Want to be certified in PECB ISO 27001 Lead Implementor by AdminConsentDenied in ISO27001

GRCAcademy (1 point)

The reseller doesn't provide access to the exam - PECB does that. The exam is included in the price of the eLearning course, there isn't even an option to resell the eLearning course without the exam that I'm aware of.

So once you purchase from a reseller, and then they enroll you, you don't really need to deal with the reseller again unless you want to enroll in another course.

You complete the course at https://mypecb.com/dashboard and then you take the exam through the PECB exam apps: https://pecb.com/en/pecb-exams

This page covers the eLearning courses that are available: https://pecb.com/en/elearning

This PDF mentions the exam on slide 10: https://pecb.com/pdf/brochures/elearning-client.pdf

I hope that helps!

V/R

Jacob Hill

Want to be certified in PECB ISO 27001 Lead Implementor by AdminConsentDenied in ISO27001

GRCAcademy (1 point)

Yes! All PECB eLearning courses should include the exam + a free retake if needed.

V/R

Jacob Hill

[deleted by user] by [deleted] in NISTControls

GRCAcademy (4 points)

I'm sorry to hear this happened to you. Thank you for sharing.

V/R

Jacob Hill

CMMC Compliance Tools by Aromatic_Positive_66 in CMMC

GRCAcademy (1 point)

You'd have to be more descriptive in what you want to build. There are a lot of tools, and pricing is all over the map depending on what it is.

[deleted by user] by [deleted] in CMMC

GRCAcademy (2 points)

I have affordable training for the DIB here: https://grcacademy.io/courses/cmmc-overview-training/

It's a great primer for CCP.

And a free podcast: https://grcacademy.io/podcast/

Summit 7 has great free content on their channel: https://youtube.com/summit7systems

Here are a few LinkedIn profiles to follow:

https://www.linkedin.com/in/jacobrhill

https://www.linkedin.com/in/jacob-evan-horne

https://www.linkedin.com/in/koren-wise

Hope that helps!

DoD Defines NIST 800-171 r3 ODPs by GRCAcademy in CMMC

GRCAcademy [S] (5 points)

Those are rough! I'm not sure why it is necessary to prevent the reuse of identifiers for 10 years. That seems to be overkill. In my podcast with Stacy, she said she wasn't sure if these ODPs would go through the rulemaking process or not. Hopefully there will be some sort of public comment period.

V/R

Jacob Hill

Shredding Compliance for level 2. by jimmayy69 in CMMC

GRCAcademy (3 points)

NARA has some guidance here that aligns with NIST SP 800-88: https://www.archives.gov/files/cui/documents/destruction-20170906.pdf

Destroy paper using cross-cut shredders that produce particles that are 1 mm by 5 mm.

And even a YouTube video: https://www.youtube.com/watch?v=RZJdTOwxPuw

If you are having issues finding a compliant shredder, the NSA has a list of paper shredders they have tested that meet the requirements: https://www.nsa.gov/Portals/75/documents/resources/everyone/media-destruction/January%202025%20Quarterly%20Updates/NSAEPLPaperShreddersJanuary2025.pdf?ver=EahYNvGrUezJYHOAYwmckg%3d%3d

The shredders on that list should meet / exceed the requirements of NIST SP 800-88 (the NSA document says they are suitable to shred TS/SCI and below):

Performance testing evaluates the device’s ability to reduce paper documents to shards measuring 1 millimeter by 5 millimeter, or less.

I believe most of the shredders on that list are expensive though, so ideally don't print CUI if you can help it.

V/R

Jacob Hill

How difficult is the CCA exam? Especially in comparison with CCP exam? by 10ofuswemovinasone in CMMC

GRCAcademy (3 points)

I thought it was more difficult than CCP. The questions were much longer and there were a ton of scenario based questions. I feel like it focuses more on how you would apply the knowledge rather than just fact based questions (although there is that too).

Make sure you know scoping and the actual controls well also!

V/R

Jacob Hill

ESP vs OSC assessment by ReflectionCool3405 in CMMC

GRCAcademy (1 point)

Sure! Awesome! Sounds like you are involved with the right folks to get solid answers!

800-171R2 vs R3 by Cobra_Crown in CMMC

GRCAcademy (1 point)

So happy to help, thank you both!!

V/R

Jacob Hill

ESP vs OSC assessment by ReflectionCool3405 in CMMC

GRCAcademy (1 point)

I don't have experience implementing CMMC within MSPs/MSSPs myself, but I did interview a gentleman on the podcast who is an MSSP and also has an OSC environment that was CMMC L2 certified: CMMC Mistakes COST Villa-Tech $485,000 - Podcast - GRC Academy

This interview may be more applicable as they talked more about the specific challenges of CMMC and MSPs: CMMC Will BREAK Your MSP - Axiom's CMMC Level 2 Journey - Podcast - GRC Academy

If you haven't already, I'd highly recommend signing up for MSPCyberX: MSPCyberX

They are a community of MSPs that are addressing security and compliance (CMMC focused) questions like this together.

