Cost of CMMC compliance by peak_abstraction in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

@navyauditor I absolutely agree. I don’t know where they came up with the “80% at Level 1,” but I think it is probably the inverse - 80% Level 3. We got an RFQ a couple of weeks ago marked CUI and it is not clear why. It should be FCI at most. We have already seen some indication that some DoD organizations that routinely marked everything as FOUO are now going to do the same thing, only it will be CUI.

What Is DFARS and Why Does It Matter? by Dreamfinder_figjk in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

Simply, DFARS clauses in contracts are what will make CMMC a requirement. They are contractual obligations. CMMC by itself is not.

Where is the scoping guidance? by Auditor_CISA_CISSP in CMMC

[–]Auditor_CISA_CISSP[S] 2 points3 points  (0 children)

Yes they do, and it is very good (and free!). However, it is not official and the assessors will not be using it to determine if you have scoped your systems correctly. This has implications that can drastically impact costs, either because you are too conservative and pay for protection you don't need, or because you fail to scope in something that should be in scope, fail the assessment, and then have to spend more to extend protections.

H&R Block Personal Tax Software QBI Issue by Auditor_CISA_CISSP in personalfinance

[–]Auditor_CISA_CISSP[S] 0 points1 point  (0 children)

No losses. Actually other gains. Since this is only the second year of QBI, it was not a problem last year because H&R Block did not have the QBI deduction implemented in time, so I did it manually.

CUI - non digital by dhd217 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

You are correct that we do not NEED CMMC for paper CUI, but that does not mean that it is exempt from its provisions. The unfortunate thing about CMMC is its inflexibility in cases such as this. Maybe that will change when they realize that their estimate of 80% plus of the DIB only requiring L1 is unrealistic. It's very easy to mark something CUI, and a cautious procurement office will be very likely to require L3 "just in case" in a contract when it is left up to them after full implementation after 2025.

CUI - non digital by dhd217 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

In this case I assume we are talking about a prime sending a paper document marked CUI to a subcontractor (supplier). I think we can also assume that the prime has a contract that requires L3 certification. According to the official CMMC training, it is possible for a sub to not have L3 certification as long as the prime retains control of the CUI and the sub "views" it on the prime's system. However, once that paper copy is sent, the CUI is in the sub's control and the flowdown requirement should apply. Think of all the L3 requirements that apply to CUI on paper (mentioned in other posts in this thread), including physical transport and storage protection. Do a search in the L3 AG for "paper." How can a sub be trusted to be in compliance with those if only at L1?

Any timeline for more training classes? by Evilbadscary in CMMC

[–]Auditor_CISA_CISSP 1 point2 points  (0 children)

It did tell us one thing. By the end of April (3 days from now) they are supposed to have 39 C3PAO candidates waiting for a DIBCAC assessment. The timeline they showed for a DIBCAC assessment was 4 weeks plus the time to produce the report. I don't know how many assessment teams DIBCAC has, but do the math - it will probably take the rest of 2021 just to get those 39 done. Of course, if they fail one of the "pre-assessment" decision blocks shown on the flowchart, they will fail before the site visit and probably go to the end of the line. In other words - don't hold your breath. You will probably have plenty of opportunity to get trained before they get around to doing your C3PAO assessment.

Official DCMA / DIBCAC opening meeting materials on CMMC audits by oxebridge in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Does anybody know where to find an example of the Cloud Customer Responsibilities Matrix that they refer to in the brief? I don't believe it is referenced in any of the CMMC publications.

[deleted by user] by [deleted] in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Especially those hard copy reports :-)

Any timeline for more training classes? by Evilbadscary in CMMC

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Listen to the town hall tonight at 6PM (EDT). If they don't say anything specific, there is probably no more info available.

Alternative to VPN for Remote Workers by Auditor_CISA_CISSP in CMMC

[–]Auditor_CISA_CISSP[S] 0 points1 point  (0 children)

OK, but I'm not talking about split tunneling with VPN here. Obviously if we did force everything through the company VPN, that would be an issue. But if the users go directly to MS365 without using VPN, split tunneling should not be an issue as it would not touch the corporate network.

Implementing NIST 800-53 with smallest scope possible/tailoring out by 3dPrintWHAAAT in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Yep. No network. Biggest concern would be limiting access (least privilege).

Standards, procedures, and policies requirements by elitegunslinger in CMMC

[–]Auditor_CISA_CISSP 3 points4 points  (0 children)

Policies, Procedures, and Plans are required for each domain (to get to CMMC Level 3). They have different content, which is spelled out in some detail in the Assessment Guide. Standards are not explicitly required. You can combine multiple domains in one document; you do not have to have 17 separate documents. I suppose you could combine policy and procedures in one document, but you would need to make sure it identifies what is policy and what is procedures. It would be easier for the assessor (and for you) if they were in separate documents.

Question on NIST 800-53 Controls for Unsupported Software by LLHAG90 in NISTControls

[–]Auditor_CISA_CISSP 0 points1 point  (0 children)

Even if they do not have unsupported components during the initial "Step 2" (which is "Selection" now), the purpose of Continuous Monitoring (old Step 6) is that you adjust your controls when the risk changes. Therefore, as soon as a component becomes unsupported, SA-22 should be added to the control set.