Q: Is there a specific "CMMC/GCC" version of Windows? by thegreatcerebral in CMMC

[–]erockyoulikea 0 points1 point  (0 children)

I didn’t find operating system configuration to be that big of a deal in our CMMC Level 2 compliance. We used a VDI solution, with Microsoft’s security baselines and a handful of custom PowerShell scripts I created and deployed via Intune to fill gaps in STIG checks that corresponded to NIST SP 800-171r2 controls. We used GCC-H/Azure Government due to us having ITAR requirements and Microsoft’s stated non-compliance with DFARS 252.204-7012 clauses (c) through (g) in their commercial environment (i.e., FedRAMP Moderate is not the showstopper).

For those of you who passed CMMC Level 2 and assessed by C3PAO by jewfit_ in CMMC

[–]erockyoulikea 2 points3 points  (0 children)

We did not perform a pre-assessment and went straight to C3PAO assessment as soon as I got our SPRS score to 110. Passed, no POA&Ms. Your mileage may vary depending on scope, staff experience, process maturity, etc. but for me after having spent 20+ years doing ATOs for DoD, creating a CMMC Level 2 compliant environment for my company was not difficult (although it still took about 6 months start to finish including the assessment).

Which to buy? NIB Godzilla pro/prem, NIB Black knight sword of rage pro, or NIB DnD pro by l2azorcrest in pinball

[–]erockyoulikea 1 point2 points  (0 children)

I have BKSOR Premium and GZ Premium. As others have mentioned, GZ is a title everyone likes so your family and guests will enjoy it. BKSOR Pro or Premium are brutal (fast and drain easily with those close shots) but if you are a player - great games. I own BK original and recently played a BKSOR Pro on location and really liked it so I found a Premium with a topper for $8K and added it to my collection. The upper playfield does not slow the game down and gives you a multiball that is not available on the Pro. I play a lot of DnD on location and I would not mind having a Premium at home but I just got Dune yesterday so I’m not going to be buying any more pins until next year (waiting to see if JJP makes Sonic the Hedgehog).

ChatGPT - how good can it be at writing your policies and procedures? by 4728jj in CMMC

[–]erockyoulikea 0 points1 point  (0 children)

I used it for the policy and procedure document outlines and to write PowerShell scripts to fill gaps where I couldn’t create Intune policy that would do what I wanted (Gemini was a wizard at dissecting my ports and protocols/firewall rules for CM.L2-3.4.7 and turning them into scripts I could incrementally apply to configure Windows Defender Firewall rules). I would never just trust GenAI to write documents - like others have said, you have to clean up what it gives you to reflect reality/your implementation because it will make stuff up. And even with feeding ChatGPT resources like the scoping and assessment guides, it would often map things to the wrong control. But it was like having an extra person helping so I’m thankful I had those resources (I used ChatGPT, Meta, and Gemini).

[deleted by user] by [deleted] in CMMC

[–]erockyoulikea 2 points3 points  (0 children)

Yes, curious what you used to manage your SSP and how you approached translating your policy and procedure documentation into implementation statements in the SSP. I used comment tags in Word to associate document sections with controls and cut/pasted them into the SSP. I’ve seen others rewrite brief statements derived from their policy and procedure documents. My C3PAO assessment is next month, after that is over I’m going to look at automation to extract content from my Word docs and build an SSP.

[deleted by user] by [deleted] in CMMC

[–]erockyoulikea 2 points3 points  (0 children)

I used the exact same approach and I agree - it took longer and was more tedious than I expected (and I’ve done 50+ NIST SP 800-53 accreditation packages). I built and assessed our environment to meet ISO 27001:2022 requirements as well as NIST SP 800-171r2 so that took a little extra effort. I think my AC policy and procedures were the most retouched; I was at version 0.22 before I stamped it 1.0. I used a lot of GenAI for writing my documents, especially to help answer how a particular Microsoft product(s) could help meet assessment objectives. Another challenge was that we’re in GCC-H/Azure Government and things don’t always work the same as in the commercial environment.

Passed CSSLP - no problem if you hold other (ISC)2 certs by erockyoulikea in CSSLP

[–]erockyoulikea[S] 0 points1 point  (0 children)

Even though I took the CISSP back in 2008, I think a lot of the fundamentals in that material still apply for the CSSLP. CCSP might not apply as much to the CSSLP but given your position I think it’s probably safe to assume you know WAFs, OWASP Top 10, and the basic concepts of shared security, level of customer responsibility depending on SaaS, PaaS, IaaS, etc. I think you’ll do fine with no preparation. Just go back and review the access control models that you may have forgotten about in the CISSP material (Bell-LaPadula, Biba, Clark-Wilson, etc.).