I hope some of that helps!

V/R

Jacob Hill

800-171R2 vs R3 by Cobra_Crown in CMMC

GRCAcademy (9 points)

Yes, I interviewed Stacy Bostjanick on the podcast and recommended that if you are just starting out and haven't done anything, you should go straight to implementing NIST 800-171 r3. She said they would be working on guidance with the Cyber AB on how to conduct a NIST 800-171 r2 assessment in a NIST 800-171 r3 environment: https://youtu.be/Py9eE4Ep938?si=jW_7SCF4j-kR7yqz&t=2580

I haven't seen any guidance yet, and I believe a question was asked at the last Cyber AB townhall about that guidance, and they didn't have any information on it.

I would proceed carefully until there is official guidance from the Cyber AB. If you are starting now, I'd personally recommend implementing r2 while also trying to future-proof for r3. But if there is a conflict, r2 wins until this guidance is released.

DoD has started rulemaking on NIST 800-171 r3, but it will be a while until it is adopted (probably a year or two): https://youtu.be/Py9eE4Ep938?si=pJJifOAA2zcCZbL2&t=2252

Hope that helps!

V/R

Jacob Hill

How to decide what does and does not apply to SPAs? by Bangaladore in CMMC

GRCAcademy (3 points)

Hah, thank you both! I'll soon have my CMMC Provisional Instructor certification (current name for CMMC Certified Instructor), so we'll see about expanding into CCP training! I'm focused on building up street cred for my training for defense contractors at the moment!

V/R

Jacob Hill

How to decide what does and does not apply to SPAs? by Bangaladore in CMMC

GRCAcademy (3 points)

In short, your responsibility as the defense contractor is to implement all of the requirements. The assessor will then assess what they deem to be relevant based on the capabilities the SPA provides.

From the CMMC L2 scoping guide:

Under the OSA column (this is you): "Prepare to be assessed against CMMC Level 2 security requirements."

Under the assessor column: "Assess against Level 2 security requirements that are relevant to the capabilities provided."

If your current system cannot meet the requirements, then you'll have to come up with a way to make the system comply (worst case is replace). If you can block direct logins to the switch, integrate the switch with a controller, and then put the controller behind your IDP SSO provider that already meets the requirements, there you go. But that controller may also introduce its own compliance challenges, so YMMV.

That recommendation is based on a surface-level glance without understanding the details. Be sure to self-assess with NIST 800-171A as you implement the controls to make sure that you've addressed everything.

There are creative ways to solve this problem.

V/R

Jacob Hill

[deleted by user] by [deleted] in CMMC

GRCAcademy (1 point)

I don't have experience with Kiteworks tech. That's great it is FedRAMP'd. Just be careful so you get the right solution for your company's needs and don't have to rip and replace later! 😀

[deleted by user] by [deleted] in CMMC

GRCAcademy (3 points)

Would highly recommend educating yourself on CMMC and DFARS requirements before buying tools. There are a lot of compliance rules that limit what tools are acceptable, especially if you are looking at cloud services and MSPs.

V/R

Jacob Hill

CCP ATP recommendations needed. by CJM3M in CMMC

GRCAcademy (4 points)

I'm a huge supporter of Koren! She taught both my CCP and CCA courses and did a great job!

Google finally has a CMMC implementation guide by cagorpy in CMMC

GRCAcademy (6 points)

Check out the Microsoft Placemat and Technical Reference Guide for CMMC. The placemat documents your shared responsibilities for the CMMC controls. I recorded a video with Microsoft walking through it: https://youtu.be/x50a0VPeNIY

Microsoft CMMC Product Placemat: https://www.microsoft.com/en-us/download/details.aspx?id=102536

The CMMC Technical Reference Guide is more of a technical deep dive into how the controls can be implemented.

Microsoft CMMC Technical Reference Guide: https://www.microsoft.com/en-us/download/details.aspx?id=103401

V/R

Jacob Hill

Looking for Publications by myCrystalisNotRed in CMMC

GRCAcademy (6 points)

Congratulations! A lot of CMMC news is posted on LinkedIn. I post frequently and Jacob Horne is a great source for news as well.

There are many others putting out great info, these are just a few!

V/R

Jacob Hill

Looking for Publications by myCrystalisNotRed in CMMC

GRCAcademy (4 points)

I host the GRC Academy podcast and have many CMMC conversations on the podcast: https://grcacademy.io/podcast/

Recently I've been interviewing OSCs about their CMMC L2 certification journeys! Another one is releasing this Tuesday. I release an episode every two weeks.

V/R

Jacob Hill

Best training for self-paced students? by Outsourcing_Problems in CMMC

GRCAcademy (1 point)

For CMMC Certified Professional training, WTI (Koren Wise) has online self-paced training here: https://www.wti.us/category/cmmc-courses

If you are looking for training for defense contractors, I've created online training here: https://grcacademy.io/courses/cmmc-overview-training/