The Unofficial CMMC 1.02 Checklist
When organizations seeking certification (OSCs) sit down to look at the requirements proposed in the Cybersecurity Maturity Model Certification (CMMC), there are two types of reactions. The first is not knowing where to start. They’ll look at a list of requirements that contain letters and numbers that seem like a foreign language.

LINKS: https://etactics.com/cmmc-compliance-...

Second, there are the more advanced businesses that house controls in a CSV file. That’s great, but it also means they spend eight hours a day looking up different standards to figure out which controls they meet and which they don’t. Either reaction feels like a lose-lose. Yet, a lot of the time all that’s required is a little help. Enter this checklist. Its intention is to give both groups a road map to follow.

The first thing you need to do is identify the main stakeholders from your organization. Most small to medium-sized organizations will have at least 3 to 5 primary stakeholders who will be driving this initiative:

Executive Sponsor: provides proper oversight, execution and maintenance of activities and funding.

The Information Technology and Information Security Department: has the largest responsibilities, but it’s helpful to pull in resources from legal, administrative, human resources and physical security teams.

If your team is light on internal resources, it may be beneficial early in the process to identify a registered provider organization (RPO). RPOs have the required knowledge to assist in the early stages of preparing your organization.

Second, you need to determine your maturity level. We know from previous videos on this channel that there are four levels of maturity that are based on the amount of controlled unclassified information (CUI) an organization deals with.
We also know that contractors providing commercial off-the-shelf (COTS) products and services won’t need CMMC certification. This holds true as long as the product or service isn’t modified from the commercial version in any way. The number of contracts with CMMC requirements will continue to increase each year. The DoD will continue to increase its emphasis on its new mandate as more contracts contain CMMC from 2021 through 2025. Prime and subcontractors must have their CMMC certifications by the time of an awarded contract. In 2021, there will only be 15 prime contracts awarded with CMMC requirements. That's only approximately 1,500 contracts within the defense supply chain. But the DoD estimates the number of contracts with CMMC requirements will grow to.

Third, you need to determine where FCI and CUI exist. The scope of where CUI and FCI exist encompasses the people, processes and technologies that store, process or transmit sensitive data. Network segmentation reduces the scope in two ways: isolation by blocking logical access, and controlled access by traffic type or the direction of an initiated connection. Successful network segmentation creates a secure enclave, separating the secure data environment from everything outside the perimeter. It also defines how you control anything going in and out of that boundary. If you haven’t already identified the people, processes and technologies that influence the security of FCI and CUI, you should.

Fourth, you need to build an environment. Your assessor will likely want to see a clearly defined secure enclave and controls to ensure that there aren’t any holes within the perimeter. If you intend to use an external cloud service provider, they should meet the FedRAMP moderate baseline and meet the requirements under DFARS 7012 [paragraph D].

Fifth, you need to identify gaps. If your organization needs at least a Maturity Level 1 certification, the CMMC-AB lists 17 controls.
For each of those controls, you’ll need to provide sufficient objective evidence (OE). Your OE, in this case, should demonstrate your adoption of the required practices and that you’re performing the related processes.

► Reach out to Etactics @ https://www.etactics.com
► Subscribe: https://rb.gy/pso1fq to learn more tips and tricks in healthcare, health IT, and cybersecurity.
► Find us on LinkedIn: etactics-inc

#CMMC #CMMCAB