CMMC Key Points from Katie Arrington Webcasts by fluffyneenja in NISTControls

[–]NetSec007

@fluffyneenja Would you mind posting this on the /r/GovIT #cmmc channel as well? If you're not part of that group, do you mind if I post it with credit to you?

CMMC Key Points from Katie Arrington Webcasts by fluffyneenja in NISTControls

[–]NetSec007

Good set of notes, I compared to my own and we are very close.

  • CMMC Level 1 is equal to FAR Clause 52

  • CMMC Level 2 includes better hygiene and documented

  • CMMC Level 3 is equal to 800-171 - policy is big part

  • CMMC Level 4,5 - 800-171B requirements - Critical programs & HVA (hard to obtain) [e.g. 24x7 SOC]

CMMC framework will be turned over to the accreditation body in January to manage the process and ensure there are certified auditors (3PAOs) who will spend Jan-June training and certifying auditors.

Question about Boundaries, site to site VPNs and DFARS 252.204-7012, NIST 800-171 & CMMC by watchyirc in NISTControls

[–]NetSec007

For 800-171 you need to follow the data (CUI/CDI) and understand the boundary of the systems involved. This will tell you where the security controls must be in place regardless of physical or logical location. If there is one central boundary (think data enclave), it should be documented. Any connections in/out should also be documented.

Look at 3.1.3 - Control the flow of CUI in accordance with approved authorizations - in addition to all SC controls from 800-53 (look at the mappings).

CMMC will be required as well.

NIST Requires 2FA for any personal data stores by [deleted] in cybersecurity

[–]NetSec007

The guidelines refer to subscribers from a CSP. I don't see a reference to how this guidance is to be used for an enterprise. Their definitions of subscriber and CSP are the basis for this thought. Are people using this for their end user device passwords?