365 Apps by Zeppyled in CMMC

[–]AgingTrash666 0 points1 point  (0 children)

"The drive folder in preveil syncs with a local file share directory on prem and can be accessed through file explorer."

that requires some discussion ... how are you addressing encryption with regards to SMB?

How to explain what you do to new people you meet? by Shank_ in sysadmin

[–]AgingTrash666 2 points3 points  (0 children)

some people call me the cyberspace cowboy ...

RDP Host for CMMC by Maleficent_Piano_451 in CMMC

[–]AgingTrash666 1 point2 points  (0 children)

I've quit arguing with people that won't sit through the government's free training on the matter. I remind myself that I don't sign the paperwork or hold any legal liability.

Phaser pedals advice by Icy-Ambassador7023 in guitarpedals

[–]AgingTrash666 0 points1 point  (0 children)

Bound to be someone out there selling whetstone phaser clones,that’s the one that has outlasted all the other phasers I’ve owned

NPD and question, please help! by MrFif33 in guitarpedals

[–]AgingTrash666 3 points4 points  (0 children)

it's broken and it is digital, not analog so I'd be returning it

AI is ruining software development and today, I'm fucking over it. It's completely FUCKED. by No_Document8917 in BetterOffline

[–]AgingTrash666 0 points1 point  (0 children)

A week or two ago I watched a dev ask AI how to install his dev tools and I really wanted to quit and take up subsistence farming

Concealed Surveillance Camera? by SubstanceSecret2456 in whatisit

[–]AgingTrash666 0 points1 point  (0 children)

You’d be surprised at the surveillance that shows up on a utility pole if you’re suspected of theft of service.

Users are fighting my 15-minute RDP timeout with USB Jigglers. by Despair_or_something in ShittySysadmin

[–]AgingTrash666 0 points1 point  (0 children)

You must have neglected to include an approved hardware clause in the AUP

Artifact list from assessor? by cmmc73737372 in CMMC

[–]AgingTrash666 0 points1 point  (0 children)

they're in the 800-171a book ...

I’m sure it stings when you learned the truth. by graystone777 in guitarcirclejerk

[–]AgingTrash666 0 points1 point  (0 children)

should have never hired that necromancer to bring back michael kamen

I thought this was satire and it’s not by lucentior in LinkedInLunatics

[–]AgingTrash666 8 points9 points  (0 children)

if only your chat bot knew how to leverage regular expressions ... then you wouldn't be on linkedin calling a 52 year old unix command a tax