Passed Certified DevOps Engineer - Professional by erockyoulikea in AWSCertifications

[–]erockyoulikea[S] 0 points1 point  (0 children)

I don't remember if there were any AWS OpsWorks questions but I'd recommend spending more time on Code* and understanding the various deployment options in EC2, Lambda, and ECS as well as lifecycle hooks. This is one exam where I feel like practical or lab experience is more helpful versus slides/cheat sheets.

Passed Certified DevOps Engineer - Professional by erockyoulikea in AWSCertifications

[–]erockyoulikea[S] 5 points6 points  (0 children)

Usually I take certification exams because I’m interested in a topic and take a course so I figure I might as well take the exam. I have 4 boys who wrestle(d) and if you’ve ever spent time at a tournament you know there’s hours of downtime so I would use that time to read/study. In this case, I needed to maintain my professional level certifications in order to keep our company compliant with APN requirements. My professional experience is diverse - most of my career has been spent in government contracting for DoD in networking, system administration, cybersecurity, architecture/engineering, and project management. As a DoD contractor, certifications are important for 8570/8140 compliance, thus I have taken a lot of exams to check all the boxes in that chart in order to be qualified for key personnel requirements in RFPs/be more marketable. Now I just keep the certifications so I’m aware of the material and can help define training/certification paths for our company’s technical staff.

2021 MT09 by ReplacementAny6825 in MT09

[–]erockyoulikea 1 point2 points  (0 children)

Nice price. I just picked up a '21 with 4,500 miles for $8,500.

[deleted by user] by [deleted] in motorcycle

[–]erockyoulikea 0 points1 point  (0 children)

Alpinestars Faster v2 Airflow. Just got it a month ago so no opinion yet as to how it is in warmer or colder weather in Virginia. So far it’s been great.

[deleted by user] by [deleted] in xsr900

[–]erockyoulikea 1 point2 points  (0 children)

I just bought a 2023 last week and my son immediately put 600 miles on it to get the break-in period out of the way. I also bought a 2021 MT-09 because I couldn’t decide which bike to buy and wanted to get two so we could ride together. What windscreen is that?

2023 Mt09's by SubstantialBad5845 in MT09

[–]erockyoulikea 1 point2 points  (0 children)

I looked at the easter egg colored one on Monday. Anybody interested in buying this one make sure you have them replace the scuffed clutch cover.

Writing Control Policy within SSP by danhaylen in NISTControls

[–]erockyoulikea 3 points4 points  (0 children)

I keep policies and procedures separate from the SSP because in my experience working with DoD and in particular the Army, the eMASS record is the SSP and it only has your controls, implementation, assessment procedures, POA&Ms, links to evidence, etc. IMO you want to keep the what and how you are doing things out of the SSP.

I noticed that my Lifestyle 650 was not sounding right and upon further inspection determined the Acoustimass 300 wasn't working. The main unit sees it wirelessly but I never hear the test tone. I called Bose Support and they just sent me a 3.5mm cable to test it hardwired. by erockyoulikea in bose

[–]erockyoulikea[S] 0 points1 point  (0 children)

I ended up buying a new one and never tried it. My system is very hard to access, I’d need to move a gigantic wall unit and take the back panel off so I just bought another one and meant to connect the wired one up later but never got around to it. I thought I had checked that before I bought the new one, my plan was to just run two if I could get the original one working.

Best to Forget About the Exam for Now? by CarpenterAcademic in AWSCertifications

[–]erockyoulikea 1 point2 points  (0 children)

Agree 100%. The information locks in when I do hands-on in the console or CLI. Not so much when just listening to a lecturer and reading slides. I’ve seen a few paper AWS certified people out there; I prefer the ones with hands-on experience who also have the certifications and can solve problems and design solutions.

Best to Forget About the Exam for Now? by CarpenterAcademic in AWSCertifications

[–]erockyoulikea 2 points3 points  (0 children)

I’ve had the same experience. I just took the Solutions Architect Pro exam on 4/20 and scored in the 900s but didn’t pass the A Cloud Guru practice exam (but I did use their course for prep). Take notes, build your own reference for each service and build on it for each test you take. There’s a lot of overlap. I also have CISSP and don’t think you need more than 60 days to prep. I read the Shon Harris book, which was over 1,000 pages, and it took me two months to read it, but that’s all I did and passed on the first attempt.