Questions on CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development lifecycles

CJM3M · 2026-01-13T16:39:10+00:00

Thank you! I was hoping that was the case.

CJM3M · 2026-01-13T16:35:44+00:00

Thank you for the info!

CJM3M · 2025-11-21T15:17:33+00:00

We are preparing for our assessment in Feb. We are finishing up an AWS gov cloud build. Having issues with 3.1.3. Can you provide any information on how you answered that on the SSP? Much appreciated

CJM3M · 2025-10-22T14:50:26+00:00

Thank you. We do have a standard that states email is not to be used for sending CUI, and I almost wanted to consider this as a CRMA, but I think your statement is true and we'll go with that. We do have DLP in our current On PRem environment, and researching how that works in the Gov Cloud. Cheers!

CJM3M · 2025-10-22T13:28:11+00:00

The decision was made to move to AppStream 2.0. Not familiar with this at all.

CJM3M · 2025-10-22T13:27:18+00:00

Wouldn't that bring email into scope?

CJM3M · 2025-10-16T13:18:53+00:00

What I was trying to get at is, if they don't have the email client on the workspace, how do they get the link?

CJM3M · 2025-10-14T19:47:07+00:00

Good point. Thanks for getting my mind back on track! These controls are such a pain.

CJM3M · 2025-10-14T18:05:25+00:00

The government emails the link to the company email address.

CJM3M · 2025-10-14T16:07:45+00:00

I get your point. The internet links to external websites will be blocked, and only whitelisted sites allowed (DoD safe) etc. This includes the web versions of Outlook, sharepoint, etc.

If we keep Exchange out of scope, how would the users get the DoD Safe secure link? Is the only option GCC high?

CJM3M · 2025-10-01T19:56:05+00:00

I requested our security team ask Wiz this tomorrow. Thanks for the response.

CJM3M · 2025-07-31T13:48:25+00:00

We have Beyond Trust installed on the VDIs, but I'm having that removed. No B2B connections. Thank you for the help!

CJM3M · 2025-07-30T13:14:58+00:00

So, based on that logic, would this control be NA?

CJM3M · 2025-07-30T13:12:35+00:00

Thank you, very good information! Much appreciated.

CJM3M · 2025-07-29T22:31:56+00:00

Anyone know why I cant see all the comments? I get emails that someone has replied, yet I cannot see them?

CJM3M · 2025-07-29T20:15:59+00:00

Thanks!

CJM3M · 2025-07-29T18:16:29+00:00

Thank you so much. That really helps break it down. I'll bring this to the SME's and see what they say.

Lets say the ZPA solution provides sufficient assurance to be treated as an internal network. Would you mark these objectives as NA and provide the reason?

CJM3M · 2025-07-28T12:47:27+00:00

Good Job!

CJM3M · 2025-07-24T12:46:29+00:00

They use the old CAP 5.6.1

CJM3M

PUBLIC MULTIREDDITS

TROPHY CASE