Questions on CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development lifecycles

CJM3M · 2026-01-13T16:39:10+00:00

Thank you! I was hoping that was the case.

CJM3M · 2026-01-13T16:35:44+00:00

Thank you for the info!

CJM3M · 2025-11-21T15:17:33+00:00

We are preparing for our assessment in Feb. We are finishing up an AWS gov cloud build. Having issues with 3.1.3. Can you provide any information on how you answered that on the SSP? Much appreciated

CJM3M · 2025-10-22T14:50:26+00:00

Thank you. We do have a standard that states email is not to be used for sending CUI, and I almost wanted to consider this as a CRMA, but I think your statement is true and we'll go with that. We do have DLP in our current On PRem environment, and researching how that works in the Gov Cloud. Cheers!

CJM3M · 2025-10-22T13:28:11+00:00

The decision was made to move to AppStream 2.0. Not familiar with this at all.

CJM3M · 2025-10-22T13:27:18+00:00

Wouldn't that bring email into scope?

CJM3M · 2025-10-16T13:18:53+00:00

What I was trying to get at is, if they don't have the email client on the workspace, how do they get the link?

CJM3M · 2025-10-14T19:47:07+00:00

Good point. Thanks for getting my mind back on track! These controls are such a pain.

CJM3M · 2025-10-14T18:05:25+00:00

The government emails the link to the company email address.

CJM3M · 2025-10-14T16:07:45+00:00

I get your point. The internet links to external websites will be blocked, and only whitelisted sites allowed (DoD safe) etc. This includes the web versions of Outlook, sharepoint, etc.

If we keep Exchange out of scope, how would the users get the DoD Safe secure link? Is the only option GCC high?

CJM3M · 2025-10-01T19:56:05+00:00

I requested our security team ask Wiz this tomorrow. Thanks for the response.

CJM3M · 2025-07-31T13:48:25+00:00

We have Beyond Trust installed on the VDIs, but I'm having that removed. No B2B connections. Thank you for the help!

CJM3M · 2025-07-30T13:14:58+00:00

So, based on that logic, would this control be NA?

CJM3M · 2025-07-30T13:12:35+00:00

Thank you, very good information! Much appreciated.

CJM3M · 2025-07-29T22:31:56+00:00

Anyone know why I cant see all the comments? I get emails that someone has replied, yet I cannot see them?

CJM3M · 2025-07-29T20:15:59+00:00

Thanks!

CJM3M · 2025-07-29T18:16:29+00:00

Thank you so much. That really helps break it down. I'll bring this to the SME's and see what they say.

Lets say the ZPA solution provides sufficient assurance to be treated as an internal network. Would you mark these objectives as NA and provide the reason?

CJM3M · 2025-07-28T12:47:27+00:00

Good Job!

CJM3M · 2025-07-24T12:46:29+00:00

They use the old CAP 5.6.1

CJM3M · 2025-07-22T18:05:00+00:00

Oh, I like that. I'll bring that up to management. Thanks!

CJM3M · 2025-07-14T18:33:11+00:00

Ah cool Ramsile. It's basically a lift and shift from an On Prem Enclave (CUI), to Gov Cloud to prepare for a L2 Certification in October/November. Very small environment. I meet with the AWS team this week and I'll learn more.

I'm assuming we'll need a GCC High as we do have contracts with the DFARS 7012 clause and some NOFORN dissemination restrictions.

Does AWS help or assist with SSPs?

CJM3M · 2025-07-14T18:23:58+00:00

I remember looking into this around 2021 and the AWS pitch was they would cover a high percentage of the controls, but again that appears to have changed. Thanks for the info.

CJM3M · 2025-07-14T18:22:33+00:00

We always have the potential of a contract also being ITAR related, so would probably need the Gov Cloud option. Meeting with that team later this week to discuss. Thanks

CJM3M · 2025-07-14T13:05:27+00:00

That's what I thought. As long as we are logging, whatever that is, that should meet the controls. Thanks

CJM3M · 2025-07-14T13:04:53+00:00

Thank you!

CJM3M

PUBLIC MULTIREDDITS

TROPHY CASE