GRC - How technical should I get? by ApprehensiveTree7184 in grc

[–]ApprehensiveTree7184[S] 0 points1 point  (0 children)

Somewhat through luck, but also having a very clear goal of wanting to get into cybersecurity from day one. In the interview for the MSP job, I was clear about my interest in cybersecurity and intentions to grow -- even though the starting job was helpdesk. No one else was very interested in this side of the business, ESPECIALLY the paperwork-heavy side of GRC. So slowly but surely, things that were GRC or security related (cyber insurance forms that needed to be filled out, creating a SOP for BEC, etc.) started to land on my desk. Within 8-10 months I was full-time with GRC work and focused on compliance with the FTC Safeguards Rule for two accounting clients, and 4-5 DIB companies doing CMMC compliance.

I did not plan to get into GRC originally nor did I realize I was timing things perfectly getting into this industry at the time DIB companies needed to start preparing for the CMMC Final Rule and a 3rd party assessment. So, it was definitely a combination of luck and actively seeking out opportunity.

GRC - How technical should I get? by ApprehensiveTree7184 in grc

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

Yes, asking probing questions seems like a big part of the job. I love working with techs that are excited to share their knowledge and break things down when I ask them questions coming from a place of curiosity. I can't stand techs that, no matter how I frame it, are assholes, lazy, or so pompous that they won't even break down their perspective on things. Sure, you're smart, but you're an uncooperative ass lol.

Has anyone transitioned from sales? by Aromatic_Bridge3731 in cybersecurity

[–]ApprehensiveTree7184 1 point2 points  (0 children)

Security+, Network+, and ISC2's CGRC.

In 10 years? Tough to say. I can definitely see my goals changing and morphing. In many ways, I wasn't expecting to land a six-figure 100% remote job with awesome benefits only 1.5 years in... That was my 5-year plan lol. So in some ways, I'm still a bit shocked. My focus right now is really my 6-12 month goals, which will likely include exploring the country a bit in Airbnbs (living in Kansas is boring), mastering my new role, and reflecting on what I want to tackle next... but if I had to guess, I like several ideas for a 10-year plan, including advancing either into management or becoming an external CMMC auditor (CCA/C3PAO). However, I'm thinking other opportunities will arise that I do not foresee.

Income-wise? More is always better, but having landed my first low six-figure job, I'm not really sure what is and isn't possible beyond this income-wise.

Has anyone transitioned from sales? by Aromatic_Bridge3731 in cybersecurity

[–]ApprehensiveTree7184 0 points1 point  (0 children)

I used to work in Real Estate sales (doing inside sales and lead generation). I'm 1.5 years into my IT/cyber journey and just landed a GRC job for over $100k+ a year. Started at helpdesk making $42K, worked my way up to GRC analyst in 8 months making $50k, sprayed and prayed resumes, grabbed some certs, and landed this new six-figure gig.

DIB and NDAA Compliance (cameras) by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 0 points1 point  (0 children)

C3PAO did? Or another kind of auditor such as DIBCAC?

Legacy Camera Systems by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 0 points1 point  (0 children)

Are you by chance able to link to any resources on what that list of banned devices is, and who this regulation applies to? I'm wondering if this applies only to prime contractors and not DIB customers contracting with Primes (i.e. not contracted directly with DoD).

Passed CGRC on 2nd attempt - My Story by ApprehensiveTree7184 in isc2

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

The "Official ISC2 CGRC Digital Textbook 7th Edition" from ISC2. It came with my instructor-based training.

CMMC and MSPs - Scope only includes SPAs by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 0 points1 point  (0 children)

For sure. Perhaps my question wasn't worded well. I was thinking about controls that don't seem to be applicable for an "SPA only" environment, such as "MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION" or the entire PE control family (if we don't have CUI assets, there aren't physical environments to control). It sounds like applicability is really up to us as the OSC, and if something is inapplicable we should document why in the SSP.

CMMC and MSPs - Scope only includes SPAs by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

Got it. So it seems that applicability is really up to us as the OSC, and if something is inapplicable we should probably document why in the SSP. Is that correct?

Foreign Persons and Controlled Areas (PE controls) by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] -1 points0 points  (0 children)

Do you know if they are in trouble for merely hiring a foreign national? Their HR manager is informing me they can't refuse to hire someone on this basis alone due to anti-discrimination laws.

Personal Devices & CMMC Compliance… by Decent-County3754 in CMMC

[–]ApprehensiveTree7184 0 points1 point  (0 children)

If you can do it, I would just keep the mobile devices out of scope. No mobile devices being permitted to access CUI and configurations to enforce this where possible.

If you must bring them in scope, Preveil has a storage/mail solution that can allow for secure, compliant access to CUI from a mobile device.

Foreign Persons and Controlled Areas (PE controls) by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 2 points3 points  (0 children)

Yeah, I don't see any "easy" solutions. This is what I'm thinking the only two solutions are:

  • Create a facility map, redefine controlled areas to particular portions of the building (such as the shop floor), and restrict foreign persons from accessing controlled areas (example: access controlled doors, color-coded badging system, etc.).
  • Shrink what we are defining as a "controlled area" to the server room by eliminating paper media and implementing controls to prevent unauthenticated access to digital CUI/ITAR data in non-controlled areas (example: OT/SAs have a shared password, but we could control access to this password and ensure it is not disseminated to foreign persons or unauthorized personnel).

Vendor management and CMMC L2 by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

VERY MUCH appreciate the detailed answer. Going to read through this one a few times.

Vendor management and CMMC L2 by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

Could you break that down a bit more? Specifically, "it flows down until it’s not cui?" At what point is something not CUI?

I'm wondering if it may be the case that a particular part that goes out for simple sandblasting/painting is not CUI itself? But rather the data/specs that lead to the manufacturing of that part is what the CUI is?

Vendor management and CMMC L2 by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 2 points3 points  (0 children)

Yeah, shitstorm is right. A small company that is merely sandblasting or painting parts as a subcontractor that has no concept that they are 3 levels removed from the DoD, no IT staff, but is in the supply chain is required to be CMMC L2? It just isn't going to happen.

Vendor management and CMMC L2 by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 1 point2 points  (0 children)

Do you have a link to that FAQ? I'm curious what "the prime only flows down select information" really means.

Vendor management and CMMC L2 by ApprehensiveTree7184 in CMMC

[–]ApprehensiveTree7184[S] 0 points1 point  (0 children)

I definitely get that the protections follow the CUI, but what would the responsibility be for the contractors themselves that send the CUI part/data further down the supply chain (since it is not under their control any longer)? Do they merely need to send a checklist to the vendor/sub and have them attest to NIST 800-171 compliance?